"Administration Login Attempt!"

Started by css_script_writer, May 19, 2010, 10:01:42 PM


css_script_writer

Hi everyone

First of all, we are using SMF 2.0 RC3. I'm seeing frequent errors under the "critical" section of the logs that read "Administration Login Attempt!". These errors always originate from one member visiting another member's profile. In other words, the referrer is always a profile but not usually (if ever) the profile of the member who caused the error.

I have attempted to reproduce the error in a number of ways and am unable to. Obviously, this is of concern to me and I can't imagine what could be causing it. When I have looked at the profiles of the members who actually caused the errors, some I didn't know but others were people I know to be very nice people who I can't imagine ever trying to access the forum for some sort of dubious reasons.

Can anyone here please provide me with some insight into what might be causing this and what I might do to troubleshoot and perhaps even prevent it from occurring again in the future?.

Thanks so much, CSS
Anxiety Zone Forums & Chat Rooms
http://www.anxietyzone.com/index.php

Kill Em All

There are currently no known security holes in RC3. Just make sure all your site's software and SMF is constantly up to date. That is the best thing you can do. This is probably someone just snooping around looking for ways to get into the admin. If you are still concerned, make daily backups of your database. This way if it happens, it won't be too big of a loss.


My Site: KEAGaming.com

Manual Installation of Mods
Prevent Spam and Forum Attacks
Please do not PM or email me for support unless offered, help should be publicly displayed to others.


Kill Em All

Quote from: flapjack on May 19, 2010, 10:37:23 PM
hopefully, people responsible for this attack were not using any unknown holes: http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/
If that was meant as sarcasm towards me, you should note that I said in RC3, I'm not talking about other software.




Kill Em All

That doesn't mean, however, that SMF was at fault. Poorly configured server, other software... bad virus protection...

carders.cc is not exactly known for good protection either...
http://www.mywot.com/en/scorecard/carders.cc



flapjack

Quote from: flapjack on May 19, 2010, 10:37:23 PM
hopefully, people responsible for this attack were not using any unknown holes: http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/

Quote from: Kill Em All on May 19, 2010, 10:50:24 PM
That doesn't mean, however, that SMF was at fault. Poorly configured server, other software... bad virus protection...

carders.cc is not exactly known for good protection either...
http://www.mywot.com/en/scorecard/carders.cc
Their reputation doesn't come from their protection. It's a website for people trading stolen CC numbers and other illegal stuff. I just mentioned it here, as it's quite recent and the site was powered by SMF 2.0 RC3.

Kill Em All

Ok... it may have been run by it, but that is just a coincidence.



Kill Em All

Admin > Maintenance > Logs > Administration Logs



Kill Em All

No, it doesn't log that because you're not changing a setting.



Kill Em All

There might be a log or something that your host might keep... this is unlikely though. But it could have the IP of the person, then you can just find the IP from the members list to find out who downloaded it.

Please note any administrator can make a backup of it.



Kimmie

I have had similar errors in my log as well. Errors that I never saw until I upgraded to RC3. I will assume that there is a new "hole" that folks can attempt to access that was not there before. Here is all the info on the two I have in there now. The first one (profile u=1) is MY profile. What I would like to know is just what are they doing to cause this error exactly?

mrmagoo1965
114.73.14.197   
Yesterday at 11:37:11 PM
9cf478fb4107d9abee0d568be223dfcc
Type of error: Critical

http://patriotgames2.info/index.php?action=profile;u=1

Administration login attempt!
Referer: http://patriotgames2.info/index.php?action=profile;u=1
User agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6.4; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3)
IP: 114.73.14.197

==========================


jabarg
75.103.130.207   
Yesterday at 04:37:02 PM
956fb9a0fce474228086fd1ee420f8b5
Type of error: Critical

http://patriotgames2.info/index.php?action=profile;u=7508

Administration login attempt!
Referer: http://patriotgames2.info/index.php?action=profile;u=7508
User agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; InfoPath.2; .NET CLR 1.1.4322)
IP: 75.103.130.207
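One way an admin can triage entries in the layout pasted above, as an added example (not from this thread or from SMF itself): it splits the pasted log into entries, counts "Administration login attempt!" failures per member and IP, and flags repeat offenders and which `action` they were on. The member names, IPs and URLs are constructed for the example.

```python
import re
from collections import Counter

def _entry(member, ip, when, url, msg):
    # Build one entry in the layout SMF prints under Admin > Maintenance > Logs
    return (f"{member}\n{ip}\n{when}\n{'0' * 32}\nType of error: Critical\n\n{url}\n\n"
            f"{msg}\nReferer: {url}\nUser agent: Mozilla/5.0 (constructed)\nIP: {ip}\n")

# Constructed sample log: two failures from "alice", one from "bob", one unrelated error
SAMPLE_LOG = "\n==========================\n\n".join([
    _entry("alice", "198.51.100.7", "Yesterday at 11:37:11 PM",
           "http://forum.example/index.php?action=profile;u=1", "Administration login attempt!"),
    _entry("alice", "198.51.100.7", "Yesterday at 11:38:02 PM",
           "http://forum.example/index.php?action=admin", "Administration login attempt!"),
    _entry("bob", "203.0.113.9", "Yesterday at 04:37:02 PM",
           "http://forum.example/index.php?action=profile;u=7508", "Administration login attempt!"),
    _entry("carol", "192.0.2.5", "Today at 09:00:00 AM",
           "http://forum.example/index.php?topic=12.0", "Some other error"),
])

ENTRY_SEP = re.compile(r"^=+$", re.M)   # the "=====" line between entries
ADMIN_MSG = "Administration login attempt!"

def parse_entries(text):
    """Split the pasted log into entries and pull out member, IP, time, URL and action."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        lines = [ln.strip() for ln in chunk.strip().splitlines() if ln.strip()]
        if len(lines) < 6:          # not a complete entry (e.g. trailing whitespace)
            continue
        fields = {"member": lines[0], "ip": lines[1], "when": lines[2],
                  "url": next((ln for ln in lines if ln.startswith("http")), ""),
                  "admin_attempt": ADMIN_MSG in lines}
        m = re.search(r"action=([a-z]+)", fields["url"])
        fields["action"] = m.group(1) if m else ""
        entries.append(fields)
    return entries

def summarize(entries, threshold=2):
    """Count admin-password failures per (member, IP); flag those at or above threshold."""
    failures = [e for e in entries if e["admin_attempt"]]
    counts = Counter((e["member"], e["ip"]) for e in failures)
    actions = {}
    for e in failures:
        actions.setdefault((e["member"], e["ip"]), set()).add(e["action"])
    return [{"member": m, "ip": ip, "attempts": n, "actions": sorted(actions[(m, ip)]),
             "flag": n >= threshold} for (m, ip), n in counts.most_common()]
```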

Kill Em All

There are no known security holes in RC3. They are probably just poking around.

What did you upgrade from and what mods are installed?



Kimmie

I have used just about every version of SMF since 1.1 in the past - and this one is RC 3 - upgrading from RC 1.2 and have the same mods installed that I had then (just not as many of them since not all are compatible):

1. Hide Tag BBC Image 1.0.1
2. Hide Tag 2.3.6
3. Aeva ~ Auto-Embed Video & Audio 7.0
4. Join date in Posts 1.0
5. New Style Message Icon 1.1
6. Automatic Index 2.1 2.1
7. Tagging System 2.2.1
8. Thank-O-Matic 2.0 RC2
9. Bookmarks 2.3
10. Welcome Topic Mod 2.1
11. Tidy Child Boards 1.3
12. New Topic Button 1.0
13. Global Headers Footers 2.0
14. Users Online Today 1.5.6
15. Justify BBCode 2.3.1
16. SimplePortal 2.3.2


I know they are "poking around" but I (as the admin) need to know exactly how they are doing it. I have had people try and hack my password before but those are people trying to actually "log into the forum in general" as me. These are them obviously having access to admin areas while simply viewing someone's profile because they are already logged in as themselves (really scary to tell you the truth). I have never had a problem with this on any other version of SMF so there is something different that is giving them the ability to attempt to access my admin account by other means (means that were not accessible in the past).

What I think it probably is, is someone logs in to their "own" account, and then types in the address bar the "extension" (the action= part) to take them to the admin area, and then they are trying to log in to that area. Them being able to even get to that page is a security hole in itself. They should not be allowed to even view that page unless they are in the Admin membergroup. That page uses the exact same password as the one that is used for admins to log into the site in general - which I never understood because making an admin use an entirely separate password for that admin area helps to secure that area even more from intruders who use brute force to hack site login passwords and gain access to the admin's account in general. Once hacked, if they still have to figure out what the admin area password is, it would make it a lot more secure (just my opinion..lol). Regardless, I have banned both accounts because snooping is just as bad as actually trying to hack. And if you think about it, they didn't just "snoop", they attempted to log into the admin area.

If that is indeed what's happening, it's scary as well to look back and think about all the other SMF versions I (and others) have used because we never saw error one from anyone doing that..lol.

Kill Em All

I'm not sure what mod might cause it to be honest. I would suggest creating a test forum, and installing each mod one by one and trying it out.



Kimmie

It's not a mod. I signed in with my test account (who is in the newbie membergroup), changed the "action" portion of the url to "admin" and it took me right to that page to log in.

NOT good..lol.

When I attempted to put in a bogus password, I checked the error in my log. The general error is the same (administration login attempt), the only difference is the "action" portion of it. Although that still doesn't really tell me what they were doing in terms of trying to access my account or what they were doing in terms of the other errors I have, it DOES tell me that there is a vulnerability within SMF that needs to be addressed because folks who are not in the Admin group shouldn't even be allowed to access that page regardless of whether they put that action in their url or not. There has got to be a way to fix that - or set it up so that that password is completely different from the account password. :)

Anyone who is familiar with SMF knows those "action" keywords.

Kill Em All

lol. ohhhh. That is normal... that is a security check. so they would have to get the admin's password correct to get in.

You are fine as far as security goes. Just a couple rotten children trying to think that they are cool.



Kimmie

Quote from: Kill Em All on June 04, 2010, 09:05:23 PM
lol. ohhhh. That is normal... that is a security check. so they would have to get the admin's password correct to get in.

You are fine as far as security goes. Just a couple rotten children trying to think that they are cool.


Well, to save us admins a whole lot of headache (from that "trying"), it would be a lot easier if when folks tried to access that page, they merely saw a message that says "You do not have permission to access this area" - just like when you have denied access to a specific board for a membergroup. It tells them that very same thing. Giving someone access to type in a password allows for the use of brute force. Why even give them that opportunity? To me, that screams "security issue". :) (Of course, granted, I have a secondary admin account just for that very reason; however, we could at least sleep a little better knowing that is one less area they have access to lol.) Anyone other than admins having access to that login page should not be "normal". :)

YogiBear

If it's the same person, there is a mrmagoo1965 supposedly 44 year old male from Scotland but the IP resolves to Queensland, Australia. Someone of that name also signed up to a Warez (!!) site yesterday.

As KEA said, probably some kid trying its luck.

SMF v2.1.3  Mods : Snow & Garland v1.4,  PHP  v.7.4.33

Kill Em All

There is no known security issue with that in either 2.0 or 1.1.x.

I can say with confidence that there is nothing to worry about for that.

