Looks like my website was hacked. - 2.0.9

Started by tjbalon, December 13, 2014, 02:09:01 PM


tjbalon

I'd first off say, if someone has a great deal of experience and wouldn't mind contacting me privately - that would be appreciated, just PM me details.

I just finished reviewing our logs, especially for HTTP GET requests; they were filled with failed SQL injections. Though - last night around midnight; someone was able to grant their account into one of my staff-usergroups. After deleting and banning the account, this user came back 4 hours later changing our banner, got into our awards system, and was able to hijack a user's account, change their name, and start posting.

I'm not sure where this attack fully came from, nor am I positive I've solved the issue. My webhost is a good friend of mine, we spent a long time looking through everything, and nothing has come up so far. So I've decided to turn to the SMF community.

Forum Version: 2.0.9
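The first step described above is skimming the access logs for injection attempts and for the requests that actually got something done. The script below is an added example, not code from the thread or from SMF: it parses Apache/nginx combined-format lines, decodes the query string, counts SQL-injection-looking requests per client address, and (more usefully) lists successful responses from .php files that are not part of a clean install. The sample log lines, the documentation-range IP addresses and the KNOWN_SCRIPTS set are constructed for the example; the script names come from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# One regex for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Coarse SQL-injection indicators, matched against the URL-decoded query string.
# They are deliberately broad: the goal is triage, so review the hits by hand.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\binformation_schema\b|\bsleep\s*\(|\bbenchmark\s*\(", re.I),
]

# Scripts the site is expected to serve directly (assumption for this example;
# build the real list from a clean copy of the install).
KNOWN_SCRIPTS = {"/index.php", "/SSI.php", "/ssi_examples.php"}

# Constructed sample lines; the IPs are documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2014:23:58:01 -0500] "GET /index.php?action=profile;u=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2014:23:58:07 -0500] "GET /index.php?topic=12.0%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Dec/2014:00:02:33 -0500] "GET /index.php?board=3.0 HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2014:03:41:12 -0500] "POST /page.unban.protest.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2014:03:41:20 -0500] "GET /templating.php?x=1 HTTP/1.1" 200 2099 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec.pop("target").partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # decode %27, %20, '+' before matching
    rec["status"] = int(rec["status"])
    return rec


def looks_like_sqli(query):
    """True if the decoded query string matches any of the coarse indicators."""
    return any(p.search(query) for p in SQLI_PATTERNS)


def triage(log_text, known_scripts=KNOWN_SCRIPTS):
    """Count SQLi-looking requests per client and list successful hits on unknown .php files."""
    sqli_by_ip = defaultdict(int)
    unexpected_scripts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if looks_like_sqli(rec["query"]):
            sqli_by_ip[rec["ip"]] += 1
        # A 200 from a PHP file that is not in the clean install is the strongest
        # signal here: it means something executed that should not exist.
        if rec["path"].endswith(".php") and rec["path"] not in known_scripts and rec["status"] == 200:
            unexpected_scripts.append((rec["time"], rec["ip"], rec["method"], rec["path"]))
    return dict(sqli_by_ip), unexpected_scripts


if __name__ == "__main__":
    by_ip, hits = triage(SAMPLE_LOG)
    for ip, n in sorted(by_ip.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} SQLi-looking request(s)")
    for when, ip, method, path in hits:
        print(f"{when} {ip} {method} {path}  <- not in clean install, returned 200")
```

The failed injections are mostly noise; the list of unknown scripts that answered 200 is what tells you when the attacker first gained execution, and the timestamps on those lines are the ones to line up against the admin log and the usergroup change.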

kat

For me, it would be logical to compare the files with ones that you have in a recent backup. I'm surprised that your host doesn't have raw access logs, to figure-out who's been messing with your site, though...

tjbalon

Through sourcebans he was able to inject some control panel. This is a joke, but for now we think we're secure.


All databases were leaked though. SMF is SHA-1 salted, correct?


tjbalon


Illori

No, you have not. You have not made a security report with the requested information.

http://www.simplemachines.org/about/security.php

tjbalon

Scratch that.

Issue still persists.

kat

Which issue?

If this twat's still getting in, somehow, you really need to work with your host. As far as we're aware, there aren't any security holes in SMF v2.0.9.

tjbalon

Somehow he was able to get a file called /templating.php in our SMF directory. After that, he used a c99shell through our sourcebans on a file called /page.unban.protest.php - to blend in with current sourcebans files such as page.protest.php.

The HTTP GET requests showed him trying to upload a template called /Moving_Company/ to our website for whatever reason.

At this time, he hasn't gotten back in as we've now moved sourcebans offsite to another account, and left SMF in our main account, with anything custom we've programmed. Updated any modifications, etc.

K@ is there anyone on this forum that would be willing to look at the logs to see how he got in? Or look at our website? I've had recommendations to move to vB or IPB - but as long as we ensure he's not getting back in, I'd much rather stay with SMF. I've used SMF for years now.

I have replaced most of the SMF critical files, still working on a few due to mods making edits - I've been transferring over code before doing the updates.


I appreciate your help.

Illori

i could be wrong, but it sounds like the person was able to get admin access or able to hack an admin account and upload a theme/mod. check the admin logs in the error log section and see if it says anything was uploaded/changed around the time you noticed the hack.

tjbalon

Quote from: Illori on December 14, 2014, 02:29:21 PM
i could be wrong, but it sounds like the person was able to get admin access or able to hack an admin account and upload a theme/mod. check the admin logs in the error log section and see if it says anything was uploaded/changed around the time you noticed the hack.

I am the only one with an admin account, I have 2 co-owner accounts which do not have that privilege. None of the 3 accounts were hacked anyway. cPanel was not hacked either. It's really strange. (I checked the admin logs for a long time, same with errors.) There wasn't even anything when he switched from Registered User to a staff account as far as usergroups go. He had database access by that point by being able to hack into the directories of the website.

kat

Again, this is largely down to your host, coz he'd be able to control things like CHOWN. If that was locked down, so that only you can access things, you should be OK. It doesn't matter what software you use. If this tosser can get in, he can screw ANY software, not just SMF. Even basic CHMOD access should keep him out, up to a point.

From what I can gather, you need your file permissions sorted out.

I might well be missing something. But, I don't think I am... :)

I saw the security report that you submitted. I'd assume someone with the required skills is looking at it, or soon will be. As it's holiday time, though, you might need to be patient. As I suspect you know, we're all volunteers, here. So... :)

tjbalon

Quote from: K@ on December 14, 2014, 02:34:30 PM
Again, this is largely down to your host, coz he'd be able to control things like CHOWN. If that was locked down, so that only you can access things, you should be OK. It doesn't matter what software you use. If this tosser can get in, he can screw ANY software, not just SMF. Even basic CHMOD access should keep him out, up to a point.

From what I can gather, you need your file permissions sorted out.

I might well be missing something. But, I don't think I am... :)

I saw the security report that you submitted. I'd assume someone with the required skills is looking at it, or soon will be. As it's holiday time, though, you might need to be patient. As I suspect you know, we're all volunteers, here. So... :)

Well understood. If the issue isn't resolved by Monday anyway I'll be heading down to the Cyber Forensics dept at my University. I currently work with the team, but only being a freshman... there's some people that know way more than me. Hell, 2 of them have FBI internships for this winter-break.

We think we've found his actual IP, but for now we have found some stuff that may turn into a compelling legal case.

Again, I thank you all for your help.


I'll post back a fix, if we find one. Still have over 1m log entries for December to skim through.

kat

Thanks. If they come up with something, maybe we can add something to our own arsenals, too. :)

Illori

Quote from: balonfx on December 14, 2014, 02:32:52 PM
Quote from: Illori on December 14, 2014, 02:29:21 PM
i could be wrong, but it sounds like the person was able to get admin access or able to hack an admin account and upload a theme/mod. check the admin logs in the error log section and see if it says anything was uploaded/changed around the time you noticed the hack.

I am the only one with an admin account, I have 2 co-owner accounts which do not have that privilege. None of the 3 accounts were hacked anyway. cPanel was not hacked either. It's really strange. (I checked the admin logs for a long time, same with errors.) There wasn't even anything when he switched from Registered User to a staff account as far as usergroups go. He had database access by that point by being able to hack into the directories of the website.

did you check anyway?

tjbalon

Quote from: Illori on December 14, 2014, 04:32:50 PM
Quote from: balonfx on December 14, 2014, 02:32:52 PM
Quote from: Illori on December 14, 2014, 02:29:21 PM
i could be wrong, but it sounds like the person was able to get admin access or able to hack an admin account and upload a theme/mod. check the admin logs in the error log section and see if it says anything was uploaded/changed around the time you noticed the hack.

I am the only one with an admin account, I have 2 co-owner accounts which do not have that privilege. None of the 3 accounts were hacked anyway. cPanel was not hacked either. It's really strange. (I checked the admin logs for a long time, same with errors.) There wasn't even anything when he switched from Registered User to a staff account as far as usergroups go. He had database access by that point by being able to hack into the directories of the website.

did you check anyway?

I've checked multiple times.

Arantor

So if he got in through Sourcebans, the file permissions were already somewhat screwed up and that doesn't imply a vuln in SMF in itself...

tjbalon

Quote from: Arantor on December 14, 2014, 04:35:58 PM
So if he got in through Sourcebans, the file permissions were already somewhat screwed up and that doesn't imply a vuln in SMF in itself...

We're almost positive we've found the issue. Making the necessary changes, then will post back here to confirm on our side if we think it was or wasn't SMF.

What we know:
They accessed my account
They added a "theme" (not really) to upload a .php file without having prior cPanel access.
With access, they then proceeded to use c99 shell to grant basically root access on our site upload/remove files etc.

Black Tiger

Quote
With access, they then proceeded to use c99 shell to grant basically root access on our site upload/remove files etc.
OMG I know that one.
It could also very well be that maybe your pc is infected with spyware and they got your ftp password that way.

Anyway, I would strongly suggest that you or rather your host, uses Maldetect to scan for problems, because with that shell you never know what they have infected. There is a big chance other files are infected or some include lines and/or iframe is added to files etc.
Greetings, Black Tiger

Arantor

I always do the comparison against known clean files for that sort of thing, still icky though.
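Both kat's suggestion earlier in the thread (compare against a recent backup) and Arantor's comparison against known clean files come down to the same check. The script below is an added example, not code from the thread or from SMF: it hashes every file under a clean reference copy and under the live web root, then reports files that were modified, added or removed, and also flags anything world-writable, which is the permission problem kat raised. The demo trees it builds are constructed sample data in a temporary directory; the file names mirror the thread but nothing here touches a real site.

```python
import hashlib
import os
import stat
import tempfile


def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare_trees(clean_root, live_root):
    """Diff a clean reference tree against the live one and flag loose permissions."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
        # Anything others can write is a drop point for the next unexpected script.
        "world_writable": sorted(
            p for p in live
            if os.stat(os.path.join(live_root, p)).st_mode & stat.S_IWOTH
        ),
    }


def build_demo_trees():
    """Construct a throwaway clean copy and a tampered live copy (sample data, not a real site)."""
    base = tempfile.mkdtemp(prefix="smf-integrity-")
    clean = os.path.join(base, "clean")
    live = os.path.join(base, "live")
    files = {
        "index.php": "<?php // front controller\n",
        "Sources/Load.php": "<?php // original loader\n",
        "Themes/default/index.template.php": "<?php // theme\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
    # Tamper with the live copy the way the thread describes: an edited core file,
    # an extra script with a plausible-looking name, and a loosened permission.
    with open(os.path.join(live, "Sources/Load.php"), "a") as fh:
        fh.write("// appended line\n")
    extra = os.path.join(live, "templating.php")
    with open(extra, "w") as fh:
        fh.write("<?php // file that is not in the clean reference\n")
    os.chmod(extra, 0o644)
    os.chmod(os.path.join(live, "index.php"), 0o666)
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo_trees()
    report = compare_trees(clean_dir, live_dir)
    for key in ("modified", "added", "missing", "world_writable"):
        print(f"{key}: {report[key]}")
```

Run it against a fresh download of the same SMF version on one side and the web root on the other; the "added" list is where dropped-in scripts show up, and "modified" catches the include lines Black Tiger warns about. Mod-edited core files will appear as modified too, so keep a manifest of the tree right after each mod install to diff against instead.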

tjbalon

I've been - will continue to compare all the SMF core files, and then any modifications. Though we will run a scan. Thanks.
