Problems with my SMF forums

Started by domineaux, October 30, 2008, 11:39:11 PM

domineaux

Just lost my forums to a hacker.

Are there any discussion groups available to discuss security for SMF sites?

I've got several more up, but they are on entirely different types of discussions.

--------------------------------------

I noticed several other forums in the same areas of discussion have also been hacked over the past few weeks.

Not quite sure how it was done, and mostly I don't know what to look for. 

I just deleted the folder, and restored from backup.  The problem is the vulnerability is still there.

I will be glad to discuss in PM, but I don't want to give the friggin' ferret hacker any publicity.

So, I'll not mention anything specific in a posting.

Hey, I'd really feel bad if it was only my SMF forums, but several of the other forums I mentioned as hacked were vBulletins.

Anyway, I can handle some links or suggestions, or other help.

Thanks.

I don't think Google is the best go for any help on this. I wouldn't doubt the hackers probably have further complications prepared for those that look for help.

After all, it's all a game to them.





metallica48423

#1
If you know that SMF was the point of exploitation and/or know of a specific security issue to report, then please give us a security report at the url below:
http://www.simplemachines.org/about/security.php

Keep in mind that hackings can often originate on a single account on the server -- and it doesn't necessarily have to be yours -- if the server is set up in an insecure manner.   Other software on the server can also cause problems for all accounts on the site -- as you might have noted with the vBulletin forums that were also hacked.  It may also be host-specific or perhaps an actual exploit in the server's software.  You should contact your host to determine the point of entry.  Once that's determined, then you/they can determine how to plug that hole up.

But please do let us know if it's something in SMF.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote: Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


domineaux

Darn...

I've deleted the forums folder, the MySQL.  I even deleted the account from the host server.  I have a reseller account with WHM access.  I was planning to just reinstall the latest SMF and take some careful measures to assure security.  I do have backups, but I was thinking the twit may have corrupted more of the site than I am aware.

The forums did have a linking from the forums to a Joomla 1.0 where I had only a downloads section.  The downloads section had an upload ability.  It did require approval of any uploaded files.  HTML was not permitted as a MIME type, but that could very well be the point of entry.

Regardless, the pain will be felt rebuilding the forums.  I did notice a downloads module now for SMF, so that will probably be the course I take this time.

The SMF has been most excellent security for several years, so I guess I got a little lazy about security. 

青山 素子

Quote from: domineaux on October 31, 2008, 12:52:40 AM
I have a reseller account with WHM access.  I was planning to just reinstall the latest SMF and take some careful measures to assure security.  I do have backups, but I was thinking the twit may have corrupted more of the site than I am aware.

The level of intrusion really depends on the entry point and how well partitioned the sites were from each other (if the intrusion was through a site). I don't know how WHM/cPanel manages things so I can't comment on the security measures used by default.


Quote from: domineaux on October 31, 2008, 12:52:40 AM
The forums did have a linking from the forums to a Joomla 1.0 where I had only a downloads section.  The downloads section had an upload ability.  It did require approval of any uploaded files.  HTML was not permitted as a MIME type, but that could very well be the point of entry.

How old was the Joomla! install? There have been quite a few security issues over time in that software, and you could have been hit by something there.

Also, as a general rule, disable register_globals if you can. Even though it's been recommended to be off for years, it's still on by default with way too many hosts. Having that off can save you in a lot of cases, and at least will make software with poorer coding more obvious so you can replace it quicker.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


domineaux

Motoko-chan

There are nine more sites on the same hosting server.  It is a shared hosting.  I think the security is adequate, at least as far as this hack is concerned.

All the other sites are up and working well.

The Joomla install was over 1 year old.  I installed it just about the time the 1.5 betas were being released.  As I recall, register_globals was off.   I will check that in the php.ini on the other sites for sure.
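
Added example, not part of the original thread: one way to run the register_globals check discussed above across several sites on one server. It reports every `php.ini`, `.user.ini` or `.htaccess` under a directory that sets the directive; the function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit register_globals settings across per-site PHP configs.

# Print the effective state set by one file: "ON", "OFF", or nothing if unset.
rg_state() {
    awk '
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        if (line ~ /^[;#]/) next                      # ini / Apache comment line
        if (line ~ /^register_globals[ \t]*=/) {      # php.ini, .user.ini syntax
            sub(/^[^=]*=/, "", line)
        } else if (line ~ /^php_(flag|value)[ \t]+register_globals[ \t]/) {
            sub(/^[^ \t]+[ \t]+[^ \t]+/, "", line)    # .htaccess syntax
        } else {
            next
        }
        sub(/;.*/, "", line)                          # trailing ini comment
        gsub(/[" \t\r]/, "", line)
        state = (line ~ /^(on|1|true|yes)$/) ? "ON" : "OFF"  # last setting wins
    }
    END { if (state != "") print state }' "$1"
}

# List "STATE<TAB>FILE" for every config file under $1 that sets the directive.
audit_register_globals() {
    find "$1" -type f \( -name php.ini -o -name .user.ini -o -name .htaccess \) |
    sort |
    while IFS= read -r f; do
        s=$(rg_state "$f")
        if [ -n "$s" ]; then printf '%s\t%s\n' "$s" "$f"; fi
    done
}

# Constructed sample layout standing in for three sites on one server.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/public_html" "$d/site2/public_html" "$d/site3/public_html"
    printf '; defaults\nregister_globals = On\n' > "$d/site1/public_html/php.ini"
    printf 'php_flag register_globals off\n' > "$d/site2/public_html/.htaccess"
    printf ';register_globals = On\nmemory_limit = 32M\n' > "$d/site3/public_html/php.ini"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_register_globals "$sample"
rm -rf "$sample"
```

A site that does not appear in the output sets nothing locally and inherits the server-wide default, so confirm the effective value there with `phpinfo()` or `php -i`.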