pnsite hacked by Turkish Hackers Group

  • Hi all,

    My site has been hacked twice by this group called Türkiye Harekat Cephesi http://www.tc-thc.org.

    I would like to know if there are other people out there who have been hacked by these idiots and what the admins do to stop being hacked again.

    I was running .762 and I'm not sure which build of PNphpBB2 I was using. I was using 1.2g but not sure which RC version I was using. They deleted everything. All the CGI bin files as well.

    Any help would be very much appreciated.

    Best regards,
    Danzian
  • sorry forgot to check notify
  • Ouch, hope you had backups. If they managed to get into your CGI directory, it sounds like the problem may be beyond PostNuke. Are there any files left at all? If not, is it possible that they have shell access to your server, FTP passwords, etc.?

  • Hi,

    Thanks for the response. Yeah, somehow he got above the HTML folder and deleted all my bin files and backups.

    I found that he had placed a file called c99.php and another one (the name escapes me) in one of the folders he did not delete. Running the c99.php, wow, that sucker pretty much had full control over my files. I got rid of the files.

    I removed the PNphpBB2 forum and replaced it with pnForum 2.6. Hopefully, he is not going to try to hack my site again. I almost cried the second time when he hacked.

    The hacker is called cukurOva'li from the Turkish Hacker Group. He has been going on a defacement rampage for some time now.

    http://www.google.co…&btnG=Google+Search

    One thing I noticed on this forum (community.postnuke.com) is that they have a different version 2.7. Where can I find it, help?

    Thanks.

    Danzian
  • 2.7 has not been released yet, you can probably get a current snapshot from the NOC but there's no guarantee that it'll work or behave anything like the version you see running here.

    --
    Under Construction!
  • Thanks Topiatic, I think I will wait then. :D

    regards,
    Danzian
  • Looking at my logbook, I have his IP address, it is: 66.249.66.65 from Syria.

    He's been trying today as well but fortunately he has not been successful.

    66.249.66.65 - - [04/Jun/2006:18:10:33 -0400] "GET /phpBB2/viewtopic.php?p=667&sid=b4ea5c5c1968be8aa578403d1b1fa9aa HTTP/1.1" 404 699 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.65 - - [04/Jun/2006:18:10:46 -0400] "GET /phpBB2/posting.php?mode=quote&p=690&sid=2df455483cb68d4573445d7160027d76 HTTP/1.1" 404 699 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.65 - - [04/Jun/2006:18:10:53 -0400] "GET /phpBB2/posting.php?mode=quote&p=632&sid=cb9b948ccfae59f4018d807a2a67ba47 HTTP/1.1" 404 699 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.65 - - [04/Jun/2006:22:47:40 -0400] "GET /robots.txt HTTP/1.1" 200 216 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.66.65 - - [04/Jun/2006:22:47:40 -0400] "GET /phpBB2/posting.php?mode=smilies&sid=0f4db2e8cb3f24c7aff0240c0d1a1819 HTTP/1.1" 404 699 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    crawl-66-249-66-65.googlebot.com - - [04/Jun/2006:22:52:52 -0400] "GET /Aircraft/DC_10/spa_dc10_30er.zip HTTP/1.1" 200 2618195 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

    I did not have phpBB2 nor do I have PNphpBB2. He was just guessing.

    Looking at the GoogleMap module, he pops in and out almost every ten minutes from Syria. I still have to get the log from my website for today.

    If anybody can help me hack into his computer, that would be really great. Or, if anybody can hack into his computer, please feel free to and please publish the result here. :D

    I just pinged his IP address, and he's alive.

    I'm so mad. I want revenge.

    Danzian
  • I just looked up that address. It's a googlebot in Mountain View, CA, not Syria. Either it's really the googlebot, testing links they previously indexed, or the attacker is spoofing you. I can't tell you any more than that.

    By the way, compromising the security of somebody else's computer is illegal in many countries. Should you find this guy, don't go posting your exploits in public. If you read the news, you'll hear about teenagers doing this on MySpace and getting arrested at a rate of several per week. Don't be that guy.

    Frank

    --
    Serious hosting - all the features, bandwidth and storage you could want without breaking the bank at DreamHost.com


    See what I do with PostNuke - http://surreal-dreams.com
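
Added example (not part of the thread or of any poster's code): the two possibilities Frank raises, the real Googlebot or a client spoofing its User-Agent, can be told apart with forward-confirmed reverse DNS, the check Google documents for verifying its crawler. The sketch below applies it to access-log lines; the function names, the IPv4-only lookups and the 203.0.113.7 client are assumptions, and the sample lines are constructed from the entries quoted above.

```python
import ipaddress
import re
import socket

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$')
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def reverse_lookup(ip):
    """PTR lookup: hostname for an IP, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """A lookup: list of IPv4 addresses for a hostname (IPv4 only, by assumption)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_real_googlebot(ip, reverse=reverse_lookup, forward=forward_lookup):
    """FCrDNS: the PTR name must be in a Google domain AND resolve back to the same IP."""
    name = (reverse(ip) or "").lower().rstrip(".")
    return name.endswith(GOOGLE_SUFFIXES) and ip in forward(name)

def classify(line, reverse=reverse_lookup, forward=forward_lookup):
    """Return (client, verdict) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    host = m["host"]
    if "googlebot" not in m["agent"].lower():
        return host, "no-googlebot-claim"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Hostname logged instead of IP: an unconfirmed PTR, the client IP is lost.
        return host, "unverifiable-hostname"
    verified = is_real_googlebot(host, reverse, forward)
    return host, "verified-googlebot" if verified else "spoofed-googlebot-ua"

# Constructed sample lines, modelled on the entries quoted in the thread.
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE = [
    f'66.249.66.65 - - [04/Jun/2006:18:10:33 -0400] "GET /phpBB2/viewtopic.php?p=667 HTTP/1.1" 404 699 "-" "{UA}"',
    f'203.0.113.7 - - [04/Jun/2006:18:11:02 -0400] "GET /phpBB2/viewtopic.php?p=667 HTTP/1.1" 404 699 "-" "{UA}"',
    f'crawl-66-249-66-65.googlebot.com - - [04/Jun/2006:22:52:52 -0400] "GET /robots.txt HTTP/1.1" 200 216 "-" "{UA}"',
]
```

With the default resolvers, `classify` performs live DNS lookups; pass stub functions for `reverse` and `forward` to run it offline.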
  • Thanks Frank. Yes, I just double checked using a different IP whois and it says from Google. The http://www.hostip.info/ lists it as from Syria. :P

    Ha, I feel so dumb. And thanks for the advice about the posting of the exploits. Can't think when I'm mad. :D

    To say the least, the hacker has not hacked my site yet.

    Danzian
  • pnPhpBB2/viewtopic ???

    sounds like the old unpatched version of 1.2g, which had this notorious
    flaw fixed a year ago.
  • Yup.

    The current and fully patched version of PNphpBB2 (link to local source here) is 1.2i and is available from PNphpBB where there is active support.

    In addition to including all the patches for identified exploits, it fixes some bugs and improves functionality. Anyone using a PNphpBB2 forum should upgrade, IMO.



    edited by: pheski, Jun 10, 2006 - 12:36 PM

    --
    Peace
    ______________________________________
    The commonest cause of problems is solutions.
  • OHHH!!!

    An 'i' version... downloading NOW.

    :}