According to my host, your forum is NOT secure, and is easily Cracked!

Started by tpgames, June 06, 2017, 03:11:17 PM


tpgames

I had a cracker that is ignoring firewalls completely and is attempting to hack the server and the database.
Banning by IP address does NOT work when the idiot uses the BANNED IP and gets through!
I am in tears.
My new forum that I was the primary poster in, is toast!
I want that cracker DEAD! But, that is slightly illegal.
I can handle spam posts! He isn't doing that!
I can handle simply removing useless crap and other garbage.
Why do I have to be the one who gets Kosovo terrorists and Crackers who try to bring down the entire server?
Why do I get the crackers that Project Honey Pot and Stop Forum Spam don't even know about?
Why do I get the crackers who are on abuseipdb.com?
Why do I have to get the nutters who are so evil, that you'd think I was Target or some other major company? I'm not.

Anything you can do to secure your coding? I don't use a lot of mods on purpose. Mods are not updated very well, and might be an easy gateway in.

My security passwords use more than just english, numbers, symbols.
My security verification questions and answers are insane! They aren't guessable.
Brute Force attacks can easily find a weak spot when the Database requires ENGLISH ONLY!
Or limits the password length to something stupid! (Anything less than 150 characters is stupid in my books.)

I have deleted the forum because this cracker is not obeying firewalls and T35 does not know what to do. And, SMF does not know where the vulnerability is either, probably, at this point. And no, his IP addresses are NOT listed at the "usual" sites. Plus, this cracker is NOT your "local spammer of the day". He is a pro who wants vengeance! I suspect he is the same Duolingo cracker that was banned, but not sure. And, if he is, then he is out for revenge. :P

If SMF wants to, they can contact T35 to see if they can get some info, on where T35 thinks the forum is not secure! I have no clue!

tpgames

By the way, my forum was a Foreign Language forum. You can guess as to what level of acumen my members had (not me, of course). I can come up with the insane passwords, etc., but we all know my brain doesn't always function well.

I did put the forum's directory behind a wall, and put the forum in maintenance mode. I will delete the forum if that does not do the trick within a couple of hours. I think he is behind the scenes, which makes me suspect I should just delete and start over again. Advice? What do you think? I stayed up till 4 am trying to figure this out!

LiroyvH

Despite the rather lengthy post, I'm unsure exactly what your problem is.
Are you saying that someone signed up to your forum and made many spam posts or is there another problem?
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Sir Osis of Liver

You should run, not walk, to a different host with better security and support.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Kindred

ignoring firewalls?
What firewalls did you put in place that he is ignoring?

Is the cracker posting?

How did you ban his IP?
(and banning IPs is generally a waste of time, since anyone can use a proxy to mask their IP or just reboot their router to get assigned a new one.)

HoneyPot and SFS are for spammer registration, not hacker/cracker - neither of them will generally stop a live person



There are no known vulnerabilities in 2.0.14
-- and you/your host have yet to present any evidence of even actual details about what this person did and how it was the SMF script's fault.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

tpgames

Kindred - exactly my problem! This was a live cracker and not a spammer.

And, yes I am aware that T35 is part of the problem! I can't afford to go elsewhere. And, some hosts are worse than T35! If I could do a dedicated server that I controlled, I wouldn't be in this mess! That's because I would have had the IT department to make some phone calls to the right ISP people. I did contact OVH.com. They happen to control 99% of the ISPs that were used!

Firewalls can only be as good as a shared server is allowed to be. The problem is that he cannot and will not ban "France" because the cracker using all French ISPs is only attacking my site.

CoreISP - He did NOT bother trying to sign up. And he is not posting spam because he can't. He did print off pages to get information so that he could do a Port Attack. That is just basic hacking 101. He did try to post, but my verification questions are so sadistic that he failed them all. Literally failed!

SMF - According to T35, your forum is not secure. This is strictly THEIR opinion, and NOT mine! However, he did manage to use a banned IP address, which in my opinion means that the T35 rules as to what passwords are legal for a database are NOT PROPER! I told T35 that too! This is why I agree that I need a different host and will no longer be recommending T35! I want a host that limits directory passwords to 250 characters instead of 32 characters. I want a host that recognizes "if it's a language spoken by man and is not a fantasy language, then we support those characters used in a password". Most crackers, in my unprofessional opinion, can't crack a website's password that uses 50 different languages' unique characters very quickly.

Problem 1:
"Who's online logs"
It did take him over two weeks to get this far, only managing to use a banned IP address to view a webpage, and also to view many pages. The problem is that if I go to a page and get a Log IN please, it still shows up that "I have succeeded in viewing that page".

Problem 2:
The other problem is that he has successfully got to where he can start posting, but never succeeded in getting a post submitted.
Guest (51.255.65.89)   June 05, 2017, 07:17:18 PM   Posting in Ladino Language Learning - the best.
Guest (164.132.161.60)   June 05, 2017, 11:54:41 PM   Posting in Ulpan Quizlet Teacher Link.
Guest (51.255.65.45)   June 05, 2017, 11:39:10 PM   Posting in Dwarvish, Neo-Khuzdul Language sites.
Guest (217.182.132.80)   June 05, 2017, 11:24:26 PM   Posting in שלום Silly me! Forgot to make the Hebrew forum til now! .
Guest (217.182.132.72)   June 05, 2017, 11:05:41 PM   Posting in Japanese Club for the extremely newbie. Guilty!.

Thanks!
P.S. I have successfully stopped him from being able to do anything by locking the directory. Forum still exists. I was going to delete it, but decided to lock the directory and see what gives. 2:30:15 was his last attempt. And, it still says 27 guests.


LiroyvH

Oh, you base this on looking at the who's online?
Then fear not. This happens when they follow direct links. If the IP is banned, it will still show a message that they're banned. You should be able to see this back in the error log of your forum, that it constantly hits a "Sorry, you're banned from using this forum" message. The who's online will still say he/she/it is performing a specific action.

Colin

Quote
Firewalls can only be as good as a shared server is allowed to be.

What do you mean? What is the firewall in place?

Quote
He did NOT bother trying to sign up. And he is not posting spam because he can't. He did print off pages to get information so that he could do a Port Attack. That is just basic hacking 101. He did try to post, but my verification questions are so sadistic that he failed them all. Literally failed!

That doesn't make any sense. Ok so he didn't register an account, but did a basic port scan? So what? What did he use that information to exploit?
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

tpgames

He tried to do a brute force attack to guess a password of a user.
Somehow, he only shows up once. I know for a fact that all the other IPs are under his control! Research has shown that several of those IPs have been known for port attacks and/or brute force, bad web.

Firewall: I have no idea what firewall T35 uses, except that it is linux based. They don't do Windows crap!

Registration: He didn't even attempt to register that I can find. Instead, he just decided to do brute force and port attacks instead.

The Log:
Member: Guest
IP address: 68.191.158.84
Today at 01:48:24 PM
Session: b088df1555e73af56de5bffd22d6b423
Type of error: User
URL: http://globalwritersclub.com/foreign-language-portal/index.php?action=login2
Message: Password incorrect - Lunnu

I set it to disallow any attempts after 2.

The exploitation: I know that he is trying to use it to crack into the website. I can't prove this, beyond that he tried to post in several threads that don't allow posting as a guest. Those threads don't allow guests to view either.

He can't post because he can't figure out how to get past my verification questions. Anyone who wants verification questions and answers that are spam proof, see me. Yes, they are member proof too, but can't have everything.  :laugh:  ::)

Any other questions that silly me can attempt to answer? I admit I am bad at this, but much better at complicated verification questions.

tpgames

I just found out that Firefox either does not allow 32 character long PWs to be sent (in directory access verification) or that it disallows certain foreign characters. I suspect it is the latter issue. Chrome has no issue with this. Even when I get rid of certain characters that might cause issues, still Firefox refuses to allow me to log in. However, Firefox will show if someone is "hidden" or not, where Chrome will not show that.

Kindred

you have missed the point.

Just because he shows up in the who's online logs as "viewing topic X" or "posting in topic Y" does not actually mean that he is seeing or posting in the topic.
It just means that he HIT that URL (usually through direct access).  If he is not a user (and you require users to be logged in to be able to post or view), then all he saw was the banned or "you must login" message.  He never saw the post or made a post...

tpgames

Okay, so when it says he is "posting" then he guessed the URL for "posting" but was never actually really on the page to post? Odd. Anyway, I did delete users who were not posting. And deleted the 1 account he was trying to guess the password to, and the parent account (I know them personally, so I can help them create better passwords!) and then am making a more secure password for the only other account. After that, I guess there is nothing I can do but keep it behind wraps for a while and see if he gets bored and finally moves on. Thanks!

Elmacik

No, he is not actually "posting". If you take a look at the URL parts; you will see that when you click on something in forum, it will lead you to an address like; index.php?action=SOMETHING

According to this, the who's online section will show you as doing "SOMETHING". That's all. As CoreISP said, at that time he is facing the error "sorry, you are banned"; but since he has visited an action named "post", you see him as "posting", while he is actually not.

Plus, banning an IP from the forum administration panel won't prevent him from visiting your website. Banning from the forum has no effect on the server side. That means the server is not aware of the situation; it doesn't even know you banned him. Banning occurs after he successfully connects to your website. Then SMF checks his IP and shows him a message that he's banned.

So he will always be able to browse your web site; but will not see the actual content. You can check that in the forum logs. You can also try banning your mobile phone's IP and try to browse the forum from your phone. (Don't do that while you are on wireless connection; you can lock yourself out :) )

Edit: I always thought that SMF should tweak this behaviour; because as you see here; it confuses some people.
Home of Elmacik
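
The point made by LiroyvH, Kindred and Elmacik above (the who's online label is derived from the request URL, while the outcome is only visible in the error log) and the wrong-password log entries tpgames posted earlier, as an added example. This is not SMF's code and not anything posted in this thread; it imitates SMF's `action=...;topic=...` URL style and assumes the wording of the ban and "Password incorrect" error-log messages. All addresses, hosts and log lines are constructed.

```python
"""Added example (not SMF's code): label visitors from the request URL the way
"who's online" does, then check those labels against error-log entries where
the ban page and wrong-password hits are recorded. Data below is constructed."""
import re
from collections import Counter, defaultdict


def query_params(url):
    """SMF separates query parameters with ';' as well as '&'; first value wins."""
    if "?" not in url:
        return {}
    params = {}
    for part in re.split(r"[;&]", url.split("?", 1)[1]):
        if "=" in part:
            key, value = part.split("=", 1)
            params.setdefault(key, value)
    return params


def online_label(url):
    """The label who's-online derives from the URL; it says nothing about the outcome."""
    p = query_params(url)
    action = p.get("action")
    topic = p.get("topic", "").split(".")[0]  # 'topic=12.0' -> topic 12, message 0
    if action == "post" and topic:
        return f"Posting in topic {topic}"
    if action in ("login", "login2"):
        return "Logging in"
    if action:
        return f"Action: {action}"
    if topic:
        return f"Viewing topic {topic}"
    return "Viewing the board index"


# Error-log wording assumed to match what SMF writes; adjust to your language files.
BAN_MESSAGE = re.compile(r"you are banned from using this forum")
LOGIN_FAIL = re.compile(r"^Password incorrect - (?P<user>.+)$")


def correlate(whos_online, error_log):
    """Per IP: what the online list claims versus what the error log recorded."""
    report = defaultdict(lambda: {"labels": [], "hits": 0, "rejected": 0,
                                  "failed_logins": Counter()})
    for ip, url in whos_online:
        report[ip]["hits"] += 1
        report[ip]["labels"].append(online_label(url))
    for ip, message in error_log:
        if BAN_MESSAGE.search(message):
            report[ip]["rejected"] += 1
        m = LOGIN_FAIL.match(message)
        if m:
            report[ip]["failed_logins"][m.group("user")] += 1
    for entry in report.values():
        if entry["rejected"] >= entry["hits"] > 0:
            entry["verdict"] = "every hit answered with the ban page"
        elif entry["failed_logins"]:
            entry["verdict"] = "failed login attempts, nothing posted"
        else:
            entry["verdict"] = "no error recorded"
    return dict(report)


def brute_force_candidates(error_log, threshold=3):
    """(ip, user) pairs with at least `threshold` wrong-password entries."""
    counts = Counter()
    for ip, message in error_log:
        m = LOGIN_FAIL.match(message)
        if m:
            counts[(ip, m.group("user"))] += 1
    return {pair for pair, n in counts.items() if n >= threshold}


# Constructed sample: two banned guests hitting action=post, one address
# guessing a single user's password, and an ordinary reader.
WHOS_ONLINE = [
    ("198.51.100.7", "http://forum.example/index.php?action=post;topic=12.0"),
    ("198.51.100.9", "http://forum.example/index.php?action=post;topic=13.0"),
    ("203.0.113.4", "http://forum.example/index.php?action=login2"),
    ("203.0.113.4", "http://forum.example/index.php?action=login2"),
    ("203.0.113.4", "http://forum.example/index.php?action=login2"),
    ("203.0.113.80", "http://forum.example/index.php?topic=12.0"),
]
ERROR_LOG = [
    ("198.51.100.7", "Sorry Guest, you are banned from using this forum!"),
    ("198.51.100.9", "Sorry Guest, you are banned from using this forum!"),
    ("203.0.113.4", "Password incorrect - Lunnu"),
    ("203.0.113.4", "Password incorrect - Lunnu"),
    ("203.0.113.4", "Password incorrect - Lunnu"),
]

if __name__ == "__main__":
    for ip, entry in correlate(WHOS_ONLINE, ERROR_LOG).items():
        print(ip, entry["labels"], "->", entry["verdict"])
    print("brute-force candidates:", brute_force_candidates(ERROR_LOG))
```

Run it and the two "Posting in topic" entries resolve to the ban page, while the address repeating `action=login2` shows up as a brute-force candidate against one account with nothing posted. To use it on a real forum, feed it the IP and URL columns of the who's online list and the IP and message columns of the error log.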

tpgames

No, I banned him from the cPanel and not the forum side. I knew better. ;)
He tried to Brute Force attack my admin password, but failed, as I knew he would. SMF is way more secure than cPanel's databases will ever be!

Solution: cPanel is part of the problem. I found out that their (edited out for sensitive ears) database password allowance is ONLY English, numbers and some symbols and nothing else. And, their password generator gives me a 12 character long pw! That is 1/4th the length I'd use for a db, if I was in a hurry to create a pw. I prefer ridiculous length pws instead.  I thought this was cPanel's issue and not SMF's installation issues.

Database Username limited to the name you used to get onto cPanel in the first place, underscore and then 8 additional characters.

Going with a dedicated server does not help me, as I need my own server that is in my own building with my own version of "cpanel" that makes cpanel look like 1970s security! But I have a solution to make cPanel more secure! I am going to advertise how insecure they are! Problem with my idea is that I believe that all crackers knows how insecure cPanel is! :P

Last issue is that .htaccess on my Apache 2.4 is so slow that it doesn't work. I had to delete the file! :P I didn't ban half the planet either! However, I am going to upload a new one.

Colin

I literally can't follow your posts at this point...

Also, define cracker please.

tpgames

"Cracker" is the official name of what everyone else calls a "hacker". Hackers were the "good guys". "Crackers" were the bad guys. But, because the laymen refused to learn the terms, hacker is used for both good and bad guys trying to do dastardly things to websites.

cPanel is what I use to go behind the scenes and view various folders and do other stuff that I can't do through SMF as easily.

When you set up SMF, you do have to create a database username (oftentimes it's the login to your server with smf and some number - completely crap! I usually change the smf bit to something totally random so that it's not guessable. I forgot to do this for some reason. :P )

Why own my own server outright? I can't afford this option, but if I could (ignoring the fact that server is an old term and they are trying to do something called "cloud" which I hate for security reasons), I would be able to hire an entire IT team that would create a database that allows all characters known to man and as many symbols as possible in that password.

I was asked by someone who was trying to get answers for me, why I would need it to be so secure? I said that in 2017, crackers are trying to hack all websites no matter what useless information they have on them. They don't care. That is why we need to step up to the plate and have more secure databases!

Did you know that if we were to guess the database username (which is NOT difficult given the known parameters), guessing the password would take a computer program only 1 hour or at most 2 hours? This would be especially true, if we were to use the silly "generate password" solution, which I only used a few times to find out which symbols WERE allowed! I would never use a password 12 characters long! That is just silly! Those are the type of passwords that are cracked in an hour or less!

htaccess file simply wasn't working. Every page load with it installed took 3 minutes. However, I did have a cracker on my website.

UPDATE: Forum deleted so that I could get the cracker OFF my website. I had no choice! He was trying to crack into the admin panel (unsuccessfully, but still!) I wasn't taking any chances, as he might have somehow gotten some script somewhere to capture any pw I changed it to, so I just deleted the forum. The 2 people who were not posting are not immediate friends, and the only other members were immediate household and 1 friend. This is when it is easy to delete a forum and start over. None of my other forums are cracked because no one knows they exist. (I deleted the one forum that was guessable and recreated that one under an insane unguessable name so that it wouldn't be cracked, as it only served as a holding spot for two people to plan crap that won't ever see the light of day.)

I am starting a new topic with 1 question for SMF to consider. I don't think it is possible, but it doesn't fit under this topic.

Arantor

Quote
Did you know that if we were to guess the database username (which is NOT difficult given the known parameters), guessing the password would take a computer program only 1 hour or at most 2 hours?

Nonsense.

Almost every single MySQL server only responds to connections from the same machine that it's currently on. You can't just connect from your computer directly to MySQL on your website's server, so whatever you think you know, you really don't.

Assuming your host isn't so incompetent as to not set up MySQL correctly (and frankly, you have to go out of your way to set this up this badly), you'd have to get onto the server in the first place. If you're already on the server, you already by definition have access to the PHP file where the connection data is stored. Meaning that you don't need to brute force anything because you can just GO FIND IT DIRECTLY.

Everything falls apart in your theory at that point. Take it from someone who knows about security, like advising actual security firms about security, you're overreacting and clutching at straws of problems that aren't there.
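
Arantor's point above, as an added check that is not SMF's code and not from anyone in this thread: a remote brute force of the database password is only possible when the MySQL server listens on a non-loopback address AND some account is allowed to connect from a non-local host. The `my.cnf` text and the (user, host) rows below are constructed; on a real server they come from the config file and from `SELECT User, Host FROM mysql.user`. A firewall in front of port 3306 is invisible to this check and can only make the real situation safer than reported. And, as Arantor says, anyone who already has a shell on the box does not need to guess anything, because `Settings.php` holds the credentials in clear text.

```python
"""Added example (not SMF's or any host's code): decide whether a MySQL server
could even be reached for a remote password-guessing attempt. Inputs are
constructed; nothing here talks to a live server."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_my_cnf(text):
    """Return (skip_networking, bind_addresses) from the [mysqld] section."""
    skip_networking = False
    binds = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = (x.strip() for x in line.partition("="))
        key = key.replace("_", "-").lower()
        if key == "skip-networking":
            # bare 'skip-networking' enables it; 'skip-networking=0' disables it
            skip_networking = value.lower() not in ("0", "off", "false")
        elif key == "bind-address":
            binds.extend(v.strip() for v in value.split(","))
    if not binds:
        binds = ["*"]  # MySQL's default: listen on every interface
    return skip_networking, binds


def assess(my_cnf_text, user_hosts):
    """Combine listener exposure with the per-account host restrictions."""
    skip_networking, binds = parse_my_cnf(my_cnf_text)
    listens_remotely = not skip_networking and any(b not in LOOPBACK for b in binds)
    # '%' or any hostname/IP other than loopback means the account may log in remotely.
    remote_accounts = [(u, h) for u, h in user_hosts if h not in LOOPBACK]
    return {
        "listens_remotely": listens_remotely,
        "remote_accounts": remote_accounts,
        "remotely_brute_forceable": listens_remotely and bool(remote_accounts),
    }


# Constructed inputs: the shared-host shape Arantor describes, and a bad one.
TYPICAL_SHARED_HOST = "[mysqld]\nbind-address = 127.0.0.1\n"
WIDE_OPEN = "[mysqld]\nbind-address = 0.0.0.0\n"
ACCOUNTS = [("cpuser_smf", "localhost"), ("root", "localhost"), ("backup", "%")]

if __name__ == "__main__":
    for name, cfg in (("typical", TYPICAL_SHARED_HOST), ("wide open", WIDE_OPEN)):
        print(name, assess(cfg, ACCOUNTS))
```

With the loopback bind the stray `backup@%` account is harmless to a remote guesser; with `0.0.0.0` the same account row is the finding to fix, independent of how long its password is.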

Colin

Quote from: tpgames on June 07, 2017, 04:19:19 PM
Why own my own server outright? I can't afford this option, but if I could (ignoring the fact that server is old term and they are trying to do something called "cloud" which I hate for security reasons).

Server isn't an old term and why do you hate cloud for security reasons?

Quote
I would be able to hire an entire IT team that would create a database that allows all chracters known to man and as many symbols as possible in that password.

More complex passwords aren't the answer, multi-factor authentication is.

Quote
Did you know that if we were to guess the database username (which is NOT difficult given the known parameters), guessing the password would take a computer program only 1 hour or at most 2 hours? This would be especially true, if we were to use the silly "generate password" solution, which I only used a few times to find out which symbols WERE allowed! I would never use a password 12 characters long! That is just silly! Those are the type of passwords that are cracked in an hour or less!

That's not true and there is brute force protection.

Edited to remove unnecessary closing quote tag ~ Steve

Kindred

He hates Cloud servers because a) he doesn't actually understand what the cloud is...  and b) he doesn't actually understand network and site security.

Arantor

@Colin, you can't TFA between SMF and its database which is what the OP wants for "security".

Colin

Sure, but you can assume that they are on the same server (for his situation) so that isn't the issue. The issue he was pointing out was some hacker brute forcing the password remotely and in that case for non 127.0.0.1 connections you can have some form of TFA.

tpgames

I do understand that they are trying to make the cloud safer and more crack proof than what we have now. I just am not seeing it as a reality due to the ingenious sophistication that modern day crackers have. Crackers just get better with the technology. Maybe someday the cloud will be so secure that crackers have a very tough time of negatively impacting other computers. Maybe someday, trojans and viruses won't be so easily transmitted between computers. I just don't see that, as I see crackers as humans with brains that keep getting better and better. That's all.

Arantor

You see threats that don't exist because you think that breaking into computers is like it is on TV. It really isn't.

When a certain antivirus vendor got their forum broken into, it wasn't because of anything sophisticated but simply the admin used a weak password that was already leaked elsewhere from another site that had been broken into. This was then used to log into the forum, make changes to the theme because admins can do that, to get a malicious piece of code onto the server, from where the server was compromised.

No DB password was touched.

tpgames

I'm glad that they think "no db pw" were cracked. All I know is that despite 50-character-long passwords using all characters available to me, I was cracked and pages were changed. Nothing I can do about it. He did get onto my website and did change 2 files and did this AFTER SMF was deleted! Oh well, this is closed now. We can't do anything beating a dead horse. This happens. I'll have to take my other forum, and somehow run a fix as it didn't upgrade properly despite using the package manager and seeing no "errors" to warn me of a potential conflict if I upgrade. :P Yep, I am having the issue that others have had. However, I'm assuming that the issue is with a mod. I can't remember which forum had the mod that I uninstalled, and think it might have been this one. I want to copy the look and feel of the theme and convert default to give me something similar anyway in preparation for 2.1 getting out of beta. Currently, I can't even log in to the forum. :P  I very nearly didn't update too. Oh well.  ::)
Update: I have to change the theme's coding to be compliant with new rules, then I should be fine. lol

Arantor

If they'd changed files, it's nothing whatsoever to do with the database!

It could be that your host hasn't secured permissions properly and another user on the same server messed up or broke in deliberately.

Stop chasing ghosts and jumping at shadows and get someone who can actually assess your situation.

tpgames

I got it working and tested it, but just got back here and was going to update my answer again. But here is my update: I just replaced the files back to the 2.0.13 version. I'm going to change themes to SMF default so that I won't have issues upgrading in the future. I did look at the code and realized that the issue was that the files that were replaced were incompatible with how metin blue was coded. I was wondering if this was it in the first place. No worries. Thanks!

tpgames

Quote from: Arantor on June 09, 2017, 01:50:31 AM
If they'd changed files, it's nothing whatsoever to do with the database!

It could be that your host hasn't secured permissions properly and another user on the same server messed up or broke in deliberately.

Stop chasing ghosts and jumping at shadows and get someone who can actually assess your situation.

I've contacted IC3 (FBI's agency for Cybersecurity). T35 did what they are going to do. It's done. T35 did suggest I go with a dedicated server. I can't afford that yet so I'll just let it be and start the forum anew. The other forum works fine (different domain name). It's okay. It's not like I collect $Euro£ or anything. It's just a hobby site. Thanks though! I do appreciate your help!

Kindred

SO... you really have no clue.
You have watched too many movies and have no actual knowledge of reality.

What exactly do you think "the cloud" is?

as for you having issues with 2.0.14 --  that, right there, is suggestive of part of your issue.
2.0.14 will have those issues that you described if your host is running PHP 5.3 (or earlier).
Since PHP 5.3 is no longer supported even by PHP itself, including security patches, there's a good chance that your HOST has an issue in that they are running an insecure server.

This has nothing to do with passwords.
This has nothing to do with SMF.
This has nothing to do with Cpanel or mySQL.


You need to STOP....   stop assuming that you have any clue at all and LISTEN to the people who know what they are talking about - because, so far, your explanations have just proven that what you THINK is your "knowledge" is just plain wrong.
