Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 12:08 pm EDT

Geeklog Forums

Have I Been Hacked? anonymous always logged in?


Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
freakingout
I posted an inquiry 9/17/05 (http://www.geeklog.net/forum/viewtopic.php?forum=3&showtopic=57750) regarding the login required prompt being on a page by itself, and asking if it could be placed in center block instead. I never did anything to attempt to work-around.

Sometime since then, not exactly sure when, even though I have config.php set to require login for almost all functions, everything is available except posts to forum. The welcome message shows as anonymous being logged in. I have checked and rechecked config.php, even replaced it with a 'working correctly' config file from another site. Nothing works. I have made changes within geeklog as admin, but nothing within any scripts.

Searching for how to modify 'anonymous' from showing after the welcome message, I found the post explaining how. Seems one would have to know a lot more about php than myself to change this, so this is when I decided I must have been hacked in some way.

I also deleted browser cache, used different browser, etc. Nothing works. The 2nd site I have with geeklog works fine. Requires login as requested.

Anyone have any ideas?

Problem site: http://notaryregister.com/


... pay it forward ...
 Quote

annon

Anonymous
I have no idea but is it possible that when there are multiple sites on a domain (or server?), do the cookies need to be labelled differently in each config to avaid conflict??
 Quote

Status: offline

newblogger

Forum User
Regular Poster
Registered: 08/22/04
Posts: 107
Location:Virginia Beach
i would guess you might have been hacked.. i currently have 7 sites running geeklog on my server, i have never experienced any of the problemes that you are. sorry i couldn't be more help
Got Hot wheels? http://www.dcmotoring.com
 Quote

remdotc

Anonymous
assuming you still have this problem your best best is to get the raw log files from the web server, should you have access in question

the real questions you should ask and find out before you make such a claim

Have you disabled the site?
What OS/ Are you running. Is it patched
What Services are you running , and are they up to date and patched
What Weberser are you running, is it up tod ate, ptached and configured correctly
What version of PHP
What version of MySQL
What add in modules to you have running
what are the directory permissions
what is the global scope of your "compromised system" Will your other systems be effected, or are they already?

If you truily believe you are hacked, you need to pull the server offline. this meens physically disconnecting the server off the network / internet. Pulling the drive(s) and data for detailed analysis and possible legal investigation / proscution

Note that if you file a complaint with the FBI Cybercrime unit, They will pull your box, and thus you will need to run another for a while

More often than not its a virus or malformed spam bot doing nothing more than what its designed to do, SPAM

If you search the net, there are a number of articles on how to block people and services as well as harden your webserver (s) in just an event

Either way, more than likely, usually out of 30 hacking claims less than 1 is semi legitimate, and usually that is a script kiddie running some automated program they found on a "l33t" site. A raw copy of the server logs along with a nasty phone call to the end users ISP usually is more than enough to get there services terminated

Just my thoughts

RemdotC
 Quote

Status: offline

vadertech

Forum User
Full Member
Registered: 05/26/03
Posts: 329
If you log out, can you do anything that an anonymous user shouldn't be able to do? (Post in forum, comment, admin stuff, etc.)

Try replacing your lib-common.php with a fresh version and see if that fixes anything. Rename your original one to lib-common.old. Also you can download beyond compare (google for it) and compare the new lib-common.php to your original one. See if anything is different.

Also check your database table "users" and make sure anonymous user's uid is -1.

Be sure to post your findings.
GeekLog Hosting, Installations and Upgrades - WWW.AWEHOST.COM - Hosting starts @ only $4.95/mo.
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by vadertech: Also check your database table "users" and make sure anonymous user's uid is -1.


1, actually. I also agree that you should try rolling back any code modifications you made recently.

My guess is, it's either the uid of Anonymous or some broken code in the session / login handling and / or lib-common.php

bye, Dirk
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
UID is set to 1. Replaced lib-common.php but didn't help. Giving it a try

Where should I begin looking for the session/login files? I've been thru most of the files searching for anything with a modified date over the past 10 days and haven't found anything relevant.

Any more ideas/suggestions would be greatly appreciated.

Thanks
... pay it forward ...
 Quote

Status: offline

vadertech

Forum User
Full Member
Registered: 05/26/03
Posts: 329
I mean 1. I think maybe phpbb is -1. Embarassed

Try renaming and replacing your system folder. If you have any custom code in lib-custom.php, u will need to copy that file into the new folder.

As far as a login center block, why don't you try copying the html from loginform.thtml in your theme folder and putting it into a static page. I haven't tested it but it is worth a shot.

*EDIT - ok i tested it and it works if you hard code the url and you can change the static page to only show for anonymous users.
GeekLog Hosting, Installations and Upgrades - WWW.AWEHOST.COM - Hosting starts @ only $4.95/mo.
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
Since 'anonymous' is being welcomed so kindy to my site, shouldn't I be able to find the code which tells the word 'anonymous' to print after the welcome to...

I have downloaded the entire html directory and used a searh tool to find any instance of 'anonymous'.

I have found nothing which would cause 'anonymous' to print. The only instances which reference the typed input are 'Anonymous' (capital A).

I even checked the db and the user is Anonymous not anonymous.

Any more ideas?

javascript:emoticon('Banging your head')
... pay it forward ...
 Quote

Status: offline

vadertech

Forum User
Full Member
Registered: 05/26/03
Posts: 329
that's because the word "anonymous" is in your english.php file. Just removing the code will mess up something else. You need to replace your files as suggested so geeklog will work as intended and hopefully fix your problem. Dirk suggested it might be something with your login or session files. He probably has a good idea of how to fix it.
GeekLog Hosting, Installations and Upgrades - WWW.AWEHOST.COM - Hosting starts @ only $4.95/mo.
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
Thanks for the reply vadertech. Doesn't the english.php file instruct to print anonymous with a capital A? This was my concern when I asked about this. I couldn't find any reference which would instruct it to print with lower case a.

As far as replacing files, I'm working on it. I'm downloading a working set from another gl site of mine and will attempt to compare files to perhaps find the offending issue instead of just replacing everything. Hoping by doing this it will save someone else some time if it ever happens again.

Since the site is so new, I won't be risking too much. I have backed up current db and analyzed it also, compared to the known good one, and found no issues there. I'm not a programmer so it's possible I have overlooked things, but I learn fast and believe me I'm learning a lot from all this.

Thanks for everyone's help and suggestions so far. Keep them coming. I'll post updates as I progress. Giving it a try
... pay it forward ...
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
Very Happy Well, for anyone following along with this, progress is being made. After comparing a known good geeklog install with this problem one, and finding nothing except content differences, I decided to focus on the database itself before I started replacing all the gl files.

Replaced my problem site's database with the known good one, and woo hoo, works like a charm. No mr(s). anonymous!!!! No access where not allowed!!!! Was hoping when I reinstalled the problem database, maybe whatever is wrong would right itself, but it didn't happen. anonymous is back!!!!!

I have already looked, studied, and compared until my eyes are bleeding, but have found nothing as of yet which would resolve. So, I'm takin a break, and lookin again later.
... pay it forward ...
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
The paypal plugin was the culprit. Now, if I can just find out why....
... pay it forward ...
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by clicktrader: The paypal plugin was the culprit.

Whew, thanks for letting us know. I really had no idea what else to suggest ... Neutral

bye, Dirk
 Quote

Status: offline

vadertech

Forum User
Full Member
Registered: 05/26/03
Posts: 329
Quote by clicktrader: The paypal plugin was the culprit. Now, if I can just find out why....


Did it happen right after you installed the plugin or did the plugin work fine then it happened later? Just curious.
GeekLog Hosting, Installations and Upgrades - WWW.AWEHOST.COM - Hosting starts @ only $4.95/mo.
 Quote

Status: offline

clicktrader

Forum User
Newbie
Registered: 09/09/05
Posts: 12
Location:Virginia
I can't say for sure whether the problem started immediately after the plugin was installed, or later. However, I will be adding the plugin to the other site I used for comparing/testing this issue and will post the results. May be a few days...
... pay it forward ...
 Quote

Status: offline

vinny

Site Admin
Admin
Registered: 06/24/02
Posts: 352
Location:Colorado, USA
embarrassed
I missed this thread earlier. Anyway, the problem is the paypal plugin. If you want more details see:
http://vinny.furiafamily.com/forum/viewtopic.php?forum=1&showtopic=16

Basically I was having the plugin "force" the anonymous user id, name, etc, into $_USER. Apparently Geeklog prefers an undefined/empty $_USER for the anonymous user. I'll fix the paypal plugin to conform to Geeklog's wishes in the next release.

-Vinny
 Quote

All times are EDT. The time is now 12:08 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content