Topic: Hacked again..

[smokester]

I thought I'd set up a thread with info about when we are hacked or an attempted hack that has caused the site to fail.

Today we were hacked and when that happens access is restricted to only my IP so I can get in and fix things.  It was awkward because I had to go to East London to a client so I could only inspect half of the site before I had to leave.  It looks ok now and I will try and get full access back to the members.

[goldshirt*9]

seems ok for me know.
I wont post a picture of the screen i got when i tried to log in  as all seems ok

[smokester]

We were hacked at around 9am (GMT) which really pissed me off as that it a bad time for me to sit down and wade through the site files. Next time can the hacker (if you are reading this) hack us around 1pm as I'll be all calm and drinking tea at that time.

[xtopave]

 

[dweez]

Any idea on how we were compromised?  Is there a SMF exploit we need to look into?

[Beatrix]

Sorry there Smokes.

[smokester]

Any idea on how we were compromised?  Is there a SMF exploit we need to look into?

Tricky one really.  In the past when the site shared the same password with the database, I assume they exploited a vulnerability to obtain it, and then created FTP user accounts and had a field day.  But now that is not the case and just last week we upgraded to MySQL 5.5, I have no idea how they got to upload some crap, even bypassing the SMF firewall while they did?

You could have always done it?  If it's more pay your after then consider your salary doubled as of today.

 

[ohcheap1]

I did email dweez when I saw it. Sadly he never responded.

[dweez]

Sorry oc1, I don't normally get a chance to check my e-mail on the weekend.

[smokester]

I did email dweez when I saw it. Sadly he never responded.

Did you get the "...forbidden" page?  The system is pretty good now as when malicious files are detected, access is automatically forbidden to all IPs.  Then when I see the notification they grant access to my IP and then I can go in a fix things.

Essentially this means if the site is hijacked, no one can unsuspectingly fall foul to a phishing scam or the like. 

[goldshirt*9]

I had the forbidden page and the 403 also
looked pretty impressive.

[smokester]

I had the forbidden page and the 403 also
looked pretty impressive.

The problem is that if the hack was to do with a MySQL vulnerability, it is not that straightforward to change the password for the database (that I know of). You have to rebuild it using a new user account which then has new credentials and then use that new database for the site.

What I am saying, without saying too much, is it could happen again.

[goldshirt*9]

O well
s==t happens 

[smokester]

O well
s==t happens

I don't think it will as it was futile, and tomorrow I'll be able to do the above.

[dweez]

I know it's fairly simple to reset the root password on MySQL.  Not sure if that applies to other accounts, but once you have the root password, you're pretty much golden for the whole thing.

http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html

This assumes we have root access to MySQL.  If we're sharing the MySQL instance with other sites, we might just have a specific user for Diasfora.  In cases like that, the hosting company should have root and should be able to reset the db account password for you.

[bubu]

I am having problem with the site, still some pages don't open up, could be related to this problem?

[smokester]

I know it's fairly simple to reset the root password on MySQL.  Not sure if that applies to other accounts, but once you have the root password, you're pretty much golden for the whole thing.

http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html

This assumes we have root access to MySQL.  If we're sharing the MySQL instance with other sites, we might just have a specific user for Diasfora.  In cases like that, the hosting company should have root and should be able to reset the db account password for you.

We can set up as many MySQL user accounts that we want and then set the database to use the credentials from one of those users to operate (that's the tricky part), while keeping the admin account for the site, separate. Then we might have to update the settings here so that the forum still had permission to use the database.

[busterone]

Hey Smokes. There was an undisclosed security vulnerability in SMF 2.0.2, but I have not been able to get a straight answer from anyone over there as to exactly what it was. The 2.0.3 patch through the admin control panel will fix it though, if and only if that is the way they are getting in. The patch doesn't affect any installed mods or customizations, and took less than a minute to implement. 

[smokester]

Thanks Buster, I'd suspected that the site software might have been the weak link as the main site was still locked down.  I'll run that update immediately and hope that is the last of it.

I am having problem with the site, still some pages don't open up, could be related to this problem?

It was probably a load spike on the server as they happen intermittently. Thanks for mentioning it though.

[busterone]

I suspect that was it, but of course, you know your own setup better than anyone else. The site is responding really fast for me today also.

I understand why they won't tell what the holes are, not wanting every skiddie out there hacking away at all the unpatched sites, but for us that have to deal with the hack attempts, it would be nice to know what they are targeting.

Happy anniversary!

[smokester]

I suspect that was it, but of course, you know your own setup better than anyone else. The site is responding really fast for me today also.

I understand why they won't tell what the holes are, not wanting every skiddie out there hacking away at all the unpatched sites, but for us that have to deal with the hack attempts, it would be nice to know what they are targeting.

Happy anniversary!

Many thanks again Buster, as you can see we are now 2.0.3.

I have other sites I maintain that also use SMF  2.0.2., and they have also been hacked at least once although not that recently.  I'll run the patch over on them too and see if that puts an end to things.

Is Aelthric using that update I wonder.

[busterone]

Aelthric is still on 2.0.2 as of a little while ago.

[dweez]

I understand why they won't tell what the holes are, not wanting every skiddie out there hacking away at all the unpatched sites, but for us that have to deal with the hack attempts, it would be nice to know what they are targeting.

I understand the logic behind this, but it's a flawed logic.  Much like DRM, not giving full disclosure only keeps the info out of the hands of the "good people".  The hackers have their own sub-culture and can easily learn of the details of a 0-day vulnerability.

[busterone]

So true. In many, if not most cases, the hacker underground knows about a software vulnerability long before the developers do. Keeping it away from the good guys serves no real purpose that I can see.

[6pairsofshoes]

Thanks for fixing it.

[SACPOP]

As dumb as this may sound (and it WILL sound dumb), I was always under the impression that running a forum was a lot more simple than it is.
I figured you just bought a domain, paid the server provider, picked a template, chose some colors, checked a few boxes, and viola! you are now running a forum. After reading a little into it I now know I could not have been more wrong (well, I guess I could if I really tried... ).

Thanks for all the work you do.

[xtopave]

You know, SACPOP... Your post makes me want to say thank you again.

[smokester]

As dumb as this may sound (and it WILL sound dumb), I was always under the impression that running a forum was a lot more simple than it is.
I figured you just bought a domain, paid the server provider, picked a template, chose some colors, checked a few boxes, and viola! you are now running a forum. After reading a little into it I now know I could not have been more wrong (well, I guess I could if I really tried... ).

Thanks for all the work you do.

Essentially this is true, but forums are "dynamic" sites that require both the front end and a back end. Then have to continually upgrade the site, add modifications - quite often by hand (as Buster will testify), maintain a healthy database as it is this that is the forum, so if that goes, then everything goes (as Aelthric will testify), and fix things that regularly break.

You also have to continually battle your host (as Dweez will testify to due to some hilarious senior management threads) as dynamic sites, as opposed to static ones, require a constant low server load and most of the services to be up and running well - hosts tend to want to oversell their servers which cause high loads which then knocks out other services like MySQL etc - and just chasing the techs that run the servers can be a major struggle by itself. Our first host for instance, took about 36 hours just to reply to an outage ticket let alone deal with the problem.

Then you have hackers and spammers that have nothing better to do than to destroy other people's work.

[busterone]

Indeed. Back before I switched from the 1.1.x series to the 2.x series, every single modification had to be hand coded repeatedly for every theme that was installed to the forum. At that time, that would mean several hours of adding code to a dozen or more theme templates, as well as the code the mod added to the core files.  Then, because so many themes are slightly different in their templates and structure, some themes would break or display wonky, and you had to experiment and manipulate the code to bring it back in line.  I don't miss those days at all.

Hosting issues are always a potential nightmare, depending on how well they maintain the servers and their own security. Then you always have the good and the bad service reps. God forbid you get one of the idiots for server support. 

 Then the worst of them are the hackers and spammers. Spam fighting is an ongoing fight. For every measure we take to keep them out, they soon learn ways to bypass it and get in again. I hate them more than I can speak here. 

[smokester]

I can see the spambots trying to register all the time, but the invite system gives us complete security against spam and self registering robots.  That might be why when they get home empty handed, their coder decides to hack us for good measure.

[smokester]

Either I'm going mad or some of the previously deleted hack files, reappeared.

MarkMonitor then got us temporarily shut down and saved the world in the process

[xtopave]

I've been scared for the last half hour or so when I got "Forbidden". 

[smokester]

I've been scared for the last half hour or so when I got "Forbidden". 

For me it was "ACCOUNT SUSPENDED" which was odd as I do the suspendin' and stuff for individual accounts.  Then I read my mail which included the MarkMonitor request to the host to shut us down.

I am second guessing myself now but I am sure I checked every single file individually and deleted all that shouldn't have be there.  I also checked the code of files that had been modified post the SMF installation to check that they hadn't been altered in some way.

It may be another conspiracy.

[ohcheap1]

Got an IM from Goldie and he was getting the "ACCOUNT SUSPENDED" message too.

[mishca09]

I got acct suspeneded @ like 5am and then later in the morning got the forbidden message.
Every seems to be okay now, thank goodness.

[Autumn]

^same for me. I gotta say, I was freaking out. I already lost the noid, I can't lose you guys too!

[smokester]

For everyone's interest, we cannot disappear or be shut down for very long as I essentially control the domain (as a reseller). I could have re-activated the site myself this morning but seeing as it was a serious request from the real authorities, I thought it better to liaise with the host to ensure they were fully aware of the current situation and could check the site files themselves.

If we are ever offline/suspended/giving you errors, it shouldn't take very long for me to sort things out - as long as I haven't had too many beers.

[xtopave]

as long as I haven't had too many beers.

Aaaaand we're doomed. 

[smokester]

I've just realised that our legitimate smileys have now gone.  That was the folder that had the hidden poo in it and why they may have been harder to detect (although I'm sure I did).  I'll get 'em back asap.

[dweez]

smokester, did you get an e-mail from SMF on Feb. 4th titled "SMF 2.0.4 and 1.1.18 critical security patches released"?  Maybe it was a new exploit that nailed us?  Let me know if you need me to forward it to you.

[6pairsofshoes]

I missed the excitement, but I'm glad you have the matter well in hand.  Thanks.

[goldshirt*9]

Missed all the "fun" it seems.
glad its all ok now. phew

[smokester]

smokester, did you get an e-mail from SMF on Feb. 4th titled "SMF 2.0.4 and 1.1.18 critical security patches released"?  Maybe it was a new exploit that nailed us?  Let me know if you need me to forward it to you.

I may have but haven't checked the email attached to my SMF account this year.

When I had to replace the smileys folder last night, I did so using an archive I made of the site files after the hack last month or whenever it was.  The phishing files were not in that but were yesterday after the suspension, so someone is still meddling by the looks of it.  I need to change all the passwords again especially that of the database so if you all bump into the maintenance page sometime in the near future, you'll know what's happening.

[townie2]

i was getting the "forbidden" message too. anybody piss off Anonymous? 

[smokester]

i was getting the "forbidden" message too. anybody piss off Anonymous? 

That would have been me.

[goldshirt*9]

doesn't take alot these days to piss off Anonymous.
The standards of the hacker today have certainly dropped

[smokester]

These days it seems to be all about "phishing". We have never had a hack from a bored, probably spotty, teen trying to hone his skills, nor have WikiLeaks made any attempt to out us.  What does happen every time one of my sites are hacked, is that bogus phishing pages and files are added in an attempt to defraud someone.

It's pretty futile to as these files are almost immediately picked up and either quarantined or the site disabled.

[8ullfrog]

Have you ever considered kicking off a new week/month/year by completely firebombing the database and starting from scratch? I always thought the demonoid fora could be improved by a short exposure to a black hole.

[smokester]

The database is never touched.  What they seem to do is find a vulnerability that gets them FTP access and then they upload the files. 

There was one hack when all the index pages (SMF has a lot of them) had the code altered with a redirect script, but as some of the index pages were remote and only called back the main index, I presume this was also an automatic hack that just searched and altered all instances that it found.

[8ullfrog]

Any idea what makes them target this site specifically?

[smokester]

Any idea what makes them target this site specifically?

I would guess that in part it may be the SMF installation as few, if any, versions have been bulletproof. It could also be that on paper it looks like we have a lot of traffic so if you are going to go phishing, you will need the phish. Lastly, you have to consider that dweez is a hacker-magnet.  He had signed up to be a chick-magnet but the ink ran.

[dweez]

Dang!



It's probably an automated thing.  Hacker runs a script and plugs in a range of IP addresses then walks away.  Script checks each IP to see if it's vulnerable to any of a number of exploits.  Script reports back to hacker, either when the scan is complete or as each vulnerable IP/server is found to let him/her know what it's vulnerable to.

The smart hackers do what's called a "slow scan".  It takes much longer but can help avoid "threshold" security on the server (server locks out offending IP and/or alerts the server owner if too many malicious looking "hits" occur during a pre-set up timeframe).

[smokester]

I'm confused now: where's the twitching eye?

[smokester]

Sorry all. Had to work and then this one was difficult to remedy once I got home and started on it.

Must eat and bathe and will update later.

[6pairsofshoes]

encore une fois?

[bubu]

Happy you are back 

[brickbatz]

Happy you are back 

\o/

[tarascon]

Thank you for the good work smokester. >bows<

[Discover99]

Happy you are back 

word

[smokester]

encore une fois?

Yep, they were at it again.

Thank you for the good work smokester. >bows<

Thanks tarascon. 

I have taken some additional measures in an attempt to stop this happening again.  I'm not entirely sure why we have had such interest recently when we have gone years without a squeak. 

Keeps it interesting I suppose.

[tarascon]

People like that do not deserve the name Hacker; there's nothing creative about what they do.
(and I'm not referring to the hacker/cracker dichotomy either...)

[dweez]

You're absolutely right t.  Most of the time, they don't do anything except download a script from an underground hacker site.  These kinds of <fingerquote>hackers</fingerquotes> get the nom de plume of "script kiddiez".

[goldshirt*9]

You're absolutely right t.  Most of the time, they don't do anything except download a script from an underground hacker site.  These kinds of <fingerquote>hackers</fingerquotes> get the nom de plume of "script kiddiez".

very now ish http://www.bbc.co.uk/news/technology-21371609

[tarascon]

very now ish http://www.bbc.co.uk/news/technology-21371609

frakin' mutants. we reap what we sow.