Author Topic: Hacked again..  (Read 29016 times)

Offline smokester

  • Administrator
  • Q
  • *
  • Posts: 15833
  • Gender: Male
  • Da mihi castitatem et continentiam, sed noli modo!
Hacked again..
« on: January 12, 2013, 07:36:44 AM »
I thought I'd set up a thread with info about when we are hacked or an attempted hack that has caused the site to fail.

Today we were hacked and when that happens access is restricted to only my IP so I can get in and fix things.  It was awkward because I had to go to East London to a client so I could only inspect half of the site before I had to leave.  It looks ok now and I will try and get full access back to the members.
Don't put off until tomorrow, what you can put off until the day after.

There is an exception to every rule, apart from this one.

Offline goldshirt*9

  • Super Hero
  • *******
  • Posts: 7273
  • Gender: Male
  • Who yous looking ats
Re: Hacked again..
« Reply #1 on: January 12, 2013, 10:23:26 AM »
seems ok for me now.
I won't post a picture of the screen I got when I tried to log in as all seems ok

Offline smokester

Re: Hacked again..
« Reply #2 on: January 12, 2013, 10:36:27 AM »
We were hacked at around 9am (GMT) which really pissed me off as that is a bad time for me to sit down and wade through the site files. Next time can the hacker (if you are reading this) hack us around 1pm as I'll be all calm and drinking tea at that time.

Offline xtopave

  • Site Modette
  • Q
  • *
  • Posts: 28876
  • Gender: Female
Re: Hacked again..
« Reply #3 on: January 12, 2013, 01:40:10 PM »
 >:(

Offline dweez

  • Global Moderator
  • Q
  • *
  • Posts: 11610
  • Gender: Male
  • Rebel Mod
Re: Hacked again..
« Reply #4 on: January 12, 2013, 02:26:20 PM »
Any idea on how we were compromised?  Is there a SMF exploit we need to look into?
--dweez

Offline Beatrix

  • Cro-Magnon
  • ****
  • Posts: 861
Re: Hacked again..
« Reply #5 on: January 12, 2013, 02:55:45 PM »
Sorry there Smokes.

Offline smokester

Re: Hacked again..
« Reply #6 on: January 12, 2013, 05:54:18 PM »
> Any idea on how we were compromised?  Is there a SMF exploit we need to look into?

Tricky one really.  In the past when the site shared the same password with the database, I assume they exploited a vulnerability to obtain it, and then created FTP user accounts and had a field day.  But now that is not the case and just last week we upgraded to MySQL 5.5, I have no idea how they got to upload some crap, even bypassing the SMF firewall while they did?

You could have always done it?  If it's more pay you're after then consider your salary doubled as of today.

 

Offline ohcheap1

  • Q
  • *
  • Posts: 19082
  • Gender: Female
Re: Hacked again..
« Reply #7 on: January 12, 2013, 07:50:01 PM »
I did email dweez when I saw it. Sadly he never responded. :(

Offline dweez

Re: Hacked again..
« Reply #8 on: January 13, 2013, 01:09:07 AM »
Sorry oc1, I don't normally get a chance to check my e-mail on the weekend.
--dweez

Offline smokester

Re: Hacked again..
« Reply #9 on: January 13, 2013, 05:34:04 AM »
> I did email dweez when I saw it. Sadly he never responded. :(

Did you get the "...forbidden" page?  The system is pretty good now as when malicious files are detected, access is automatically forbidden to all IPs.  Then when I see the notification they grant access to my IP and then I can go in and fix things.

Essentially this means if the site is hijacked, no one can unsuspectingly fall foul to a phishing scam or the like. 

Offline goldshirt*9

Re: Hacked again..
« Reply #10 on: January 13, 2013, 05:36:19 AM »
I had the forbidden page and the 403 also
looked pretty impressive.

Offline smokester

Re: Hacked again..
« Reply #11 on: January 13, 2013, 05:47:41 AM »
> I had the forbidden page and the 403 also
> looked pretty impressive.

The problem is that if the hack was to do with a MySQL vulnerability, it is not that straightforward to change the password for the database (that I know of). You have to rebuild it using a new user account which then has new credentials and then use that new database for the site.

What I am saying, without saying too much, is it could happen again.

Offline goldshirt*9

Re: Hacked again..
« Reply #12 on: January 13, 2013, 05:49:21 AM »
O well
s==t happens 

Offline smokester

Re: Hacked again..
« Reply #13 on: January 13, 2013, 05:51:22 AM »
> O well
> s==t happens

I don't think it will as it was futile, and tomorrow I'll be able to do the above.

Offline dweez

Re: Hacked again..
« Reply #14 on: January 13, 2013, 12:58:30 PM »
I know it's fairly simple to reset the root password on MySQL.  Not sure if that applies to other accounts, but once you have the root password, you're pretty much golden for the whole thing.

http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html

This assumes we have root access to MySQL.  If we're sharing the MySQL instance with other sites, we might just have a specific user for Diasfora.  In cases like that, the hosting company should have root and should be able to reset the db account password for you.
--dweez