Author Topic: Forum hacked. Session stolen?  (Read 1566 times)

Offline toster

  • Newbie
  • *
  • Posts: 3
Forum hacked. Session stolen?
« on: June 21, 2008, 05:20:51 AM »
Hello. I've got some problems finding the way the hacker cracked my forum.

Sorry for my English.

Here is the case:
We had a member banned by the second admin. The banned member used some way to get admin privileges and banned the second admin.

I had no Moderation Log enabled until now (my mistake).

Here is something interesting I found in the server logs:

Quote
[20/Jun/2008:15:55:22 +0300] "GET /index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269;action=login2;sa=check;member=825 HTTP/1.1" 302 26 "hxxp:forum.beinsa.info/index.php?PHPSESSID=184581569447aa53d5154bcd48479c20; [nonactive]" "Firefox/2.0.0.14"
[20/Jun/2008:15:55:22 +0300] "GET /index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269; HTTP/1.1" 200 8371 "hxxp:forum.beinsa.info/index.php?PHPSESSID=184581569447aa53d5154bcd48479c20; [nonactive]" "Firefox/2.0.0.14"
[20/Jun/2008:15:55:29 +0300] "GET /index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269&action=profile;u=987 HTTP/1.1" 200 4821 "hxxp:forum.beinsa.info/index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269; [nonactive]" "Firefox/2.0.0.14"
[20/Jun/2008:15:55:39 +0300] "GET /index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269&action=trackip;searchip=213.226.51.254 HTTP/1.1" 200 4327 "hxxp:forum.beinsa.info/index.php?PHPSESSID=3c13e732e64ed95ad9b549ffa4a0f269&action=profile;u=987 [nonactive]" "Firefox/2.0.0.14"

-----------

The cracker first tried getting Settings.php this way: hxxp:site-name/Settings.php [nonactive]

As my sites are running under different users on my server, I am interested in what more I can do to protect them.
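The log excerpt in the post above carries PHPSESSID in the query string, so a session ID can be followed through the access log. The sketch below is an added example, not part of the original post or of SMF: it flags any session ID requested from more than one client address. It assumes Apache combined log format with the client IP as the first field (the excerpt above has no such column), and the sample lines, IPs, host name and session IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined format. The client IPs (documentation
# ranges), host name and session IDs are made up for this example.
SAMPLE_LOG = '''\
198.51.100.7 - - [20/Jun/2008:15:50:01 +0300] "GET /index.php?PHPSESSID=aaaa1111aaaa1111aaaa1111aaaa1111;action=admin HTTP/1.1" 200 5120 "http://forum.example/index.php?PHPSESSID=aaaa1111aaaa1111aaaa1111aaaa1111" "Firefox/2.0.0.14"
203.0.113.9 - - [20/Jun/2008:15:55:39 +0300] "GET /index.php?PHPSESSID=aaaa1111aaaa1111aaaa1111aaaa1111&action=trackip HTTP/1.1" 200 4327 "-" "Firefox/2.0.0.14"
203.0.113.9 - - [20/Jun/2008:15:56:02 +0300] "GET /index.php?PHPSESSID=bbbb2222bbbb2222bbbb2222bbbb2222;action=profile HTTP/1.1" 200 4821 "-" "Firefox/2.0.0.14"
198.51.100.7 - - [20/Jun/2008:15:57:10 +0300] "GET /index.php?action=help HTTP/1.1" 200 900 "-" "Firefox/2.0.0.14"
'''

# client IP, identd, user, [timestamp], "METHOD url PROTOCOL"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*"')
# PHP's default session IDs of that era are 32 hex characters.
SID_RE = re.compile(r'PHPSESSID=([0-9a-fA-F]{32})')


def sessions_by_client(log_text):
    """Map each session ID seen in a request URL to the client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        for sid in SID_RE.findall(m.group('url')):
            seen[sid.lower()].add(m.group('ip'))
    return dict(seen)


def shared_sessions(log_text):
    """Return only the session IDs that were requested from more than one IP."""
    return {sid: sorted(ips)
            for sid, ips in sessions_by_client(log_text).items()
            if len(ips) > 1}


if __name__ == "__main__":
    for sid, ips in shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from: {', '.join(ips)}")
```

A hit is a lead to check against login times, not proof of theft: proxies and changing client addresses also make one session appear from several IPs.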

Offline SlammedDime

  • Lead Customizer
  • Simple Machines Hero
  • *
  • Posts: 6,645
  • School of Air Ride
    • Matt Zuba.com
Re: Forum hacked. Session stolen?
« Reply #1 on: June 21, 2008, 05:44:40 AM »
Before getting hacked, what version of SMF were you using?

The attacker would have to know your session id in order to try and exploit it, but this issue was resolved in 1.1.3.  In order for him or her to know it, they would need to have either database access, in which case it wouldn't even be needed, or they would trick you into following a link to their site that contained the session id so they could steal it from you.
SlammedDime
Lead Customizer
                      My Mods
SimpleSEF
Ajax Quick Reply
Sitemap
more...
                     
Quote
<orstio> It's what happens when a mini-van rapes an econo-box.

Offline toster

Re: Forum hacked. Session stolen?
« Reply #2 on: June 21, 2008, 05:46:20 AM »
Version 1.1.5

I have to ban the attacker via my firewall. The SMF ban feature does not work here.

The attacker got access again, he just logs in as admin. I think it is a session problem.

Can I renew all sessions?

Offline SlammedDime

Re: Forum hacked. Session stolen?
« Reply #3 on: June 21, 2008, 05:48:07 AM »
You can truncate the smf_sessions table of your database, which will remove all sessions stored in it.

What mods do you have installed?

Offline Black_Paolo

  • Jr. Member
  • **
  • Posts: 259
Re: Forum hacked. Session stolen?
« Reply #4 on: June 21, 2008, 06:09:23 AM »
Sorry, just a question...
If I don't use PHP sessions but I store them in the database (no PHPSESSID=xx), can someone hack my forum?

It's just a question, you can use whatever you want..Just for my security :D
I'm an Italian boy, so I don't speak English very well.
If there are any errors in my post, please let me know, so I (hopefully) won't do it again :D

Offline toster

Re: Forum hacked. Session stolen?
« Reply #5 on: June 21, 2008, 06:29:57 AM »
No mods installed. I am trying to keep my SMF install safe & clean.

I have contacted the attacker. The problem is not in the SMF software, but in the other scripts hosted at the server.

I have a security audit to do :)

Have a nice day!

PS: It should be clear how easy it is for an attacker to get access to your site when it is hosted on a shared web hosting service. Especially a low-priced one.

Offline SlammedDime

Re: Forum hacked. Session stolen?
« Reply #6 on: June 21, 2008, 01:48:30 PM »
Glad you know the source now.  I'll mark the topic as solved then.