Latest posts for the topic "Tired of being hacked? Here is the fix"

Tired of being hacked? Here is the fix

Jared — GMT

Tired of being hacked?

Guide to the ultimate protection.

1) create new file and name it anything you want .php
2) insert this code (comes straight from proxy2.de site)

[code]
// include this file where you want to limit access.

$username = "test";
$password = "123";

function authenticate() {
Header( "WWW-authenticate: basic realm=\"Protected\"");
Header( "HTTP/1.0 401 Unauthorized");
echo "You must enter a valid login ID and password!\n";
exit;
}

function CheckPwd($user,$pass) {
global $username,$password;
return ($user != $username || $pass != $password) ? false : true;
}

if(!isset($PHP_AUTH_USER)) {
authenticate();
}
elseif(!CheckPwd($PHP_AUTH_USER,$PHP_AUTH_PW)) {
authenticate();
}
?>
[/code]

4)
open up admin.php and on the second line directly after place this

[code]include "/home/httpd/yourhost/yourdomainpath/www/guestbook/password_file.php";[/code]

now, make sure that the password in the authentication file matches YOUR password to the guestbook.

5) rename the admin.php to something other than admin.php
6) update /admin/config.inc.php file to reflect the new name of admin.php file
7) remove any and all links in guestbook to administration area

8)guestbook is completly secured from everyone...except you.

JTD — GMT

Does this work with GB version 2.2. Thanks in advance. Also in which directory of GB do you place the new code in. Admin???

Jared — GMT

Since I have had guestbook 2.2 in the past, the admin file pretty much works the same. I don't see any reason why it would not work.

The password file, which you can name anything you want, is also placed in the root of the guestbook folder. You will just do a php include statement in the admin file so that it runs the script on startup. This will give you a .htaccess/.htpasswd file type of user prompt.

Make sure you rename the admin.php file to something only you will know. It is also important to remove the links to the administration area, because once you have updated /admin/config.inc.php it will show the new file name in those links.

I have noticed that Chi Kien Uong (proxy2.de) has done the same to his guestbook on this site, only he has not renamed the admin.php file.

you don't have to rename the admin.php file, but it is just increased security.

the nice thing is that once you enter the password, it takes you directly into the admin area. But you have to make sure that both user name and password sets match.

amber222 — GMT

I did this and it worked great - for two days. Who knows why, but on the third day I couldn't get into admin. Even though I hadn't changed anything else, it was once again looking for a file named admin.php. so, I had to put everything back like it originally was... Go figure.

JTD — GMT

Carbonize has a much easier and simpler fix.

Carbonize — GMT

Just a couple of errors in your instructions Jared.
[code]include "/home/httpd/yourhost/yourdomainpath/www/guestbook/password_file.php";[/code] First I would use [b]require[/b] and not [b]include[/b] as this way if the password file is not found the script wont run.

Second the path will vary for every user. But given that, hopefully, the password script will be in the same directory as the admin.php we could use [code]require "passwordlock.php";[/code] This is also assuming that they named the file [b]passwordlock.php[/b].

Basically users want to open notepad and copy the first bit of script from jareds post into it. You then want to save the file as [b]passwordlock.php[/b] and then upload the file to your guestbooks directory. Make sure that the file ends in .php and that your text editor has not added an extension on the end. Now open up [b]admin.php[/b] and just after the [b]
I personally don't like this method for various reasons but it will do the job.

Auron — GMT

[quote="Carbonize"]Just a couple of errors in your instructions Jared.
[code]include "/home/httpd/yourhost/yourdomainpath/www/guestbook/password_file.php";[/code] First I would use [b]require[/b] and not [b]include[/b] as this way if the password file is not found the script wont run.[/quote]

If the file that contains the script is not found then how can the script run anyway??

Also you may wish to re-write your notes on Jared' method of securing the
guestbook since its doesn't make much sense.

_ Auron

Carbonize — GMT

If the PHP engine doesnt find the file indicated in the [b]include[/b] it will report an error but carry on with the rest of ths script. If it doesn't find the file indicated in [b]require[/b] it will stop running the script at that point.

My instructions
1 - Open up your favourite text editor, notepad for example.
2 - Place the following in the empty file remembering to make the password the same as your guestbook password[code]
// include this file where you want to limit access.

$username = "test";
$password = "123";

function authenticate() {
Header( "WWW-authenticate: basic realm=\"Protected\"");
Header( "HTTP/1.0 401 Unauthorized");
echo "You must enter a valid login ID and password!\n";
exit;
}

function CheckPwd($user,$pass) {
global $username,$password;
return ($user != $username || $pass != $password) ? false : true;
}

if(!isset($PHP_AUTH_USER)) {
authenticate();
}
elseif(!CheckPwd($PHP_AUTH_USER,$PHP_AUTH_PW)) {
authenticate();
}
?> [/code]
3 - Save the file as [b]passwordlock.php[/b] making sure your text editor has not added a different extension to the end.
4 - Upload the new [b]passwordlock.php[/b] file into your guestbooks directory.
5 - Open up [b]admin.php[/b] and just after the

Anonymous — GMT

I'm going to try this. Just wanted to know if I can substitute another name for "passwordlock.php" if the other name is also used in step 5. Sounds logical?

[quote]3 - Save the file as passwordlock.php making sure your text editor has not added a different extension to the end.
4 - Upload the new passwordlock.php file into your guestbooks directory.
5 - Open up admin.php and just after the require ("passwordlock.php");
now save admin.php back to your server.[/quote]

Carbonize — GMT

Yup sounds perfectly logical to me. My main gripe was that Jared had said to save the initial file as anything you want.php and then used a specific include path and file name. I was mainly pointing out that this may confuse a lot of people and that the full path they used would not apply to all as every server is set up differently.

I still prefer my fix.

Anonymous — GMT

Well, this is giving me the header errors. Did anybody else have this problem? After removing the blank lines, I still end up with the following error:

Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxx/public_html/modules/guestbook/passwordlock.php:23)
/home/xxxxx/public_html/modules/guestbook/admin.php on line 205

Line 205 is:

[code]header("Location: $base_url");[/code]

Could this have something to do with Phpnuke, and do you know how I can fix it? Until then, I will have to disable it.

Also, (and I know this is on a different subject), the logout redirect instructions do not work with Phpnuke either.

Thanks.

Jared — GMT

change the admn.php file to anything you want. BE SURE to change /admin/config.inc.php with the new name of the renamed admin.php file

Carbonize — GMT

They will also need to edit the admin_enter.php if they use 2.2 as the target for the form data is hard coded into it as [code]action="admin.php"[/code]

Anonymous — GMT

I was able to access the admin by following the instructions here, but I can no see previously posted messages. Plus the /index.php file is still that hacked message.

Help!!

R. Jones

http://www.afrovoices.com/

JTD — GMT

Get me on msn Now plus check your email

hawkeye — GMT

I am new here and my guestbook was just hacked...I did this that carbonize mentioned and now I am getting this error when trying to access the admin

Fatal error: Call to undefined function: phprequire() in /home/mikespe/public_html/huesped/admin.php on line 1

any ideas?

Thx

amber222 — GMT

Password Lock? - This didn't work for me because I am using Phpnuke. I have not tried it in my non-nuke guestbooks.

Once the 2.2 exploit is fixed or the book is upgraded to 2.3, and html code is always disabled, there is no evidence of the guestbook being hacked. The only exception I can think of would be those guestbooks where the admin got caught in the admin loop after upgrading and mistakenly reverted back to the version 2.2 session.class.php. That's where the exploit is.

Followed instructions but will not let me in

tcjay — GMT

Which directory does the passwordlock.php file belong. The enter network password box appears but will not let me in when using the default test 123 user/passwords. TIA TOm

Carbonize — GMT

[quote]Fatal error: Call to undefined function: phprequire() in /home/mikespe/public_html/huesped/admin.php on line 1 [/quote]Lost me. Where did this phprequire call coem from? It's not in my admin.php and I don't remember anything in the image verification mod that involved the admin.php file.

hawkeye — GMT

I pasted this in the admin.php like you mentioned in the above posts...and as a result this is the error I got...

This is not the image verication mod..this is the fix to stop from getting hacked...

[code]require ("passwordlock.php");[/code]

You did say to put this in the admin.php correct?

Thx

Carbonize — GMT

Try removing the ()'s so it's just [b]require "passwordlock.php";[/b].

hawkeye — GMT

Thank you Carbonize...I will try it when I get home from work and post back here the results...

On a side note...I sent you an email via your MSN address...I waswondering if you got it?

Thx

hawkeye

Carbonize — GMT

No as my hotmail account only exists to let me use MSN messenger. My email address is on my website and at the bottom of every post I make in the forum.

Not able to login

Anonymous — GMT

I put the passwordlock on thew geustbook.
But now i have the following problem.
I have put in the password lock the right password and username.
but when i want to login thru the password box, it keeps hanging in a loop.
When i remove the passwordlock.php and adjust admin.php then i can just login normal with the password i have appleid.

How can i solve this

Carbonize — GMT

If you are using Advanced Guestbook 2.3.1 or 2.3.2 there is no need to go to this extreme.

Anonymous — GMT

Thx i'm using 2.3.2
And i'm really happy with it.

akira — GMT

Hi,

I am using 2.3.2 now and the admin login is from browser instead of a pop-up password window.

Should I make a change in accoding to the modification posted here? Are the changes work for 2.3.2?

Please advice and thanks in advance.

Carbonize — GMT

2.3.2 is secure so I'd just leave it as it is.

akira — GMT

Thanks Carbonize.

Tired of being hacked? Here is the fix

Severynin322 — GMT

It,s problem!

Tired of being hacked? Here is the fix

Carbonize — GMT

[quote=Severynin322]It,s problem![/quote]

What?

Re:Tired of being hacked? Here is the fix

deragoku — GMT

I should change accoding posting the changes here? Changes in the work of 2.3.2?