My SMF forum has just got hacked!

Started by cjohn, April 13, 2005, 02:38:18 AM


cjohn

This afternoon, my forum somehow got hacked. They hacked into my forum admin area, banned my IP, created a couple categories, and changed censored words that messed up all the posts in my forum. Fortunately, I've just installed the forum and had no member yet, so I turned off my forum and tried to fix it. Luckily the hacker didn't do any major damage to my board yet. How does this happen?
I have a pretty secured password, and I use different password for each server cpanel, database, forum, etc.
I have a small group of friends and purposely created the forum to communicate with my friends, so I enabled permission for guest posting, reply, and attachment. Does this leave some weakness/hole for hackers to attack my forum somehow? This is the only forum in my new webserver and I don't have any mod installed. Please advise me any kind of setting in my forum to make it more secured. Thanks.

Trekkie101

I don't know how this happened myself, but the guys here are going to ask you next to provide some logs. You can get them in cPanel under the raw logs section; please get the relevant timings and post them here.

Juvenall Wilson

* Juvenall Wilson will assume you are running the current version of SMF

On a new board with no members, the odds of someone not only finding your install, but using an unknown exploit to gain access to your admin center would be slim-to-none at best. My very first guess in this case would be to look "internally". In all my years of working in this "industry", the vast majority of this style of "hackings" fall into one of two groups (both with the same cause).

1) Someone in your family or with access to your computer found your admin session still open and started playing around with settings not knowing what was going on. I had one case in my early days with YaBB where this guy's father hopped on the PC and thought the Admin Center was some sort of computer setting he needed to play with to access the internet.

2) If you've ever accessed your install from a public computer (say, at school or a library), the same thing can apply but with a total stranger. I can't begin to tell you how many email accounts, cPanels, bank accounts, school registration forms, credit applications, etc I have PERSONALLY seen simply by using the back button in the browsers of these systems. If you didn't log out, someone could have come in and found it funny to tinker.

2a) Far more rare (I've only heard of it happening like this once at YaBB) are the public systems that have some keylogger installed on them. About a year ago, I was talking with a user of YaBB about her "hacked" board. After about a week of going through the motions, she finally figured it out. Her school's computers had very relaxed security. Another student had installed SubSeven (a well known script kiddie tool) on all of the systems and was having a little fun with the data he collected.

Not that it's impossible you had a real hack, but like I said, considering how new you said it was, it's just highly improbable. I would still check/post your logs to see what IP addresses had accessed your admin center. That will narrow down where the break-in took place.

(please forgive typos/spelling errors. It's 5:21am here and I'm crazy tired..lol)

Sloth_Boy

Do you tend to use the same password for everything???

'Cause if you do, then someone may have seen you use a password then gone to your forums and seen if it works or not???

I know I use the same password for everything I do (slight variations, like numbers at the end and stuff).


IchBin™

Quote from: cjohn on April 13, 2005, 02:38:18 AM
I have a pretty secured password, and I use different password for each server cpanel, database, forum, etc.

Make sure that your passwords are also hard coded with upper/lower case and numbers etc.
IchBin™        TinyPortal

[Unknown]

Another thing to look at is your email.  The number of times people have been "hacked" because someone got to their email account is... well, it's so many that it's not even so funny anymore.

In any case, if you have an access log we can probably determine exactly what happened.

-[Unknown]

cjohn

Thank you all very much for your help.
Yesterday, right after my forum got hacked, I downloaded the log from my cpanel and found these 2 strange IPs: "69.143.140.39" and "61.155.107.56", besides my own IPs. I'm sure they weren't my friends' because I did an IP location check on the website dnsstuff.com, and found those IPs located outside California, where my friends and I are. Following is the log that shows their IPs and activities. Please take a look. For your info, my forum is located at URL: http://216.193.254.123/forum. This is a new forum I've installed and had no member yet.

69.143.140.39 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/index.php?topic=24.0 HTTP/1.1" 200 15822 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/Themes/default/script.js HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/Themes/classic/style.css HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/CViet.js HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/smflogo.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/bg_under_header.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
(continue ...)

cjohn

(continued from above ...)

69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/sendtopic.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/sep.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/print.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/home.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/search.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/calendar.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/login.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/register.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/catbg.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/topic/normal_post.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/staradmin.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/useroff.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/reply.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/Male.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/avatar-admin.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/post/xx.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/english/quote.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/ip.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /forum/Themes/classic/images/blank.gif HTTP/1.1" 304 - "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:11 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:28 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
(to be continued ...)

cjohn

(continue ...)

69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 HTTP/1.1" 200 24007 "http://216.193.254.123/forum/index.php?topic=24.0 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/center.gif HTTP/1.1" 200 284 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/bold.gif HTTP/1.1" 200 298 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/italicize.gif HTTP/1.1" 200 290 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/strike.gif HTTP/1.1" 200 299 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/underline.gif HTTP/1.1" 200 303 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/shadow.gif HTTP/1.1" 200 308 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/glow.gif HTTP/1.1" 200 455 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/move.gif HTTP/1.1" 200 2347 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/pre.gif HTTP/1.1" 200 281 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/left.gif HTTP/1.1" 200 280 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/right.gif HTTP/1.1" 200 280 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/hr.gif HTTP/1.1" 200 288 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/size.gif HTTP/1.1" 200 316 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/face.gif HTTP/1.1" 200 320 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/flash.gif HTTP/1.1" 200 528 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/img.gif HTTP/1.1" 200 487 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/url.gif HTTP/1.1" 200 506 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/Themes/classic/images/bbc/email.gif HTTP/1.1" 200 472 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/ftp.gif HTTP/1.1" 200 452 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/table.gif HTTP/1.1" 200 327 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/tr.gif HTTP/1.1" 200 325 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/td.gif HTTP/1.1" 200 333 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/sup.gif HTTP/1.1" 200 300 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/sub.gif HTTP/1.1" 200 301 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/tele.gif HTTP/1.1" 200 467 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/code.gif HTTP/1.1" 200 317 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/quote.gif HTTP/1.1" 200 324 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Themes/classic/images/bbc/list.gif HTTP/1.1" 200 296 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/smiley.gif HTTP/1.1" 200 382 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/wink.gif HTTP/1.1" 200 381 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/grin.gif HTTP/1.1" 200 395 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/cheesy.gif HTTP/1.1" 200 389 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/angry.gif HTTP/1.1" 200 394 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/sad.gif HTTP/1.1" 200 383 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/shocked.gif HTTP/1.1" 200 1481 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/huh.gif HTTP/1.1" 200 409 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/cool.gif HTTP/1.1" 200 379 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/rolleyes.gif HTTP/1.1" 200 1040 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/tongue.gif HTTP/1.1" 200 390 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/embarassed.gif HTTP/1.1" 200 396 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/lipsrsealed.gif HTTP/1.1" 200 389 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/undecided.gif HTTP/1.1" 200 390 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:34 -0700] "GET /forum/Smileys/default/kiss.gif HTTP/1.1" 200 536 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:35 -0700] "GET /forum/Smileys/default/cry.gif HTTP/1.1" 200 751 "http://216.193.254.123/forum/index.php?action=post;quote=33;topic=24.0;num_replies=0;sesc=b67ff119f98cd8cb2cb26db6bc0098d1 [nofollow]" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:36 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
69.143.140.39 - - [11/Apr/2005:17:10:41 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; QS 4.1.2.2; Maxthon; .NET CLR 1.1.4322)"
61.155.107.56 - - [11/Apr/2005:18:12:57 -0700] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 - "-" "-"

Sorry, this forum doesn't allow me to post attachment, and also not longer than 2000 characters, so I had to break them into a few posts.
Thank you very much.

[Unknown]

That's just someone posting.  Nothing done wrong there.

61.155.107.56 - - [11/Apr/2005:18:12:57 -0700] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 - "-" "-"

Are you certain awstats.pl was not an older (insecure) version?

-[Unknown]
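
The triage the replies ask for (which IPs reached the admin center, and what the unfamiliar IPs actually requested), as an added example that is not part of the thread: it parses Apache combined-format lines, drops static-asset noise, and groups the remaining requests per unfamiliar IP. The sample log, its documentation-range IP addresses, and the admin action names in `ADMIN_ACTIONS` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format, the layout of the raw log lines posted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
STATIC_EXT = (".gif", ".jpg", ".png", ".css", ".js", ".ico")
# Assumption: action names that lead into the SMF admin area; adjust per version.
ADMIN_ACTIONS = {"admin", "ban", "manageboards"}

# Constructed sample (documentation IP ranges), modelled on the posted lines.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Apr/2005:16:55:02 -0700] "GET /forum/index.php?action=admin HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/index.php?topic=24.0 HTTP/1.1" 200 15822 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:17:10:10 -0700] "GET /forum/Themes/classic/style.css HTTP/1.1" 304 - "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:17:10:11 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:17:10:33 -0700] "GET /forum/index.php?action=post;quote=33;topic=24.0 HTTP/1.1" 200 24007 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Apr/2005:17:11:40 -0700] "POST /forum/index.php?action=post2;start=0 HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Apr/2005:18:12:57 -0700] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 - "-" "-"
203.0.113.50 - - [11/Apr/2005:19:02:13 -0700] "GET /forum/index.php?action=admin HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
not a log line
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def smf_action(target):
    """Return the 'action' query value; SMF URLs separate parameters with ';' or '&'."""
    for part in re.split(r"[;&]", urlsplit(target).query):
        key, _, value = part.partition("=")
        if key == "action":
            return value
    return None


def classify(entry):
    """Sort one request into static / admin / probe / forum-action / page."""
    path = urlsplit(entry["target"]).path.lower()
    if path.endswith(STATIC_EXT):
        return "static"          # images, CSS, JS: page furniture, not activity
    action = smf_action(entry["target"])
    if action in ADMIN_ACTIONS:
        return "admin"           # the requests the replies ask to look for
    if entry["status"] == "404":
        return "probe"           # asked for a script that is not on this site
    if action or entry["method"] == "POST":
        return "forum-action"    # posting, replying and similar member actions
    return "page"


def triage(lines, known_ips=()):
    """Group non-static requests from unfamiliar IPs as {ip: {kind: [requests]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ip"] in known_ips:
            continue
        kind = classify(entry)
        if kind != "static":
            report[entry["ip"]][kind].append(
                (entry["ts"], entry["method"], entry["target"], entry["status"])
            )
    return {ip: dict(kinds) for ip, kinds in report.items()}


def unfamiliar_admin_ips(report):
    """IPs outside the known set that requested an admin-area action."""
    return sorted(ip for ip, kinds in report.items() if "admin" in kinds)


if __name__ == "__main__":
    # 192.0.2.10 stands in for the board owner's own address.
    result = triage(SAMPLE_LOG.splitlines(), known_ips={"192.0.2.10"})
    for ip, kinds in result.items():
        for kind, requests in kinds.items():
            for ts, method, target, status in requests:
                print(f"{ip:15} {kind:12} {status} {method} {target} [{ts}]")
    print("admin area reached by unfamiliar IPs:", unfamiliar_admin_ips(result))
```

A `probe` entry with status 404, like the awstats.pl request, records that the script was requested but was not found at that path on this site.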

cjohn

I downloaded the version 1.0.2 then upgraded to 1.0.3 thru my forum admin center.
If that was the file that caused the problem, should I re-download only that file and replace the existing file with that new file? Oh, and is that file, awstats.pl, part of the forum files?
Thanks.

[Unknown]

I'm afraid that awstats, which recently had some security vulnerabilities, has nothing to do with SMF whatsoever.  That said, it may also have nothing to do with your problem, either.

I would suggest changing all of your passwords.

-[Unknown]

[darksteel]

awstats.pl has one bug, Remote File Inclusion; the intrusion was probably server root or, like I say, Remote File Inclusion...



Luis "[darksteel]" Alvarado.
Spanish Support
What is repair_settings?
I don't give support by PM; post your question in the forum and you will get faster answers.
My forum:
www.caamboard.com

Fizzy

Just as a thought, are you on a shared server?
If so, could it be that someone hacked the server and then helped themselves to your site through root?
"Reality is merely an illusion, albeit a very persistent one." - A.E.


[darksteel]

Avoid root exploits by activating Safe Mode (on).

darksteel-




cjohn

Yes, I'm on the shared server. I believe that my webhost at lunarpages.com has very secured servers, so I don't think their servers might be easily hacked, but I will check with them to find out if they use the latest version for that file: awstats.pl or so.
Thanks again for all your inputs and helps. Have a great day!

Yonkey

If I were you, I would just site ban those IP addresses.  One is from a Comcast account in NJ and the other is from China Telecom in China.  I believe both of these are broadband ISP's, so they're most likely static IP's.

The post spam looks Chinese, so I would definitely: ban that guy first, change Admin and Database passwords, drop the databases and then reinstall the forum.

HoTmetal

What version of awstats has this vulnerability??

[Unknown]

I don't know.  Just be sure you have the latest:

http://awstats.sourceforge.net/

-[Unknown]

Fizzy

Lunarpages ? ? ? :o

Oh jeez :(

Commiserations.

You might want to check their help forum. Now I'm going to shut my mouth before I get into trouble.

