
[NOTICE] How to secure your site against recent attacks

Started by jblazeofek, May 11, 2009, 08:05:23 AM


dl75

I got hacked into again!!! I have CAPTCHA and blacklist check upon registration. This really stinks!!!

Uhura!

:) Our Parenting Spot is an online parenting community for fathers, mothers, grandparents, teachers, and family service professionals. 8) We also provide low cost advertising options for authors, family service providers, and businesses with family friendly products and services. ;D Visit us @ www.OurParentingSpot.net!

dl75

I know VERY little about any of this stuff. The code that displayed on the page (while I couldn't log in) is the same code that was displayed last week, first time I got hacked. I called the server company, and they told me it was in fact the hack.

A friend of mine just looked at it and he thinks it comes from the gallery. Coppermine is bridged with my SMF forum.

Trubble

I've set registration to admin approval until I get around to installing harsher registration methods, since I discovered we'd been hacked yesterday and that it had been there for two weeks! I noticed my avatar was gone, but most other people host theirs offsite so figured it was a glitch. Someone tried to attach something and flagged it as not working, had a peek in the FTP and noticed all the modified file dates were the same. Checked the files, lo and behold...

Deleted everything and uploaded a fresh install, removed crap from database. Banned the krisbarteo account, thought I did the IP but guess not because it just tried to register another account! Rebanned. Changed registration settings.

Cannot believe the cheek of some people. Why not use these skills for something worthwhile?! Gah.

We got hacked a couple of months ago, they got shell access somehow and had this file where you could see everything. Never quite worked out how they got that up there though, and completely deleted everything then too. Getting annoyed, that same week on another server entirely my WordPress blog got hacked. Bored of cleaning up after these people! Our members are none too happy either.

lurkalot

Quote from: Trubble on May 19, 2009, 01:04:59 PM


Deleted everything and uploaded a fresh install, removed crap from database. Banned the krisbarteo account, thought I did the IP but guess not because it just tried to register another account! Rebanned. Changed registration settings.


Put the name krisbarteo in your reserved names list, then he won't be able to register in that name. You'll also see if krisbarteo tries to sign up, 'cause it will be in your forum error log.

Don Peters

My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPTCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!
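The cleanup described in the posts above relies on matching modification dates to spot changed files; comparing file contents against a fresh download of the same release gives the same lists without trusting timestamps, which can be reset. This is an added example, not part of any post in this thread and not SMF's own code; the function names, the `Settings.php` default and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root, site_specific=("Settings.php",)):
    """Classify live files against a clean copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    report = {"modified": [], "added": [], "missing": [], "review": []}
    for rel in sorted(live):
        if rel in site_specific:
            report["review"].append(rel)  # differs by design; inspect by hand
        elif rel not in clean:
            report["added"].append(rel)
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(clean) - set(live) - set(site_specific))
    return report


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "Sources").mkdir(parents=True)
            (root / "index.php").write_text("<?php // release file\n")
            (root / "Sources" / "Load.php").write_text("<?php // release file\n")
        (live / "Settings.php").write_text("<?php $db_name = 'forum';\n")
        # Constructed tampering: one changed file, one file not in the release.
        (live / "index.php").write_text("<?php /* injected */ // release file\n")
        (live / "Sources" / "extra.php").write_text("<?php // not in release\n")
        # Reset mtime to show the hash check does not depend on timestamps.
        os.utime(live / "index.php", (0, 0))
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real forum, uploaded avatars and attachments will also appear under `added` and need to be reviewed individually rather than deleted in bulk.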

JBlaze

Quote from: Don Peters on May 19, 2009, 03:44:14 PM
My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPTCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!

Glad to hear the good news!

On another note, I am taking a little break from resolving hacks once the patch is issued. Please respect this fact and do not ask me for support. There are other team members and community members that would be as willing to help as me.

Regards,
JBlaze
Jason Clemons
Former Team Member 2009 - 2012

babjusi

Quote from: JBlaze on May 19, 2009, 04:04:29 PM
Quote from: Don Peters on May 19, 2009, 03:44:14 PM
My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPTCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!

Glad to hear the good news!

On another note, I am taking a little break from resolving hacks once the patch is issued. Please respect this fact and do not ask me for support. There are other team members and community members that would be as willing to help as me.

Regards,
JBlaze

Some SMF rehab time JBlaze :D

JBlaze

Yes, babjusi, I'm heading to the SMF Asylum for some quiet time :P

catfished

Quote from: Yahmez on May 17, 2009, 07:50:43 PM
Quote from: Ziggy on May 17, 2009, 09:46:26 AM
Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer mod.

  • This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
  • Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF mod.

  • This mod provides better captcha verification.
  • It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registering on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you aren't a spammer right?)  ;)

I tried to register but it said it's waiting for admin approval. I'm sure as heck not a spammer. If it makes all registrations subject to admin approval, it defeats the purpose, I could just set that up in the admin CP. ???
You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

JBlaze

catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

Yahmez

Quote from: catfished on May 19, 2009, 05:01:31 PM
Quote from: Yahmez on May 17, 2009, 07:50:43 PM
Quote from: Ziggy on May 17, 2009, 09:46:26 AM
Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer mod.

  • This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
  • Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF mod.

  • This mod provides better captcha verification.
  • It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registering on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you aren't a spammer right?)  ;)

I tried to register but it said it's waiting for admin approval. I'm sure as heck not a spammer. If it makes all registrations subject to admin approval, it defeats the purpose, I could just set that up in the admin CP. ???

I just authorized you.... But I uninstalled the reCAPTCHA in favor of SMF's CAPTCHA.

catfished

Quote from: JBlaze on May 19, 2009, 05:03:25 PM
catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

OK but I seriously doubt the username "catfished" is blacklisted anywhere. It's certainly not a common username, in fact I've never run across anyone else using it and I've been using it since 1999. I have never done anything that would warrant blacklisting me. :o

babjusi

It seems like that stop spammers mod blocks any username.

catfished

Quote from: Yahmez on May 19, 2009, 05:25:10 PM

I just authorized you.... But I uninstalled the reCAPTCHA in favor of SMF's CAPTCHA.

Yeah, I just noticed that, thanks but I was simply testing the registration with the mods as you offered to the other op. I still don't understand why it blacklisted me in the first place.

Yahmez

Quote from: catfished on May 19, 2009, 05:28:31 PM
Quote from: JBlaze on May 19, 2009, 05:03:25 PM
catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

OK but I seriously doubt the username "catfished" is blacklisted anywhere. It's certainly not a common username, in fact I've never run across anyone else using it and I've been using it since 1999. I have never done anything that would warrant blacklisting me. :o

Relax catfished. You did not come up as a spammer. I have it set up for an admin to approve all accounts, spammer or not. I still use the anti spam measures though because it means I do not have to manually check each new member against the stop forum spam database.

catfished

Quote from: babjusi on May 19, 2009, 05:30:47 PM
It seems like that stop spammers mod blocks any username.

Yeah, that's kind of what I thought so then we can just enable admin approval in the admin CP to do the same thing. ???

ScopeXL

Thank you for this, I was recently exploited with the avatar glitch, and lost my data, luckily I had backups :)

JBlaze

Quote from: ScopeXL on May 19, 2009, 08:08:10 PM
Thank you for this, I was recently exploited with the avatar glitch, and lost my data, luckily I had backups :)

Glad you got it sorted. That is why we stress "Backup, backup, backup!" :)

mashby

I've now had krisbarteo register on 3 sites I help out with. In all three cases, it just signed up, did the avatar thing and no damage was done to the files on the site. Deleted the accounts. And because the trend seems to be registering under krisbarteo, I simply went to Admin > Registration > Set Reserved Names and added krisbarteo. I realize it's a shot in the dark as the user name for this exploit could change, but so far krisbarteo is the username being registered. Also banned the IP as that seems to be consistent.
Always be a little kinder than necessary.
- James M. Barrie
