Hi All,
I went to log in to my forum to find a screen saying SnakE1095 was here
HaCkeD By
~ SnakE1095 ~
.. Shame On You ...
You have awful security .. DuDe
Greetz 2 : SnipeR CoDe
[email protected]
.. ][ S1A ][ ..
Any help would be awesome
A link may help and the version of SMF you are running
http://www.express-forums.com/index.php
smf 1.1.6
Not good to hear on 1.1.6. Anyway looks like you will need to replace your index.php with a backup.
what do i do about improving my security?
Well this is the thing I think you should make out a bug report seeing it is 1.1.6. I would also contact your host as 1.1.6 is supposed to be secure
ok thanks for the help, any other info you come across please post it.
Thanks as always
Specifically, you should fill out a security report. You can do that at the page below:
http://www.simplemachines.org/about/security.php
Also, as DirtRider said, it's possible that they may have used an issue with your server configuration or another script on your website. You should ask your host about it.
Hey,
In the security report, where do I find Server Software, PHP Version, MySQL Version, server accesslog?
They should be in your hosting account area. If they aren't then you will have to ask your host what your server specs are.
Quote from: I AM Legend on October 20, 2008, 02:25:01 AM
Hi All,
I went to log in to my forum to find a screen saying SnakE1095 was here
HaCkeD By
~ SnakE1095 ~
.. Shame On You ...
You have awful security .. DuDe
Greetz 2 : SnipeR CoDe
[email protected]
.. ][ S1A ][ ..
Any help would be awesome
seems this person is going after everyone i know lol i run a site called stoned freeroam and that has been getting hacked nearly every other day by that same person
it turned out to be a server exploit and not smf, it hasn't happened since they fixed it
Bro how did you fix it?
i didn't, the host 3ix fixed it
awesome, thx bro
have been in contact with my host, waiting to see what they have to say on this matter, will keep you informed
Hi All,
ok my host says it is not a server exploit,
they said:
Please ensure you are fully up to date with security patches etc for. Aside from that you have full 777 permissions on some of your files and directories which leave your website open to exploitation. Please refer to your forum's help files for changing permissions to the correct levels.
If you require further assistance from us please let us know.
I am going to need help on changing permissions to safe guard my site from future attacks of this type, I will need a list of files/phps that should never be 0777 so I can go and change permissions to safe guard this ever happening again, only smf can help me with this.
I have also asked my host to provide me with the info below:
Server Platform
Server Software
PHP Version
MySQL Version
Server accesslog (Please only send us the logs from around the time the intrusion occurred)
Url of PHPinfo file
as soon as I receive it, I will fill out a security report for smf.
In the mean time, any help on the permissions issue would be great.
Thanks as always.
any help on permissions would be great ???
Well, chmod 777 isn't really a security risk (read the documentation below), although you may want to change your 'Settings.php' file so that it isn't chmoded to 0777.
Why chmod 777 is NOT a security risk (http://www.simplemachines.org/community/index.php?topic=2987.0)
Hi,
ok so is that it,
change the settings.php from 0777 to what? 644 or 766?
what else do i need to do to stop this happening again?
the index.php file was changed on the day of the hack, how do i stop that happening again?
the attachment here was the index file that was used, pull it into a firefox browser and you will see what I saw.
surely it cant be as simple as changing the settings.php file to 644 or 766 or something and this wont happen again?
thanks as always
I took a quick look at my Settings.php and it's set to 644. Out of curiosity, I checked my index.php and it was set the same, 644.
I can't help you with how to stop it from happening again. I don't know enough about hacking to know how he did it. :( Hopefully, someone else will have an idea or two.
thanks for the info
ok here is what I am doing at present, all directories and folders I'm setting to 755 and all files and all .php files setting to 644, if anyone has any better ideas now would be a good time to air them, thanks
Permissions didn't cause this problem. Having permissions as 777, doesn't mean people from the internet can change your files.
You may as well leave them as is as there will be minimal, if any difference.
ok cool, so what did cause this problem?
how did he get in ?
Hi All,
So does anyone have the answer to the questions I posted 3 days ago?
(ok cool, so what did cause this problem?
how did he get in ?)
I feel that this is weird, my forum was not upgraded from 1.1.5 to 1.1.6, it was a fresh 1.1.6 install, and so far the only help I have received on here about my forum being hacked was from a non smf staff member, his advice "you need to change the index.php file".
Smf staff have been telling me to go and look at various articles that say having your folders and files 777 is all fine.
Which from having read these articles no one else agrees with, this also includes my own host.
With help from my host, now none of my directory/folders and none of my files in them are 777 anymore.
Also each directory/folder is now password protected with different name and password for each directory/folder.
Doing it this way means, when you want to install a mod or whatever, you need to access your host cp, make packages 777, install whatever it is, then take 777 away again, and it does not take long at all to do it.
Safety is better than usability with open access to your forum.
I know SMF staff are busy, but whenever you have time, I'd still like an answer to my 2 posted questions from 3 days ago:
ok cool, so what did cause this problem?
how did he get in ?
Thanks as always
Rob
Well, the most obvious part is that he was able to access your root directory and replace your index.php with his. That means he somehow got access to your server. If it wasn't by guessing your username and password, he might have picked the information out of your Settings.php - which contains everything he'd need to know, to access your server.
While it's possible for someone to run a script to do all that, SM does its very best to protect those files. Your host blaming SMF for its lack of security measures is just as premature as any of us blaming your host. Ideally, you want BOTH to be as secure as possible. But flaws exist and hackers are in the business of locating those weaknesses.
How did he do it? Who knows. You'd have to ask the hacker. How can you stop it? Depends on what he used to get at your server. If he used your Settings.php file, then protect that file from him or someone like him, ever getting it again. Maybe protect your index.php from being modified or rewritten. But if he has server access, HE may be able to chmod the file (and any others that he wants to) all he pleases. That's a host security issue - if that were the case. He shouldn't be able to change the permissions on anything.
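One way to notice a replaced index.php quickly, as an added example that is not from the thread or from SMF: record SHA-256 hashes of the forum's .php files and compare them later. The function names and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: hash baseline for a forum's PHP files.
# Keep the baseline file outside the web root, ideally off the server.

# Use whichever SHA-256 tool the host provides.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Write "hash  ./path" for every .php file under $1 to stdout.
hash_tree() {
    ( cd "$1" && find . -type f -name '*.php' | sort |
        while IFS= read -r f; do sha256 "$f"; done )
}

# make_baseline <forum_dir> <baseline_file>
make_baseline() {
    hash_tree "$1" > "$2"
}

# check_baseline <forum_dir> <baseline_file>
# Prints each changed, added or removed file; returns 1 if any differ.
check_baseline() {
    drift=$(hash_tree "$1" | diff "$2" - | grep '^[<>]' |
        sed 's/^[<>] [0-9a-f]*  //' | sort -u)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Demo on constructed files standing in for a forum directory.
demo_dir=$(mktemp -d)
demo_base=$(mktemp)
printf '<?php // forum entry point\n' > "$demo_dir/index.php"
printf '<?php // database settings\n' > "$demo_dir/Settings.php"
make_baseline "$demo_dir" "$demo_base"
printf '<?php // replaced page\n' > "$demo_dir/index.php"
check_baseline "$demo_dir" "$demo_base" || echo "^ changed since baseline"
rm -rf "$demo_dir" "$demo_base"
```

Run from cron, a non-zero exit from check_baseline is the signal to compare the listed files against a clean backup.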
Woh, Ty Dude, for the info, and ty for the in depth info and lastly ty for responding to my post.
I find it funny in a way when most hosts blame SMF for security issues on their end. Either they can't figure it out or are too lazy to look into it further themselves until it becomes a global issue for all the users on their servers. For the most part, if you are using the latest SMF version it's pretty much as stable as it comes. There are cases when a new exploit is found and if that's the case, you may report it as mentioned earlier. From what I have seen, all the hacked forums that were outdated that had a similar message from the hacker were all due to their servers not being secure.
^ That's true for me, as well. Virtually every single hack-in I've seen or heard of was from insecure servers, too. "The usual culprit," as it were. Probably gives us a biased opinion against a few different hosts :)
I AM Legend? One other thing that should probably be mentioned is about server passwords. One of my SMF friends, here, gave me a link to check my password security. Because I use it, my passwords are even more difficult to *guess*. It's not a guarantee, but it helps.
http://www.microsoft.com/protect/yourself/password/checker.mspx
@greyknight17
Hi Dude, thanks for the reply, I am in no way blaming smf, I have been asking for help and frankly getting none.
I filled out the smf security report and heard nothing back, I posted and asked for help numerous times.
Having a forum is new for me, so, I have always come here and either asked for help from the smf staff or searched smf for the answers, rather than jumping on in there head first myself and making a complete mess of things and then lol asking for help.
I had a friend take a long look at both my smf package and my hosting package, he is a computer programmer of 20 years, he did not like all the 777 access but having said that, he did not like both my hosting package and the software the host is using.
He wrote an email for me to my host stating various things and improvements needed, lol made me very unpopular with my host, but such is life, always better to be safe than be sorry.
@ ChainLightning thanks for the help and info you have provided, my friend agreed with a number of points you made, main one, was email the hacker, not from my home pc, and ask how he/she did it.
I would never have thought of doing that to be honest.
I had changed all passwords to my forum and my host after the hack, when I changed folder permissions after the hack, I re changed all passwords for my host, my forum, and directories/folders and so on and tested them, they all came up as strong, which isn't the best, so I have re changed them all again lol, they now come up as "The Best", so Ty for the advice from both of you.
As for blaming my Host or Smf over my forum being hacked,
Whether my host is blaming Smf, or Smf is blaming my host, to be honest, I don't care, I am stuck in the middle of all of this still asking for help.
This comment will best explain how I feel on this, A guy once said to me, You don't like me at all, my reply was, I don't know you well enough to like or dislike you...
Thanks as always to the Smf staff who have always provided help to me.
Rob
Hi Rob, if you can try not to use 777 for the folders. Set all your main folders to 755 and the files to 644. This is just an extra security measure to take, but it won't matter much if the webhost is compromised due to a security snafu on their end. I'm sure SMF has bugs and security holes, but whenever they are found, the developers usually do a great job sending out an update to patch it up. Which brings me to one last thing. Make sure you have the latest version of SMF installed. A lot of users try to avoid it and some of them end up being hacked.
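The 755/644 scheme discussed in this thread, as an added shell example that is not part of any post: it lists world-writable entries (on a shared host, the ones any other local account can modify), then sets directories to 755 and files to 644. The sample tree and its file names are constructed.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a forum tree.
# The tree built below is constructed sample data, not a real install.

# Print every file or directory that has the world-writable bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count them, for a quick before/after comparison.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the scheme from the thread: directories 755, files 644.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a stand-in for a forum directory with 777 on everything.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Packages" "$root/attachments"
    : > "$root/index.php"
    : > "$root/Settings.php"
    : > "$root/Packages/installed.list"
    chmod -R 777 "$root"
    printf '%s\n' "$root"
}

FORUM_ROOT=$(make_sample_tree)
echo "world-writable before: $(count_world_writable "$FORUM_ROOT")"
list_world_writable "$FORUM_ROOT"
harden_tree "$FORUM_ROOT"
echo "world-writable after:  $(count_world_writable "$FORUM_ROOT")"
rm -rf "$FORUM_ROOT"
```

On a real install, run list_world_writable first and review the output before calling harden_tree, since some hosts need the web server user to own or write to specific directories.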