Tired of being hacked? Here is the fix
Jared
Student

Tired of being hacked?

Guide to the ultimate protection.

1) Create a new file and name it anything you want, ending in .php.
2) Insert this code (it comes straight from the proxy2.de site):



4)
Open up admin.php and on the second line, directly after <?php, place this:



Now, make sure that the password in the authentication file matches YOUR password to the guestbook.

5) Rename admin.php to something other than admin.php.
6) Update the /admin/config.inc.php file to reflect the new name of the admin.php file.
7) Remove any and all links in the guestbook to the administration area.

8) The guestbook is completely secured from everyone... except you.
JTD
Graduate

Does this work with GB version 2.2? Thanks in advance. Also, in which directory of GB do you place the new code? Admin???

LINK-> Use Lazarus Guestbook
Jared
Student

Since I have had guestbook 2.2 in the past, the admin file pretty much works the same. I don't see any reason why it would not work.

The password file, which you can name anything you want, is also placed in the root of the guestbook folder. You will just do a php include statement in the admin file so that it runs the script on startup. This will give you a .htaccess/.htpasswd file type of user prompt.

Make sure you rename the admin.php file to something only you will know. It is also important to remove the links to the administration area, because once you have updated /admin/config.inc.php it will show the new file name in those links.

I have noticed that Chi Kien Uong (proxy2.de) has done the same to his guestbook on this site, only he has not renamed the admin.php file.

You don't have to rename the admin.php file, but it is just increased security.

The nice thing is that once you enter the password, it takes you directly into the admin area. But you have to make sure that both user name and password sets match.
amber222
Graduate

I did this and it worked great - for two days. Who knows why, but on the third day I couldn't get into admin. Even though I hadn't changed anything else, it was once again looking for a file named admin.php. So, I had to put everything back like it originally was... Go figure.
JTD
Graduate

Carbonize has a much easier and simpler fix.

LINK-> Use Lazarus Guestbook
Carbonize
Master

Just a couple of errors in your instructions Jared.
First, I would use require and not include, as this way, if the password file is not found, the script won't run.

Second the path will vary for every user. But given that, hopefully, the password script will be in the same directory as the admin.php we could use This is also assuming that they named the file passwordlock.php.

Basically, users want to open Notepad and copy the first bit of script from Jared's post into it. You then want to save the file as passwordlock.php and then upload the file to your guestbook's directory. Make sure that the file ends in .php and that your text editor has not added an extension on the end. Now open up admin.php and just after the <? put .

I personally don't like this method for various reasons but it will do the job.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Auron
Expert

Carbonize wrote: Just a couple of errors in your instructions Jared.
First, I would use require and not include, as this way, if the password file is not found, the script won't run.


If the file that contains the script is not found then how can the script run anyway??

Also, you may wish to re-write your notes on Jared's method of securing the
guestbook since it doesn't make much sense.

_ Auron

Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date, I would have thought.)
Carbonize
Master

If the PHP engine doesn't find the file indicated in the include, it will report an error but carry on with the rest of the script. If it doesn't find the file indicated in require, it will stop running the script at that point.

My instructions
1 - Open up your favourite text editor, Notepad for example.
2 - Place the following in the empty file, remembering to make the password the same as your guestbook password:
3 - Save the file as passwordlock.php, making sure your text editor has not added a different extension to the end.
4 - Upload the new passwordlock.php file into your guestbook's directory.
5 - Open up admin.php and just after the <?php put now save admin.php back to your server.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous
I'm going to try this. Just wanted to know if I can substitute another name for "passwordlock.php" if the other name is also used in step 5. Sounds logical?

3 - Save the file as passwordlock.php, making sure your text editor has not added a different extension to the end.
4 - Upload the new passwordlock.php file into your guestbook's directory.
5 - Open up admin.php and just after the <?php put Code:
require ("passwordlock.php");
now save admin.php back to your server.
Carbonize
Master

Yup sounds perfectly logical to me. My main gripe was that Jared had said to save the initial file as anything you want.php and then used a specific include path and file name. I was mainly pointing out that this may confuse a lot of people and that the full path they used would not apply to all as every server is set up differently.

I still prefer my fix.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous
Well, this is giving me the header errors. Did anybody else have this problem? After removing the blank lines, I still end up with the following error:

Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/modules/guestbook/passwordlock.php:23) in /home/xxxxx/public_html/modules/guestbook/admin.php on line 205

Line 205 is:



Could this have something to do with Phpnuke, and do you know how I can fix it? Until then, I will have to disable it.

Also, (and I know this is on a different subject), the logout redirect instructions do not work with Phpnuke either.

Thanks.
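The password-prompt script that Jared's steps 1-2 and Carbonize's step 2 refer to, and that the "headers already sent" report above is about, did not survive in this archived copy of the thread. What follows is an added example, not the proxy2.de script and not Jared's or Carbonize's code: a passwordlock.php that does the same job (an HTTP Basic Authentication prompt sent from PHP, so the browser shows a .htaccess/.htpasswd-style login box) and is written so that the header warning cannot occur. ADMIN_USER, ADMIN_HASH, the realm string and the passwordlock_* function names are placeholders of mine, not names from the guestbook; the password is stored as a password_hash() value rather than in plaintext as the original script did. It assumes PHP 7 or later.

```php
<?php
// passwordlock.php - added example for the thread above, not the proxy2.de script.
// Dropped into the guestbook directory and pulled in from the very top of
// admin.php with:
//     <?php
//     require __DIR__ . '/passwordlock.php';
// require (not include) so that, if this file is missing, admin.php stops
// instead of carrying on unprotected - Carbonize's point earlier in the thread.
//
// Placeholders (mine, not from the thread). Make the hash with:
//     php -r 'echo password_hash("your-guestbook-password", PASSWORD_DEFAULT), "\n";'
// Until ADMIN_HASH is replaced, password_verify() returns false and everyone is locked out,
// which is the safe failure mode for a file like this.
const ADMIN_USER = 'admin';
const ADMIN_HASH = '$2y$10$replace-me-with-your-own-password_hash-output';
const AUTH_REALM = 'Guestbook admin';

// Send the 401 challenge and stop. header() only works if nothing has been
// output yet, which is why this file has no BOM, no blank line before <?php,
// and no closing ?> tag at the end (a newline after ?> counts as output and
// produces exactly the "Cannot modify header information" warning quoted above).
function passwordlock_deny(): void
{
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    http_response_code(401);
    echo 'Authorisation required.';
    exit;
}

// Compare credentials without leaking timing information: hash_equals() for the
// user name, password_verify() (constant-time, salted) for the password.
function passwordlock_check(string $user, string $pass): bool
{
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, ADMIN_HASH);
    return $userOk && $passOk;   // evaluate both; do not short-circuit on user name
}

// If admin.php (or anything it included before us) has already produced output,
// the 401 challenge cannot be sent. Fail closed and say where the output began,
// which is the same file:line information the PHP warning in the thread gives.
if (headers_sent($file, $line)) {
    error_log("passwordlock.php: output already started at $file:$line; cannot send auth challenge");
    exit('Admin area misconfigured: output started before authentication.');
}

// Under mod_php the browser's Basic credentials arrive in these two variables.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';

if ($user === '' || !passwordlock_check($user, $pass)) {
    passwordlock_deny();
}
// Authenticated: fall through and let admin.php run.
```

Two caveats a practitioner would want. First, PHP_AUTH_USER / PHP_AUTH_PW are populated by PHP running as an Apache module; under CGI or FastCGI the Authorization header is often not passed through to PHP at all, and the prompt then loops. If that is your setup, an .htaccess/.htpasswd rule in front of the renamed admin script is the simpler route. Second, renaming admin.php (Jared's steps 5-7) only hides the file name; this script, or an equivalent server-side check, is what actually stops an unauthenticated request, so do the rename in addition to it, not instead of it.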
Jared
Student

Change the admin.php file to anything you want. BE SURE to change /admin/config.inc.php with the new name of the renamed admin.php file.
Carbonize
Master

They will also need to edit admin_enter.php if they use 2.2, as the target for the form data is hard-coded into it as

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous
I was able to access the admin by following the instructions here, but I cannot see previously posted messages. Plus, the /index.php file is still that hacked message.

Help!!

R. Jones

http://www.afrovoices.com/
JTD
Graduate

Get me on MSN now, plus check your email.

LINK-> Use Lazarus Guestbook