Hackers

marknz · August 05, 2013, 06:08:41 AM

In looking through my site's default email address, I recently spotted 67,000+returned messages most of which seems to be from hack attempts on my forum.

To: <spam email address that is not in the member list>
Subject: Welcome to My Board
X-PHP-Script: <my site>/index.php for 220.250.52.66
From: "My Board" <my personal email address, hacked>
Date: Thu, 21 Mar 2013 05:09:35 -0000
X-Mailer: SMF
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="SMF-15e459a9cf06b745818c75a077587bb0"
Content-Transfer-Encoding: 7bit
Message-Id: <E1UIXkt-00037n-Vk@server1.<my server>>

1/ How the hell did people hack my personal email address?
2/ This message is being sent to an email address that is not in the database. Therefore it looks like the code has being hacked.

I had applied what I thought were excellent and tight security measures. Now Ive had to shut the forum down.
What can I do other than get rid of SMF to apply all antihack mechanisms

emanuele · August 05, 2013, 09:49:57 AM

What was the body of the original messages?

This simply looks like the "send this topic" thing TBH, no hacking whatsoever.
But obviously that's just a guess at the moment without more details.

If instead you find anything around your logs, the security report forum is the better place to get in touch.

MrPhil · August 05, 2013, 10:17:23 AM

Would a bot (search engine or spambot) clicking on "SEND THIS TOPIC" generate such an email? I would think that its use would be restricted to logged-in members, but maybe not (have a look at the permissions, to see if it's open to guests). If spammers are doing this, they probably won't obey any robots.txt directives to ignore action=emailuser;sa=sendtopic, but if it appears to be reputable search engines, it might be worth putting something in robots.txt.

Arantor · January 19, 2014, 03:18:31 PM

Yeah, this isn't a hack, this is someone using the Send This Topic function. While it's not a bug, I'd personally love to get rid of it precisely because of issues like this.

Shambles · January 19, 2014, 04:47:55 PM

Quote from: Sir Cumber-Batcher
... the Send This Topic function. ... I'd personally love to get rid of it ...

I'll cover your back, if you go down that route

AllanD · January 20, 2014, 10:20:56 AM

This was also an issue with a version of Zen Cart where guests were sending spam emails. They also got rid of this function just for that. I agree it's something that should be done away with or reworked to send to a friend on the forum.

Arantor · January 20, 2014, 10:26:49 AM

Do legitimate people really use it any more? Seems to me that people just copy/paste into whatever it is they're using anyway, be that an IM client (incl. WhatsApp, iMessage), or social networking (FB, Twitter) or whatever.

AllanD · January 20, 2014, 10:27:47 AM

I can't answer that since I have never used it

Arantor · January 20, 2014, 10:29:34 AM

I think I only ever loaded it to see what it was

Arantor · January 23, 2014, 04:44:06 PM

So I've removed send-this-topic. Now just just leaves send-email-to-members which can't be entirely removed (e.g. you might need to send a message to a guest)

AllanD · January 24, 2014, 08:57:32 AM

Sounds great thank you, will help alot of forums from being used to send spam through.

Arantor · February 09, 2014, 01:32:27 AM

Consolidated the remaining bits on Github under https://github.com/SimpleMachines/SMF2.1/issues/1403

News:

Hackers

MrPhil