My SMF Forum hacked and Admin status lost

Started by Vish, June 26, 2006, 06:13:02 PM


Vish

I need help getting my admin status back on my forum. It seems that someone hacked my forum and removed me as the admin!!!

I am on SMF 1.1 RC1.

Any ideas and/or pointers?

Neol

Use the mysql database to retake your admin status.

jerm

sure it wasn't just one of your other admins who took your status away?
if not, visit http://www.simplemachines.org/about/security.php

to get your admin status back
log into phpmyadmin and run this command:
UPDATE smf_members SET ID_GROUP = 1 WHERE ID_MEMBER = x;
where smf_ is your prefix, and x is your id

Vish

Thanks for your replies...
I am very sure that someone did not take my status away as I am the only one....also, I see spam on my forum by this suspicious user !!

Vish

How can I prevent this from happening again? I know how to prevent this particular user as I have his IP (66.246.72.170 )....

But are there any other ways this could have been prevented?

Any ideas?

Tony Reid

I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net
Tony Reid

jerm

well, do you know what has happened? did you fill out the information needed on the security site i linked you to?

Vish

I do not have much information except that someone registered on my site as admin and removed me as admin. I have the IP as I posted....

I do not know how this user managed to hack in...maybe you guys can help me figure it out...I will post the information in the security form

Tony Reid

Vish you need to download a copy of your log files and manually go through them - Search for the IP address and look at all the lines associated with it.

I checked my logs of this user and didn't turn up anything suspicious - just the fact that they registered. Luckily we manually approve new members.
Tony Reid
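
Added example, not part of the original posts: one way to do the log review described above, pulling every request from one client IP out of a web access log and counting them by forum action. It assumes Apache "combined" log format and SMF-style `index.php?action=...` URLs; the sample lines and action names are constructed, and the zero-padded spelling of the address (as it appears later in this thread) is normalised before matching.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "METHOD target proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# SMF-style URLs separate parameters with ';' as well as '&'.
ACTION_RE = re.compile(r'[?&;]action=([A-Za-z0-9_]+)')

# Constructed sample lines (not taken from any real log).
SAMPLE_LOG = """\
66.246.72.170 - - [20/Jun/2006:17:14:02 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
66.246.72.170 - - [20/Jun/2006:17:14:09 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4211 "-" "Mozilla/4.0"
192.0.2.10 - - [20/Jun/2006:17:15:00 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
66.246.72.170 - - [21/Jun/2006:05:27:40 +0000] "POST /forum/index.php?action=post2;board=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

def normalize_ipv4(text):
    """Canonical dotted quad, or None if text is not IPv4.
    Leading zeros are dropped so 066.246.072.170 equals 66.246.72.170."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and len(p) <= 3 for p in parts):
        return None
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)

def requests_from(log_lines, suspect_ip):
    """Return (time, method, action, status) for each request from suspect_ip."""
    wanted = normalize_ipv4(suspect_ip)
    if wanted is None:
        raise ValueError("not an IPv4 address: %r" % suspect_ip)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or normalize_ipv4(m["host"]) != wanted:
            continue  # unparseable line or a different client
        action = ACTION_RE.search(m["target"])
        hits.append((m["time"], m["method"],
                     action.group(1) if action else "-", int(m["status"])))
    return hits

def summarize(hits):
    """Count requests per (method, action) so POSTs to write actions stand out."""
    return Counter((method, action) for _, method, action, _ in hits)

if __name__ == "__main__":
    found = requests_from(SAMPLE_LOG.splitlines(), "066.246.072.170")
    print(*found, summarize(found), sep="\n")
```
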

Skipdawg

Quote from: Tony on June 26, 2006, 07:01:50 PM
I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net

They tried registering on one of my forums too. Did not accept.
Skipdawg's Community

Powered by SMF 1.1.3

Vish

Quote from: Tony on June 27, 2006, 03:30:14 AM
Vish you need to download a copy of your log files and manually go through them - Search for the IP address and look at all the lines associated with it.

I checked my logs of this user and didn't turn up anything suspicious - just the fact that they registered. Luckily we manually approve new members.

By logs you mean the cPanel logs or is there SMF logging too? I will check myself in the meantime...

JayBachatero

It might be that he was able to get admin access through an exploit in 1.1 RC1 and lower.  I suggest that you upgrade to 1.1 RC2 ASAP.

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

Vish

I was not able to find anything from the logs.
I have also upgraded to RC2.

I hope this does not happen again !!

b0x

Quote from: Skipdawg on June 27, 2006, 12:08:44 PM
Quote from: Tony on June 26, 2006, 07:01:50 PM
I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net

They tried registering on one of my forums too. Did not accept.

Same here:
VallyKSH - Date Registered: 21 Jun 2006 05:27 (account was not validated via email)
[email protected]
66.246.72.170
221038.ds.nac.net

judymcl

I had the same one as well except the user name was BobbyDIR. Exact same email address though. 
Judy

Vish

What version of SMF were you on at the time?
I am hoping RC2 resolves this security vulnerability

judymcl

My apologies... I neglected to mention that they did not get in. I have RC2
Judy

Vish

Good to know...

I also upgraded to RC2. Maybe that's what I should have done long back.

redone

Always a good idea to pay attention to the updates and security fixes that come out with each and every release. No matter which piece of software you are running all they need is one little opportunity.

At this time there are no known security vulnerabilities regarding 1.1rc2.

judymcl

I've been using SMF for almost a year now and it was the best move I ever made. I've had no problems at all with it, security or otherwise. The SMF team stays on top of things really well. What sparked my interest in this thread was that the trouble-maker had the same email address as what they tried with on my board. They didn't get in the door at all and they were banned 6 ways to Sunday on my board.
;D Thumbs up SMF!
Judy

xlegacyx

Interesting.

DenisVMN
66.246.72.170
221038.ds.nac.net
[email protected]

This account registered on June 20th and hasn't been activated yet. Perfect timing for a ban.  ;)

Cache-man

Hmmmm, I had this user register on one of my forums too

JallyTPX
066.246.072.170
221038.ds.nac.net
[email protected]

They never managed to hack in though (as far as I am aware)

JayBachatero

If it's a bot registering that will soon be gone when 1.1 RC3 comes out.

mike-hunter

I think it's safe to ban that IP via .htaccess.

  Mike

Mimi E. Gotist

I'm glad you posted this.  I have this user on my board as well, or rather, I had this user on my board.
  ;)

scsshell

He's back!

JimArc
66.246.72.170
same hxxp:punkass.com [nonactive] email.

He spammed my forum back in June and I banned him via admin.  How is it that he was able to login again and start spamming my boards?

Well for now.... htaccess here comes 66.246.72.170!

btw... I am running 1.1RC2
and was running the same version in June when he first started this stuff.

>:(

Just wanted to add this to the list as others may not be aware this person/bot is on the loose again.


J. Williams

Please upgrade to 1.1 RC3, usually people can easily abuse exploits such as worms/holes :P
Joshua Jon Williams
Back in Action.
