SMF 2.0 RC5 keeps getting SQL hacked by a hacker

Started by Karlanse, March 15, 2011, 06:48:44 PM


Karlanse

I run a moderately-sized SMF 2.0 forum. It started out as SMF 2.0 RC3 and was upgraded to RC5 when the update came out. Recently I've been repeatedly hacked by a hacker named 'z3r0w1zard'. If you do a Google search on him, you can see that he has several hacks under his belt, that he is Albanian, in the hacker group AHG (Albanian Hacker Group), and has a video on YouTube where he showcases his SQL injection of another site. So, a typical script kiddie. I would provide links if I could post external URLs.

The way he compromises my forums is by hacking into my account first; he can change my account's info without being logged into the forums as an admin or moderator (or even with the forums in maintenance mode). The first time he hacked me, he changed my account info, logged into my account on the forums, and then edited pages like index.template.php to display his 'banner' or header saying "this site was hacked by z3r0w1zard", etc. The other forum admin then logged on, removed my account's admin rights and banned it. A couple of hours later, we found out that the hacker was able to give my account admin back and remove the ban. He removed the ban by dropping the entire "smf_ban_items" table.
Then I changed Maintenance Mode to 2 in Settings.php, which made the board completely unviewable. A few hours later the hacker dropped 20 tables from the database. I responded by deleting the entire forums directory and database. Installed a fresh new copy of SMF 2.0 RC5 with no custom themes or mods except the 'Forum Firewall' mod. Restored a copy of the forum database from a week ago. The database password was changed to something new. I set the new forum installation to maintenance mode (Maintenance Mode = 1) and went to sleep.
This morning I woke up and got on the forums; it had saved my session from last night and auto-logged me in (so this means he had not tried to log into my account yet). I tried to get into the admin panel and it said the password was incorrect. I was like, huh? Opened up phpMyAdmin and looked at the members table, and behold, my account info had been changed again. My member_name is now z3r0w1zard. So he is able to SQL-inject and alter fields in the database.

Here's what I know

  • my webhost is shared hosting, with SSH disabled
  • my passwords for cPanel, MySQL and the forum account are all very secure and consist of randomly keyboard-mashed 15+ characters, so brute-forcing is out of the question
  • my website itself is simple HTML-based, so it's just the forum itself that's being hacked
  • he has never changed the other forum admin's account info or compromised it
  • he is able to change my account's info such as username, password, etc., as said in the paragraphs above
  • my account has a member_id of 1 and is first in the members table, which we believe may be significant for his code injections
  • even when maintenance mode was set to 2, he was able to drop tables in my database
  • originally I thought he exploited a theme that was made for SMF RC1-3, but since he SQL-injected again after the fresh installation, that must not be it
  • The current SMF 2.0 RC5 installation is vanilla except for the mod 'Forum Firewall' and the attachments folder, which I restored from previous backups. All other folders such as smilies, avatars, themes, etc. are untouched.
  • Forum logs show nothing suspect
  • PHP logs show lines such as:
        [15-Mar-2011 09:05:00] PHP Warning:  mysql_real_escape_string() expects parameter 2 to be resource, boolean given in /home/***/public_html/forums/Sources/Subs-Db-mysql.php on line 143   (about 60k+ occurrences)
        PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 237170684 bytes) in Unknown on line 0
        [14-Mar-2011 06:03:12] PHP Fatal error:  Call to undefined function  db_fatal_error() in /home/***/public_html/forums/Sources/Subs-Db-mysql.php on line 77
  • I ran the kb_scan.php tool both on the site and on the forums; nothing was infected
  • The other admin and I both have home PCs, and we're pretty sure we're not affected by keyloggers/trojans, etc. And both of our usernames (member_id) and our display names are different

Considering that a fresh installation of RC5 didn't stop this hacker from easily altering my account info in the database, I'm out of ideas as to what to do to improve my forum's security to remove this vulnerability. Anybody got any ideas?

Thanks

Road Rash Jr.

Interesting, have you talked with your service provider? What did they say?
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

SlammedDime

Have you asked your host if anyone else on the same server is having problems?  If he's compromised someone else and the server isn't set up properly, he could easily get to anyone on the server, including you.  There are no known security holes in RC5 that could cause anything like this.

Do you have website access logs (normally available through cPanel)?  If he was using any part of SMF to hack in, this would be revealed in the access logs.  If there is no trace of him in the access logs, he's into the server itself somehow, which your host will have to look into.
SlammedDime
Former Lead Customizer
BitBucket Projects
GeekStorage.com Hosting
My Mods: SimpleSEF, Ajax Quick Reply, Sitemap, more...
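The access-log check SlammedDime describes above, as an added worked example (not part of the original thread, and not SMF or cPanel code): it parses Apache combined-format lines of the kind cPanel exposes as "Raw Access Logs", URL-decodes each query string, flags SQL-injection markers and requests for PHP scripts that a stock SMF 2.0 install does not serve directly, and counts hits per source IP. The log lines in SAMPLE_LOG are constructed for illustration, and KNOWN_PHP (the list of top-level scripts a stock install serves) and the /forums/ prefix are assumptions.

```python
"""Triage a cPanel "Raw Access Log" (Apache combined format) for web-application attacks.

Added example, not part of the original thread. The lines in SAMPLE_LOG are
constructed; the IPs, paths and timestamps are invented for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format, which is what cPanel's Raw Access Logs contain.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Crude SQL-injection markers, matched against the URL-decoded query string.
SQLI_RE = re.compile(
    r"(union(\s|\+|/\*.*?\*/)+select|information_schema|sleep\s*\(|benchmark\s*\(|"
    r"load_file\s*\(|into\s+(out|dump)file|'\s*(or|and)\s+[\w'\"]+\s*=|--\s|/\*!)",
    re.IGNORECASE,
)

# Top-level scripts a stock SMF 2.0 install serves directly (assumption about the
# stock file list). Any other .php under the forum, and any .php request below a
# subdirectory (Sources/, Themes/, attachments/...), is worth a closer look.
FORUM_PREFIX = "/forums/"
KNOWN_PHP = {"index.php", "ssi.php", "ssi_examples.php", "subscriptions.php"}

# Constructed sample: one normal profile view, one UNION-based injection attempt,
# one POST to a PHP file sitting in a theme's image directory, two benign hits.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2011:09:04:58 -0400] "GET /forums/index.php?action=profile;u=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2011:09:05:00 -0400] "GET /forums/index.php?topic=1.0%27%20UNION%20SELECT%201,passwd,3%20FROM%20smf_members--%20- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Mar/2011:09:07:13 -0400] "POST /forums/Themes/default/images/up.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2011:09:08:01 -0400] "GET /forums/index.php?board=2.0 HTTP/1.1" 200 9834 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2011:09:08:05 -0400] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return the field dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, forum_prefix=FORUM_PREFIX):
    """Return (ip, reason, request) tuples for every line that looks like attack traffic."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        request = f'{rec["method"]} {rec["target"]}'
        # Decode %27, %20, '+' etc. first: the markers are never visible in the raw line.
        if SQLI_RE.search(unquote_plus(query)):
            findings.append((rec["ip"], "sqli-pattern", request))
        if path.startswith(forum_prefix) and path.lower().endswith(".php"):
            script = path.rsplit("/", 1)[-1].lower()
            nested = path.count("/") > forum_prefix.count("/")
            if nested or script not in KNOWN_PHP:
                findings.append((rec["ip"], "unexpected-php", request))
    return findings


def hits_per_ip(findings):
    """Count findings per source IP so the noisiest addresses float to the top."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for ip, reason, request in found:
        print(f"{ip:15} {reason:15} {request}")
    print(hits_per_ip(found).most_common())
```

Because the poster says the attacker's IP changes constantly, a single address is a weak pivot; the user-agent string and the timestamps immediately before each file modification or table drop are usually better for tying the requests together. A hit on a PHP file under Themes/, attachments/ or avatars/ deserves particular attention, since nothing in those directories should be executed directly.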

Karlanse

I've talked to InMotion's (the host's) customer support twice. Each time they've said the generic you-know-whats when dealing with a hacker, and I just talked to a rep again and he said no, the other accounts have no problems, it seems to be isolated to just your forums. And I do see him in the raw access logs. His IP changes constantly, so it's hard to track him.


Bluearrow

Maybe the reseller or VPS account to which your shared account belongs has been compromised. It sounds a lot like something's wrong on the hosting side rather than with the forum.

I know it's really troublesome, but how about moving your forum to another hosting account with a fresh installation and seeing if you still have the problem?

Also, there might be a tiny possibility of having a keylogger on your PC.

SlammedDime

Can you attach the raw access logs to your post and kinda point out which IP's are his?

Xarcell

Quote from: Bluearrow on March 16, 2011, 01:26:07 AM
Maybe the reseller or VPS account to which your shared account belongs has been compromised. It sounds a lot like something's wrong on the hosting side rather than with the forum.

I know it's really troublesome, but how about moving your forum to another hosting account with a fresh installation and seeing if you still have the problem?

Also, there might be a tiny possibility of having a keylogger on your PC.

I agree with this.

I once kept getting hacked. I later found out that I hadn't updated FileZilla (for over a year), and I was compromised through it, which is how the hacker got my username & password. He never really hacked through the forum itself; rather, he hacked me through FileZilla. There are so many ways you can be hacked; don't always assume it's the software.

I had about 7 sites at the time, he hacked all of them. Now I use a different username/password for every domain FTP, and DB. In case it happens again, he won't be able to hack all my sites at once.

kat

Sadly, Filezilla saves your password in plain text. It's not even encrypted. :(

http://visibleblog.blogspot.com/2010/07/filezilla-security-issues-hackers-are.html

One reason that I use Total Commander, instead. ;)

Karlanse

How could I be hacked through FileZilla? He's got to send me a trojan or something?
This time when he hacked it he edited the index.php file in the main forum directory to advertise himself. Is there a file permission problem?

Update: Apparently he can modify files outside of the /forums folder. He changed my www/index.html file. So he was able to change my site's main page. Does this mean it's something hacked outside of SMF? Or can SMF access files outside of the forums directory?



Arantor

Quote: How could I be hacked through FileZilla? He's got to send me a trojan or something?

FileZilla holds the passwords to your FTP in plain text. Any other program, like a trojan, can then access it - and log into the server as you to hack the files.

redone

Switch webhosts, and certainly always run the most recent version of any FTP client. Use decent usernames and passwords for every site you have.

I have used FileZilla for years with no issues at all. If you have been compromised once, then who knows what they left behind.

Might not even be directly your fault - could have been an issue with the host too, who knows. Very seldom is SMF to blame for such things.

~RedOne

Karlanse

Quote from: Arantor on March 20, 2011, 01:43:53 PM
Quote: How could I be hacked through FileZilla? He's got to send me a trojan or something?

FileZilla holds the passwords to your FTP in plain text. Any other program, like a trojan, can then access it - and log into the server as you to hack the files.

I never download anything, and I scanned my computer with multiple scanners right after the hacking occurred and they all showed nothing. If he had put a trojan on my PC, I think he could have gotten a lot more than just the FTP passwords to my site; he could also have gotten my FTP password to my server. He could even have keylogged me and gotten all my info, like credit card info.

kat

Seems, to me, like you want to change your host.

Like NOW!

safeacid

I had a similar story

But the guy just created and uploaded index.html with his records... cracked by bla bla bla

At that time I was using FTP PRO with a crack; probably there was a hole.

Did you use third-party programs to upload any files to your host???
Maybe the problem is with your provider, as somebody mentioned above.

Arantor

If you use cracked software, you should typically expect bad things. I use WinSCP personally and don't have such issues...

Karlanse

I use FileZilla and it's open source freeware.

safeacid

I do not trust all those programs.
As you are aware, FTP is not secure at all; the best solution is to use FTPS.
Anyway, many worms and trojans are available now; your computer could be infected and sending everything you type on your PC to the bad boys.

Use Linux and the control panel of your host provider.

SURE YOU ARE SAFE!

Karlanse

So, considering he has access to my WWW folder, does it mean he has access to my FTP? Or cPanel?


Arantor

Likely both on the basis that in most cases the password is the same.

Karlanse

Well, I guess I didn't phrase my question very clearly; I wanted to ask that, given we know this hacker's ability/access to replace/edit files in my main www folder, does this mean the ONLY way to do it is through FTP or the control panel file manager? Are there other ways to edit files in the www folder without knowing login credentials? Like, is there a way to include a script or install a backdoor shell on the hosting account and access it via those methods?


