hacked: www.madphilosophers.com / need help

Started by willem-sp, October 04, 2008, 12:49:39 PM

Deprecated

It's okay with me if SlammedDime is available for the job, and in fact I believe it is preferable to let him do the job for you. I hadn't realized that he would be available. I'm retired. I'm available all the time.

I have to admit that kicking a hacker's ass was a pretty attractive incentive. :D

Deprecated

I'm just thinking of the agenda irrespective of who gets the job done.

1. Log in to cPanel, go to file manager and rename index.php to terminate all access to forum.

2. Go to phpMyAdmin and edit smf_members to reset any admin accounts to regular member.

3. The hacker could still get in again by the same exploit so the forum has to be upgraded to SMF 1.1.6. Create FTP account and upload the upgrade, then execute it.

4. Find the owner's account and set him to admin, reset his password and send it to him.

5. Owner then has to reinstall any mods or themes. Owner also to change all passwords so that we at SMF have no more access.

Done.

DirtRider

Now this is what I wanted to hear: kicking this guy out :D
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

SlammedDime

The publicly known exploit for 1.1.5 will not work on this board. It only works on Win32-based web servers.
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods: SimpleSEF, Ajax Quick Reply, Sitemap

Deprecated

Me too pard, me too! That really chaps my hide what that hacker did.

Another thing I intend to do is to start tracking down the hacker from his IP address and any other details I might find. I may get no further than finding his geographic location, but I would like to know where this attack came from, if for no other reason than my own curiosity.

If somebody else does the job please post (or PM) the hacker's IP address.

Deprecated

Quote from: SlammedDime on October 09, 2008, 12:10:32 PM
The publicly known exploit for 1.1.5 will not work on this board. It only works on Win32-based web servers.

Then how did the hacker get in? All the earlier posts in this topic indicate that he got in through an exploit.

DirtRider

When he got in it was still 1.1.4; he upgraded to 1.1.5. And please keep me in the loop when tracking him down. I also hope that the staff here will now ban him. He will be the second hacker we have had here taking advantage of this forum.

Deprecated

Hey Slam, if you get the job please post a note so the rest of us can relax and go do something else. :)

DirtRider

Well, let's hope this is him sorting it out and not the hacker killing the database.

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

pipedreams

Thank you Deprecated, for your offer of help. I would greatly appreciate it!! I have sent the info through PM.

And SlammedDime, thank you for your warning as well, I understand Deprecated is not SMF team (and so SMF team can't vouch for him) but an external party that you do have some knowledge of.

For me, it is well worth the risk... I don't doubt Deprecated's good intentions :)

SlammedDime

Very well :) I do believe you're in good hands.

DirtRider

Congratulations Deprecated, and while you are there please restore my user account DirtRider. I think it was either locked or the e-mail address has been changed :D

DirtRider

SlammedDime, what are you guys going to do about his account here? I see he was online earlier today reading this thread. :o

SlammedDime

I've already brought it to the Project Manager's attention.

DirtRider

Cool. What a low thing for this guy to do, but then this is what turns them on, I suppose.

Deprecated

Okay I've got pipedreams' details and I'm on the job. And Slam, thank you for the compliments. :)

Let me get the hacker's IP address before anybody does anything about the person at SMF being suspected of doing the bad deed. It might be the same person and might not. I haven't seen sufficient evidence in posts but there may be additional information that I'm not aware of. I will communicate the IP address to Slam via PM and let him inform the proper parties.

I'll post status here as I work so you can all enjoy this vicariously. :)

brb...

Deprecated

Okay, the first step is done. I've taken the forum down and it's now impossible for the hacker (or anybody) to log in to SMF. :)

http://www.madphilosophers.com/

I'm gonna go kill all the admin accounts now. (Demote any admins to regular members.)

DirtRider

 :D I love this

Service temporarily suspended while we kick out a hacker.

Deprecated

Heh. ;)

All the admins are gone now. I wanted to satisfy myself that he didn't hide an admin account under additional groups.

Actually the only admin account was willem. Presumably the hacker was using his account.

It's not clear to me if the forum requires an upgrade because I don't know for sure whether or not the hacker got in by a security vulnerability or by somebody leaking their password. I could use a little bit of advice here because I don't want to upgrade the SMF if it isn't required to keep the hacker out.

Comments?
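The admin audit described in the post above (including the check for an admin group hidden under additional groups) and step 2 of the agenda earlier in the thread can be scripted. The following is an added example, not code posted by anyone in this thread. It runs against a constructed in-memory table; the column names (`ID_MEMBER`, `memberName`, `ID_GROUP`, `additionalGroups`) and the group ids (1 for Administrator, 0 for regular member) are assumptions modelled on the SMF 1.1 `smf_members` table and should be checked against the real schema.

```python
import sqlite3

ADMIN_GROUP = 1   # assumption: id of SMF's built-in Administrator group

def build_sample_db():
    """Constructed stand-in for smf_members; column names are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smf_members (ID_MEMBER INTEGER PRIMARY KEY, "
               "memberName TEXT, ID_GROUP INTEGER, additionalGroups TEXT)")
    db.executemany("INSERT INTO smf_members VALUES (?, ?, ?, ?)", [
        (1, "owner", 1, ""),            # ordinary, visible admin
        (2, "regular", 0, ""),
        (3, "moderator", 2, "9,11"),    # group 11 must not be read as group 1
        (4, "sleeper", 0, "4, 1"),      # admin granted only as a secondary group
    ])
    return db

def parse_groups(csv):
    return {int(p) for p in (csv or "").split(",") if p.strip().isdigit()}

def find_admins(db):
    """Return (id, name, where) for every account holding the admin group."""
    hits = []
    rows = db.execute("SELECT ID_MEMBER, memberName, ID_GROUP, additionalGroups "
                      "FROM smf_members ORDER BY ID_MEMBER")
    for mid, name, primary, extra in rows:
        if primary == ADMIN_GROUP:
            hits.append((mid, name, "primary"))
        elif ADMIN_GROUP in parse_groups(extra):
            hits.append((mid, name, "additional"))
    return hits

def demote_admins(db):
    """Remove the admin group from both columns, keeping all other groups."""
    changed = 0
    for mid, _name, _where in find_admins(db):
        primary, extra = db.execute("SELECT ID_GROUP, additionalGroups FROM "
                                    "smf_members WHERE ID_MEMBER = ?", (mid,)).fetchone()
        keep = sorted(parse_groups(extra) - {ADMIN_GROUP})
        new_primary = 0 if primary == ADMIN_GROUP else primary  # 0: regular member (assumed)
        db.execute("UPDATE smf_members SET ID_GROUP = ?, additionalGroups = ? "
                   "WHERE ID_MEMBER = ?", (new_primary, ",".join(map(str, keep)), mid))
        changed += 1
    db.commit()
    return changed

if __name__ == "__main__":
    db = build_sample_db()
    print(find_admins(db), demote_admins(db), find_admins(db))
```

Parsing the secondary-group list into integers, rather than substring matching, is what keeps group 11 from being mistaken for group 1.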

RustyBarnacle

I liked the suggestion of just starting from scratch with a fresh install, just in case he left something behind.
