Dizkus

I've been getting the following error on my site:

"spykids
ADONewConnection: Unable to load database driver ''

Fatal error: Call to a member function on a non-object in /vhost/vhost2/m/a/n/mancuniathletes.co.uk/www/includes/pnAPI.php on line 428"

This is caused by the content of my config.php file being nothing but "Spykids" I'm assuming my site has been hacked, can anyone tell me anything about spykids or how they hacked my site/what I can do to stop it happening again?

Oh and can I copy my config.php from an old backup, or is that one likely to be out of date?

Cheers.

--
www.mancuniathletes.co.uk

I replaced the config.php file with an older one, but get exactly the same error. Does anyone have an idea what other files are likely to have been altered?

--
www.mancuniathletes.co.uk

ditto. Any ideas from anyone?

I assume it has to do with this:
http://news.postnuke.com/index.php?name=News&file=article&sid=2699
I replaced my config file and followed the instructions for prevention, everything seems fine.

Have a look here:

http://forums.postnuke.com/index.php?name=PNphpBB2&file=viewtopic&t=42893

Take note of the comments from MMaynard, MACsrc, and myself. Preventing further intrusion from the original point of entry will not guarantee safety.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com


See what I do with PostNuke - http://surreal-dreams.com

Right, thanks for all that. I'm planning a reinstall (again!) but a couple of questions; I've replaced the config.php file and now I get the error "Session initialisation failed", any idea what's causing that? Also can I rely on the date last modifided date to see which files have been affected by the hack, or can this be fudged?

--
www.mancuniathletes.co.uk

Trust nothing. Things like those dates can be forged. Are you sure all the config.php data is correct and up to date? You might want to check/change your various passwords in case they've been comprimised.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com


See what I do with PostNuke - http://surreal-dreams.com

I've checked the passwords etc, can still log into the database manually. But the config.php file doesn't have 'nuke' as the prefix, think has fixed the site. My question was merely out of curiosity, if those date were guaranteed then it would be a lot easier to see what else (if anything) has been done to my site.

Cheers.

--
www.mancuniathletes.co.uk

You can certainly look for them, but I think somebody with sufficient skill can probably change the datestamp on altered files.

This is why people (like me) will recommend that you wipe everything and start over, because while you might find that there was an intrusion, it's very hard to determine what happened during that intrusion.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com


See what I do with PostNuke - http://surreal-dreams.com

Is there a log recorded anywhere of people/computers visiting my website?

--
www.mancuniathletes.co.uk

My site got hit as well. What a pain. I am reinstalling post nuke .75

If you need any motivation to wipe your account after an intrusion, please see this post:

http://forums.postnuke.com/index.php?name=PNphpBB2&file=viewtopic&p=174606#174606

They leave things behind.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com


See what I do with PostNuke - http://surreal-dreams.com

i got hit as well! gimps. they replaced all my index.php and index.* files with their own. had to replace all of them with backups !!

gits.

my question is how do i find out what version i am on so i can upgrade to the latest?

thnx in advance

Have a look at your credits module. That has the version number.

Frank

--
Serious hosting - all the features, bandwith and storage you could want without breaking the bank at DreamHost.com


See what I do with PostNuke - http://surreal-dreams.com

Just deactivate the xmlrpc module, and completely remove the xmlrpc directory from the 'modules' directory. Also get rid of xmlrpc.php from your root.

IT works!