>> Peta Laman >> News
HOWTO: HOW TO RENAME YOUR ADMIN.PHP
#65 - 0--zulkiply--HOWTO: HOW TO RENAME YOUR ADMIN.PHP--2007-02-07 13:41:01
Recently, I wrote a guide on how to modify phpnuke captcha and has resulted in a flurry of comments and queries requesting me to write a guide on "how to change admin.php?" This article is not intended to teach you how to hack into PHPNuke but how to secure it properly. Since most of hackers are targetting this critical file to achieve their mission
you have to camouflage the file and secure it properly.
Read the rest of this article for some ideas on how to secure your PHPNuke against hackers...
- Even during the installation phase of phpnuke, we are told to change the admin.php. Here are a few lines found on top of config.php
# $admin_file: Administration panel filename. "admin" by default for
# "admin.php". To improve security please rename the file
# "admin.php" and change the $admin_file value to the
# new filename (without the extension .php)
Thats it! But how many of us have change it?
Let us start.
1) Fire up your config.php which is in the root (if you have not move it elsewhere).
Then find for this line:
$admin_file = "admin";
Change it to something else, what name you want your admin file to be (its only you know it), for example:
$admin_file = "hibiscus";
Note: (without the extension .php)
Save this config.php file.
2) Now make a copy of admin.php and rename the copy as hibiscus.php. Bring out the original admin.php to some where else - maybe you need it back if something goes wrong while following the process here).
3) This step involved some lines in your database. So now go to your mysql and find your database and modify to fit your needs. For example, in the SQL query type this (dont forget to change hibiscus.php to the name you have chosed in no.1):
DELETE from nuke_blocks where bid=2 and bkey='admin';
INSERT INTO nuke_blocks VALUES (2, 'admin', 'Administration', '<strong><big>·</big></strong>
<a href="hibiscus.php">Administration</a><br>\r\n<strong><big>·</big></strong>
<a href="hibiscus.php?op=adminStory">NEW Story</a><br>\r\n<strong><big>·</big></strong>
<a href="hibiscus.php?op=create">Change Survey</a><br>\r\n<strong><big>·</big></strong>
<a href="hibiscus.php?op=content">Content</a><br>\r\n<strong><big>·</big></strong>
<a href="hibiscus.php?op=logout">Logout</a>', ', 'l', 2, 1, 0, '985591188', ', ', 2, '0', 'd', 0);
4) Done? Not yet. Now go to your nuke/admin folder. There are so many files in each sub-folder. Lets do it one by one together.
a) Begin with nuke/admin/case subfolder
Try to open 1 file in this subfolder named case_authors.php
Find the line
"if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
Since you have rename the file to hibiscus.php, the statement there should now changed to
if (!eregi("hibiscus.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
Save it.
Do the same to all files in this subfolder.
But sometimes you may encounter a different statement there like:
if ( !defined('ADMIN_FILE') )
{
die("Illegal File Access");
}
if it is so, then leave it as it is.
b) Now go to nuke/admin/links subfolder
Fire up one of the files there such as links_blocks.php
find this line:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
if ($radminsuper==1) {
adminmenu("admin.php?op=BlocksAdmin", ""._BLOCKS."", "blocks.gif");
}
You know what to do now, yes, change admin.php to hibicus.php
As usual, do the same to every files in the subfolder.
c) Go to nuke/admin/modules
Fire up one of the files there such as authors.php
hunt for this line:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
Change admin.php to the name you have chosen.
Do the same to all files in this subfolder.
Tke note that you may have installed several modules and that modules have created sub-sub folder in the admin/modules. So venture in each every file there to find whether there are changes to be made there - hunt for admin.php statement.
5) Then go to modules/_module_name/admin
Take up one subfolder that for instance nuke/modules/Reviews/admin
and fire up one of the files say index.php
There again you will find this statement
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
Change the "admin.php" name.
do it to every files there and in every admin subfolders in nuke/modules.
6) Everything now should be in tact and should be working.
Try it now to bring up your new admin file and login.
http://www.yourdomain.com/nuke/hibiscus.php
Can you login and are you succesfully got into your admin panel?
Great!
7) REMINDER
a) Never disclose the name of your new file in your nuke especially in the front page. If there is a link to admin.php
in your menu, remove it OR make a fake admin.php file such as trapping those calling admin.php
by gathering their details and store it in a log file so that you can ban them.
For example you can gather the IP, referer, browser etc and keep it in a log.html file. This is a fake admin.php
<?
//Set the date so we can store it in the text file.
$tdate = date("dS F Y h:i:s A");
//Check if there is a referer
if (!$HTTP_REFERER) { $HTTP_REFERER = "(NONE)"; }
$ip = getenv("REMOTE_ADDR");
$browser=$_SERVER['HTTP_USER_AGENT'];
$page = $_SERVER['REQUEST_URI'];
//Store it in the log.html file ! DONT FORGET TO SET COUNTER.TXT CHMOD 777 !
$fp = fopen("log.html", "a");
$line = "$tdate | IP: $ip | Browser:$browser | Page: $pagen
";
fwrite($fp, $line);
fclose($fp)
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Oops! You are not authorised to view this page
</head>
<body>
<h3>You do not have permission to access this page/directory. [error 401]
<p>... Get out from here!
</body>
</html>
You can always open up your log.html file to see who is trying
to hack your site via admin.php file.
8) FINALLY, it is a good practice to put your config.php file outside the
Web Server path, then you can create a new config.php with the line:
<?php include("../config.php"); ?>
GOOD LUCK.--comments-->16--10029--16
