Guest accessing admin options - security issue?

Started by smoothboar, July 24, 2017, 07:37:13 PM

smoothboar

I'm having some serious issues with guests being able to access parts of the forum that should be restricted to only administrators.  I've actually done two installations of SMF, and I blew the first one away because a guest immediately gained access to the administration section of the forum and began making changes to all kinds of things.  With that first installation, I had installed a few themes to see what I wanted to do with the forum visually, and I assumed that one of these themes was somehow responsible for the security issue.  So I completely removed the first installation, created a second install in a password-protected folder on the server, and removed all guest access in the SMF settings before unlocking the folder and allowing the users to re-register.  I have not added any mods or themes to this new installation (I made some modifications to the base theme myself, but only things like changing colors and fonts in the css and swapping out some images).

Everything looked good at first.  I saw that the same IP ranges that were accessing the admin sections of the site on the first installation were only able to get to the index page in the second installation.  For several days there were no more problems, but then today I started seeing a guest account accessing an admin section of the site again - see the first attached image below.  I verified that the action "Managing the attachments" in the Who's Online interface means that the account is at the Administration Center » Attachments and Avatars part of the site, which should clearly be restricted.  In fact, as far as I can tell all of the permissions and settings dealing with guests are set to the minimum possible level of access (see the other attachment below), and the "Allow guests to browse the forum" option is turned off - guests shouldn't be able to do anything more than hit the front page.

Here are some things to note about this installation:

  • SMF Version: 2.0.14
  • Installation method: Softaculous
  • Host: Lunarpages

One thing that is worth noting is how quickly the forum got hacked after I completed the first installation.  The forum is set up on a small website and is intended for a small group of my friends and co-workers, so I don't know how somebody would have known or been notified that I had just installed the forum in order to start hacking it.  When I first noticed that a guest was accessing the admin section of the forum, it had only been online for maybe an hour or two.  I don't actually know just how soon after the install completed that one of these guests first got in, but these circumstances and the ease with which this person/these people are able to access secure sections of the forum is highly suspicious.

Any help about how to further secure the forum or insights into how this person might be gaining access would be appreciated.

smoothboar

So I believe I resolved my own issue.  I was going through the raw access logs to the site and was investigating exactly what people were doing when they were accessing the site, and I noticed that when I put some of these addresses into a non-logged-in browser, the "Who's Online" page showed my IP as a guest account with the same actions that I was seeing on the other sites.  So SMF reports that users are accessing admin sections of the site based purely on the address that gets hit, even if that user is actually getting a 403 error when trying that address.

Unfortunately, I didn't save anything when I blew away the first version of the forum, because I would like to go back and see if all the errors that I was seeing in the logs were a result of attempts to access restricted parts of the site, or from a guest account actually managing to get in.

Either way, the problem appears to be solved.
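The check smoothboar describes (confirming from the web server's own access log whether an admin-area URL was actually served or refused) can be scripted. The block below is an added example for this thread, not code from the original posts or from SMF itself. It assumes the Apache/Nginx "combined" log format, that SMF separates query parameters with ";" and that the Who's Online label "Managing the attachments" corresponds to `index.php?action=admin;area=manageattachments` (an assumption about SMF's URL scheme, used only for the sample). The log lines are constructed, using documentation IP ranges, and stand in for what a raw access log would contain.

```python
"""Classify SMF admin-area requests from a combined access log by HTTP status.

SMF's Who's Online list labels a session by the URL it requested, so a guest
whose request to the admin area was refused still appears as 'Managing the
attachments'. The web server's access log records the status the server
actually returned, which is the evidence Who's Online does not show.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Apache/Nginx "combined" log format (assumed; adjust if the host uses another).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not a real log. 203.0.113.0/24 and 198.51.100.0/24 are
# reserved documentation ranges. The admin URLs are assumed SMF paths.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2017:18:02:11 -0400] "GET /forum/index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Jul/2017:18:02:40 -0400] "GET /forum/index.php?action=admin;area=manageattachments HTTP/1.1" 403 1120 "-" "python-requests/2.18.4"
198.51.100.23 - - [24/Jul/2017:18:02:41 -0400] "GET /forum/index.php?action=admin;area=packages HTTP/1.1" 403 1120 "-" "python-requests/2.18.4"
203.0.113.7 - - [24/Jul/2017:18:05:02 -0400] "GET /forum/index.php?action=admin;area=manageattachments;sa=attachments HTTP/1.1" 200 9930 "http://example.invalid/forum/index.php?action=admin" "Mozilla/5.0"
198.51.100.23 - - [24/Jul/2017:18:06:15 -0400] "POST /forum/index.php?action=login2 HTTP/1.1" 200 2210 "-" "python-requests/2.18.4"
"""


def smf_params(path):
    """Return the request parameters of an SMF URL.

    SMF writes its own links with ';' between parameters and also accepts '&',
    so both are treated as separators here.
    """
    query = urlsplit(path).query
    params = {}
    for part in re.split(r'[;&]', query):
        if not part:
            continue
        key, _, value = part.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['params'] = smf_params(rec['path'])
    return rec


def admin_requests(log_text):
    """Yield parsed records whose URL targets SMF's administration area."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['params'].get('action') == 'admin':
            yield rec


def triage(log_text, trusted_ips=frozenset()):
    """Split admin-area requests into refused probes and served responses.

    A 401/403 proves the server refused the request: Who's Online still shows
    the URL, but nothing was accessed. A 2xx from an address that is not one
    of the administrators' own (trusted_ips) is the case to investigate.
    """
    denied, served, suspicious = Counter(), Counter(), []
    for rec in admin_requests(log_text):
        ip, status = rec['ip'], rec['status']
        if status in (401, 403):
            denied[ip] += 1
        elif 200 <= status < 300:
            served[ip] += 1
            if ip not in trusted_ips:
                suspicious.append((ip, rec['time'], rec['path']))
    return {'denied': denied, 'served': served, 'suspicious': suspicious}


if __name__ == '__main__':
    # Treat the admin's own address as trusted; everything else is reported.
    print(triage(SAMPLE_LOG, trusted_ips={'203.0.113.7'}))
```

Run it against the real log with your own address in `trusted_ips`; anything in `suspicious` is an admin URL that returned a success status to an unknown client, which is what a genuine compromise would look like. One caveat: if the forum answers a refused request with its own "not allowed" page under a 200 status rather than a 403, status alone will not separate the two cases; compare the response size with the one you get when you request the same URL yourself while logged out, as smoothboar did by hand.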

Ronald_1938

That's good. But remember one thing: spammers and spam bots scour the Internet looking for forums to join; it doesn't matter if they're not invited, they'll find you with no problem.

Best to get Stop Spam installed and set up.

You'll probably get more good advice from the well established members from here.

a10

*******/index.php?action=admin etc. will be the same for a million or so SMF forums, so there may be someone or something poking around, checking any existing/known forum for mismanaged permission settings that give access.

Like the firewall in my router, where the security logs show all kinds of strange IPs trying to do 'things' / looking for ports.

If everything is well configured and updated, nothing to worry about.
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.