News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

SMF 2.0.11 being hacked?

Started by Mr. Lee, June 05, 2016, 03:03:17 PM

Previous topic - Next topic

Mr. Lee

I am an administrator on a forum using this software and just began having this issue. This has happened to the forums 3 times in the last week where everyone who is on at the time shows up to have Romanian ip addresses, thus anyone who is on at the time can no longer sign back into the forum if they log out, it tells them that they are banned because I banned those Romanian ip addresses but they keep coming back with new Romanian ip addresses each time, is this a known problem and if so what is the fix. Below is our "who's online" from shortly after I caught the problem.
Thank you in advance,

Mr. Lee (5.254.110.26)
FM (5.254.110.22)
Bob (5.254.110.22)   
jj (5.254.110.22)   
bc (5.254.110.27)

Kindred

How is this a hack?

It's just spammers... Spammers have been a known problem for decades
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mr. Lee

How does a spammer change every members ip address?

Kindred

#3
Ah, I misunderstood your comments.

You are right... It's not a spammer...  But it's unlikely to be a hack either. It sounds more like you signed up for a proxy service or installed a mod incorrectly.

Mods installed?
URL?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mr. Lee

No new mods installed in a very long time, two times it happened before we upgraded to 2.0.11 and we hoped the upgrade might fix it but it happened again yesterday. I am not a technical person, the person who was maintaining the forum stepped down quite a while back and I was asked to be one of the admins on it to just keep it going, so I have just been doing daily moderator functions.

LiroyvH

This can be caused by CloudFlare if its not properly configured or appropriate mods are in place, or when the host uses a reverse proxy setup like nginx in front of apache, but the mod_remoteip is failing or was not installed at all. That's if all online members, including you, show that IP.
It can also be caused by anti-DDoS CDN's provided by the company hosting the server.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Mr. Lee

Yes all online members who are on at the time show with that Romanian ip address, thank you for the suggestions, I will try to look into them but so far I have not seen either of those in any of the code I have searched.

Kindred

As one note...  You should,generally, not ban accounts by ip
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mr. Lee

We generally don't, we only ban those from a couple of countries where the majority of spammers seem to be from.

LiroyvH

That IP is from a server provider judging by the whois data, so I'd have a chat with your host.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Mr. Lee

I have an email into them already, thank you, if it is only that then that would be great.

Advertisement: