My Forum got hacked by: SnakE1095

I AM Legend · October 20, 2008, 02:25:01 AM

Hi All,
I went to log my forum to find to screen saying SnakE1095 was here
HaCkeD By

~ SnakE1095 ~

.. Shame On You ...

You have awful security .. DuDe

Greetz 2 : SnipeR CoDe

[email protected]

.. ][ S1A ][ ..

Any help would be awesome

DirtRider · October 20, 2008, 02:26:54 AM

A link may help and the version of SMF you are running

I AM Legend · October 20, 2008, 02:30:52 AM

http://www.express-forums.com/index.php

smf 1.1.6

DirtRider · October 20, 2008, 02:34:59 AM

Not good to hear on 1.1.6. Anyway looks like you will need to replace your index.php with a backup.

I AM Legend · October 20, 2008, 02:36:15 AM

what do i do about improving my security?

DirtRider · October 20, 2008, 02:51:10 AM

Well this is the thing I think you should make out a bug report seeing it is 1.1.6. I would also contact your host as 1.1.6 is supposed to be secure

I AM Legend · October 20, 2008, 02:56:56 AM

ok thanks for the help, any other info you come across please post it.
Thanks as always

Nathaniel · October 20, 2008, 02:59:41 AM

Specifically, you should fill out a security report. You can do that at the page below:
http://www.simplemachines.org/about/security.php

Also, as DirtRider said. Its possible that they may have used an issue with your server configueration or another script on your website. You should ask your host about it.

I AM Legend · October 20, 2008, 03:19:25 AM

Hey,
In the security report. where do I find Server Software?, PHP Version. MySQL Version? server accesslog?

Nathaniel · October 20, 2008, 03:29:34 AM

They should be in your hosting account area. If they aren't then you will have to ask your host what your server specs are.

SA™ · October 20, 2008, 03:53:55 AM

Quote from: I AM Legend on October 20, 2008, 02:25:01 AM
Hi All,
I went to log my forum to find to screen saying SnakE1095 was here
HaCkeD By

~ SnakE1095 ~

.. Shame On You ...

You have awful security .. DuDe

Greetz 2 : SnipeR CoDe

[email protected]

.. ][ S1A ][ ..

Any help would be awesome

seems thsi person is going after everyone i know lol i run i site called stoned freeroam and that has getting hacked nealy everyother day by that same person

it turned out to be a server exploit and not smf it hasnt happend since they fixed it

I AM Legend · October 20, 2008, 04:14:16 AM

Bro how did you fix it?

SA™ · October 20, 2008, 04:15:57 AM

i didnt the host 3ix fixed it

I AM Legend · October 20, 2008, 04:20:24 AM

awesome, thx bro

I AM Legend · October 20, 2008, 06:56:35 AM

have been in contact with my host, waiting to see what they have to say on this matter, will keep you informed

I AM Legend · October 20, 2008, 03:57:07 PM

Hi All,
ok my host says it is not a server exploit,
they said:

Please ensure you are fully up to date with security patches etc for. Aside from that you have full 777 permissions on some of your files and directories which leave your website open to exploitation. Please refer to your forum's help files for changing permissions to the correct levels.

If you require further assistance from us please let us know.

I am going to need help on changing permissions to safe guard my site from future attacks of this type, I will need a list of files/phps that should never be 0777 so I can go and change permissions to safe guard this ever happening again, only smf can help me with this.

I have also asked my host to provide me with the info below:
Server Platform
Server Software
PHP Version
MySQL Version
Server accesslog (Please only send us the logs from around the time the intrusion occured)
Url of PHPinfo file

as soon as I receive it, I will fill out a security report for smf.

In the mean time, any help on the permissions issue would be great.
Thanks as always.

I AM Legend · October 21, 2008, 03:37:36 AM

any help on permissions would be great

Nathaniel · October 22, 2008, 05:12:15 AM

Well, chmod 777 isn't really a security risk (read the documentation below), although you may want to change your 'Settings.php' file so that it isn't chmoded to 0777.

Why chmod 777 is NOT a security risk

I AM Legend · October 22, 2008, 04:34:22 PM

Hi,
ok so is that it,
change the settings.php from 0777 to what? 644 or 766?
what else do i need to do to stop this happening again?
the index.php file was changed on the day of the hack, how do i stop that happening again?
the attachment here was the index file that was used, pull it into a firefox browser and you will see what I saw.
surely it cant be as simple as changing the settings.php file to 644 or 766 or something and this wont happen again?
thanks as always

ChainLightning · October 22, 2008, 05:25:08 PM

I took a quick look at my Settings.php and it's set to 644. Out of curiosity, I checked my index.php and it was set the same, 644.

I can't help you with how to stop it from happening again. I don't know enough about hacking to know how he did it.

Hopefully, someone else will have an idea or two.

News:

My Forum got hacked by: SnakE1095