My SMF Forum hacked and Admin status lost

Started by Vish, June 26, 2006, 06:13:02 PM

Vish

I need help getting my admin status back on my forum. It seems that someone hacked my forum and removed me as the admin!!!

I am on SMF 1.1 RC1.

Any ideas and/or pointers?

Neol

Use the mysql database to retake your admin status.

jerm

sure it wasn't just one of your other admins who took your status away?
if not, visit http://www.simplemachines.org/about/security.php

to get your admin status back
log into phpmyadmin and run this command:
UPDATE smf_members SET ID_GROUP = 1 WHERE ID_MEMBER = x;
where smf_ is your prefix, and x is your id

Vish

Thanks for your replies...
I am very sure that someone did not take my status away as I am the only one... Also, I see spam on my forum by this suspicious user!!

Vish

How can I prevent this from happening again? I know how to prevent this particular user as I have his IP (66.246.72.170)...

But are there any other ways this could have been prevented?

Any ideas?

Tony Reid

I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net
Tony Reid

jerm

well, do you know what has happened? did you fill out the information needed on the security site i linked you to?

Vish

I do not have much information except that someone registered on my site as admin and removed me as admin. I have the IP as I posted...

I do not know how this user managed to hack in... maybe you guys can help me figure it out... I will post the information in the security form

Tony Reid

Vish you need to download a copy of your log files and manually go through them - Search for the IP address and look at all the lines associated with it.

I checked my logs of this user and didn't turn up anything suspicious - just the fact that they registered. Luckily we manually approve new members.
Tony Reid
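
The log review Tony describes, as an added example that is not part of the original thread: it pulls every request made by one IP out of a web server access log and summarizes it by SMF `action`, so POSTs beyond the registration itself stand out. It assumes the Apache combined log format; the sample lines and the `ExampleAgent/1.0` user agent are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (assumed; adjust if your host logs differently).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines for illustration; not taken from any real log.
SAMPLE_LOG = """\
66.246.72.170 - - [20/Jun/2006:17:13:58 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"
66.246.72.170 - - [20/Jun/2006:17:14:02 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 4301 "-" "ExampleAgent/1.0"
192.0.2.10 - - [20/Jun/2006:17:15:10 +0000] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
66.246.72.170 - - [20/Jun/2006:17:16:40 +0000] "POST /forum/index.php?action=post2 HTTP/1.1" 302 0 "-" "ExampleAgent/1.0"
this line is malformed and should be skipped
"""

def requests_from(log_text, ip):
    """Return parsed requests made by `ip`, in log order, skipping bad lines."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Compare the parsed client field exactly, so 66.246.72.17 cannot
        # match 66.246.72.170 the way a plain substring search would.
        if not m or m["ip"] != ip:
            continue
        query = parse_qs(urlsplit(m["url"]).query)
        hits.append({
            "ts": m["ts"], "method": m["method"], "status": int(m["status"]),
            "action": query.get("action", ["(none)"])[0], "url": m["url"],
        })
    return hits

def summarize(hits):
    """Count (method, action) pairs and list the state-changing POSTs."""
    counts = Counter((h["method"], h["action"]) for h in hits)
    posts = [h for h in hits if h["method"] == "POST"]
    return counts, posts

if __name__ == "__main__":
    counts, posts = summarize(requests_from(SAMPLE_LOG, "66.246.72.170"))
    for (method, action), n in counts.most_common():
        print(f"{n:3d}  {method:4s} action={action}")
    for h in posts:
        print("POST", h["ts"], h["url"], h["status"])
```

To use it on a real log, read the downloaded access log file into a string and pass it in place of `SAMPLE_LOG`.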

Skipdawg

Quote from: Tony on June 26, 2006, 07:01:50 PM
I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net

They tried registering on one of my forums too. Did not accept.
Skipdawg's Community

Powered by SMF 1.1.3

Vish

Quote from: Tony on June 27, 2006, 03:30:14 AM
Vish you need to download a copy of your log files and manually go through them - Search for the IP address and look at all the lines associated with it.

I checked my logs of this user and didn't turn up anything suspicious - just the fact that they registered. Luckily we manually approve new members.

By logs you mean the cPanel logs, or is there SMF logging too? I will check myself in the meantime...

JayBachatero

It might be that he was able to get admin access through an exploit in 1.1 RC1 and lower.  I suggest that you upgrade to 1.1 RC2 ASAP.

Vish

I was not able to find anything from the logs.
I have also upgraded to RC2.

I hope this does not happen again !!

b0x

Quote from: Skipdawg on June 27, 2006, 12:08:44 PM
Quote from: Tony on June 26, 2006, 07:01:50 PM
I've had that user try to register on my forum too....

JillyYQT - Attempted registration on 20/06/2006, 17:14 (GMT)
[email protected]
66.246.72.170
221038.ds.nac.net

They tried registering on one of my forums too. Did not accept.

Same here:
VallyKSH - Date Registered: 21 Jun 2006 05:27 (account was not validated via email)
[email protected]
66.246.72.170
221038.ds.nac.net

judymcl

I had the same one as well except the user name was BobbyDIR. Exact same email address though. 
Judy

Vish

What version of SMF were you on at the time?
I am hoping RC2 resolves this security vulnerability

judymcl

My apologies,... I neglected to mention that they did not get in. I have RC2
Judy

Vish

Good to know...

I also upgraded to RC2. Maybe that's what I should have done long back.

redone

Always a good idea to pay attention to the updates and security fixes that come out with each and every release. No matter which piece of software you are running all they need is one little opportunity.

At this time there are no known security vulnerabilities regarding 1.1rc2.

judymcl

I've been using SMF for almost a year now and it was the best move I ever made. I've had no problems at all with it, security or otherwise. The SMF team stays on top of things really well. What sparked my interest in this thread was that the trouble-maker had the same email address as what they tried with on my board. They didn't get in the door at all and they were banned 6 ways to Sunday on my board.
;D Thumbs up SMF!
Judy
