Administrator account hacked

Started by themavesite, October 17, 2010, 09:19:29 AM


themavesite

Yesterday some punk kid hacked my account, but I'm unsure how he did it, that's the scary part...

I'm running the latest version of SMF, and only the AEVA video modification.

Theme I'm running is Inferno (free theme from dziner studio)

Here's a screenshot of my forum directory



Here's my index.php

http://pastebin.ca/1964818


BTW I already reverted all changes the guy made and changed my password again and etc, my only concern is HOW he did this.
TMS Forums
Since 2008 and still going strong! Join today! http://forums.themavesite.com/index.php

Robert.

You can guess passwords, but you can also pipe passwords. But he can only do that if he has access to the FTP server. Piping passwords means getting the password when someone logs in, BEFORE SMF encrypts it to SHA1 to check if the pass is right.

Oya

if you're referring to the core files, that's not the sign of a hack, but the sign of apache or php crashing (might be hostname lookup related)

there's nothing obviously wrong in that file, so i'm not sure what evidence there is of a hack?


tah zonemaster, smf encrypts the password in javascript before it sends it to the server for logging in...

themavesite

Another person stated this;

Quote: The punk just probably got lucky, because there is a way to inject custom runcode into SMF theme files (if they're not protected properly afaik)

I'd like a second opinion on this.


So what do you guys suggest?
I already changed my FTP account's password

ALSO: Is it safe to remove the core files?

(I just disabled hostname lookups, I heard that that might fix these files from being created)

Oya

so what was changed exactly?

it could just as easily have been a poorly setup host, or files set to higher permissions than they needed to be

talk to your host about the core files, to see if they're going to dissect them, if not they're safe to delete (they can tell what caused the crash from it if they want)

themavesite

Quote from: Oya on October 17, 2010, 10:12:54 AM
so what was changed exactly?

it could just as easily have been a poorly setup host, or files set to higher permissions than they needed to be

talk to your host about the core files, to see if they're going to dissect them, if not they're safe to delete (they can tell what caused the crash from it if they want)

My name was changed to "ELiiTE", all my forum settings were messed up
- Maximum image height and width was 1px
- Signatures and avatars were disabled
- Who's online feature was disabled
- The hacker tried to delete my account
- The hacker banned 10 ranges, luckily I could login with my phone (other IP address than home) and could revert the changes that way.
- Polls were disabled
and a lot of other stuff.

Oya

that's just the database, nothing in the files themselves

could mean your password was guessed or if you have the same password as another service and that was compromised, that's another way


butchs

But you do need to change all your passwords.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

themavesite

Yeah I already did.

So I guess I'm good now(?)

butchs

Yes, as long as there are no easter eggs hiding in your directories.

themavesite

^ Is there some kind of tool to check your forum directory for files that aren't supposed to be there?

Oya

nope because mods often add their own files so any tool is likely to be useless

ARG01

Quote from: themavesite on October 17, 2010, 09:48:30 AM

ALSO: Is it safe to remove the core files?

I have found a few of those same core files that actually disabled my site because they were so large. I just deleted them and everything was fine. But, you may want to save them on your comp just in case.  ;)
No, I will not offer free downloads to Premium DzinerStudio themes. Please stop asking.

ThePro

Well first of all, i'm a member of that site

Second, well, i remember there was a tool back in the day that checked for those php files in the Themes directory and all sub-directories, anyone have the link for it?

Aleksi "Lex" Kilpinen

The .core files are something you should turn to the host about - since they are the only ones in a position to do something to them,
and normally they only appear when something is wrong with the server setup.

Quote from: themavesite on October 17, 2010, 11:13:00 AM
^ Is there some kind of tool to check your forum directory for files that aren't supposed to be there?
None that I know of, but I can see files in your screenshot even that I don't think belong to a default installation.
MGallery, pindex, smffoot, smfhead...

There are a couple of tools that could help but, I can't remember where to find them though.
One is to find missing end tags in php files, and one is to seek out signs of a certain hack from the past.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
