Our Site Forum has been hacked

Started by icfsindia, January 27, 2008, 07:01:34 PM


icfsindia

This is the URL: http://nerpu.com/forum/


It was fine a couple of days back, and now this is the message that appears.

Can you please let us know how to take care to ensure such a possibility does not arise?

I am in the process of shifting servers and am in a dilemma whether to use the software or not for my forum.

Quote

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked By Cold1A | RNSGROUP.ORG</title>
</head>

<body link="#000000" vlink="#000000" alink="#000000" bgcolor="#000000" style="text-align: center; background-attachment: fixed">

<p align="center"><font face="Tahoma" color="#FFFFFF" style="font-size: 22pt">
<b>Hacked By Cold1a</b></font></p>
<div align="center">

   <pre><b><font face="Tahoma"><img border="0" src="http://img124.imageshack.us/img124/2692/rnsgiulydemirzm21eu8.jpg" alt="Hacked By Giuly - Rns Group" width="750" height="562"></font></b></pre>

</div>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">We
Are :&nbsp; UnknowN - DeLiBeYaZ - Fuzbing - Cold1A - LifeLock - AydinKTL</font></p>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
Giuly - DistinguisheD - TURKBEY -&nbsp; izleyici - piyanisT </font></p>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
adry - Malatyal&#305; - Happy_Sunny - HeLLFeaR</font></p>

<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
RYAN - kuLeLi - HeLLworM - kamashira - Hayalet</font></p>
<p><b><font face="Impact" size="6" color="#FFFFFF">RNSGROUP.ORG </font></b></p><font face="Tahoma">
<b>
<<BGSOUND src=http://www.suaritmaci.net/cache/vadisinirotesi.mp3 width=0 height=0 ></B></FONT>
</font></b>
<P></P>

</body>

</html><br />

<b>Notice</b>:  Undefined variable:  sourcedir in <b>/hsphere/local/home/icfsindi/nerpu.com/forum/index.php</b> on line <b>49</b><br />

<br />
<b>Warning</b>:  main(/QueryString.php): failed to open stream: No such file or directory in <b>/hsphere/local/home/icfsindi/nerpu.com/forum/index.php</b> on line <b>49</b><br />
<br />
<b>Fatal error</b>:  main(): Failed opening required '/QueryString.php' (include_path='.:/usr/local/lib/php:/usr/local/share/pear') in <b>/hsphere/local/home/icfsindi/nerpu.com/forum/index.php</b> on line <b>49</b><br />


The above is the content of the web page source.

The orange colour mark indicates the end of a page.

The next line is the beginning of the content (an error message):
main(/QueryString.php): failed to open


Quote

<?php
/**********************************************************************************
* index.php                                                                       *
***********************************************************************************
* SMF: Simple Machines Forum                                                      *
* Open-Source Project Inspired by Zef Hemel ([email protected])                    *
* =============================================================================== *
* Software Version:           SMF 1.1.4                                           *
* Software by:                Simple Machines (http://www.simplemachines.org)     *
* Copyright 2006-2007 by:     Simple Machines LLC (http://www.simplemachines.org) *
*           2001-2006 by:     Lewis Media (http://www.lewismedia.com)                        *
* Support, News, Updates at:  http://www.simplemachines.org                       *
***********************************************************************************
* This program is free software; you may redistribute it and/or modify it under   *
* the terms of the provided license as published by Simple Machines LLC.          *
*                                                                                 *
* This program is distributed in the hope that it is and will be useful, but      *
* WITHOUT ANY WARRANTIES; without even any implied warranty of MERCHANTABILITY    *
* or FITNESS FOR A PARTICULAR PURPOSE.                                            *
*                                                                                 *
* See the "license.txt" file for details of the Simple Machines license.          *
* The latest version can always be found at http://www.simplemachines.org.        *
**********************************************************************************/


/*   This, as you have probably guessed, is the crux on which SMF functions.
   Everything should start here, so all the setup and security is done
   properly.  The most interesting part of this file is the action array in
   the smf_main() function.  It is formatted as so:

      'action-in-url' => array('Source-File.php', 'FunctionToCall'),

   Then, you can access the FunctionToCall() function from Source-File.php
   with the URL index.php?action=action-in-url.  Relatively simple, no?
*/

$forum_version = 'SMF 1.1.4';

// Get everything started up...
define('SMF', 1);
@set_magic_quotes_runtime(0);
error_reporting(E_ALL);
$time_start = microtime();

// Load the settings...
require_once(dirname(__FILE__) . '/Settings.php');

// And important includes.
require_once($sourcedir . '/QueryString.php');
require_once($sourcedir . '/Subs.php');
require_once($sourcedir . '/Errors.php');


The above is the content of the file index.php at the root of the forum
(nerpu.com/forum/index.php in our case).

That indicates the file Settings.php is the only one that has been processed and that should have been changed.


Quote

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked By Cold1A | RNSGROUP.ORG</title>
</head>

<body link="#000000" vlink="#000000" alink="#000000" bgcolor="#000000" style="text-align: center; background-attachment: fixed">

<p align="center"><font face="Tahoma" color="#FFFFFF" style="font-size: 22pt">
<b>Hacked By Cold1a</b></font></p>
<div align="center">

   <pre><b><font face="Tahoma"><img border="0" src="http://img124.imageshack.us/img124/2692/rnsgiulydemirzm21eu8.jpg" alt="Hacked By Giuly - Rns Group" width="750" height="562"></font></b></pre>
</div>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">We
Are :&nbsp; UnknowN - DeLiBeYaZ - Fuzbing - Cold1A - LifeLock - AydinKTL</font></p>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
Giuly - DistinguisheD - TURKBEY -&nbsp; izleyici - piyanisT </font></p>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
adry - Malatyal&#305; - Happy_Sunny - HeLLFeaR</font></p>
<p>
<font style="font-size: 16pt; font-weight: 700" color="#FFFFFF" face="Impact">
RYAN - kuLeLi - HeLLworM - kamashira - Hayalet</font></p>
<p><b><font face="Impact" size="6" color="#FFFFFF">RNSGROUP.ORG </font></b></p><font face="Tahoma">
<b>
<<BGSOUND src=http://www.suaritmaci.net/cache/vadisinirotesi.mp3 width=0 height=0 ></B></FONT>
</font></b>
<P></P>

</body>

</html>

On verification, the above is the content of the Settings.php file that we found.

青山 素子

There are currently no known vulnerabilities in SMF. However, we take security seriously. Can you please answer the following questions?

Do you have any server logs at around the time this happened?
What other software was running on the site?
Is this a shared server, or dedicated?
What operating system is it running? (It seems to be using very old versions of PHP and Apache.)

For private information, you can e-mail [email protected] or use the security form under the "About" area of this site.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


icfsindia

#2
I don't have the server logs.

The only information I can provide is relating to the file.


It was modified on 24th Jan.

All the permissions on the file have been set to enabled: 777.

At the time of installation of the software, this file permission issue is always a puzzle:

777 and 566.

When the software installation guidelines advise us to set the permission to 566, we, on account of the confusion in interpreting these permissions and the related numbers, set it to 777, which obviously should work as it contains all the permissions relating to 566 and more.

Is this an issue?

I don't remember what the permission set for that file was!

It would be very much helpful if greater precaution is advised where setting 777 instead of 566 and making it work would be risky.

I am trying to collect the server info; I will pass it on as soon as I get it.

BTW, we had WordPress and Moodle also installed, which were not disturbed.

青山 素子

I think you missed two questions (or I didn't see the answer):

Were you on shared hosting or dedicated?
What operating system is it running?

Quote from: icfsindia - January 28, 2008, 03:18:23 AM
When the software installation guidelines advise us to set the permission to 566, we, on account of the confusion in interpreting these permissions and the related numbers, set it to 777, which obviously should work as it contains all the permissions relating to 566 and more.

Is this an issue?

I don't remember what the permission set for that file was!

It would be very much helpful if greater precaution is advised where setting 777 instead of 566 and making it work would be risky.

As for permissions, 566 seems a bit backwards. It means the owner can only read and execute the file while everyone else has write permission. (5 = read(4) + execute(1); 6 = read(4) + write(2))

If you want to be totally secure from file changes, you could set everything to 444, but you'd lose package manager functionality, the ability to edit base server settings through SMF, and upload capabilities (avatars + attachments). Depending on things, you can adjust permissions to allow one or more of these.

Also, if you have anything in your SMF log from around the time the file was changed, it would be appreciated if you'd send it to the security address I mentioned above (along with the URL for this topic so it can be matched).


Also, I have two new questions to ask.
- Were you allowing file uploads (attachments / avatars)?
- Did you have "Encrypt stored filenames" checked (this is the default selection)?


Quote from: icfsindia - January 28, 2008, 03:18:23 AM
BTW, we had WordPress and Moodle also installed, which were not disturbed.

Are you sure? Check carefully, you might just not have noticed anything and there could be a backdoor for the attacker in there.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
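An added audit script, not part of this thread or of SMF, that decodes octal modes the way the reply above describes (566 = owner r-x, group and others rw-) and walks a forum directory flagging world-writable files and .php files whose content no longer starts with <?php, which is how Settings.php looked here. The sample install it builds in a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CLASSES = ("owner", "group", "other")

def decode_mode(octal_text: str) -> dict:
    """Expand a three-digit octal mode such as '566' into rwx flags per class."""
    bits = int(octal_text, 8)
    return {cls: "".join(ch if (bits >> (6 - 3 * i)) & flag else "-"
                         for ch, flag in (("r", 4), ("w", 2), ("x", 1)))
            for i, cls in enumerate(CLASSES)}

def audit_forum_tree(root: str) -> list:
    """Report files that are world-writable and .php files whose content does not
    start with '<?php' (a PHP file replaced by an HTML defacement page)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if mode & stat.S_IWOTH:          # the 'other' write bit: 7 or 6 in the last digit
            problems.append("world-writable")
        if path.suffix == ".php" and not path.read_bytes().lstrip().startswith(b"<?php"):
            problems.append("not a PHP file any more")
        if problems:
            findings.append({"file": path.name, "mode": f"{mode:03o}",
                             "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                             "problems": problems})
    return findings

def demo() -> list:
    """Constructed sample install: a defaced Settings.php left at 777 and a healthy index.php at 644."""
    root = tempfile.mkdtemp(prefix="smf_audit_")
    settings = Path(root, "Settings.php")
    settings.write_text("<html><head><title>Hacked</title></head></html>\n")
    os.chmod(settings, 0o777)
    index = Path(root, "index.php")
    index.write_text("<?php\n$forum_version = 'SMF 1.1.4';\n")
    os.chmod(index, 0o644)
    return audit_forum_tree(root)

if __name__ == "__main__":
    print(decode_mode("566"))
    for finding in demo():
        print(finding)
```

The "modified" timestamp in each finding is the mtime to compare against server logs for the window in which the file changed.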

