Hello. I have been running phpNuke for several years now. For the past 3 days we have been having very big issues with hacking. Our database has been wiped again and again and scripts inserted redirecting to the likely culprits website.

Today we made the switch and started off clean. Changed database passwords, names, and erased every file off the directory and installed a fresh version of the latest Dragonfly.

After we got it configured to a point acceptable enough to launch it wasn't even 5 minutes later and the database had been wiped again.

Depends on a wide variety of issues, a few of which are,

1. an inside job?
2. has any unusual file been added to your server, below public_html level?
3. did you change your server password?
4. how many FTP accounts have access to your site and did you change them?
5. was the Dragonfly install a bare install without phpnuke modules?

We are not aware of any Dragonfly vulnerabilities, other than what comes from shared hosting or insecure third party modules.

Thanks for the reply. We are totally boggled by it.

I am the only person with ftp or mysql access for the account. Before installing Dragonfly I erased all files from public_html and checked and erased many outside as well.

Dragonfly was a fresh install on a new database under a new name and password.

Did you also change your FTP and cPanel login account password ?
Did the 'root' login user also change his password ?

they could have also gotten in because your webhost runs insecure third party addons or even an insecure install of apache, etc... I would look elsewhere for the hole now such as contacting your webhost and tell them whats going on. I'm sure they'll be quick to blame phpnuke and dragonfly but if their heads are screwed on straight they'll look extremely hard at themselves.

Thanks. I have been in contact with my webhost from the very start and he was the one who recommened I switch to Dragonfly and I plan to stick with it once this is fixed.

We are working closely to find the hole as well as trying to contact others since we are not the only ones to be attacked by this hacker.

LoneWolf367 wrote:

LoneWolf367's server specs (Server OS / Apache / MySQL / PHP / CPG-Nuke) Linux/1.33/4.0.22/4.3.1/phpNuke 7.6

Do you really mean php 4.3.1?

I must say that the speed makes it sound like a server hack rather than a dragonfly hack since you had not had dragonfly up before & no problems have been identified elsewhere.

Looks like they have you covered.
If you do have ssh tot he server I would check for a rootkit (I'm sure your host has this well covered).
Logs logs logs tell stories.

Another thing that comes to mind is a "man in the middle attack" are you running over a wireless connection. Been getting a lot of these lately with the "tutorials" going around.

Don't forget to go over possibilitys on your end, key loggers etc.

I will have my webhost comb through the system to make sure nothing has been planted... since that'd be very bad considering I host more than just my own site.

I am not operating on a wireless connection. And I've also looked over processes at my end just to be safe. I'm running MacOS 10.4.

I just updated my server specs.

Cool, if worst comes to worst & they can't find the cause or you are not satisfied with their explanation you may want to ask to have your account moved to another server.


Good luck!!

Look foward to checking out your site, sounds right up my ally

Ok. We increased logging detail to try and find out what is going on. He knows our password. No guessing is visible and seems to have his methods very automated. Our config file is outside of the public_html path. We've changed all our passwords at least once a day since the hacking began.

He is getting our password and going right in, only takes a matter of minutes. In our apache log a XSS attack showed up. He is also going through a proxy.

Is there any way to protect our config file?

what type of XSS attacks ?

config.php is NOT the issue, you may keep it in public_html since that file is well protected and only accessible thru the CMS itself or a different script.

If you are using Downloads Pro beta software be shure you have the latest which has a security exploit fixed.

Ok, I have applied those patches.

My webhost isn't really too firmiliar with XSS and says he hasnt had much experience in dealing with them.

I have applied the patche for Downloads Pro.

My database is back up. Our hacker is watching us and has attacked 4 times so far today.

This might be a stupid question, but are you totally sure .htaccess is getting put on the server when you upload your files?

Also in addition to changing the cpanel, ftp and database passwords are you changing the passwords for dragonfly admins?

Yes .htaccess is there. I have renamed admin.php and I just changed my password.

Also, is there anyway to take out the database features from the admin panel temporarily?