Advice Needed.. Possible Database Hack / Security Breach on SMF 2.0 RC3

Started by macbook121, October 19, 2010, 12:15:39 AM


macbook121

Hi everyone.

My name is Jake and I am the administrator of an SMF forum, called Baden Transportation. It is a virtual bus contracting service, kind of like an RP, but more like a virtual airline type of simulation (if you know what those are). Forum URL can be given out to those who'd like to look, however as a new member I cannot post URLs.

Tonight we have had a long series of issues. I am not sure if this is merely a hack or if someone has cracked our forum database, but either way this has caused us to halt all forum operations as we investigate this issue. I am going to tell the entire story and everything we know here. For people's testimonies (of moderators) I cannot guarantee that they are telling the exact truth, however I have reason to believe that they are.

It all started when a moderator noticed that one account on the forum had its information changed. The account is a very unique and well-known account throughout the forum, as it is a character that I narrate. Regardless, all the profile fields were changed to "VOID HACKERS" and the email was reset to "[email protected]" (does not exist). Only one profile was affected, as far as we know. Coincidentally, when we looked at the member's profile (I will refer to it as Chanda), it said that the main profile fields that were adjusted were changed by the same moderator who noticed it. However, when we looked at that moderator's records, during the five-minute time span in which the fields were changed, the same user was posting in different parts of the forums. Some information may be lost, as when I learned about this I immediately went to the profile, changed all the information back and reset the password (so people would not freak out). During this process I might have overridden some of the forum's tracking of profile changes, but I am not sure. HOWEVER, it states that at exactly 8:59 PM the email was changed by the moderator, and at 9:04 PM the Personal Text field was updated. (Let me explain: ALL profile fields except for location were changed; the forum did not record all of those changes. Also, the profile picture for this account was deleted.) During this 5-minute interval, the same moderator posted at 8:57 PM and at exactly 9:00:57 PM. The moderator came across one of Chanda's topics, noticed the signature was changed to say VOID HACKERS and went to investigate. I also received a message on Facebook at exactly 9:05 PM from the same moderator saying he noticed the profile was changed and was trying to tell me something was going wrong. HOWEVER, this moderator (using a custom moderator badge that I set permissions for) does not have the ability to edit those fields.
The moderator can only change the registration date (not sure why) and the membergroups. Nothing else. I have this set because we put new members under a certain profile setting to where they cannot access the entire forum, and this same moderator also approves new accounts.

However, it does not stop there. When I logged in, I noticed immediately that my profile was changed. Not the information, but I had "Buddies" installed on my profile. I have never set this, and when I got on before I left to go somewhere at 3 PM this feature was not set. I was set as a buddy of Chanda, whose profile information was hacked. I also noticed, while I was talking to my web host (the site is privately hosted), that when he would link me to the website over AIM, Firefox would not automatically validate my login; it wanted me to re-login each time I clicked a link and opened it. It has never done this in the past (not for ADMIN stuff, just to look at the forum; we have the forum set so that you have to be logged in to view certain boards, posts, profiles, etc.). Another thing noticed: under the error log, around 4:58 PM one of our respected members registered an error as trying to log in under my account. This was exactly one minute after he logged out. The user is 13 years old and I highly doubt he has any skills in hacking or cracking passwords, and we have not talked to him to know if this was him or not; he has not been available. Nothing else was recorded that was unusual or strange.

What I want from you all: I would like to learn how the events that are occurring are happening. Friends and other computer gurus I talked to (not necessarily skilled in SMF forums) said this could possibly be the work of a script kiddie. My forum has enemies, but the intelligence level of these people is very slim (usually people who have been banned from our forum; one user in particular, however, was 13 years old too, and he started causing behavioral problems and was kicked out). His banned IP has recorded only one hit since he was banned almost two months ago; however, we are not sure of the date of that hit, and it is not recent either. I would also like to know if I should be worried for my forum's security and whether or not any passwords, user information, etc. were exploited.

Forum is SMF 2.0 RC3.

The profile fields that were hacked on Chanda's profile had either "VOID HACKERS" inputted, "VOID" (for AIM), or "[email protected]" for email. The security question was changed to VOID HACKERS; we cannot verify if the passwords were changed, but they have been reset. The account for Chanda also has not been online since October 15th, and the last login date is the last time I remember using the account, and there are posts showing that this is a genuine login from my end.

If you need to know more information, let me know. Have a good night.

Jake

macbook121

Sorry to bump, but I have information to add. Since the forum was put into maintenance mode, over 50 pages of error logs appeared.

This morning, one of our forum admins (we have 4 admins), who had not been informed of what was going on, logged in. Almost immediately after reading his email and finding out, he logged out. THREE MINUTES after he logged out, 50+ pages of error messages appeared. They are all the same variation of message, but repeated. These errors are under our admin's IP as a guest after he logged out.

Guest
IP: (member's IP), as guest
Time: Today at 05:17:36 am
Session: 609775f5c6fef279467c1d6ad8d3cb51
Type of error: Undefined
URL: (url)index.php?action=dlattach;attach=65;type=avatar
8: Undefined index: icon_cheesy
File: /var/www/baden/forum/Sources/Subs.php
Line: 2474

Guest
IP: (member's IP), as guest
Time: Today at 05:17:36 am
Session: 5c6c7c67e9e72bb9bf75e48a98012a7b
Type of error: Undefined
URL: (URL)/index.php?action=dlattach;attach=69;type=avatar
8: Undefined index: icon_shocked
File: /var/www/baden/forum/Sources/Subs.php
Line: 2474

Guest
IP: (member's IP), as guest
Time: Today at 05:17:36 am
Session: 5c6c7c67e9e72bb9bf75e48a98012a7b
Type of error: Undefined
URL: (URL)/index.php?action=dlattach;attach=69;type=avatar
8: Undefined index: icon_sad
File: /var/www/baden/forum/Sources/Subs.php
Line: 2474

These errors occurred across two or three timestamps within the same minute, and also using different avatar URLs. There are over 50 pages of these kinds of errors with different variations of "Undefined index", including code, server, code_select, quote_from, etc.

Kindred

I would not worry too much about the errors.

1- Check the date stamps on your files on the server. If any have a recent date stamp that does not coincide with an actual forum update, then check that file for scripts (usually they are just tacked onto the end of the file)

2- The Chandra account may have been hacked individually because of an insecure password. I don't know why the mod log would be showing the moderator as having changed the record, though.

3- Are you running any other scripts on your site, other than SMF?

4- Are you on shared hosting or a dedicated server?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
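
Kindred's first step (list files with a recent timestamp, then look at the end of each one for tacked-on code) is easy to do by hand for a small tree, but a script makes it repeatable and lets you compare against a clean copy of the same SMF version. The example below is added here and is not SMF's code or anything from this thread: it builds a constructed directory tree in a temp folder (a clean core file, a Settings.php legitimately rewritten when maintenance mode is toggled, and a Subs.php with a payload appended after its closing tag), lists recently modified PHP files, flags the one whose tail looks injected, and diffs SHA-256 manifests against the clean tree. The regex of suspicious calls and the 4096-byte tail window are assumptions for this example.

```python
"""Triage a web root for recently changed PHP files and for code appended
after a file's closing tag. Added example; the directory tree is constructed."""
import hashlib
import os
import re
import tempfile
import time

# Calls that rarely sit at the *tail* of a legitimate source file but are the
# bread and butter of appended web shells. Assumed list for this example.
SUSPICIOUS = re.compile(
    rb"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru)\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
    re.I,
)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def recently_modified(root, since_epoch, exts=(".php",)):
    """Paths (relative to root) of files with mtime >= since_epoch.
    mtime is the cheap first pass; anyone with write access can reset it,
    so an empty hit list is not proof of a clean tree."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            if os.path.getmtime(path) >= since_epoch:
                hits.append(_rel(path, root))
    return sorted(hits)


def tail_looks_injected(path, tail_bytes=4096):
    """True if the last tail_bytes contain shell-style calls, or a new
    '<?php' is opened after the file's last closing '?>'."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail_bytes))
        tail = fh.read()
    if SUSPICIOUS.search(tail):
        return True
    last_close = tail.rfind(b"?>")
    last_open = tail.rfind(b"<?php")
    return last_close != -1 and last_open > last_close


def sha256_manifest(root, exts=(".php",)):
    """relpath -> sha256, for comparison with a freshly downloaded copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[_rel(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(clean, suspect):
    """Files whose content differs from the clean copy, and files present only
    in the suspect tree (a dropped shell has no clean counterpart)."""
    changed = sorted(p for p in suspect if p in clean and suspect[p] != clean[p])
    added = sorted(p for p in suspect if p not in clean)
    return changed, added


def triage(root, since_epoch):
    """Recently modified PHP files whose tail looks injected."""
    return [p for p in recently_modified(root, since_epoch)
            if tail_looks_injected(os.path.join(root, p))]


def demo():
    """Constructed trees: a clean copy and a suspect copy of the same files."""
    clean_subs = b"<?php\nfunction parse_bbc($message)\n{\n    return $message;\n}\n?>"
    payload = clean_subs + b"\n<?php eval(base64_decode($_POST['c'])); ?>\n"
    settings = b"<?php\n$maintenance = 1;\n?>"
    clean, suspect = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root, subs in ((clean, clean_subs), (suspect, payload)):
        os.makedirs(os.path.join(root, "Sources"))
        with open(os.path.join(root, "Sources", "Subs.php"), "wb") as fh:
            fh.write(subs)
        with open(os.path.join(root, "Settings.php"), "wb") as fh:
            fh.write(settings)
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php\nrequire_once('Settings.php');\n?>")
        # index.php was last touched a month ago in both trees
        month_ago = time.time() - 30 * 86400
        os.utime(os.path.join(root, "index.php"), (month_ago, month_ago))
    since = time.time() - 7 * 86400
    recent = recently_modified(suspect, since)
    flagged = triage(suspect, since)
    changed, added = diff_manifests(sha256_manifest(clean), sha256_manifest(suspect))
    return recent, flagged, changed, added
```

Settings.php shows up in the recent list but not in the flagged list, which is the distinction Kindred is drawing: a recent timestamp that coincides with something you did (maintenance mode) is expected, while a recent timestamp on a core file like Sources/Subs.php is not. The pattern scan only triages; legitimate code can contain some of these calls, so the manifest diff against a fresh download of the same version is the check that actually settles whether a file was altered.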

macbook121

Quote from: Kindred on October 19, 2010, 10:32:01 AM
I would not worry too much about the errors.

1- Check the date stamps on your files on the server. If any have a recent date stamp that does not coincide with an actual forum update, then check that file for scripts (usually they are just tacked onto the end of the file)

2- The Chandra account may have been hacked individually because of an insecure password. I don't know why the mod log would be showing the moderator as having changed the record, though.

3- Are you running any other scripts on your site, other than SMF?

4- Are you on shared hosting or a dedicated server?

I have my system administrator looking through the stuff and he will get back to me when he gets home tonight. The forums are privately hosted (my sysadmin has his own personal server running out of his house; I'm the main website he hosts, however he also hosts another minor website to my understanding).

Other scripts, other than SMF: on my website directly we have a Mambo install being used for the homepage; however, we had problems with it and although it is still up, it has not been actively used in a few months.

About Chandra's account, see, that's what I thought too, right? But the account had not been logged into for 3 days prior to this incident, and the last time it was logged in was by me (I sent a few private messages).

Here is a screenshot of the edits:


88ford is me, an admin. Jpross1 is a moderator who does not have access privileges to edit the information that is being said he edited. Cansdoula is Chandra's account.

I know you said to ignore the errors, but now there are 80+ pages of errors from today, from when the other admin and I were reviewing the forum (logging his errors as a guest, but with his IP).

Thanks for the advice so far and I'll get back to you with the other information later today.

Jake

flapjack

Just thinking out loud: would it be possible that someone has the access details to your hosting account? If someone gained access to, let's say, phpMyAdmin, changing ALL user texts requires only one line of code and is untraceable from SMF logs.

macbook121

I got to talk to my host. He said:

If they did change through MySQL, 1: that user can't be used now, and 2: It DOES show up in SMF logs, so that can't be it.

We noticed changes in the directory, more specifically the Settings.php file only, however we are not sure if this is an attack because it could be from where we put the forum in Maint. Mode.

There are no other scripts installed on the host that have access to the SMF database.

Hosting server is dedicated, independently managed. Technically shared, but not really...


Kindred

having access to the smf database is not actually a requirement. If you have other scripts on the site which can be hacked, then your whole site is at risk.

I'd suggest
1- take a new backup
2- put your site back online
3- watch for anything else funky
4- keep an eye on file dates, and any file which is modified (and was not done by you) gets investigated.

twig/al

I would consider changing username and password on the server/database, that way IF someone has it, they won't be able to gain entry again.. That is what I would do... Just thoughts from a lowly user...

flapjack

Quote: If they did change through MySQL, 1: that user can't be used now, and 2: it DOES show up in SMF logs, so that can't be it.
I suggest you find a new host, one who actually has any idea what he is talking about, as both of those statements are 100% false.

Oya

If it showed up in the SMF logs, either the intruder came through MySQL and was very thorough and made sure to document his own changes in the log, or it was not done via MySQL.

I don't think it was directly done through MySQL...
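
The disagreement between flapjack, the host and Oya comes down to one mechanic: an application's audit log is written by the application's own code, so a statement run straight against the database never touches it, and anyone who can run that statement can also write rows into the log table. The example below is added here and is not SMF code or anything posted in this thread. It uses a hypothetical two-table schema (a members table and a profile-edit log) as a stand-in for a forum's real tables, with constructed members named after the accounts in the screenshot. It shows the in-app edit path that logs correctly, the one-line direct UPDATE that leaves no log row, a reconciliation check that catches the mismatch, and finally the attacker forging log rows so that the log blames the moderator.

```python
"""Direct database edits bypass an application's own audit trail.
Added example with a hypothetical schema; not SMF's tables."""
import sqlite3

SCHEMA = """
CREATE TABLE members (
    id_member     INTEGER PRIMARY KEY,
    member_name   TEXT NOT NULL,
    email_address TEXT NOT NULL,
    personal_text TEXT NOT NULL DEFAULT '',
    signature     TEXT NOT NULL DEFAULT ''
);
CREATE TABLE profile_edit_log (
    id_log    INTEGER PRIMARY KEY AUTOINCREMENT,
    id_member INTEGER NOT NULL,
    edited_by INTEGER NOT NULL,
    field     TEXT NOT NULL,
    new_value TEXT NOT NULL
);
"""
TRACKED = ("email_address", "personal_text", "signature")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _log(conn, id_member, edited_by, field, new_value):
    conn.execute(
        "INSERT INTO profile_edit_log (id_member, edited_by, field, new_value) "
        "VALUES (?, ?, ?, ?)",
        (id_member, edited_by, field, new_value),
    )


def register(conn, id_member, name, email):
    """Registration writes a baseline log row per tracked field, so every
    current value has a row that explains it."""
    conn.execute(
        "INSERT INTO members (id_member, member_name, email_address) VALUES (?, ?, ?)",
        (id_member, name, email),
    )
    for field in TRACKED:
        _log(conn, id_member, id_member, field, email if field == "email_address" else "")


def app_edit(conn, actor, id_member, field, value):
    """The forum's code path: change the column AND record who changed it."""
    if field not in TRACKED:
        raise ValueError(field)
    conn.execute(f"UPDATE members SET {field} = ? WHERE id_member = ?", (value, id_member))
    _log(conn, id_member, actor, field, value)


def direct_sql(conn, statement):
    """What phpMyAdmin or a shell on the DB host gives you: the statement runs
    with no application code in the loop, so the app logs nothing."""
    conn.execute(statement)


def unexplained_changes(conn):
    """For every member and tracked field, compare the current column value
    with the newest logged value. A mismatch means the column was changed
    outside the application (or the log itself was edited)."""
    findings = []
    cols = ", ".join(TRACKED)
    for id_member, *values in conn.execute(f"SELECT id_member, {cols} FROM members").fetchall():
        for field, current in zip(TRACKED, values):
            row = conn.execute(
                "SELECT new_value FROM profile_edit_log "
                "WHERE id_member = ? AND field = ? ORDER BY id_log DESC LIMIT 1",
                (id_member, field),
            ).fetchone()
            logged = row[0] if row else None
            if logged != current:
                findings.append((id_member, field, logged, current))
    return findings


def demo():
    """Reconciliation result after an in-app edit, after a one-line direct
    UPDATE, and after the attacker also forges log rows."""
    conn = open_db()
    register(conn, 1, "cansdoula", "chanda@example.invalid")  # constructed data
    register(conn, 2, "jpross1", "mod@example.invalid")
    app_edit(conn, 2, 1, "signature", "Narrated by Jake")
    after_app_edit = unexplained_changes(conn)

    direct_sql(conn, "UPDATE members SET email_address = 'void@example.invalid', "
                     "personal_text = 'VOID HACKERS', signature = 'VOID HACKERS' "
                     "WHERE id_member = 1")
    after_direct_update = unexplained_changes(conn)

    # With SQL access the attacker can also write the log and pin the change
    # on member 2; the app-level log then "shows" the moderator editing.
    for field, value in (("email_address", "void@example.invalid"),
                         ("personal_text", "VOID HACKERS"),
                         ("signature", "VOID HACKERS")):
        direct_sql(conn, "INSERT INTO profile_edit_log (id_member, edited_by, field, new_value) "
                         f"VALUES (1, 2, '{field}', '{value}')")
    after_forged_log = unexplained_changes(conn)
    return after_app_edit, after_direct_update, after_forged_log
```

The third result is the one that matters for this thread: once the log table is writable by the same party that changed the profile, the log entry naming the moderator is not evidence about the moderator at all. A record the attacker cannot reach, such as the database server's own binary log or query log kept off the compromised host, is what would distinguish an in-app edit from a direct one.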

macbook121

Sorry for the late reply and I appreciate everyone and their comments.

The host is someone I've known for years (a good friend) and I get a very good discount, so I will probably continue hosting with him. As for anything technical, I am not very savvy on all the details of how SMF works; I just know the basics. I have run their forums for going on four years now and I will admit it's great software; this is the first time I've ever had any issue with an SMF forum.

I will pass along the word about having him change the server password and username. As for the site/forum, we are probably going to end up scrapping it for security reasons. The main issue here is we wanted to try to figure out how this could have happened so we can prevent it from happening again in the future. There is a tremendous amount of material that goes into our forums (again, being a website like an RPG, lots of information topics etc. that we will have to copy).

Since the issues transpired, we have had the forum in maintenance mode and so far there has not been any unusual activity. I was also able to talk to the member whose IP registered as trying to log in as my admin account, and he denies trying to log in as me. So I am not sure if that could have been related to the issues that went on or not.

Anyway, thanks for the help guys. I also have one more question: is SMF 1.11 any more secure than 2.0 RC3? We might switch back to 1.11 for the new forum if this is the case. I know 2.0 isn't fully released yet and can have vulnerabilities, so I'm just trying to get a good opinion; it's a huge inconvenience to us and our members when issues like this arise.

Thanks!

xenovanis

Hello macbook121, sorry for the late reply.

How are things now?

To answer your last question, there are no known issues with 2.0RC3 or now with 2.0RC4, similar to yours.
"Insanity: doing the same thing over and over again and expecting different results."
