
Author Topic: 2 hacking attempts in 4 days - help greatly appreciated  (Read 1454 times)

Offline Jubal

  • Newbie
  • *
  • Posts: 8
2 hacking attempts in 4 days - help greatly appreciated
« on: October 04, 2017, 10:13:57 AM »
OK, our site (exilian.co.uk) has had two hack attempts recently. Both cases appear to have had the same characteristics/MO though with slightly different actions.

The main features of these attacks seem to be the changing of the password on account #1 (my main admin account), and then attempts to use the admin panels to edit themes or system files. Both attempts have had Indonesian/SE Asian IP addresses (recent one was 112.215.244.50).

Attack one, on Oct 2nd:
  • Changed password on main account, changed email address of main account to Tuyulnya.Penjahat@gmail.com
  • Did some minor edits to a theme we don't actually use - no obvious malicious code involved, just deleted some apparently random lines of code.

After this we did security checks, rolled back files, changed passwords, etc, but we couldn't identify the source of the breach. I also moved the whole forum to use HTTPS and HTTPS cookies as well.

Attack two, today (literally 40 mins ago):
  • Changed password on main account & logged in
  • Installed what appears to be this mod (or at least files with the same name): http://custom.simplemachines.org/mods/index.php?mod=351
  • I caught this one while it was happening and rapidly took all the permissions away from User #1 (after the first time I made sure I had a secondary admin account of my own as a precaution). I'm thusly not sure what it was hoping to do next!

The site is: exilian.co.uk

I have server logs from both attempts saved, but I'm not managing to discover much from either about how this hacker is actually getting into the forum. Am really quite worried on behalf of my users' data and would massively appreciate any help.

Also, we seem to have had recent problems with session tracking and some users using the login thing from the main board index recently rather than the full login page. Not sure if this is related, but it cropped up around the same time as the initial attack.

Offline Sir Osis of Liver

  • SMF Hero
  • ******
  • Posts: 7,089
  • 'Tis the gift to be simple
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #1 on: October 04, 2017, 12:49:00 PM »
Have you changed ALL your passwords - cpanel, ftp, databases, admins?  The login failure is probably due to session check missing from your theme's index.template.php, a common 2.0.14 problem, and not related to hack.

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #2 on: October 04, 2017, 01:12:25 PM »
I've just changed the main db password: I'd already changed everything else.

Thanks for the information re. session checking - is there a guide for how to fix this anywhere? I've tried searching the error message both on this forum and google and not come across a definite solution.

Offline Sir Osis of Liver

  • SMF Hero
  • ******
  • Posts: 7,089
  • 'Tis the gift to be simple
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #3 on: October 04, 2017, 01:17:32 PM »
In your theme's index.template.php -

Find this -

Code:
<input type="hidden" name="hash_passwrd" value="" />

Do this -

Code:
<input type="hidden" name="hash_passwrd" value="" />
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #4 on: October 04, 2017, 02:58:51 PM »
Thanks :) That's one issue solved!

Anyhow, I'm not sure what to do at this point on the main issue. I could just watch and see if it comes back, but I can't be monitoring the forum 24/7 and I don't know what the attacking person/bot will do if it does return. I could leave User 1 blocked from admin access in the hope that the attacker is a bot and will keep trying to target the same acct, but I'd quite like to not abandon my main account. I'm also not sure what might explain the patterns of activity during the hacks. :/

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,106
  • Gender: Male
    • Kindred-999 on GitHub
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #5 on: October 04, 2017, 08:21:09 PM »
What mods do you have installed? Any other software running on the site?
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Sir Osis of Liver

  • SMF Hero
  • ******
  • Posts: 7,089
  • 'Tis the gift to be simple
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #6 on: October 04, 2017, 10:49:28 PM »
Offhand I can think of two ways to change password in an admin account.  One is using another admin account, which would be pointless if you already have admin access.  The other is by having access to the database.  Based on what the hacker is doing once he gets in, this doesn't seem like a very sophisticated attack, more likely it's a former member with some knowledge of SMF causing trouble.  Are you seeing his ip in logs?  Who is your host?


Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #7 on: October 05, 2017, 06:14:14 AM »
It's not a former staffer, though I did consider that possibility; the database password had been reset a couple of months before the attack anyway when we moved hosts, so none of our ex-admins would've had access to it. The forum's admin logs don't show the password change. Also, none of our former Admins are Indonesian, and the email address I quoted in the first post was found elsewhere online as being embedded in credit-card detail skimming code. As such, we are definitely talking an actual hack rather than an internal problem. We're on Vidahost.

Thoughts on ways to reset passwords: those are two, the third is to use the password reminder system, though I can't see how someone would do that in a way that didn't involve a) email being reset by method 1 or 2 (which it doesn't seem to have been anyway, the second time), or b) me getting emailed about the password reset, which I wasn't.

For both attacks, I have the server logs of GET/POST requests etc, and the perpetrator IP shows up: 115.178.255.119 was attack 1, 112.215.244.50 was attack 2. It doesn't seem to make lots of login attempts, so it's not brute-forcing or working down a long list or anything, it just seems to click round the forum a bit and then suddenly boom, logged in. I'm not very used to reading server logs though so I may be missing something.

Here's the list of mods: some are installed but have most features turned off (we don't actually use social login for example and we don't use all the different captcha systems). No other software really except a small home-made piece of historical research kit, but that uses a completely separate database/passwords/everything to the forum and doesn't seem to have been involved or accessed at all according to the server logs.
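Jubal mentions having the server logs for both attacks but not being used to reading them. As an added example (not code from the thread or from SMF), the script below pulls the requests made by the two IPs named in this post out of combined-format access logs and keeps only those hitting the SMF actions involved in an account takeover (login submit, password reminder, profile edits, admin and package manager). The log format is assumed to be Apache/nginx "combined"; the sample lines are constructed, not the site's real logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# IPs the post above attributes to attack 1 and attack 2.
SUSPECT_IPS = {"115.178.255.119", "112.215.244.50"}

# SMF 2.0 'action' values worth tracing during an account takeover:
# login2 = login form submit, reminder = password-reminder flow,
# profile = password/e-mail edits, admin/packages = theme and mod changes.
SENSITIVE_ACTIONS = {"login2", "reminder", "profile", "admin", "packages"}

# Combined log format (assumed; adjust to the host's actual format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def smf_action(path):
    """Return the SMF 'action' parameter from a request path, or None."""
    query = urlparse(path).query
    # SMF separates parameters with ';' as well as '&', e.g. action=admin;area=theme
    params = parse_qs(query.replace(";", "&"))
    return params.get("action", [None])[0]

def suspicious_requests(log_lines, suspect_ips=SUSPECT_IPS):
    """Group requests from the suspect IPs that hit sensitive SMF actions.

    Returns {ip: [(timestamp, method, action, status), ...]} in log order,
    so a single POST to login2 followed by admin traffic stands out.
    """
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] not in suspect_ips:
            continue
        action = smf_action(m["path"])
        if action in SENSITIVE_ACTIONS:
            hits[m["ip"]].append((m["ts"], m["method"], action, int(m["status"])))
    return dict(hits)

# Constructed sample lines for demonstration (not from the real server logs).
SAMPLE_LOG = [
    '112.215.244.50 - - [04/Oct/2017:09:30:01 +0100] "GET /index.php?board=3.0 HTTP/1.1" 200 5120',
    '112.215.244.50 - - [04/Oct/2017:09:31:12 +0100] "POST /index.php?action=login2 HTTP/1.1" 302 0',
    '112.215.244.50 - - [04/Oct/2017:09:33:40 +0100] "GET /index.php?action=admin;area=packages HTTP/1.1" 200 8800',
    '203.0.113.9 - - [04/Oct/2017:09:34:00 +0100] "GET /index.php?action=profile HTTP/1.1" 200 7000',
    '115.178.255.119 - - [02/Oct/2017:22:10:05 +0100] "POST /index.php?action=profile;area=account HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, reqs in suspicious_requests(SAMPLE_LOG).items():
        print(ip)
        for ts, method, action, status in reqs:
            print(f"  {ts}  {method:4} action={action:8} -> {status}")
```

Run it against the real log with `suspicious_requests(open("access.log"))`; a single login2 POST with no preceding failures and no reminder traffic is the pattern described in the post, and supports looking outside the login form for the entry point.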

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 48,063
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #8 on: October 05, 2017, 06:50:12 AM »
if you think you were really hacked fill out https://www.simplemachines.org/about/smf/security.php

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,106
  • Gender: Male
    • Kindred-999 on GitHub
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #9 on: October 05, 2017, 06:51:37 AM »
can you list the mods as a text list in the post rather than an image attachment?

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #10 on: October 05, 2017, 06:58:30 AM »
Illori - will try and do that this evening after work, thank you for the link. I'm not sure I can see any other explanations beside the possibility that it was a genuine hack, at this point.

@Kindred, sure, the list in text format (in reverse order of installation, most recent item at the bottom) is:

KeyCaptcha for SMF
Password Protect Boards
Spoiler Tag
Member Color Link
Member Awards
SMFPacks Shoutbox
Additional Polls
TablePlus BBCodes
Google Analytics Code
Arantor CAPTCHA
Misc Anti-Spam
reCAPTCHA for SMF
ACPS (Ajax continuous post scrolling) -> This is not used/turned on
Ohara YouTube Embed
Social Login -> This is not used/turned on
Enhancements to reattribute posts
Float BBCODE
Soundcloud BBcode

And of course all the core SMF updates from 2.0.3 through to 2.0.14 :)

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,106
  • Gender: Male
    • Kindred-999 on GitHub
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #11 on: October 05, 2017, 07:40:23 AM »
Hmmm.... So, social login is not turned on, but it is installed?

If you don't use it, you should uninstall it.

Offline ziycon

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 2,667
  • Gender: Male
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #12 on: October 05, 2017, 07:06:57 PM »
Are you on a shared hosting package? I would raise it with your host as it could be that your site's not compromised but the hosting company's server is. Raise a security tag with your host giving them as much detail as possible.

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #13 on: October 06, 2017, 03:13:57 AM »
Woke up this morning, and most of our database is missing. Doesn't even seem to have been replaced with anything obvious, just the whole thing is gone.

*sounds of hair being torn out*

Restored a backup now, but this is clearly, to say the least, serious.

Direct database access is obvious: no files other than the db appear to have been changed at all this time, just all the tables of posts, users, etc had vanished completely. I tried to flag it up with Vidahost but they were as helpful as a damn chocolate teapot. I just feel sick about the whole thing, honestly.

Offline ziycon

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 2,667
  • Gender: Male
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #14 on: October 06, 2017, 03:42:36 AM »
Quote from: Jubal
Direct database access is obvious:

Don't assume anything, for all you know there could be a SQL injection vulnerability in one of the packages or in any custom code you might have. With that said, if they gained access to your files then they would have your database password.

I would keep at your host to investigate the possibility of your hosting server being compromised.

With that said, are you responsible for maintaining your server or is your host?

Also I would remove the two mods that aren't turned on, no need to have them if they're not used.
  • ACPS (Ajax continuous post scrolling) -> This is not used/turned on
  • Social Login -> This is not used/turned on

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #15 on: October 06, 2017, 03:54:40 AM »
Our host is; we're on VidaHost's normal cloud hosting package.

They didn't even change my password this time (and I can't find evidence of them accessing any of the other admin accounts either), which is weird; the first two times they seem to have done so, and yet this time - after I changed the DB password - they didn't. I can see access from an IP similar to the last rogue one through parts of the night on the logs, but how they then jumped from that to "bye-bye most of your data" is an utter mystery to me.

Offline Sir Osis of Liver

  • SMF Hero
  • ******
  • Posts: 7,089
  • 'Tis the gift to be simple
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #16 on: October 06, 2017, 12:42:20 PM »
Run, don't walk, to a different host, before you lose everything.

Offline lup1n2

  • Newbie
  • *
  • Posts: 3
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #17 on: October 07, 2017, 02:22:39 AM »
Quote from: Jubal
Our host is; we're on VidaHost's normal cloud hosting package.

They didn't even change my password this time (and I can't find evidence of them accessing any of the other admin accounts either), which is weird; the first two times they seem to have done so, and yet this time - after I changed the DB password - they didn't. I can see access from an IP similar to the last rogue one through parts of the night on the logs, but how they then jumped from that to "bye-bye most of your data" is an utter mystery to me.

This has just set alarm bells ringing in my head. In the last week we have had our site compromised and the site was made to mine hxxp:coinhive.com/ [nonactive]; anyone who visited our site would have their CPU maxed out to 100%. We also are on Vidahost's normal cloud hosting package and we also don't know how they got in.

Does anyone know of a good quality low cost host for a UK Based community?

Offline Steve

  • Support Specialist
  • SMF Hero
  • *
  • Posts: 3,930
  • Gender: Male
  • I have not yet begun to procrastinate.
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #18 on: October 07, 2017, 08:54:04 AM »
Quote from: lup1n2
Does anyone know of a good quality low cost host for a UK Based community?

Take a look here: https://www.simplemachines.org/community/index.php?board=4.0
Please do not PM me for support.

Offline Jubal

  • Newbie
  • *
  • Posts: 8
Re: 2 hacking attempts in 4 days - help greatly appreciated
« Reply #19 on: October 09, 2017, 08:19:53 AM »
So, a few days on and we've had no further problems - my current working theory is now that the main hole was probably in the OneAll Social Login mod.

We moved to Vidahost from GoDaddy, because we can get the features we need for about half the cost with them (we're running on an absolute shoestring), GoDaddy had such outdated server software that we couldn't install 2.0.14, and VidaHost seems to have a better & more accessible database backup service, which in fairness to them was pretty helpful - we keep our own backup system on separate servers though as well, so we should be fairly safe on a losses front whatever happens. Are there particular reasons people tend to avoid Vida? None of the people I know who've dealt with them have reported any major issues at all - at least, certainly no more than you get with any of the bigger, cheaper hosts.