Author Topic: Request: IP logger..  (Read 12487 times)


Offline MadSci

  • Full Member
  • Posts: 102
Request: IP logger..
« on: September 11, 2007, 01:17:52 AM »
Hey guys,
I don't know, maybe this was done already, but: I'm using ver. 1.7.1, currently updating some security fixes. My site was taken down 2 times by hackers (I faltered bid f..ing deal).. and today again I found 2 files by Demon team or crap like this. I also find these pseudo images being uploaded (PHP files renamed to JPG). I have installed the ban script and I wanted to ask you if it is possible to do the following:

When logged in to the admin control panel --> then edit users and then search --> along with the other fields like ID, name, email etc. etc., to get all IP addresses for that user. It will be nice to have some way to add a line to htaccess to block these IP addresses.

You think that's a good idea? Or will it clog the database with too many IP addresses..

ms

Sorry, but these amateur hackers are getting on my nerves.... :x

Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #1 on: September 11, 2007, 12:20:08 PM »
// Step 1

In includes/db_field_definitions.php file,

add above ?>:

Code:
$additional_user_fields['user_ip'] = array($lang['user_ip'], "text", 0);

In phpMyAdmin, create user_ip field in USERS_TABLE (VARCHAR (15) NOT NULL DEFAULT '').

// Step 2

In includes/sessions.php file,

find:

Quote
SET ".get_user_table_field("", "user_lastaction")." = $this->current_time, ".get_user_table_field("", "user_location")." = '$this->user_location', ".get_user_table_field("", "user_lastvisit")." = ".$this->user_info['user_lastvisit']."

replace with:

Code:
SET ".get_user_table_field("", "user_lastaction")." = $this->current_time, ".get_user_table_field("", "user_location")." = '$this->user_location', ".get_user_table_field("", "user_lastvisit")." = ".$this->user_info['user_lastvisit'].", user_ip = '" . $this->user_ip . "'

Find:

Quote
SET ".get_user_table_field("", "user_lastaction")." = $this->current_time, ".get_user_table_field("", "user_location")." = '$this->user_location'

replace with:

Code:
SET ".get_user_table_field("", "user_lastaction")." = $this->current_time, ".get_user_table_field("", "user_location")." = '$this->user_location', user_ip = '" . $this->user_ip . "'

Should see field in ACP -> Users -> Edit Users (no need for search). ;)
This is for user log in. If no log in, no see guest reading in ACP (except session) ...
« Last Edit: September 11, 2007, 12:31:17 PM by thunderstrike »
8 steps need when ask question -

- PHP version (ACP - > phpinfo())
- mySQL version (ACP - > phpinfo())
- 4images version
- Post screenshot / URL
- Post code in BB Code (no need full file for code) or post attach file
- It doesn't work. What is say - what is do for no work
- Install MOD ? If so - please say (troubleshooting)
- Read FAQ ? Install Bug fixes ?

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #2 on: September 11, 2007, 10:26:25 PM »
Thunderstrike, thanks a gazillion times for that MOD.

I will test it tonight. I was working around the clock to update my 4images; however, I was too late, the site got defaced this morning by someone called br3k (I hope he/she rots somewhere  :x or catches something). I will restore my backups...

I was wondering if there is a way to tell the server which scripts to execute and which not.. I mean, I was looking at htaccess allow/deny to prevent execution of foreign PHP scripts on the server, but this is not my thing..
It's like creating a white list of file names which are good for execution and deny for the rest.

You guys know anything like that?

ms

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #3 on: September 12, 2007, 12:25:16 AM »
Wow, so much damage... why would people do stuff like this... I'm not sure how to restore my site.. MySQL destroyed, images corrupted..
I'm saying come on... it's a medical web site, for Christ's sake... :cry:

ms

Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #4 on: September 12, 2007, 12:39:16 AM »
Find new host with good server protection.

Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #5 on: September 12, 2007, 12:53:50 AM »
+ Install all patch from bug fixes in forum. You need fast.

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #6 on: September 12, 2007, 01:33:33 AM »
Well, I guess it's too late... I tried to restore it, however the site gives just a blank page.. tried to restore the MySQL and I think I messed up things even more... well, there go 3 f..king years of hard work.. 700 disease entities with references and over 1000 members.. down the drain.. man... why bother finding a new host...
 :( :( :( :( :( :( :( :( :( :( :(
ms

PS: talked to tech support; they said that they can control exploits like that and I have to upgrade my software and keep it up to date. And they are right of course..

ms

Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #7 on: September 12, 2007, 01:35:41 AM »
Install bug fix from forum. Is for protect gallery ...

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #8 on: September 12, 2007, 01:40:48 AM »
..see, I cannot open the site

http://www.surgicalpathologyatlas.com/db

How and what to fix? There is nothing to fix... I did restore the site from a backup but see, it's not showing up..


Offline thunderstrike

  • 4images Guru
  • Posts: 2.327

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #10 on: September 12, 2007, 02:36:22 AM »
Maybe I was not clear: I have no site to fix... I have files there but the f...er deleted random files and stuff from the database... it is useless to fix something which does not work. If I manage to get the site online again I will update the fixes, but for now I have no site to fix.

BTW I tried to do a fresh install of 4images but I get this error:

"An unexpected error occured. Please try again later."

I have no clue what that is..any idea

ms

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #11 on: September 12, 2007, 03:26:04 AM »
For those who might be interested:

I have traced the hacker back to the good ol' Matushka Russia USSR.. The user has tried to upload fake img files which had PHP embedded in them. I have managed to ban about 5 different entities of that person using the htaccess; however, I found out that he managed to plague the site by uploading different shell scripts named: h.php, mohajershell.php, lolek.php and root.php. The h.php was actually a trojan (JS:TrojDnldr-16) detected by the Avast software. Then he uploaded a bsh.c script to the tmp_media directory. There is a lot of other crap all over the directories...

ms
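
Added example (not from the thread or from 4images): a Python scan for the two artifacts described in the post above, image-named files that are not images or that carry a PHP open tag, and script or source files sitting in a directory meant for media only. The extension list, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading bytes of genuine JPEG, PNG and GIF files, keyed by extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumed policy: a media directory holds images only, never these file types.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".cgi", ".pl", ".sh", ".c"}

def inspect_file(path):
    """Return the reasons a pathlib.Path is suspicious; empty list means clean."""
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    data = path.read_bytes()
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script file in media directory")
    if SCRIPT_EXTS.intersection(suffixes[:-1]):      # e.g. name.php.jpg
        reasons.append("script extension hidden before final extension")
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append("image extension without image header")
        if b"<?php" in data.lower():                 # valid header, PHP inside
            reasons.append("PHP open tag inside image file")
    return reasons

def scan_tree(root):
    """Map each suspicious path, relative to root, to its list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := inspect_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Scan a temporary tree of constructed sample files."""
    samples = {  # constructed contents, not files from the incident
        "ok.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "fake.jpg": b"<?php /* placeholder */ ?>",
        "polyglot.gif": b"GIF89a" + b"\x00" * 8 + b"<?PHP /* placeholder */ ?>",
        "nested/tool.php": b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)
```

`scan_tree()` takes the path of an upload or media directory. The header check and the PHP-tag check run independently because a file can start with valid image bytes and still contain PHP further in.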

Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #12 on: September 12, 2007, 03:29:26 AM »
ahHA ! a clue. Member.php file - uploadimage action might be hole ...
Install any MOD ? Like multi-upload image MOD ?

Quote
I have no clue what that is..any idea

SETTINGS_TABLE empty.

Offline MadSci

  • Full Member
  • Posts: 102
Re: Request: IP logger..
« Reply #13 on: September 12, 2007, 04:14:20 AM »
Yea my friend,
the fkr has emptied the setting and user databases but left one hole.. I have deleted the entire directory and uploaded my backed-up directory. Then I logged in to the admin panel. He deleted the account but I managed by using Admin and Admin as account (lucky guess). From there I restored the databases and voila, my site is up and running smoothly. You, my friend, rule..

Now I have a big favor for the MOD developers:

I have found a script online which I use to ZIP my entire site. If you guys can build it into the Admin panel as a Plug In it will be fantastic:

Code:

<?php
// Address that receives the backup report.
$emailaddress = "your@email.com";

// Archive path in the account's home directory, named after the day of the month.
$target = "/home/" . get_current_user() . "/backup." . date("d") . ".tar.gz";

// Remove a previous archive with the same name.
if (file_exists($target)) unlink($target);

// Archive the web root and mail directories; $result receives tar's exit code.
system("tar --create --preserve --gzip  --file=" . $target . " ~/public_html ~/mail", $result);

// Convert the archive size to a readable unit.
$size = filesize($target);
switch (true) {
  case ($size >= 1048576): $size = round($size / 1048576) . " MB"; break;
  case ($size >= 1024):    $size = round($size / 1024) . " KB"; break;
  default:                 $size = $size . " bytes"; break;
}

// Build and send the report.
$message  = "The website backup has been run.\n\n";
$message .= "The return code was: " . $result . "\n\n";
$message .= "The file path is: " . $target . "\n\n";
$message .= "Size of the backup: " . $size . "\n\n";
$message .= "Server time of the backup: " . date(" F d h:ia") . "\n\n";
mail($emailaddress, "Website Backup Message", $message, "From: Website <>");
?>


That's it: run it and it will zip the entire public_html dir and make a file for you to download. It saved my site and work.

thanx

ms


Offline thunderstrike

  • 4images Guru
  • Posts: 2.327
Re: Request: IP logger..
« Reply #14 on: September 12, 2007, 04:49:44 AM »
I no think good idea of use ... code before use linux command + mail function (security risk). This night, I find good upload script (free - single & multiple mode). Far better class code compare includes/upload.php file. I test sometime. I find work with 4images. ;)