Hacking Security Issue

Started by netmatrix, June 21, 2009, 10:39:06 PM


netmatrix

I don't know if this is the right area to post this in, but I did find that there is a hacking security issue in 2.0RC1-1 through the usercp.  My site was hacked yesterday afternoon, and the person who logged in through my account (my password is impossible to figure out because of what it was) was able to get in under my name and pretty much delete the boards, topics, etc.  This is just to make users and SMF staff aware of this problem.

I also want to let everyone know that there are NO modifications on my site right now EXCEPT for the one to track the IP address.
(whoznext.net) WhoZ NeXt Gaming Clan

sombra

wow, that's really awful  ::)

Are you sure it was through SMF? Or could this be by other methods, like a hacked e-mail?

Well, hope someone helps you out. Good luck.

netmatrix

It wasn't an e-mail hack.  I know exactly who hacked my site, thankfully.  He's been doing it for over a year now, which is one reason why I switched to SMF, because I had vBulletin before.  He has studied the software and torn it apart to learn how to hack it.  He goes through the usercp (profile) to hack.

simmer

You may be right, netmatrix, but check your server: what if there is a shell uploaded somehow on your server, or there might be a keylogger on your PC :) Please update ASAP, we are waiting; this may be a new private exploit that user is using.

netmatrix

Checked it, and had the hosting company run through the server I'm on, and there isn't any kind of shell on there that was uploaded.  Plus the server I'm on now is with a completely different company; I had to transfer the DB to the new server, and most of the files from the last server stayed on there.  A keylogger on my PC I doubt, because I'm running a Linux operating system, and with all the work it would take for a keylogger to be put on a Linux machine it is almost impossible to do.  I know how this guy works with his hacking.  He is a sub-part of the Assassins Hackers team that hacks websites for a living, from what I understand.  The more information I get on exactly how my board was hacked, and what measures were used to hack it, the more I will let everyone know about.  Right now, as far as I know, it's just through the profile, the same way you do it on vBulletin...  Sadly, I hate people like this that take pride in hacking a website.

Ben K

Quote
Checked it, and had the hosting company run through the server I'm on, and there isn't any kind of shell on there that was uploaded.  Plus the server I'm on now is with a completely different company; I had to transfer the DB to the new server, and most of the files from the last server stayed on there.  A keylogger on my PC I doubt, because I'm running a Linux operating system, and with all the work it would take for a keylogger to be put on a Linux machine it is almost impossible to do.  I know how this guy works with his hacking.  He is a sub-part of the Assassins Hackers team that hacks websites for a living, from what I understand.  The more information I get on exactly how my board was hacked, and what measures were used to hack it, the more I will let everyone know about.  Right now, as far as I know, it's just through the profile, the same way you do it on vBulletin...  Sadly, I hate people like this that take pride in hacking a website.
1. A keylogger on Linux is an old thing; trust me, it's as easy as putting your hand on a mouse.
2. Bugs in the profile in VB & SMF, strange .....
3. Ask your hoster to give you all web server logs; it could give you some more info.
4. Hope you had a backup...

Thanks, Ben K.

_Anthony_

Quote from: netmatrix on June 22, 2009, 03:12:04 AM
Checked it, and had the hosting company run through the server I'm on, and there isn't any kind of shell on there that was uploaded.  Plus the server I'm on now is with a completely different company; I had to transfer the DB to the new server, and most of the files from the last server stayed on there.  A keylogger on my PC I doubt, because I'm running a Linux operating system, and with all the work it would take for a keylogger to be put on a Linux machine it is almost impossible to do.  I know how this guy works with his hacking.  He is a sub-part of the Assassins Hackers team that hacks websites for a living, from what I understand.  The more information I get on exactly how my board was hacked, and what measures were used to hack it, the more I will let everyone know about.  Right now, as far as I know, it's just through the profile, the same way you do it on vBulletin...  Sadly, I hate people like this that take pride in hacking a website.
Sounds like a bull******ter, he probably has your pass...

Ben K

Quote
Sounds like a bull******ter, he probably has your pass...
Well, as far as I know now, he really got hacked.
About 129 posts & 72 topics were deleted from his site. (The one in the sig..)

netmatrix

Quote from: _Anthony_ on June 22, 2009, 03:35:44 AM
Quote from: netmatrix on June 22, 2009, 03:12:04 AM
Checked it, and had the hosting company run through the server I'm on, and there isn't any kind of shell on there that was uploaded.  Plus the server I'm on now is with a completely different company; I had to transfer the DB to the new server, and most of the files from the last server stayed on there.  A keylogger on my PC I doubt, because I'm running a Linux operating system, and with all the work it would take for a keylogger to be put on a Linux machine it is almost impossible to do.  I know how this guy works with his hacking.  He is a sub-part of the Assassins Hackers team that hacks websites for a living, from what I understand.  The more information I get on exactly how my board was hacked, and what measures were used to hack it, the more I will let everyone know about.  Right now, as far as I know, it's just through the profile, the same way you do it on vBulletin...  Sadly, I hate people like this that take pride in hacking a website.
Sounds like a bull******ter, he probably has your pass...

Trust me, he doesn't know my password.  My password on any site I'm a member of gets changed almost daily.  I've already contacted the State Police Computer Crimes Division, and they are going to be contacting my server and contacting the guy that hacked it.

Yeah, I do have a back-up of my server.  Just waiting for the server to run the back-up to get my board put back together.

karlbenson

If you have any logs/evidence to suggest a bug/security issue with SMF, please file a report:
http://www.simplemachines.org/about/security.php

Thank you.

netmatrix

The only thing I have right now through logs is the IP address that was doing the hacking on my site.  I'm still looking to find more logs and everything, but right now it's just through the profile.  I will fill that out as soon as I get all the logs needed for it.

netmatrix

The good news on this topic is that the police did contact me earlier today, as well as the person's internet service provider.  He has been arrested for felony computer crimes.  Him messing with my site wasn't the only one.  Sadly, the police are still investigating his computer to see what tools he had used to hack into several websites.  Through the forum software, I know for a fact that on the vBulletin software he hacked through the usercp and portal page.  With the SMF site I think it was through the profile, but since the police are still investigating what tools were used, I'm not sure how it was done.  I will keep this topic posted as soon as I find out more information about it, to help SMF in case there is a security problem that will need to be addressed and fixed to help other SMF users.

Norv

Why do you think it was using the profile page?

Either way, thank you for keeping us updated!
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

netmatrix

Quote from: Norv on June 23, 2009, 11:19:36 PM
Why do you think it was using the profile page?

Either way, thank you for keeping us updated!

I don't remember exactly what it is called, but there is a way to breach the login data to log into someone's account.  I was told about it when it was happening to me before, when I had vBulletin, but I don't remember exactly what it was called.


Norv

vBulletin code and SMF code don't have practically anything in common. While the end result seems similar in that both have specific pages for a "user profile", they're not similar in their inner workings.

I'm not aware of SMF being vulnerable to XSS.
Either way, I'm afraid more information is needed before concluding something. Keep in mind that this guy could also find a way to breach your host security. Thanks again for keeping us updated.

netmatrix

I'm with a new server that has a whole lot more security than I had on the last server.  I'm not sure how he was able to breach the site at all.  I'm just taking a guess on the profile deal.  I know VB and SMF are completely different on the inside.  The server did a complete scan of my server, and they couldn't find anything that was breached as far as shells, etc.

Aleksi "Lex" Kilpinen

One way this could possibly be done on any software is by accessing your hosting control panel or phpMyAdmin by guessing, knowing or breaking the login and password, if either one is publicly accessible through the web. (And sadly this is usually the case with the control panel at least, as there is no good and reliable way to do it all otherwise.)

Access to either one would let the hacker change your password, create a new admin user, empty out anything he wants, etc.

Have you checked your forum's error logs, moderation logs, etc. for anything that could hint at the way all this happened? Also, the access logs of the server at the time the hacking was done would be really good evidence, and would provide a lot more info on the way things were done.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Trekkie101

To link to the access logs above: since your host uses cPanel, you'll find them near the bottom of the cPanel screen, and also in access_logs in your home folder when you FTP in :)

If you could send a copy of those to me at [email protected], and to the security address if you have already sent an email there, I'll have a look through and see if we do have anything.
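The log review Aleksi and Trekkie101 suggest above, as an added example (not code from this thread or from SMF): it parses cPanel/Apache combined-format access log lines, keeps only the requests from one IP inside a time window, and tallies them by SMF `action` so that account changes and deletions stand out from ordinary browsing. The log lines, the IP 203.0.113.7 and the time window are constructed for the demo, not taken from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache/cPanel "combined" log format, e.g. 22/Jun/2009:03:12:04 +0000
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

# Constructed sample access log (hypothetical IPs and times, not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2009:02:58:10 +0000] "GET /index.php?action=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2009:02:58:31 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jun/2009:02:59:00 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2009:03:01:12 +0000] "GET /index.php?action=profile;u=1 HTTP/1.1" 200 7800 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2009:03:02:40 +0000] "POST /index.php?action=profile;area=account;u=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2009:03:05:05 +0000] "POST /index.php?action=removetopic2;topic=42.0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2009:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""
SUSPECT_IP = '203.0.113.7'                      # hypothetical attacker IP
WINDOW_START = datetime(2009, 6, 22, 2, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=2)  # incident window to review

def smf_action(path):
    """Return the SMF 'action' parameter; SMF separates parameters with ';' as well as '&'."""
    for part in re.split(r'[;&]', urlsplit(path).query):
        key, _, value = part.partition('=')
        if key == 'action':
            return value or '(none)'
    return '(none)'

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['action'] = smf_action(rec['path'])
    return rec

def triage(log_text, suspect_ip, start, end):
    """Requests from suspect_ip within [start, end], oldest first, plus a tally
    per SMF action so state changes (login2, profile, removetopic2) stand out."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and r['ip'] == suspect_ip and start <= r['ts'] <= end]
    hits.sort(key=lambda r: r['ts'])
    return hits, Counter(r['action'] for r in hits)
```

Call `triage(SAMPLE_LOG, SUSPECT_IP, WINDOW_START, WINDOW_END)` and print each hit's timestamp, method, status and path; POST requests to `profile` and `removetopic2` in the window are the ones worth matching against the forum's moderation and error logs.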
