Help with hack SouTHRaNDA wAs HeRE

Started by Scooby, January 02, 2012, 06:18:58 PM


Scooby

Could anyone give me advice on how to recover from a hack by SouTHRaNDA wAs HeRE? I am using Linux and Apache and SMF 2.0 RC5.
Not sure if the hack was into Linux or SMF, but my SMF index.php was changed, and installing a new version does not help.
More details of what I am using are available if needed.

Illori

There are several security issues with RC5; I would suggest you contact your host and upgrade to 2.0.2.

sonnenblende

Hi,

I had the exact same issue with two older SMF sites today.

Best way to fix is:

a) restore index.php and Settings.php from last backup (you should always run backups!)

b) make sure your index.php and Settings.php are NOT world/group writable!

c) make sure your /tp-images folder is NOT world/group writable!

d) remove the directory "File" from /tp-images (that's where they seem to break in)

e) by all means CHANGE your database and administrator passwords (part of the hack is them trying to pull a dump of your members table!)

That should clear it. Most important thing is indeed they must not be able to use PHP code to overwrite your index.php and Settings.php - depends on your host's setup if and how they can achieve that.

Regards,
Jerry

IchBin™

Quote from: sonnenblende on January 03, 2012, 01:07:33 PM
Hi,

I had the exact same issue with two older SMF sites today.

Best way to fix is:

a) restore index.php and Settings.php from last backup (you should always run backups!)

b) make sure your index.php and Settings.php are NOT world/group writable!

c) make sure your /tp-images folder is NOT world/group writable!

d) remove the directory "File" from /tp-images (that's where they seem to break in)

e) by all means CHANGE your database and administrator passwords (part of the hack is them trying to pull a dump of your members table!)

That should clear it. Most important thing is indeed they must not be able to use PHP code to overwrite your index.php and Settings.php - depends on your host's setup if and how they can achieve that.

Regards,
Jerry

I should note that I fixed the security issue with the tp-images/ folder back in TP 1 RC1.2. If you are not running TP on or after that version, you are vulnerable.
IchBin™        TinyPortal

Scooby

I have checked and made sure I have it all set as you suggest. I did have an old version of TP; I am not using it, but the directories and files are there, so I will sort that. I don't, however, have a File directory under tp-images, so I would guess they broke in some other way.

Do you know if this hack does get them the members table? I will email all the members anyway.
Thanks for the help.

IchBin™

If any hacker gains access to your file system, you can count on them getting database access from your Settings.php file. There have only been two security exploits to TinyPortal that I can recall. One that I fixed, which I mentioned in RC1.2. And the other one was from the FCKeditor that was exploited when TinyPortal included that as part of its code. If you have such an old version that still has the FCKeditor folder in it, I'd highly suggest you remove it or update your mod install.
IchBin™        TinyPortal

badping

I wanted to add a couple of things to this thread based on my experience this morning with this. After overwriting my Settings file and index file, I still had to overwrite my SSI file as well.
At that point I looked into my Packages for updates of my forum. I was informed I was running an outdated forum version.
I had 1.1.15 and needed to update to 1.1.16.
In my attempt, two PHP files failed in my Sources folder, Packages.php and MessageIndex.php.

So I overwrote those from the same backup I had prior to getting hacked, reran the update test, and both then passed with success and I updated. I then went and changed my admin PW and my database PW.

Looks like I am back up and running, and all seems good.

Final thoughts, are that I think you would need to also fix those two other PHP files in the Sources folder as they are somehow affected by the hack. I see no other way since the update passed after I fixed them from a recent backup.

Oh another note: Checking into my "File" folder in tp-images I saw a list of crazy html pages.

So I think that the goal is to shut your site down, harvest emails and host their own webpages containing whatever was on them. I did not want to visit any of the sites, just move on with my life.

Good luck and hope you do not have to deal with this - it's a waste of a couple of hours of your life, but at least it appears to be recoverable...

Intangir

Does anyone know how it actually works?
Is it the SMF code it exploits? Does the new patch fix it?
Or could it be a mod? I have TinyPortal.

I was also hacked and I'm doing a full restore just to be safe, but while it's running I don't want to be hacked again (I put the forum into maintenance mode, but I don't know if that will stop it).

Full restore is taking forever ;()

Has anyone been hacked again since updating? Do they get member passwords or anything?

Wow, on another note it took me about 12-13 'new images' before I could possibly comprehend the verification image... wtf?

Illori

This was an issue in TinyPortal, as IchBin posted. If there were further issues related to this, they would have been posted in the TinyPortal support thread.

Intangir

when i try to upgrade to 1.1.16 from 1.1.15 it says:

The package you are trying to download or install is either corrupt or not compatible with this version of SMF

Illori

If you do a search on the forum for that message you will find the fix; it has been posted several times.

Intangir

Any more direction than that? Because I DID do a search, I found TONS of posts, and most of them either say it doesn't work, or it did work.

A few say rezip it, which I tried; that didn't work.

There's gotta be more help out there than "it works" "it doesn't work" "I rezipped it"

because that is really not very useful.

JimM

@ Intangir - Did you get that message after clicking on the link in the admin center? If you did, try downloading the update file from here > http://custom.simplemachines.org/mods/downloads/smf_patch_1.0.22_1.1.16.tar.gz and install it like a mod with the Package Manager.
Jim "JimM" Moore
Former Support Specialist

slvreagl

Son of a **** I got hit with this today.....

slvreagl

Quote from: slvreagl on April 08, 2012, 11:53:23 PM
Son of a **** I got hit with this today.....

So I did the above recommendations and found my SSI.php was also attacked. After deleting and restoring all three files from a known good backup I am back up and running, and my database was not affected (I use a different password for database access). They attacked via FTP and simply overwrote my files that were writable. *Stupid mistake!* Not sure how they got my FTP password, but they have all been changed.

Also, I should note I got attacked running SMF 2.0.2 and TinyPortal 1.107.

MrPhil

Quote from: slvreagl on April 09, 2012, 10:11:39 PM
Not sure how they got my ftp password but they have all been changed.
Very easily if you have spyware on any PC used to administratively access your site. With a keystroke logger or password sniffer, a hacker knows your new password as soon as you type it in. Be sure to do a thorough spyware scan on your PC(s), and to change passwords again if the scan reveals any spyware. And of course, you have a firewall to stop unauthorized data transfers (such as sending out a captured password), right?

Note that ftp sends its password in clear text. That can be another route for grabbing your password. You may want to ask your host if they support SFTP (encrypted) file transfer.

Quote
Also should also note I got attacked running SMF 2.0.2 and TinyPortal 1.107
Probably irrelevant information, if they got in by knowing your FTP password.

IchBin™

Quote from: slvreagl on April 09, 2012, 10:11:39 PM
So I did the above recommendations and found my SSI.php was also attacked. After deleting and restoring all three files from a known good backup I am back up and running, and my database was not affected (I use a different password for database access). They attacked via FTP and simply overwrote my files that were writable. *Stupid mistake!* Not sure how they got my FTP password, but they have all been changed.

Also, I should note I got attacked running SMF 2.0.2 and TinyPortal 1.107.

A couple of things to note. If you are on shared hosting, it often happens that a hacker can compromise another site on the same server that you are on, which then gives them access to the rest of the sites on the server because the host doesn't have everything properly configured.

It's best to fill out a security report and to provide ALL the information asked for on that form.
http://www.simplemachines.org/about/smf/security.php
IchBin™        TinyPortal

Lord Anubis

Blah, this bastard got me too :o

Downloading my backup from 5 days ago, gonna take a bit since it's 300 GB.... LMFAO

IchBin™

IchBin™        TinyPortal

Lord Anubis

Thanks, Brad. I think I did remove the FCKeditor when I read about the vulnerability in the past.

Also noticed this hacker added 404.php files in a few folders (so others might want to look for that as well)

- Root
- Themes
- Sources

I already cleared these files from my server, and I didn't save them (so I can't post them up)
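The recovery steps collected in this thread (sonnenblende's check that index.php and Settings.php are not group/world writable and are restored from backup, slvreagl's finding that SSI.php was hit too, the tp-images/File directory, and the stray 404.php files Lord Anubis found in Root, Themes and Sources) can be turned into one triage script. This is an added example, not code from the SMF or TinyPortal projects or from anyone in the thread; it assumes a Linux host with POSIX sh, find and cmp, the forum web root as its first argument and a known-good backup copy of the same tree as its second, and it scans the whole tree for 404.php rather than only the three folders named.

```shell
#!/bin/sh
# Added triage helper; not from the SMF project or any poster in this thread.
# Assumes a Linux host with POSIX sh, find and cmp. $1 is the forum web root,
# $2 a known-good backup copy of the same tree taken before the defacement.
CORE_FILES="index.php Settings.php SSI.php"   # the files the thread saw overwritten
# Core files that group or others may write: that is what let the attacker
# overwrite them in place, so these should never be writable by the web server user.
check_core_perms() {
    for f in $CORE_FILES; do
        p="$1/$f"
        [ -f "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE: $p (group/other write bit set)"
        fi
    done
}
# Artefacts the posters reported: a tp-images/File directory full of foreign HTML,
# and stray 404.php files (seen in root, Themes and Sources; we scan the whole tree).
check_stray_files() {
    if [ -d "$1/tp-images/File" ]; then
        echo "SUSPECT: $1/tp-images/File exists (remove it; TP only stores images here)"
    fi
    find "$1" -name 404.php -print 2>/dev/null | while read -r s; do
        echo "SUSPECT: stray file $s"
    done
}
# Core files whose content differs from the backup: restore from backup, then re-run.
check_against_backup() {
    for f in $CORE_FILES; do
        if [ -f "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED: $1/$f differs from backup copy"
        fi
    done
}
# Run every check; exit 1 when anything was flagged so a cron job can alert on it.
triage() {
    out="$(check_core_perms "$1"; check_stray_files "$1"; check_against_backup "$1" "$2")"
    if [ -z "$out" ]; then
        echo "clean: no findings in $1"
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}
# Stand-alone use: sh triage.sh /var/www/forum /backups/forum-2012-01-01
# (with no backup path given, the content comparison is skipped by comparing a tree to itself)
if [ "$#" -ge 1 ]; then triage "$1" "${2:-$1}"; fi
```

Run it again after restoring the flagged files and tightening permissions; it should report "clean" before the board is taken out of maintenance mode.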
