Security - SMF 2.0 RC3

Started by gedhara, February 21, 2011, 12:18:17 AM


gedhara

Please be kind enough to let me know how I can prevent my site being hacked - It is happening to me now - just the other day my site was hacked, and it had the webpage - login for this site www.EbnPaL.com,

Now I blocked the ip address of that site - But today when I logged in I found that the FONT SIZE had doubled or even more on whole body of the forum - where we have the boards, everything was very large -

Could anyone here please help to prevent such an attack, what have I to do as I am clueless

Thanks



Norv

First, please, upgrade your forum. RC3 is outdated, and further security fixes have been made.

Quote from: gedhara on February 21, 2011, 12:18:17 AM
Please be kind enough to let me know how I can prevent my site being hacked - It is happening to me now - just the other day my site was hacked, and it had the webpage - login for this site www.EbnPaL.com

This sounds like something else, a defacing of the site... which may or may not have a cause related to SMF. Could you please try to file a security report (link in my signature) and make available to us your webserver's access logs, and if possible, your FTP account transfer logs? They should be in your host's panel or accessible through your FTP account, in some folder named /logs or similar.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

gedhara

Am I to upgrade to RC4

This is the communication I had with Tech Staff - at my hosting company

I want to know how I can deactivate this as my Forum Firewall that I use says that it's - SECURITY RISK: MAGIC_QUOTES ARE ON!


the site was attacked a few hours back and I had all Arabic login page - from this site - www.EbnPaL.com

please let me know what I could do to prevent this type of attack.

It's very urgent


The Reply

Hello,

I have made some modifications, please try it again now.

Andrew P.

My reply

Now I do not get that, but when I came online today and opened the forum - the body of the forum was in VERY LARGE LETTERS

What can this be

They Replied

Hello,

Unfortunately I am not sure what that might be. I do not see any server issues or server compromises or any root level issues.

As requested, I have disabled magic quotes.

Andrew P.

I will upgrade and send you the info you need

Thanks a lot

Norv

I would suggest to upgrade to RC5 actually, since you're doing a large upgrade anyway.
Please see, if you may find useful: Upgrading SMF.

gedhara

I will upgrade to RC R - I have a security report - but I found that the logs were empty.

Please Let me know what I am to do to help you to help me out


Norv

You may want to check in your host's panel - or ask them - if logging is enabled, or ask them for the webserver logs and FTP logs. They might allow us (if they exist for the days when the hack happened) to see how exactly it happened.

gedhara

I have sent them a Ticket requesting will come to you as I receive a reply.

I am upgrading to RC5 - This forum which was started on 24th November 2010 has 2,444 Posts in 1,859 Topics by 990 Members,

Please Let me know what I am to do for you to help you to help me out

gedhara

I have upgraded to RC5, what are security packages/ modifications that you would suggest me to add

Thanks

gedhara

This has happened again XXX - The size of the fonts have become big please check it out and let me know -

This is what the hosting company says about the logging

Hello,

Unfortunately we do not keep track of logs - the only logs you have access to is via cpanel --> awstats or FTP logs.

If you want us to terminate and create a brand new account so that may help remove any compromise for your account, please let us know.


Andrew P.


I can get these from the cpanel


Raw Access Log Downloads Using FTP

You can download your raw access logs at the following URLs using the login gedhara_logs and your account password.
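
A sketch of what to look for once the FTP logs requested earlier in the thread are in hand. This is an added example, not part of the original posts: it assumes the host's FTP log uses the common xferlog format, and the sample lines, host addresses and paths are constructed. It lists uploads of page and style files (the kind of change that would alter the index page or font size) coming from addresses the owner does not recognise.

```python
from collections import defaultdict

# Constructed sample in xferlog format (assumed log format; not data from this thread).
SAMPLE_XFERLOG = """\
Mon Feb 21 09:14:02 2011 1 198.51.100.20 48211 /home/example/public_html/Themes/default/index.template.php a _ i r example ftp 0 * c
Mon Feb 21 23:41:37 2011 1 203.0.113.45 3120 /home/example/public_html/index.php a _ i r example ftp 0 * c
Tue Feb 22 07:02:11 2011 2 203.0.113.45 911 /home/example/public_html/Themes/default/css/index.css a _ i r example ftp 0 * c
Tue Feb 22 10:30:00 2011 4 198.51.100.20 2048000 /home/example/backup.sql b _ o r example ftp 0 * c
this line is not a transfer record
"""

WATCHED = (".php", ".css", ".js", ".htaccess")  # files that change what visitors see


def parse_xferlog(text):
    """Return one dict per well-formed transfer record; skip anything else."""
    records = []
    for line in text.splitlines():
        tok = line.split()
        # 5 date tokens + duration + host + size, then the path, then 9 trailing fields.
        if len(tok) < 18 or not (tok[5].isdigit() and tok[7].isdigit()):
            continue
        if tok[-7] not in ("i", "o", "d"):  # incoming, outgoing, deleted
            continue
        records.append({
            "time": " ".join(tok[:5]),
            "host": tok[6],
            "path": " ".join(tok[8:-9]),  # rejoin in case the path held spaces
            "direction": tok[-7],
            "user": tok[-5],
            "complete": tok[-1] == "c",
        })
    return records


def unknown_uploads(records, known_hosts):
    """Group uploads of watched file types by remote host, ignoring known hosts."""
    hits = defaultdict(list)
    for r in records:
        if (r["direction"] == "i" and r["host"] not in known_hosts
                and r["path"].lower().endswith(WATCHED)):
            hits[r["host"]].append((r["time"], r["path"]))
    return dict(hits)


if __name__ == "__main__":
    # 198.51.100.20 stands in for the owner's own address (assumption).
    for host, files in unknown_uploads(parse_xferlog(SAMPLE_XFERLOG), {"198.51.100.20"}).items():
        print(host, len(files), "upload(s)")
        for when, path in files:
            print("   ", when, path)
```

If the FTP log shows no uploads at the times the files changed, the change came through another route, and the web access log for the same time window is the next place to look.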

Norv

Thank you for the followup, I sent you an email.

Your website is hacked by a script at this moment as well. It seems the malicious user(s) have access to your account. The injection is typical for scenarios where security vulnerabilities of this scale have been exploited either in the software installed on the server or on your own computer (though there could be other avenues as well).
I suggest taking your host's advice too, and let them set up a different account for you, but also I will send you some more details.

gedhara

Thanks a lot for your guidance, which is greatly appreciated, I will get the hosting company to proceed after I backup my database,

Thanks a lot, will keep you informed

gedhara

I have emailed you the ftp details, Please let me know

Thanks a lot

Kind Regards

SOC Caesar

Have you tried installing Butch's Forum Firewall? Also consider ZBBlock from http://www.spambotsecurity.com/
Both of which I use and are excellent bits of kit.

gedhara

I got the hosting company to setup a new account, and had my computer checked as suggested, and the thing happened after about 8 hours. So what I did was to upload ONLY the index page and it was back to normal.

I will try the ZBBLOCK and also see, I want to know whether it can get into the database


gedhara

Quote
<?php include('/home/.........../public_html/zbblock/zbblock.php'); ?>

to all the pages you wish to protect, as near as you can to the top as you can, and definitely before any MySQL access occurs.


SOC Caesar, Please let me know where I am to insert that section

SOC Caesar

OK, using FTP, download your security.php, register.php and login.php. Also if you're using vbgamer45 Contact Page mod add the line to contact2.php as this will stop people listed on Stop Forum Spam from spamming your inbox also.
The first line is
<?php
Put your zb code before this so it looks like

<?php include('/home/.........../public_html/zbblock/zbblock.php'); ?><?php

Now upload your files back to the server. Make sure you use the php include that was generated while installing ZBBlock as the one above is just an example....
