Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Karlanse on March 15, 2011, 06:48:44 PM

Title: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 15, 2011, 06:48:44 PM
I run a moderately-sized SMF 2.0 forum. It started as SMF 2.0 RC3 and was then upgraded to RC5 when the update came out. Recently I've been repeatedly hacked by this hacker named 'z3r0w1zard'. If you do a Google search on him, you can see that he has had several hacks under his belt, that he is Albanian, in the hacker group AHG (Albanian Hacker Group), and has a video on YouTube where he showcased his SQL injection of another site. So, a typical script-kiddie. I would provide links if I could post external URLs.

The way he compromises my forums is by hacking into my account first; he can change my account's info without being logged into the forums as an admin or moderator (or even with the forums in maintenance mode). The first time he hacked me, he changed my account info and logged into my account on the forums, and then edited pages like index.template.php to display his 'banner' or header saying "this site was hacked by z3r0w1zard", etc. The other forum admin then logged on, removed my account's admin and banned it. A couple of hours later, we found out that the hacker was able to re-give my account admin and remove the ban. He removed the ban by dropping the entire "smf_ban_items" table.
Then, I changed Maintenance Mode to 2 in Settings.php, which rendered the board unviewable at all. A few hours later the hacker dropped 20 tables from the database. I responded by deleting the entire forums directory and database. Installed a fresh new copy of SMF 2.0 RC5 with no custom themes or mods except the 'Forum Firewall' mod. Restored a copy of the forum database from a week ago. The database password was changed to a new one. I set the new forum installation to maintenance mode (Maintenance Mode = 1) and went to sleep.
This morning, I woke up, got on the forums, it saved my session from last night and auto-logged me in (so this means he did not try to log into my account yet), tried to get into the admin panel, and it said the password was incorrect. I was like huh? Opened up phpMyAdmin and looked at the members table, and behold, my account info was changed again. My member_name is now z3r0w1zard. So he is able to SQL-inject and alter fields in the database.

Here's what I know

Considering that a fresh installation of RC5 didn't stop this hacker from easily altering my account info in the database, I'm out of ideas as to what to do to improve my forum's security to remove this vulnerability. Anybody got any ideas?

Thanks
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Road Rash Jr. on March 15, 2011, 07:01:35 PM
Interesting, have you talked with your service provider? What did they say?
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: SlammedDime on March 15, 2011, 07:02:49 PM
Have you asked your host if anyone else on the same server is having problems?  If he's compromised someone else and the server isn't setup properly, he could easily get to anyone on the server, including you.  There are no known security holes in RC5 that could cause anything like this.

Do you have website access logs (normally available through cPanel)?  If he was using any part of SMF to hack in, this would be revealed in the access logs.  If there is no trace of him in the access logs, he's into the server itself somehow, which your host will have to look into.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 15, 2011, 07:46:04 PM
I've talked to InMotion (the host)'s customer support twice. Each time they've said the generic you-know-whats when dealing with a hacker, and I just talked to a rep again and he said no, the other accounts have no problems, it seems to be isolated to just your forums. And I do see him in the raw access logs. His IP changes constantly, so it's hard to track him.

Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Bluearrow on March 16, 2011, 01:26:07 AM
Maybe the reseller or VPS account to which your shared account belongs has been compromised. It sounds a lot like something's wrong on the hosting side rather than with the forum.

I know it's kind of really troublesome, but how about moving your forum to another hosting account with a fresh installation and seeing if you still have the problem.

Also there might be a tiny possibility of having a keylogger in your pc.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: SlammedDime on March 16, 2011, 11:14:59 AM
Can you attach the raw access logs to your post and kinda point out which IP's are his?
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Xarcell on March 16, 2011, 11:54:08 AM
Quote from: Bluearrow on March 16, 2011, 01:26:07 AM
Maybe the reseller or VPS account to which your shared account belongs has been compromised. It sounds a lot like something's wrong on the hosting side rather than with the forum.

I know it's kind of really troublesome, but how about moving your forum to another hosting account with a fresh installation and seeing if you still have the problem.

Also there might be a tiny possibility of having a keylogger in your pc.

I agree with this.

I once kept getting hacked. I later found out that I hadn't updated FileZilla (like for over a year), and I was compromised through it, in which the hacker got my username & password. He never really hacked through the forum itself, but rather he hacked me through FileZilla. There are so many ways you can be hacked, don't always assume it's the software.

I had about 7 sites at the time, he hacked all of them. Now I use a different username/password for every domain FTP, and DB. In case it happens again, he won't be able to hack all my sites at once.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: kat on March 16, 2011, 12:56:31 PM
Sadly, FileZilla saves your password in plain text. It's not even encrypted. :(

http://visibleblog.blogspot.com/2010/07/filezilla-security-issues-hackers-are.html

One reason that I use Total Commander, instead. ;)
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 20, 2011, 01:40:29 PM
How could I be hacked through FileZilla? He's got to send me a trojan or something?
This time when he hacked it he edited the index.php file in the main forum directory to advertise himself. Is there a file permission problem?

Update: Apparently he can modify files outside of the /forums folder. He changed my www/index.html file. So he was able to change my site's main page. Does this mean it's something hacked outside of SMF? Or can SMF access files outside of the forums directory?


Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Arantor on March 20, 2011, 01:43:53 PM
Quote
How could I be hacked through FileZilla? He's got to send me a trojan or something?

FileZilla holds the passwords to your FTP in plain text. Any other program, like a trojan, can then access it - and log into the server as you to hack the files.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: redone on March 20, 2011, 01:48:42 PM
Switch webhosts, certainly always run the most recent copy of any FTP client. Use decent username and passwords for every site you have.

I have used FileZilla for years with no issues at all. If you have been compromised once then who knows what they left behind.

Might not even be directly your fault - could have been an issue with the host too, who knows. Very seldom is SMF to blame for such things.

~RedOne
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 20, 2011, 01:52:56 PM
Quote from: Arantor on March 20, 2011, 01:43:53 PM
Quote
How could I be hacked through FileZilla? He's got to send me a trojan or something?

FileZilla holds the passwords to your FTP in plain text. Any other program, like a trojan, can then access it - and log into the server as you to hack the files.

I never download anything and I've scanned my computer with multiple scanners right after the hacking occurred and they all showed nothing. If he put a trojan on my PC I think he could have gotten a lot more than just FTP passwords to my site, he could have also gotten my FTP password to my server. He could even have keylogged me and gotten all infos like credit card info.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: kat on March 20, 2011, 02:13:37 PM
Seems, to me, like you want to change your host.

Like NOW!
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: safeacid on March 20, 2011, 03:42:37 PM
I had a similar story.

But the guy just created and uploaded index.html with his records... cracked by bla bla bla.

I had used FTP PRO with a crack at the time; probably there was a hole.

Did you use 3rd-party programs to upload any files to your host???
Maybe the problem is with your provider, as somebody mentioned above.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Arantor on March 20, 2011, 04:04:56 PM
If you use cracked software, you should typically expect bad things. I use WinSCP personally and don't have such issues...
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 20, 2011, 04:31:41 PM
I use FileZilla and it's open source freeware.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: safeacid on March 20, 2011, 05:06:33 PM
I do not trust all those programs.
As you are aware, FTP is not secure at all; the best solution is to use FTPS.
Anyway, many worms and trojans are now available; your computer could be infected and sending all typed info from your PC to bad boys.

Use Linux and the control panel of your host provider.

SURE YOU ARE SAFE!
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 20, 2011, 09:34:34 PM
So, considering he has access to my WWW folder, does it mean he has access to my FTP? Or cPanel?

Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Arantor on March 20, 2011, 09:45:23 PM
Likely both on the basis that in most cases the password is the same.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 20, 2011, 09:50:50 PM
Well, I guess I phrased my question not exactly clearly; I wanted to ask that, given we know this hacker's ability/access to replace/edit files in my main www folder, does this mean the ONLY way to do it is through the FTP or control panel file manager? Are there other ways to edit files in the www folder without knowing login credentials? Like, is there a way to include a script or install a backdoor shell on the hosting account and access it via those methods?


Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Arantor on March 20, 2011, 10:00:16 PM
Not at all, no.

If they have access through your account credentials, they can edit anything in www by pretending to be you.

But they might not be accessing via your account credentials, they might be on the server and executing commands through a different piece of software on a different account - if the file permissions allow them to edit the files.
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: SlammedDime on March 21, 2011, 11:39:04 AM
Looking through the logs you sent me, I can see what he is doing and it's pretty clear, but I can't access your forum any longer.  It looks like Settings.php is either wiped out or not there or has the wrong information.

Have you noticed any 'Password Reset' emails come to your email box throughout any of this?

On a side note, can you look in your Themes/core/css directory and see if there is a file named cb.php.  If so, please download it, zip it up and send me a link to download it so I can view it, then delete it from the directory.
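The check SlammedDime is asking for, written out as an added example that is not part of this thread and not SMF's own tooling: it flags, in Apache-style access logs or on disk, any PHP file sitting in a directory of an SMF 2.0 tree that should hold only static assets (such as Themes/core/css/cb.php). The log lines, addresses and the list of asset-only directories are constructed assumptions for the example.

```python
import re
from pathlib import Path

# Constructed sample Apache combined-log lines (not from the thread; IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2011:03:12:07 +0000] "GET /forums/index.php?action=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Mar/2011:03:14:51 +0000] "POST /forums/Themes/core/css/cb.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2011:03:15:02 +0000] "GET /forums/Themes/core/css/index.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2011:03:15:40 +0000] "GET /forums/Themes/core/index.template.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed asset-only locations in an SMF 2.0 tree: theme css/images/scripts subfolders plus
# upload directories. A theme's own *.template.php lives one level up, so it is not matched.
STATIC_DIR_RE = re.compile(r'(?:^|/)(?:themes/[^/]+/(?:css|images|scripts)|attachments|smileys|avatars)/', re.I)
PHP_EXT = (".php", ".phtml", ".php3", ".php5")

def is_php_in_static_dir(path: str) -> bool:
    """True when a server-side script sits where only static assets should be."""
    clean = path.split("?", 1)[0].lower()
    return clean.endswith(PHP_EXT) and STATIC_DIR_RE.search(clean) is not None

def suspicious_requests(log_text: str) -> list:
    """Return (ip, timestamp, method, path, status) for every hit on a script in a static dir."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_php_in_static_dir(m.group("path")):
            hits.append((m["ip"], m["ts"], m["method"], m["path"], m["status"]))
    return hits

def scan_forum_tree(forum_root: str) -> list:
    """On-disk version of the same check: PHP files found under asset-only directories."""
    root = Path(forum_root)
    found = []
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and is_php_in_static_dir(rel):
            found.append(rel)
    return sorted(found)

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", *hit)
    # scan_forum_tree("/path/to/forums") lists the same kind of files on a real install.
```

A file flagged by either function is worth preserving for analysis (copy it out with its timestamps) before it is removed, and the requesting IPs give the host something concrete to look for in the rest of the server's logs.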
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Karlanse on March 21, 2011, 02:36:50 PM
Quote from: SlammedDime on March 21, 2011, 11:39:04 AM
Looking through the logs you sent me, I can see what he is doing and it's pretty clear, but I can't access your forum any longer.  It looks like Settings.php is either wiped out or not there or has the wrong information.

Have you noticed any 'Password Reset' emails come to your email box throughout any of this?

On a side note, can you look in your Themes/core/css directory and see if there is a file named cb.php.  If so, please download it, zip it up and send me a link to download it so I can view it, then delete it from the directory.
I took the forums down by renaming the directory since there's no reason for it to be up while I'm migrating hosts. I could put it up at any moment's notice if you would like to take a look at it.

No, I have not noticed any password resets. Between the couple of times that he hacked my forums, I've either had my secret question as some random button mash, or had it blank and not set, and it seemed to have made no difference. I just checked my hosting webmail and my own email web address and both do not have any password reset emails, although I noticed that every time he hacked me he changed the email address to his.

There is indeed a cb.php file in that directory and it was modified on the day of hacking, sending it to you now.

Thank you sir
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: dahuamao on July 27, 2011, 10:51:16 PM
I have a similar problem to his. My forum has been hacked twice. But I have not found the reason yet. I need some help.
I am using an FTP account. I did not find cb.php in the Themes/core/css directory.
I don't know how to repair it. Who can help us?
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Xarcell on July 27, 2011, 11:00:59 PM
Quote from: dahuamao on July 27, 2011, 10:51:16 PM
I have a similar problem to his. My forum has been hacked twice. But I have not found the reason yet. I need some help.
I am using an FTP account. I did not find cb.php in the Themes/core/css directory.
I don't know how to repair it. Who can help us?

Can we see your site?
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: dahuamao on July 27, 2011, 11:21:41 PM
I have sent a PM to you.

Quote from: Xarcell on July 27, 2011, 11:00:59 PM
Quote from: dahuamao on July 27, 2011, 10:51:16 PM
I have a similar problem to his. My forum has been hacked twice. But I have not found the reason yet. I need some help.
I am using an FTP account. I did not find cb.php in the Themes/core/css directory.
I don't know how to repair it. Who can help us?

Can we see your site?
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: dahuamao on July 27, 2011, 11:25:35 PM
Also, they changed the index.php to their page, like this http://www.zone-h.com/mirror/id/13410497; Hacked by JH-TEAM
Title: Re: SMF 2.0 RC5 keeps getting SQL hacked by a hacker
Post by: Xarcell on July 27, 2011, 11:30:25 PM
Quote from: dahuamao on July 27, 2011, 11:25:35 PM
Also, they changed the index.php to their page, like this http://www.zone-h.com/mirror/id/13410497; Hacked by JH-TEAM


You will need to open your own topic so that people can help you properly.

If your index.php was changed, they either got your FTP login details from your FTP client or cPanel. They hacked you to get the FTP details before they hacked your site. It will happen again unless you take precautions to protect yourself first. Run a virus/malware remover, and change your FTP password to something more complex before attempting to fix your site.

The change they made is causing the "Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/wwwroot/Settings.php on line 4" error. Not sure which file though. Look at your Settings.php file for anything suspicious.