Web Development

What are the most secure types of sites currently? – cicdragonlord

cicdragonlord
Junior Member

Posts: 8
From: Hotlanta
Registered: 06-14-2004
What are the most secure types of sites currently?

Evolution, php-nuke, phpbb only, etc.

We need to upgrade our site but are not sure which format to use. It is an old php-nuke site: www.URCgaming.com

Our best site was hacked & trashed over a year ago and I simply have not had the heart to do another really nice one till now.

Any suggestions?

Tonnyx

Member

Posts: 140
From: Indiana, USA
Registered: 08-02-2005
I, too, am dying to know the answer (or at least, people's informed opinions)!

I think I mentioned this in another thread: I did a site for a friend which got all its database tables dropped a few weeks ago. I wanted to give up and cry at that point. Thankfully it was a small site, and I at least had the files still available to me. Still, rebuilding a site without the database as a foundation is, um, really annoying. It was a Joomla site which I hadn't taken the time to upgrade from 1.0.11 to 1.0.12 (and I don't even know if that would have solved it - somehow the logs from that day disappeared, and I can't tell how they hacked in). Perhaps it would have been fine if I simply had denied the CMS database account permission to do things like drop tables. I find, though, that when installing new modules, this causes errors since it usually wants to drop any tables that might be from an old install or whatever. Speaking of this, I am going to go to that right now, since I think we're pretty much set with the currently installed modules/components.

------------------
it's pronounced "tonics"
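
What Tonnyx describes, denying the CMS database account the right to drop tables, is done in MySQL with a restricted GRANT for the web-facing account (for example `GRANT SELECT, INSERT, UPDATE, DELETE ON joomla.* TO 'joomla_web'@'localhost'`) and a separate, privileged account used only while installing modules. The following is an added example, not Tonnyx's code and not part of Joomla: it uses SQLite's authorizer hook from the Python standard library to stand in for the server-side privilege check, so the same boundary can be seen offline. The table name `jos_users` and the two roles are assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

# Schema-changing actions a web-facing CMS account has no business issuing at
# runtime. In MySQL you withhold DROP/ALTER with GRANT; here the sqlite3
# authorizer callback plays the role of the server's privilege check.
DENIED_AT_RUNTIME = {
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_DROP_INDEX,
    sqlite3.SQLITE_DROP_VIEW,
    sqlite3.SQLITE_DROP_TRIGGER,
    sqlite3.SQLITE_ALTER_TABLE,
}


def runtime_authorizer(action, arg1, arg2, db_name, source):
    """Deny destructive DDL; allow SELECT/INSERT/UPDATE/DELETE and the rest."""
    return sqlite3.SQLITE_DENY if action in DENIED_AT_RUNTIME else sqlite3.SQLITE_OK


def connect(path, role):
    """role='web' gets the restricted connection; role='install' is unrestricted."""
    conn = sqlite3.connect(path)
    if role == "web":
        conn.set_authorizer(runtime_authorizer)
    return conn


def run(conn, sql, params=()):
    """Execute one statement; report whether the privilege check let it through."""
    try:
        conn.execute(sql, params).fetchall()  # fetchall() releases the read lock
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # a denied statement fails with 'not authorized'
        conn.rollback()
        return False


def demo():
    """Constructed scenario: a hypothetical jos_users table, probed under both roles."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cms.db")
        install = connect(path, "install")
        run(install, "CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT)")
        web = connect(path, "web")
        results = {
            "web_insert": run(web, "INSERT INTO jos_users (name) VALUES (?)", ("tonnyx",)),
            "web_select": run(web, "SELECT name FROM jos_users"),
            # what an injected or stolen-credential DROP achieves under the web account
            "web_drop": run(web, "DROP TABLE jos_users"),
            "table_survives": run(web, "SELECT count(*) FROM jos_users"),
        }
        web.close()
        # module installs that legitimately need DROP run under the install role
        results["install_drop"] = run(install, "DROP TABLE jos_users")
        install.close()
        return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The errors Tonnyx saw when installing modules come from running the install under the restricted account; switching the CMS configuration to the privileged account for the duration of the install, then back, keeps the runtime account unable to drop anything.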

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
Wow, wow, wow, this is just one of those PCs dying to get hacked.

I did you a favour and port-scanned the server at www.urcgaming.com. I found many, many ports open; even my current client PC doesn't have that many ports open. Here are some screenshots:

[screenshots of the port scan]

OK, now you have seen those, here are some security tips:
1) The number of open ports should be small.
2) If you have ports other than 80 open and you really, really need them, try using a proxy for those ports.
3) If you can't set up a proxy, at least try to use only encryption-based protocols.
4) Use the latest Apache server.
5) Always do a security check on your server. I personally recommend the so-called best tool out there, "Tenable Nessus". Google for it; I didn't have time to find it for you.

6) The above points sum up port security, but try doing your own port scan on your server.
7) As for site security, your site allows some directory traversals. I didn't find anything deadly, but it's always best to avoid traversals.
8) It's always good to use templates, but make sure they don't compromise your security. If you don't have a password for your administrator account, get one.

9) Linux/Unix servers are most of the time better than Windows (it's good that you don't use IIS, though).

10) If you use any passwords for either OpenSSH or FTP (or any other protocol), make sure they can't be found in a wordlist. Google for wordlist.txt and you'll find some wordlists; then try searching the text file for your password/username.

11) If you decide to use templates such as PHP-Nuke or something like that, make sure you are up to date with all the security bugs found. I personally recommend you don't use any templates, but maybe you just don't want to code a site from the ground up.

12) And wow, wow, wow, I just found a really bad bug: you have a robots.txt file at www.urcgaming.com/urc/robots.txt. I found your administrator login page; if you have a bad password I could brute-force it if I wanted to.

I really recommend you shut it down and either recode it or fix these bugs.
If I wasn't a Christian (and if this wasn't a Christian site), I'd probably be trying to hack your site. Now that you know your security holes, fix them now.

Thank the Lord I found some security holes for you here; hackers are looking for sites like yours to play around with. Don't let them.

Oh, and if it's taking long for this post to open, tell me so that I can make the images above just links instead of image tags.

If anyone else has a site, try doing the security checks above.

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ
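
Tip 7 above, directory traversal, comes from code that glues a user-supplied file name onto a directory and trusts the result. The block below is an added example, not spade89's and not from PHP-Nuke: it shows the naive join beside a resolver that decodes once, rejects NUL bytes, refuses to let an absolute path replace the document root, and checks the resolved real path is still under the root (which also catches symlinks pointing outside). The document root, the `pages/about.html` file and the request strings are constructed for the demonstration.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def naive_path(docroot, requested):
    """The vulnerable pattern: glue the user's string onto the docroot and trust it."""
    return docroot.rstrip("/") + "/" + requested


def resolve_path(docroot, requested):
    """Map a user-supplied relative path to a real file under docroot, or refuse."""
    root = os.path.realpath(docroot)
    decoded = unquote(requested)                  # decode once, as the web server does
    if "\0" in decoded:
        raise TraversalError("NUL byte in requested path")
    rel = decoded.lstrip("/\\")                   # an absolute path must not replace root
    candidate = os.path.realpath(os.path.join(root, rel))  # collapses '..', follows symlinks
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{requested!r} escapes {docroot}")
    return candidate


def demo():
    """Constructed docroot with one page, probed with benign and hostile requests."""
    requests = [
        "pages/about.html",
        "pages/../pages/about.html",
        "../../../etc/passwd",
        "..%2F..%2F..%2Fetc%2Fpasswd",      # URL-encoded slashes
        "/etc/passwd",                       # absolute path
        "pages/about.html%00.jpg",           # NUL truncation trick
    ]
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "pages"))
        with open(os.path.join(tmp, "pages", "about.html"), "w") as f:
            f.write("<h1>URC Gaming</h1>")
        for req in requests:
            try:
                path = resolve_path(tmp, req)
                verdicts[req] = "served" if os.path.isfile(path) else "inside docroot, not found"
            except TraversalError:
                verdicts[req] = "blocked"
    # what the naive join hands to the filesystem for the same hostile request
    verdicts["naive"] = posixpath.normpath(naive_path("/var/www/urc", "../../../etc/passwd"))
    return verdicts


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r}: {verdict}")
```

The check is done on the resolved real path rather than by filtering `..` out of the string, because encoding variants and symlinks defeat string filters; the resolver never hides the file name it was given, it only refuses to leave the root.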

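Tip 10, searching a wordlist for your own password, understates what a cracker does: wordlists are fed through mangling rules (case folding, leet substitutions, appended years and punctuation, reversal), so an exact-match search misses `Dr4g0n2007!` even though `dragon` is on the list. The following is an added example, not spade89's code: it undoes the common rules and looks up the resulting base words. The small `WORDLIST` set is constructed for the demonstration; `load_wordlist` reads a real one-word-per-line file such as the wordlist.txt files the tip mentions.

```python
import re

# Constructed mini wordlist standing in for a real wordlist.txt (millions of lines).
WORDLIST = {"password", "letmein", "dragon", "gaming", "admin", "welcome", "qwerty"}

# Leet-speak substitutions that cracking rules apply and undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def load_wordlist(path):
    """Read a one-word-per-line wordlist into a lowercase set."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return {line.strip().lower() for line in f if line.strip()}


def candidates(password):
    """Base words a cracker's mangling rules would derive from this password."""
    p = password.lower()
    no_suffix = re.sub(r"[\d\W_]+$", "", p)          # dragon2007! -> dragon
    no_affix = re.sub(r"^[\d\W_]+", "", no_suffix)   # 2007dragon  -> dragon
    forms = [p, no_suffix, no_affix]
    forms += [f.translate(LEET) for f in forms]      # dr4g0n -> dragon
    forms += [f[::-1] for f in forms]                # nogard -> dragon
    seen = set()
    for f in forms:
        if f and f not in seen:
            seen.add(f)
            yield f


def check_password(password, wordlist=WORDLIST, min_len=12):
    """Return (ok, reason). ok=False means a dictionary attack would likely recover it."""
    for base in candidates(password):
        if base in wordlist:
            return False, f"derived from wordlist entry {base!r}"
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "not derived from a wordlist entry"


if __name__ == "__main__":
    for pw in ["dragon", "Dr4g0n2007!", "P@ssw0rd", "n0gard",
               "Tr0ub4dor&3", "correct horse battery staple"]:
        ok, reason = check_password(pw)
        print(f"{pw!r}: {'OK' if ok else 'WEAK'} ({reason})")
```

Run it against a real wordlist with `check_password(pw, load_wordlist("wordlist.txt"))`; the length floor is a separate floor, since a random twelve-character string that happens to contain no dictionary word is still the cheaper target if it is short.
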
Mene-Mene

Member

Posts: 1398
From: Fort Wayne, IN, USA
Registered: 10-23-2006
:O I just gotta say this. Spade, you're amazing.

------------------
MM out-
Thought travels much faster than sound, it is better to think something twice, and say it once, than to think something once, and have to say it twice.
"Frogs and Fauns! The tournament!" - Professor Winneynoodle/HanClinto
I reserve the full right to change my views/theories at any time.

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
M^2:
We all have our strong sides and weak sides. I think we should use our strong sides to help others and learn from each other's strengths to overcome our weaknesses.

But whatever it is, we should always be ---> HTH

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ

cicdragonlord
Junior Member

Posts: 8
From: Hotlanta
Registered: 06-14-2004
Holy cow, my mind is about to explode - gheeezzz, what on earth? Wow, all I can say is wow, and I need some time to digest this to better understand - thx for all the info - I'll be back....

bwoogie

Member

Posts: 380
From: kansas usa
Registered: 03-12-2005
whoa spade is teh haxx0rz!

------------------
~~~boogie woogie woogie~~~

cicdragonlord
Junior Member

Posts: 8
From: Hotlanta
Registered: 06-14-2004
The robots thing was Google's recommendation for their search engine - so I take it that was bad on their part and mine - gheeezz, I have so much to learn.

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
Not really. I used to do a bit of hacking myself. It really isn't that harmful; it's just a way of hiding files/folders from being found by Google/other search engines. It'd be best if you don't disguise your admin login page so that it won't attract much attention; if you can, embed it in one of your pages and let the server handle the whole login thing. Maybe I should test your site for SQL injection...

EDIT:
Here is what I found when I tried SQL injection. Apparently it doesn't work. Did it mean "be gone" or "beg one", or is "begone" a name??

EDIT2: I found a couple of robots.txt files myself; even Google and the White House have one:
http://www.google.com/robots.txt
http://www.whitehouse.gov/robots.txt

It's not dangerous; it's just one of those things you shouldn't do unless you are absolutely sure it's not gonna fail you. Besides, one of the first things a hacker should do is check for a robots.txt file to find files you don't want him/her to find. Now if I was a hacker and I wanted to find the admin login page, you saved me lots of trouble.

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ

[This message has been edited by spade89 (edited February 19, 2007).]
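
The point spade89 makes twice above is that robots.txt is public, so every `Disallow` line in it is a list of the places the owner least wants visited, and an admin login page listed there is advertised, not hidden. The block below is an added example, not part of the thread: it parses a robots.txt the way a crawler does (comments, blank lines, per-agent groups) and splits the disallowed paths into ones that leak a sensitive location and harmless ones. The `SAMPLE_ROBOTS` text and its paths are constructed for the demonstration; feed `audit()` the body of a real `/robots.txt` fetched with curl or urllib.

```python
import re

# Constructed robots.txt in the shape the Google webmaster guidance produces.
SAMPLE_ROBOTS = """\
# generated for urcgaming (constructed example)
User-agent: *
Disallow: /urc/admin.php
Disallow: /urc/backup/
Disallow: /urc/config.php
Disallow: /urc/images/

User-agent: Googlebot
Allow: /urc/images/public/
Disallow: /urc/cgi-bin/
"""

# Path fragments that, when listed as Disallow, tell an attacker where to start.
SENSITIVE = re.compile(
    r"admin|login|backup|config|cgi-bin|install|upload|\.sql|\.bak|\.old|\.inc", re.I
)


def parse_robots(text):
    """Return [(user_agent, directive, value)] for every Allow/Disallow, comments dropped."""
    agent = None
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and surrounding whitespace
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agent = value
        elif field in ("allow", "disallow") and agent is not None:
            rules.append((agent, field, value))
    return rules


def disallowed_paths(text):
    """Every path any agent is told not to crawl: the attacker's first to-do list."""
    return sorted({v for _, d, v in parse_robots(text) if d == "disallow" and v})


def audit(text):
    """Split Disallow paths into ones that leak a sensitive location and harmless ones."""
    leaks, harmless = [], []
    for path in disallowed_paths(text):
        (leaks if SENSITIVE.search(path) else harmless).append(path)
    return {"leaks": leaks, "harmless": harmless}


if __name__ == "__main__":
    result = audit(SAMPLE_ROBOTS)
    for path in result["leaks"]:
        print(f"robots.txt advertises {path}: put authentication on it, do not just hide it")
    for path in result["harmless"]:
        print(f"{path}: fine to leave in robots.txt")
```

A flagged path is fixed by protecting it, not by deleting the line: require a login (or HTTP authentication, or an IP restriction in the web server) on the admin directory, and keep robots.txt for crawl-budget paths such as image folders that are harmless if found.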

buddboy

Member

Posts: 2220
From: New Albany, Indiana, U.S.
Registered: 10-08-2004
Well, a lot of what he did isn't that hard to do. You can learn some SQL injection on a few sites I can't remember the name of; basic mail server use is not that hard. Then you just need a port scanner and a basic knowledge of telnet.

Plus he just checked for robots.txt.

------------------
that post was really cool ^
|
[|=D) <---|| me

Mene-Mene

Member

Posts: 1398
From: Fort Wayne, IN, USA
Registered: 10-23-2006
Yeah, until I get my dad to look at hackthissite.org, I'm only working on App hacking. Finding 5 to be a bit tough, but I'll get it.

------------------
MM out-
Thought travels much faster than sound, it is better to think something twice, and say it once, than to think something once, and have to say it twice.
"Frogs and Fauns! The tournament!" - Professor Winneynoodle/HanClinto
I reserve the full right to change my views/theories at any time.

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
Yes, you really don't have to know that much to break into a weak system. All you have to be is a lazy thief.

hackthissite.com taught me most of what I know, plus Google. But if you want to just start, you should know most of the stuff at http://www.w3schools.com

They are one of the best web-based coding tutorials I know. I finished all the basic challenges. The thing is, with Hack This Site they concentrate on PHP/SQL only and not much on ASP/JSP and others. I was trying to do the permanent programming challenge but you have to know Python, and I am now trying to do it in C++, but didn't do too well with that; I'm thinking of doing it in Java.

I think I finished 3 of the app challenges, and I finished 1-3 realistic and 5-7 (I think).

After a while I was kind of offended with one of the challenges, the way it portrayed Christians and all, so I quit doing all the challenges on that site.

If you lurk around a site long enough you'll find some sort of security exploit. But seeing that site has lots of ports open (some of which have known exploits), it is kinda easy to hack if you want to. Using a basic port scanner I found out how many ports were open and which. Then all I have to do is Google up an exploit for that port, or look it up in my exploit archive (which I don't think I have now, and I think most hackers do).

Then you use that exploit. If you can't find many open ports, then you'll try to use an exploit finder like Nessus or try to find your own exploit.

But I really don't recommend learning how to hack (unless you are a security specialist or something). It is a pretty dirty and corrupt thing to learn.

If you want to be secure, all you have to do is use something like Nessus, which is plugin-based and updates its plugin database continually as new exploits are found.

Just don't let desire be planted in your heart to do anything hack-related; some of the things look pretty simple and harmless, but they could harm a lot.

I even felt guilty for checking the security exploits for this site (which is really simple and easy to do). I felt like I should have asked cicdragonlord before I checked the exploits (even though my intentions were mostly to help out).

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ

Mene-Mene

Member

Posts: 1398
From: Fort Wayne, IN, USA
Registered: 10-23-2006
I'm seeing where you're going, and I can mostly agree. I still wanna know, though. Totally not to the point or aligning with my beliefs, I just thought how funny it would be to have a site which asks you if you could "please install a Trojan on your computer". What I think would be cool would be a virus which runs through your computer uncorrupting your files and makes new ones of Bible verses, and gives you an uninstall option; that I would download, lol. But it wouldn't be a virus but a utility.

------------------
MM out-
Thought travels much faster than sound, it is better to think something twice, and say it once, than to think something once, and have to say it twice.
"Frogs and Fauns! The tournament!" - Professor Winneynoodle/HanClinto
I reserve the full right to change my views/theories at any time.

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
Viruses are real easy to make (as far as I know); it's basically a program that replicates itself and destroys other stuff too. If you know some file I/O in C++ you should be able to do it.

But as far as my beliefs go:
"Then, after desire has conceived, it gives birth to sin; and sin, when it is full-grown, gives birth to death. Don't be deceived, my dear brothers." (James 1:15-16, NIV)

I'm not saying that you or even I desire to sin, but one thing may lead to another and it may not be worth the risk.

I may be exaggerating too much, but most of the security-related stuff you can do may violate the second law Jesus gave us: love thy neighbor as thyself.

And one thing you should always remember: "security is an illusion".

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ

Mene-Mene

Member

Posts: 1398
From: Fort Wayne, IN, USA
Registered: 10-23-2006
Not quite sure what to say, except that doing it without somebody's permission would probably be violating that.

I'm higher in Application hacking! lol.

------------------
MM out-
Thought travels much faster than sound, it is better to think something twice, and say it once, than to think something once, and have to say it twice.
"Frogs and Fauns! The tournament!" - Professor Winneynoodle/HanClinto
I reserve the full right to change my views/theories at any time.

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
What level did you reach?? And did you pass the idiot test??

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ

Mene-Mene

Member

Posts: 1398
From: Fort Wayne, IN, USA
Registered: 10-23-2006
I'm not registered yet, (my father hasn't approved the registration yet) so I've not taken the idiot test.

------------------
MM out-
Thought travels much faster than sound, it is better to think something twice, and say it once, than to think something once, and have to say it twice.
"Frogs and Fauns! The tournament!" - Professor Winneynoodle/HanClinto
"Of course, prayer requires that you actually take the time to listen for His answer..." - I'msold4Christ
I reserve the full right to change my views/theories at any time.

Tonnyx

Member

Posts: 140
From: Indiana, USA
Registered: 08-02-2005
Soooo..... Any reco's for more secure sites? Or, perhaps, a basic security checklist for someone who needs it?

------------------
it's pronounced "tonics"

spade89

Member

Posts: 561
From: houston,tx
Registered: 11-28-2006
You mean other than the ones I listed above??

------------------
Matthew (22:36-40) "Teacher, which is the greatest commandment in the Law?" Jesus replied: " 'Love the Lord your God with all your heart and with all your soul and with all your mind. This is the first and greatest commandment. And the second is like it: 'Love your neighbor as yourself.' All the Law and the Prophets hang on these two commandments."
Whose Son Is the Christ