Can't get into Admin - a hack attempt?

Started by joiful77, July 21, 2010, 10:59:32 PM

joiful77

Today, my forum started acting up. When I try to go to various sections, it just keeps taking me back to the forum home page. I can't get into Admin, Moderation, and it won't even let me log out - it just returns to the home page. http://www.lighthousetrailsresearch.com/LTForum/

A couple times when I tried to log in, I get this message: "The database value you're trying to insert does not exist: p_member_ip2". But it does log me in.

Tried on Firefox too, and the same thing.

I just realized, when I click on members, it comes up with "Hacker?" Good heavens. What does that mean?

Stuck CAPS

I hope you have a backup! Because, you're most likely gonna have to restore, or at least, fix your DB, change the Username/Password, and fix/re-install your forums.
My website: iCAPS


joiful77

What in the DB do I have to fix? Do you know what could have caused this?

Kill Em All

This seems to be a possible SQL injection. First, you should let your host know; this way they can run an AV scan, and hopefully you or they have a database backup. After restoring the backup, you should upload a fresh set of SMF files from the large upgrade package. Just don't upload the upgrade.php and SQL info files.

What version of MySQL and PHP are you running?


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.

Stuck CAPS

Oh yes! I forgot about SQL Injections.  I thought SMF was practically invulnerable to SQL Injection though.  I thought the Admin Req's just didn't work.

Kill Em All

Well it could be SMF's side, or it could be serverside. Other outdated software possibly.



Stuck CAPS

I guess it could be, but he said he's using SMF 2.0 RC3, so it could be a glitch that the hacker took advantage of?

Kill Em All

Well, there are no known security holes in RC3. The hacker hasn't seemed to screw much up on the site itself. I'm betting on it being a problem server side, or the OP might have other outdated software installed.



Stuck CAPS

Yeah, but if it's serverside, what explains the "Hacker?" in the Membergroups?

Kill Em All

SQL injection. When I say serverside, I'm saying the hacker exploited a security hole from, let's say, PHP, or cPanel, or whatever software the host might have installed. Not SMF.



Stuck CAPS

But cPanel doesn't save its users with each having its own admin, like forums do, so the hacker couldn't have done admin requests over and over, as it would get him nowhere, so I would say it's PHP.

Kill Em All

You can get into phpmyadmin through cPanel. Even if it wasn't cPanel, hosts have plenty of software on servers that could have possibly been exploited due to them being outdated.

We will just have to wait for the OP to respond back with further details.



Stuck CAPS

You're right. Hmm. Well, now I know why it says to UPDATE PACKAGES NOW in Fantastico. :P

joiful77

I appreciate all the input. I am not sure this really is at the server side. I was working on my forum, working on a couple already installed packages, one being the simple ad package, and then this happened. I have up to date software in my other functions, such as WordPress blog, etc. I only became an SMF client about three weeks ago, upgraded to 2.0 about a week ago and all has worked well, until today. I restored my forum so perhaps you could take a look at it. It looks normal but isn't.

joiful77

My server technician is looking at this right now.


joiful77

Ok. I have to get a few hours of sleep, but my server tech doesn't sleep  :), and he is going to see if he can figure it out.

joiful77

This in from my server technician.

We are running PHP 5.2.11; the latest is 5.2.13. There shouldn't be any major security issues between 5.2.11 and 5.2.13, but I will go ahead and update it tonight just to be safe. MySQL version is 5.0.91-community MySQL Community Edition. We are running cPanel but it is fully up to date. I honestly don't believe either are the culprit. Here are my observations. Forum software is often suspect to security problems and I am not familiar enough with the SMF software to speak to its security. However, you are running a Release Candidate version which is not a production release. Even on their site they state: "Note: As this is in development, we do not recommend running SMF 2.0 RC3 on a production site." You should never run RC software on a production machine without expecting problems, including possible security problems, whether they have been identified or not.

Follow up Note: My tech has restored the forum back to an earlier point today. It is working perfectly again. We don't know what happened at this point. He is recommending I go back to the 1.1.11 version of SMF until the actual release of 2.0 is ready.

CapadY

Quote from: joiful77 on July 22, 2010, 01:08:57 AM
I have up to date software in my other functions, such as WordPress blog, etc.

I've seen here before security problems with Wordpress.
Please, don't PM me for support unless invited.
If you don't understand this, you will be blacklisted.

Kill Em All

I don't think this might be a server side issue as everything seems to be up to date server side.

Has the server tech run an AV scan on the server yet? That might shed some light. The hacker either got in through WP or SMF is most likely the case. However, there are no known security holes in SMF right now. I'm not saying there aren't security holes, as I know there are, but they are not known yet by anyone unfortunately. But every software has security holes; WP has a few that I don't think are patched yet, if I recall correctly. I could be wrong on that though.

