My forum got hacked!

Started by PokémonS, June 21, 2013, 12:13:30 PM


PokémonS

SMF 2.0.4

Hi,

My SMF got hacked. Someone who registered a new account suddenly got admin access as an administrator, deleted me... and did an SQL injection which dropped my whole SMF database... This has happened 3x! Yesterday 1x, today 2x.

Luckily I still have backups.

Help please? :(

(kindred edit - title changed)
Let's hold hands, you and I, even more when times are hard
Let's start from zero, come on, come on, let's hold hands
Everyone, let's hold hands, even more when times are hard
Let's join our strength, come on, come on, let's hold hands

margarett

AFAIK, there are no known vulnerabilities (that serious!) in SMF 2.0.4. Are you using the latest version?
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

PokémonS

I already said that I use SMF 2.0.4 in the thread.

Also, I use email activation for registration.

margarett

Oops, sorry :P

The registration method is irrelevant for your problem... The important thing is, he probably accesses your database directly or through an administrator account.
Change all your passwords (cPanel, MySQL, forum administrator) when you restore your backup (again).

Chalky

You haven't deleted the 0 post membergroup have you?  Just trying to think how it could have happened....

NanoSector

Quote from: ChalkCat on June 21, 2013, 12:48:43 PM
You haven't deleted the 0 post membergroup have you?  Just trying to think how it could have happened....
You can't delete that group Chalky :P
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Illori

Quote from: Yoshi on June 21, 2013, 12:50:31 PM
Quote from: ChalkCat on June 21, 2013, 12:48:43 PM
You haven't deleted the 0 post membergroup have you?  Just trying to think how it could have happened....
You can't delete that group Chalky :P

You can through the database.

NanoSector

Quote from: Illori on June 21, 2013, 12:51:13 PM
Quote from: Yoshi on June 21, 2013, 12:50:31 PM
Quote from: ChalkCat on June 21, 2013, 12:48:43 PM
You haven't deleted the 0 post membergroup have you?  Just trying to think how it could have happened....
You can't delete that group Chalky :P

you can through the database
Then you force it to delete the group, for which we cannot give support.

Chalky

But if that was done it would explain how a new member gained admin powers  ;)

PokémonS

I have deleted that fake admin and restored my admin membergroup via phpMyAdmin. I have deleted it and the forum is still fine, but shortly after 5 minutes, my forum got SQL injected. Luckily I still have backups. Now I have disabled the "Drop" privileges for the SMF databases.

4-5 hours later, the hacker came back to my forum, created an account which suddenly could access as administrator, and edited my account...

margarett

Do you have the mentioned membergroup? Did you change ALL your passwords?
Disabling the drop privileges will not help, I think...

emanuele

Did you contact and inform your host?


Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

PokémonS

Quote from: margarett on June 21, 2013, 01:07:26 PM
Do you have the mentioned membergroup?
Can you please make a more clear question? I don't understand.

Quote from: margarett on June 21, 2013, 01:07:26 PM
Did you change ALL you passwords?
I will try...

Quote from: emanuele on June 21, 2013, 01:07:47 PM
Did you contact and inform your host?
I already contacted the host yesterday, they said "We didn't change anything in your website, such as databases. Most likely your website got hacked / SQL injected.".

Also there are no recent file edits in File Manager.

Burke ♞ Knight

Who is your webhost?
If you can find the IP of the hacker in your logs, maybe you can ban the IP from the hosting cPanel, or have the host do it for you.
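The suggestion above is to look in the server logs for the IP that registered the rogue account and then reached the admin panel. The following is an added example and not code from this thread or from SMF: a small Python script that parses a handful of constructed Apache combined-format access-log lines and reports any IP that requested SMF's registration page (action=register / action=register2) and then requested action=admin within a time window. The log lines, the IP addresses and the 24-hour window are constructed assumptions; the SMF action names are the ones the forum software actually uses in its URLs.

```python
"""Correlate access-log requests: flag an IP that registers and then reaches action=admin."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not real traffic from any site.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2013:12:01:03 +0000] "GET /index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2013:12:01:40 +0000] "POST /index.php?action=register2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2013:12:02:15 +0000] "GET /index.php?action=admin HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2013:12:02:50 +0000] "GET /index.php?action=admin;area=membergroups HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Jun/2013:12:05:00 +0000] "GET /index.php?board=1.0 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Jun/2013:12:06:00 +0000] "GET /index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Jun/2013:12:10:00 +0000] "GET /index.php?action=admin HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def smf_action(path):
    """Return the SMF 'action' query parameter from a request path, or None.
    SMF separates query parameters with ';' as well as '&', so split on both."""
    if "?" not in path:
        return None
    query = path.split("?", 1)[1]
    for part in re.split(r"[;&]", query):
        if part.startswith("action="):
            return part[len("action="):]
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "action": smf_action(m.group("path")),
        "status": int(m.group("status")),
    }


def find_register_then_admin(log_text, window=timedelta(hours=24)):
    """Return one finding per IP that hit the registration action and later hit
    action=admin within `window`. Lines need not be in chronological order."""
    first_register = {}
    admin_hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] in ("register", "register2"):
            if rec["ip"] not in first_register or rec["time"] < first_register[rec["ip"]]:
                first_register[rec["ip"]] = rec["time"]
        elif rec["action"] == "admin":
            admin_hits[rec["ip"]].append(rec["time"])

    findings = []
    for ip, reg_time in first_register.items():
        later = [t for t in admin_hits.get(ip, []) if reg_time <= t <= reg_time + window]
        if later:
            first_admin = min(later)
            findings.append({
                "ip": ip,
                "registered_at": reg_time.isoformat(),
                "first_admin_at": first_admin.isoformat(),
                "seconds_between": int((first_admin - reg_time).total_seconds()),
            })
    return findings


def ips_hitting_admin(log_text):
    """Every IP that requested action=admin; compare against the IPs the real admins use."""
    return {rec["ip"] for rec in map(parse_line, log_text.splitlines())
            if rec and rec["action"] == "admin"}


if __name__ == "__main__":
    for finding in find_register_then_admin(SAMPLE_LOG):
        print(finding)
    print("IPs that reached action=admin:", sorted(ips_hitting_admin(SAMPLE_LOG)))
```

On the constructed sample only 203.0.113.7 is flagged: it registered and reached action=admin 72 seconds later. 192.0.2.9 reached the admin panel without registering (which is what a legitimate administrator looks like) and 198.51.100.22 registered but never touched admin. Pointing the script at the real access log for the period of the incident gives the IP to hand to the host, and the surrounding requests from that IP show which pages it used to get there.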

Chalky

In your membergroups you should have a postcount group with required post count of 0.  If you don't have that group for whatever reason then that can cause new members to be assigned to the admin group.  Just check how many posts are required for your lowest post count membergroup and let us know.

margarett

A new SMF installation looks like the attached.
That's the "Newbie" group.

edit: anyway, I removed that group via phpMyAdmin and registered a new user. No admin privileges are obtained, it's just another user. As far as permissions go (if post count group permissions are enabled), he gets the "Regular Members" permissions, so that's not the case.

So, either you have seriously messed up permissions (try to register a test user yourself, see how that goes) or, as I think, you are not "hacked" directly. Or someone got an important password from you or it's host related...

emanuele

Quote from: PokémonS on June 21, 2013, 01:15:13 PM
Quote from: emanuele on June 21, 2013, 01:07:47 PM
Did you contact and inform your host?
I already contacted the host yesterday, they said "We didn't change anything in your website, such as databases. Most likely your website got hacked / SQL injected.".

Also there are no recent file edits in File Manager.
Well, a host whose only answer is that deserves to be changed no matter what IMHO.
But, before that, what did you ask them exactly?

Do you have mods or custom code installed?
Can you provide the server logs? If so, please send a security report (better to use that channel) and when we answer, send us the logs. If you don't have them, please contact your host and try to find the logs related to the period of the hacking.

Most hacks are related to old unpatched vulnerabilities, not necessarily in SMF.
Do you have other applications like Joomla, WordPress, etc.?
I suppose you have shared hosting; if that's the case then it may be another site on your host that is compromised and the hacker is using that vulnerability to attack your site too.

There are many factors to take in consideration.



PokémonS

Quote from: BurkeKnight on June 21, 2013, 01:21:39 PM
If you can find the IP of the hacker in your logs, maybe you can ban the IP from the hosting cPanel, or have the host do it for you.
Got the IP, and omg I know 100% who the hacker is... srsly. :/
I don't want to kill him, I want to make my forum more secure.

Quote from: margarett on June 21, 2013, 01:34:59 PM
So, either you have serioulsy messed up permissions (try to register a test user yourself, see how that goes) or, as I think, you are not "hacked" directly. Or someone got an important password from you or it's host related...
I haven't messed anything in membergroup.
I already checked many times for permissions, and tested a new account.

Attachment added.
Quote from: emanuele on June 21, 2013, 02:13:17 PM
Quote from: PokémonS on June 21, 2013, 01:15:13 PM
Quote from: emanuele on June 21, 2013, 01:07:47 PM
Did you contact and inform your host?
I already contacted the host yesterday, they said "We didn't change anything in your website, such as databases. Most likely your website got hacked / SQL injected.".

Also there are no recent file edits in File Manager.
But, before, what did you ask them exactly?

"SQL Databases suddenly dropped.

Hi, all SQL databases in http://pokemonstars.com/ suddenly dropped. I don't do anything before this problem.

Can you explain why it happened?

Thx."


Quote from: emanuele on June 21, 2013, 02:13:17 PM
Do you have mods or custom code installed?
A lot of mods...

One question, could this mod be causing this problem?
http://custom.simplemachines.org/mods/index.php?mod=1804

Quote from: emanuele on June 21, 2013, 02:13:17 PM
Do you have mods or custom code installed?
Can you provide the serve logs? If so, please send a security report (better use that channel) and when we will answer send us the logs. If you don't have them, please contact your host and try to find the logs related to the period of the hacking.
No logs, but IP addresses.

Quote from: emanuele on June 21, 2013, 02:13:17 PM
Do you have other applications like joomla, wordpress, etc.?
No, only SMF.

Kindred

well, do what emanuele said then.

Without a clear report and the server logs, we can't do much to figure out what actually happened.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

emanuele

Quote from: PokémonS on June 21, 2013, 02:33:20 PM
Quote from: emanuele on June 21, 2013, 02:13:17 PM
Do you have mods or custom code installed?
A lots of mod...

One question, is this mod probably cause this problem?
http://custom.simplemachines.org/mods/index.php?mod=1804
Guessing is useless in these cases.
What "we" need first and foremost are: server logs covering the period in which the user has *apparently* hacked your system.
Without those nobody can do anything.
Because we are not even sure it is a hack (it may just be a user who stole a password).


