cicdragonlord Junior Member Posts: 8 From: Hotlanta Registered: 06-14-2004
What are the most secure types of sites currently? Evolution, php-nuke, phpbb only, etc. We need to upgrade our site but are not sure which format to use. It is an old php-nuke site: www.URCgaming.com. Our best site was hacked & trashed over a year ago and I simply have not had the heart to do another really nice one till now. Any suggestions?
Tonnyx Member Posts: 140 From: Indiana, USA Registered: 08-02-2005
I, too, am dying to know the answer (or at least, people's informed opinions)! I think I mentioned this in another thread: I did a site for a friend which got all its database tables dropped a few weeks ago. I wanted to give up and cry at that point. Thankfully it was a small site, and I at least had the files still available to me. Still, rebuilding a site without the database as a foundation is, um, really annoying. It was a Joomla site which I hadn't taken the time to upgrade from 1.0.11 to 1.0.12 (and I don't even know if that would have solved it - somehow the logs from that day disappeared, and I can't tell how they hacked in). Perhaps it would have been fine if I simply had denied the CMS database account permission to do things like drop tables. I find, though, that when installing new modules, this causes errors since it usually wants to drop any tables that might be from an old install or whatever. Speaking of this, I am going to go do that right now, since I think we're pretty much set with the currently installed modules/components.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
wow, wow, wow, this is just one of those pc's dying to get hacked. i did you a favour and portscanned the server at www.urcgaming.com. i found many, many ports open; even my current client pc doesn't have that many ports open. here are some screen-shots:
6) the above points sum port security up, but try doing your own port-scan on your server.
9) linux/unix servers are most of the time better than windows. (it's good that you don't use iis though).
10) if you use any passwords for either openssh or ftp (or any other protocol) make sure they can't be found in a wordlist. google for wordlist.txt and you'll find some wordlists, then try searching the text file for your pass/username.
11) if you decide to use templates such as php-nuke or something like that, make sure you are up to date with all the security bugs found. i personally recommend you don't use any templates, but maybe you just don't wanna code a site from the ground up.
12) and wow, wow, wow, i just found a really bad bug: you have a robots.txt file at www.urcgaming.com/urc/robots.txt. i found your administrator login page; if you have a bad password i can brute force it if i wanted to.
i really recommend you shut it down and either recode it or fix these bugs. thank the Lord i found some security holes for you here; hackers are looking for sites like yours to play around with---don't let them. oh, and if it's taking long for this post to open then tell me so that i can make the images above just links instead of image tags. if anyone else has a site, try doing the security checks above.
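Two of the checks in the post above (item 10, the wordlist check, and item 12, a robots.txt that advertises the admin login) can be run against your own site with a short script. This is an added example, not code from the thread; the sensitive-path hints and the sample robots.txt and wordlist are constructed for illustration.

```python
"""Self-checks for a site owner: does robots.txt point at admin/login areas,
and does a chosen password appear in a wordlist?  Added example; inputs below
are constructed, not taken from any real site."""
import re

# Path fragments a public Disallow line should not draw attention to
# (assumed list for illustration; extend it for your own site layout).
SENSITIVE_HINTS = ("admin", "login", "backup", "config", "install", "phpmyadmin")


def sensitive_disallows(robots_txt: str) -> list[str]:
    """Return Disallow paths that hint at admin, login or backup areas.

    robots.txt is public, so each such line is a signpost for anyone probing
    the site.  The fix is to leave those paths out of robots.txt and protect
    them with authentication (and, ideally, an IP restriction) instead."""
    found = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()            # drop trailing comments
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if not m:
            continue                                     # not a Disallow rule
        path = m.group(1)
        if any(hint in path.lower() for hint in SENSITIVE_HINTS):
            found.append(path)
    return found


def password_in_wordlist(password: str, wordlist: str) -> bool:
    """True if the password is in the wordlist, exactly or ignoring case."""
    words = {w.strip() for w in wordlist.splitlines() if w.strip()}
    lowered = {w.lower() for w in words}
    return password in words or password.lower() in lowered


# Constructed sample inputs (the admin path is Joomla's default, not a real site's).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /images/
Disallow: /administrator/   # constructed: advertises the admin login
Disallow: /backup/
"""
SAMPLE_WORDLIST = "123456\npassword\nletmein\nqwerty\n"

if __name__ == "__main__":
    print("sensitive Disallow entries:", sensitive_disallows(SAMPLE_ROBOTS))
    print("'Password' in wordlist:", password_in_wordlist("Password", SAMPLE_WORDLIST))
```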
Mene-Mene Member Posts: 1398 From: Fort Wayne, IN, USA Registered: 10-23-2006
:O I just gotta say this. Spade, you're amazing.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
M^2: we all have our strong sides and weak sides. i think we should use our strong sides to help others and learn from each other's strengths to overcome our weaknesses. but whatever it is, we should always be ---> HTH
cicdragonlord Junior Member Posts: 8 From: Hotlanta Registered: 06-14-2004
Holy Cow, my mind is about to explode - gheeezzz, what on earth? Wow, all I can say is wow, and I need some time to digest this to better understand it - thx for all the info - I'll be back....
bwoogie Member Posts: 380 From: kansas usa Registered: 03-12-2005
whoa spade is teh haxx0rz!
cicdragonlord Junior Member Posts: 8 From: Hotlanta Registered: 06-14-2004
The robots thing was google's recommendation for their search engine - so I take it that was bad on their part and mine - gheeezz, I have so much to learn.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
not really. i used to do a bit of hacking myself; it really isn't that harmful, it's just a way of hiding files/folders from being found by google/other search engines. it'd be best if you don't disguise your admin login page so that it won't attract much attention; if you can, embed it in one of your pages and let the server handle the whole login thing. maybe i should test your site for sql injection...
EDIT:
EDIT2: i found a couple of robots.txt files myself, even google and whitehouse have one: it's not dangerous, it's just one of those things you shouldn't do unless you are absolutely sure it's not gonna fail you. besides, one of the first things a hacker should do is check for a robots.txt file to find files you don't want him/her to find. now if i was a hacker and i wanted to find the admin login page, you saved me lots of trouble.
[This message has been edited by spade89 (edited February 19, 2007).]
buddboy Member Posts: 2220 From: New Albany, Indiana, U.S. Registered: 10-08-2004
well, a lot of what he did isn't that hard to do. you can learn some sql injection on a few sites I can't remember the name of; basic mailserver use is not that hard. then you just need a portscanner and a basic knowledge of telnet. plus he just checked for robots.txt.
Mene-Mene Member Posts: 1398 From: Fort Wayne, IN, USA Registered: 10-23-2006
Yeah, until I get my dad to look at hackthissite.org, I'm only working on App hacking. Finding 5 to be a bit tough, but I'll get it.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
yes, you really don't have to know that much to break into a weak system. all you have to be is a lazy thief. hackthissite.com taught me most of what i know, plus google. but if you want to just start you should know most of the stuff at http://www.w3schools.com; they are one of the best web based coding tutorials i know. i finished all the basic challenges. the thing is, with hack this site they concentrate on php/sql only and not much on asp/jsp and others. i was trying to do the permanent programming challenge but you have to know python, and i am now trying to do it in c++, but didn't do too good with that; i'm thinking of doing it in java. i think i finished 3 of the app challenges, and i finished 1-3 realistic and 5-7 (i think). after a while i was kind of offended with one of the challenges, the way it portrayed Christians and all, so i quit doing all the challenges on that site.
if you lurk around a site long enough you'll find some sort of security exploit. but seeing that site has lots of ports open (which some have known exploits), it is kinda easy to hack if you want to. using a basic port scanner i found out how many ports were open and which. then all i have to do is google up an exploit for that port, or look it up in my exploit archive (which i don't think i have now, and i think most hackers do). then you use that exploit. if you can't find many open ports then you'll try to use an exploit finder like nessus or try to find your own exploit.
but i really don't recommend learning how to hack (unless you are a security specialist or something). it is a pretty dirty and corrupt thing to learn. if you want to be secure all you have to do is use something like nessus. just don't let desire be planted in your heart to do anything hack related; some of the things look pretty simple and harmless but they could harm a lot.
i even felt guilty for checking the security exploits for this site (which is really simple and easy to do). i felt like i should have asked cicdragonlord before i checked the exploits (even though my intentions were mostly to help out).
Mene-Mene Member Posts: 1398 From: Fort Wayne, IN, USA Registered: 10-23-2006
I'm seeing where you're going, and I can mostly agree. I still wanna know though. Totally not to the point or aligning with my beliefs, I just thought how funny it would be to have a site which asks you if you could, "please install a Trojan on your computer". What I think would be cool would be a virus which runs through your computer uncorrupting your files and makes new ones of Bible verses, and gives you an uninstall option; that I would download, lol. But it wouldn't be a virus but a utility.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
viruses are real easy to make (as far as i know); it's basically a program that replicates itself and destroys other stuff too. if you know some file io in c++ you should be able to do it. but as far as my beliefs go: i'm not saying that you or even me desire to sin, but one thing may lead to another and it may not be worth the risk. i may be exaggerating too much, but most of the security related stuff you can do may violate the second law Jesus gave us-- love thy neighbor as thyself. and one thing you should always remember: "security is an illusion".
Mene-Mene Member Posts: 1398 From: Fort Wayne, IN, USA Registered: 10-23-2006
Not quite sure what to say, except that doing it without somebody's permission would probably be violating that. I'm higher in Application hacking! lol.
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
what level did you reach?? and did you pass the idiot test??
Mene-Mene Member Posts: 1398 From: Fort Wayne, IN, USA Registered: 10-23-2006
I'm not registered yet (my father hasn't approved the registration yet), so I've not taken the idiot test.
Tonnyx Member Posts: 140 From: Indiana, USA Registered: 08-02-2005
Soooo..... Any reco's for more secure sites? Or, perhaps, a basic security checklist for someone who needs it?
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
you mean other than the ones i listed above??