Site hacked

Started by HackAl, June 29, 2011, 11:23:44 PM


HackAl

Hi.  My site was hacked. (www.hackensacknow.com)  See screen shot below.  Still assessing damage. Thanks for any help with this....

colour

You should contact your host about this before coming here, because it could be server-related rather than caused by the software.
I provide limited support as I am just as clueless as you.

HackAl

Host contacted too.  I'll update with their reply but wanted to alert as to potential vulnerabilities.  Apparently, the hacker was able to enter this code in each of the category descriptions:



.<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>


<meta http-equiv="Content-Language" content="tr">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked by m1l05 & pSyCh0 </title>
</head><body bgcolor="white">
<p align="center">&nbsp;</p>
<p align="center">&nbsp;</p>
<p align="center">
<img src="new_files/hex.png"></p>
<p align="center"><font color="black" face="IrisUPC" size="6"><strong>HACKED by m1l05 & pSyCh0</strong></font></p>
<p align="center"><font color="black" face="Verdana" size="2"><strong>Your server is vulnerable!</strong></font></p>
<p></p>
<div align="center">
<img src="http://blog.tigglobal.com/wp-content/uploads/2010/02/white_hat_seo.jpg" height="300" width="300"><br> 
<br>
<p align="center"><font color="black" face="square721 bt" size="3"><strong>KOSOVO IS SERBIA!</strong></font></p>
<p align="center"><font color="black" face="square721 bt" size="2"><strong>If you need help be free to contact me -  [email protected]</strong></font></p>
<p align="center"><font color="black" face="square721 bt" size="2"><strong>Greetz: T0r3x | d00mwalker| Th3 MMA</strong></font></p>
<p align="center"><b><font color="black" face="square721 bt" size="2">
<a href="http://palayos.com/root2010.htm"><font color="gray" face="square721 bt"></font></a></font></b></p>
<embed src="new_files/hex.mp3" type="audio/x-ms-wma" height="0" width="128">
</body></html>.

Road Rash Jr.

Are you using SMF 2.0 Final or another version?
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

HackAl

2.0 Final.

I was able to remove the offending code in the category descriptions and am wondering where else I was hit. Still looking. 

My host sent it to "Abuse and Security Department".   

mashby

Regardless of the version, this is likely the important part:
Quote: Your server is vulnerable!
Let's see how your host responds. Are you on a shared or dedicated plan?
Always be a little kinder than necessary.
- James M. Barrie

ARG01

First thing to do would be to change your passwords for your hosting account, SMF databases and website admin.

;)
No, I will not offer free downloads to Premium DzinerStuido themes. Please stop asking.

Road Rash Jr.

Quote from: HackAl on June 29, 2011, 11:54:49 PM
2.0 Final.

I was able to remove the offending code in the category descriptions and am wondering where else I was hit. Still looking. 

My host sent it to "Abuse and Security Department".

I thought so. You may want to put your site in Maintenance Mode while you check it out, in case there is some viral content that could affect your members.

Edited: And what Arg said.

HackAl

I'm on a shared server: Hostdime.

I changed all passwords.

Site is in maintenance mode.  I found nothing else unusual so far. 

If the hacker had access to change the category descriptions, I can assume he/she had full access, correct? Is there any reason why we think this would be a server breach as opposed to a breach in the SMF software? (just asking).

Road Rash Jr.

From what others have reported and issues I've experienced they were software related.
But in your case best to do what you can to confirm where your issue is.

HackAl

Aside from changing passwords, any other ways I can try to prevent this from happening again?  Is there a known vulnerability issue with 2.0 final?   So far, Hostdime can't find any issues on their end.

Thanks everyone for your help.

Road Rash Jr.

I re-installed my backup of SMF 2.0 RC5 and that fixed the problems I had.

Aleksi "Lex" Kilpinen

As far as I know, in order to change the board descriptions you either need direct DB access, or Admin level access in SMF.
2.0 to my knowledge, has no vulnerability allowing either one.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

HackAl

Host reports: "I was unable to find anything in the server logs that indicated your account was compromised. Was your SimpleMachines Forum installation outdated until you logged in to make changes to it? We've found that the vast majority of issues like yours are caused by an outdated script that is exploited by an attacker."

Aleksi "Lex" Kilpinen

Well, even the hacker says your server is vulnerable....

Road Rash Jr.

Quote from: Aleksi "Lex" Kilpinen on June 30, 2011, 01:32:25 AM
Well, even the hacker says your server is vulnerable....
True but servers are vulnerable through software.

Aleksi "Lex" Kilpinen

That is true also, must admit that much.

HackAl

I asked host about changing passwords.  They replied:

"We can't say for certain that changing the password will prevent further attacks, however it would certainly help. It may also be a good idea to change the account's cPanel password as well as the password associated with the SMF MySQL database. We will continue to keep an eye on this and will let you know if anything is reported on our end."

I did this.  Has anyone else experienced this exact hack before (where category descriptions are changed and nothing else)? Maybe therein lies a clue.

Thanks again for all the replies and any additional suggestions about protection, patches, etc.

So far, all is well but I don't want to mark solved just yet.

LiroyvH

Check if they have something like suPHP, mod_security and, importantly, open_basedir protections in place.
If not, and someone else's account was hacked, they can upload a shell script with which they can gain access to all your files. Just read Settings.php and voila, they've got your SQL password as well...
Doesn't have to be your account that's compromised; could be someone else's if their security measures are sh... err... bad :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Kindred

The interesting thing is the code that was added as the category description.

it's a full webpage.
What this IMPLIES (suggests, although not definitively) is that it was done through a direct database edit, since most of this code would be parsed out of an insertion done through SMF admin tools.

I will also note that, despite RR's claims, there are no known security issues with 2.0 right now. His reports have to do with spammers (which he conveniently mixes and matches with hackers) - which has nothing to do with database hacking or even site hacking. That is not to say that we may not discover an issue, and we are very interested in whatever information you or your host can give us.

1- What mods were you running on your SMF install?
2- Are you running ANY other software on your server? Do you have any other pages (at all) other than the forum? and directories other than the standard SMF installation directories?
3- The questions CoreISP asked about your host's server set up

4- check your site for additional files (do a sort-by-date, see if anything was modified or added recently)
5- if your host can provide us server logs for the targeted timeframe, you can send them via our security report (http://www.simplemachines.org/about/smf/security.php)

Glory to Ukraine!

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
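Two of the points raised above lend themselves to a small triage script: LiroyvH's warning that on a shared host without suPHP/open_basedir separation a readable Settings.php hands the database password to anyone who can read your files, and Kindred's item 4, sorting the site by modification date to spot anything recently added or changed. The following is an added example written for this thread; it is not code from SMF or from any poster. The web-root layout, the list of upload directories, the 7-day window and the constructed sample tree are all assumptions to adjust for your own install.

```python
"""Post-compromise file triage for a PHP forum web root (added example, not SMF code).

Checks: (1) files modified within the last N days, newest first;
(2) script files sitting in user-upload directories where none belong;
(3) whether Settings.php is readable by group or others.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

# Directories an SMF 2.0 install writes user-supplied files into (assumed layout).
# A .php file in one of these is a classic sign of an uploaded web shell.
UPLOAD_DIRS = ("attachments", "avatars", "Smileys", "cache")
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def recently_modified(root, days, now=None):
    """Return [(mtime, relative_path)] for files changed within `days`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(full).st_mtime
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if mtime >= cutoff:
                hits.append((mtime, os.path.relpath(full, root)))
    hits.sort(reverse=True)
    return hits


def scripts_in_upload_dirs(root):
    """Return relative paths of script files found under the upload directories."""
    found = []
    for sub in UPLOAD_DIRS:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.lower().endswith(SCRIPT_SUFFIXES):
                    found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def settings_exposure(root):
    """Report the permission bits on Settings.php that matter on a shared host."""
    mode = os.stat(os.path.join(root, "Settings.php")).st_mode
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def build_sample_webroot(base):
    """Constructed fixture: a tiny fake SMF tree so the checks can be tried offline."""
    base = Path(base)
    now = time.time()
    files = {
        "index.php": now - 400 * 86400,                      # untouched core file
        "Settings.php": now - 400 * 86400,
        "Themes/default/index.template.php": now - 2 * 86400,  # edited two days ago
        "attachments/hex.png": now - 86400,                  # harmless upload
        "attachments/x.php": now - 3600,                     # script where none belongs
    }
    for rel, mtime in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed sample\n" if rel.endswith(".php") else "PNG\n")
        os.utime(p, (mtime, mtime))
    os.chmod(base / "Settings.php", 0o644)  # world-readable: the shared-host risk
    return str(base)


def run_demo():
    """Build the constructed tree in a temp dir and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        return {
            "recent": [p for _, p in recently_modified(root, 7)],
            "scripts": scripts_in_upload_dirs(root),
            "settings": settings_exposure(root),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real install, point `recently_modified` at the forum directory and compare the list against the dates of your own edits and mod installs; anything you did not touch deserves a look. A Settings.php reporting `world_readable: True` on a host without per-account isolation is exactly the case LiroyvH describes, and tightening it (and rotating the database password) is cheap.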

twig/al

Dumb question: if the hacker did get into the forum, would it not show him/her listed in the permissions section of the control panel as having either administrative or moderator power?

Illori

Not always; most hackers don't even need admin or moderator privileges to do what they need.

Lum-chan

You might want to change the password of your FTP account too, just to be sure...
