Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM


Illori

that is editing the thread, not the message. you need to look for the messages table and look for the message with id of 256089; you should see the code

<head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head>

somewhere in the message body, remove that and only that.

Kindred

however, unless something is VERY wrong, posting html in a post like that should **NOT** have the effect that it is having...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Illori

Quote from: Kindred on December 26, 2013, 01:02:24 PM
however, unless something is VERY wrong, posting html in a post like that should **NOT** have the effect that it is having...

well if you go to a page like the help page etc that does not load recent posts [via simple portal?] this page does not show up, so somehow someone got this content into this one post.

Kimmie

Quote from: Illori on December 26, 2013, 12:55:16 PM
that is editing the thread, not the message. you need to look for the messages table and look for the message with id of 256089; you should see the code

<head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head>

somewhere in the message body, remove that and only that.


Sorry had to step away from pc for a minute. Let me do that real quick and see what happens

Kimmie

Ok I cleared that out of that post.

Illori

that seemed to fix it on that thread. maybe simple portal has some cache somewhere?

the forum index has the code

<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=173.0" name="b173">Games - Patriot Force</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=173"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


somewhere.

Kimmie

Quote from: Illori on December 26, 2013, 01:25:12 PM
that seemed to fix it on that thread. maybe simple portal has some cache somewhere?

the forum index has the code

<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=173.0" name="b173">Games - Patriot Force</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=173"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


somewhere.


Found it and deleted it (Board 173)

Illori

and

</td>
<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=293.0" name="b293">Games</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=293"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>

Kimmie

Quote from: Illori on December 26, 2013, 01:37:25 PM
and

</td>
<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=293.0" name="b293">Games</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=293"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


Done
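Added example, not part of the thread: the posts above find the injected markup one row at a time (message 256089, then boards 173 and 293), and a sweep over both tables finds every remaining copy in one pass. The table and column names are assumed SMF 2.0 defaults with the `smf_` prefix, an in-memory SQLite database stands in for the forum's real one, and the rows and the `injected.example` host are constructed.

```python
import re
import sqlite3

# Tags that stored forum text has no reason to carry; <br /> is deliberately not listed.
RAW_TAG = re.compile(r"<\s*/?\s*(head|link|script|iframe|meta|object|embed)\b", re.I)
# Host part of a quoted or unquoted absolute href/src value.
REMOTE = re.compile(r"""(?:href|src)\s*=\s*["']?(?:https?:)?//([^/\s"'>]+)""", re.I)

# (table, key column, text column): assumed SMF 2.0 default names, adjust the prefix.
TARGETS = [("smf_messages", "id_msg", "body"),
           ("smf_boards", "id_board", "description")]

def find_injections(conn, own_host):
    """Return (table, row id, off-site hosts) for each row that holds a raw tag."""
    hits = []
    for table, key, col in TARGETS:
        query = f"SELECT {key}, {col} FROM {table} ORDER BY {key}"
        for row_id, text in conn.execute(query):
            if text and RAW_TAG.search(text):
                hosts = {h.lower() for h in REMOTE.findall(text)} - {own_host}
                hits.append((table, row_id, sorted(hosts)))
    return hits

def sample_db():
    """Constructed rows: the ids match the thread, the injected host is a placeholder."""
    bad = ("<head><link href=http://injected.example/font/x.css "
           "type=text/css rel=stylesheet></head>")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smf_messages (id_msg INTEGER, body TEXT)")
    conn.execute("CREATE TABLE smf_boards (id_board INTEGER, description TEXT)")
    conn.executemany("INSERT INTO smf_messages VALUES (?, ?)", [
        (256088, "Normal reply<br />with a line break"),
        (256089, "Welcome post " + bad),
    ])
    conn.executemany("INSERT INTO smf_boards VALUES (?, ?)", [
        (172, "General chat"),
        (173, "Games - Patriot Force " + bad),
        (293, "Games " + bad),
    ])
    return conn

if __name__ == "__main__":
    for table, row_id, hosts in find_injections(sample_db(), "patriotgames2.info"):
        print(f"{table} #{row_id}: raw HTML, off-site hosts {hosts}")
```

The sweep only reports rows; each hit still needs the manual edit described above, removing the injected tag and nothing else.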

Kimmie

Not sure at what point we got it, but that big purple image is gone now - no response from host yet so not sure if they did anything in terms of that.

Kimmie

Ok I have decided (without them even responding) that I am going to look for a new host after the holidays. What is the best way to ensure all my files are clean before I get them moved?


Storman™


Kimmie


Kimmie

Quote from: Kimmie on December 26, 2013, 02:12:40 PM
Quote from: Storman™ on December 26, 2013, 02:10:40 PM
As previously advised in this topic:

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files



That's just it. I can't make a backup until I know those files are clean.


I will have to skip the backup part.. and if something goes wrong, I can use one of my prev backups to do the move.

Storman™

Suggest you reread it again properly  ::)

Concentrate on backing up your database. The only files you need to keep are the ones like attachments, any custom themes/graphics. etc. You'll be replacing all your other files from the package.

Kimmie

I finally got a response from my host and this is what it was. BE HONEST with me here... are they really this stupid or am I?





I am asking because I need to know how to respond to them. Basically they are "mostly" blaming you all for it and I need to know if I should have your back or not..lol. We pretty much figured out that the first 2 times I was hacked it was because they had the wrong permissions on the folders/files (they still refused to give back to me, the ability to change those settings but I made sure they changed them all for me) - so I am already leery about keeping them as my host.. however, it takes a lot of time and money to move and I also have to consider the fact that I have been with them for 2 years and have never had any real major issues with them until now. I went and looked at when I upgraded to 2.0.6 and it was on October 28th. I started getting hacked 2 weeks later so I have to also wonder if there indeed is a hole in that version somewhere.

Bottom line is, if I have to move, I need to know it is for the right reasons before I go through all this. If it is their fault and something they either refuse to fix, or are too dumb to know how to fix - that would be the right reasons because they are incompetent.

kat

Basically, if they can explain what they believe this "Hole" is, it'll benefit not just you, but every SMF user on the planet.

But, I have to say, I believe they're talking crap™.

Kimmie

Quote from: K@ on December 27, 2013, 07:58:07 AM
Basically, if they can explain what they believe this "Hole" is, it'll benefit not just you, but every SMF user on the planet.

But, I have to say, I believe they're talking crap™.

This is what I think too but I want to make sure. This is what I told them

"If that is true, most hosts should be able to tell me where this hole is and how they got in because if I can't tell SMF how it happened, how do you expect them to fix it? SMF does not have control over your server, you do. "

Kindred

See, here's the deal.

1- There are currently no KNOWN vulnerabilities in SMF (if you were running 2.0.6).
2- Now, we know that you were running a bunch of mods...    Our customization team reviews every mod submitted to this site - but there may have been a vulnerability exposed in one of the mods that we don't know about.

Were you running ANYTHING else on your site, other than SMF?

3- ---  and this is the most important thing ---   The host should have been able to look at the logs (especially since you were able to narrow the time of the attack down to a few hours).  Those logs SHOULD have told them *EXACTLY* what vector the attackers used.  Now...  it might not tell them specifically how they used it... but the host should be able to tell you the time (to the second) and the first URL that the hacker used to gain the first access.


randomly blaming the software by saying "there is a hole in your SMF, somewhere" is either lazy or incompetent.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
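Added example, not part of the thread: a sketch of the log review the post above asks the host for, cutting an access log down to the suspected window and listing, in time order, the requests worth reading first. The combined log format, the baseline of expected scripts, the window and every log line are constructed assumptions; the thread never shows the host's logs.

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" format is assumed; the host's real logs are not in the thread.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Scripts a stock install is expected to serve directly (assumed baseline).
BASELINE = {"/index.php", "/SSI.php"}
# Constructed window and log lines (documentation IP ranges, made-up times).
START = datetime(2013, 11, 17, 10, 0, tzinfo=timezone.utc)
END = datetime(2013, 11, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE = """\
198.51.100.7 - - [17/Nov/2013:09:58:12 +0000] "GET /index.php?board=173.0 HTTP/1.1" 200 5120 "-" "UA"
203.0.113.9 - - [17/Nov/2013:10:14:03 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 812 "-" "UA"
203.0.113.9 - - [17/Nov/2013:10:14:40 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "UA"
203.0.113.9 - - [17/Nov/2013:10:15:02 +0000] "GET /cache/unknown.php HTTP/1.1" 200 64 "-" "UA"
198.51.100.7 - - [17/Nov/2013:10:20:00 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 4096 "-" "UA"
198.51.100.7 - - [17/Nov/2013:14:30:00 +0000] "POST /index.php?action=post2 HTTP/1.1" 200 900 "-" "UA"
""".splitlines()

def triage(lines, start, end):
    """Return time-ordered (time, ip, method, url, reason) for requests to review."""
    flagged = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, stamp, method, url, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        # Keep only requests inside the window that the server did not reject.
        if not (start <= when <= end) or status[0] in "45":
            continue
        path = url.split("?", 1)[0]
        if path.endswith(".php") and path not in BASELINE:
            flagged.append((when, ip, method, url, "script outside baseline"))
        elif method == "POST":
            flagged.append((when, ip, method, url, "state-changing request"))
    return sorted(flagged)

if __name__ == "__main__":
    for when, ip, method, url, reason in triage(SAMPLE, START, END):
        print(when.isoformat(), ip, method, url, "<-", reason)
```

The first entry returned gives the time to the second and the URL to start reading from; on a busy forum the POST rule will also list ordinary logins and posts, so the narrower the window, the shorter the list.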

Kimmie

Quote from: Kindred on December 27, 2013, 08:02:18 AM
See, here's the deal.

1- There are currently no KNOWN vulnerabilities in SMF (if you were running 2.0.6).
2- Now, we know that you were running a bunch of mods...    Our customization team reviews every mod submitted to this site - but there may have been a vulnerability exposed in one of the mods that we don't know about.

Were you running ANYTHING else on your site, other than SMF?

3- ---  and this is the most important thing ---   The host should have been able to look at the logs (especially since you were able to narrow the time of the attack down to a few hours).  Those logs SHOULD have told them *EXACTLY* what vector the attackers used.  Now...  it might not tell them specifically how they used it... but the host should be able to tell you the time (to the second) and the first URL that the hacker used to gain the first access.


randomly blaming the software by saying "there is a hole in your SMF, somewhere" is either lazy or incompetent.

As for running anything else on my site, nothing, outside of the mods you mentioned. They are listed below




Wanna know something scary? This particular tech person is in Canada. Home of "healthcare.gov" - and we all know how that one turned out LMAO
