2 hacking attempts in 4 days - help greatly appreciated

Started by Jubal, October 04, 2017, 10:13:57 AM


Jubal

OK, our site (exilian.co.uk) has had two hack attempts recently. Both cases appear to have had the same characteristics/MO though with slightly different actions.

The main features of these attacks seem to be the changing of the password on account #1 (my main admin account), and then attempts to use the admin panels to edit themes or system files. Both attempts have had Indonesian/SE Asian IP addresses (recent one was 112.215.244.50).

Attack one, on Oct 2nd:

  • Changed password on main account, changed email address of main account to [email protected]
  • Did some minor edits to a theme we don't actually use - no obvious malicious code involved, just deleted some apparently random lines of code.

After this we did security checks, rolled back files, changed passwords, etc, but we couldn't identify the source of the breach. I also moved the whole forum to use HTTPS and HTTPS cookies as well.

Attack two, today (literally 40 mins ago):

  • Changed password on main account & logged in
  • Installed what appears to be this mod (or at least files with the same name): http://custom.simplemachines.org/mods/index.php?mod=351
  • I caught this one while it was happening and rapidly took all the permissions away from User #1 (after the first time I made sure I had a secondary admin account of my own as a precaution). I'm thusly not sure what it was hoping to do next!

The site is: exilian.co.uk

I have server logs from both attempts saved, but I'm not managing to discover much from either about how this hacker is actually getting into the forum. Am really quite worried on behalf of my users' data and would massively appreciate any help.

Also, we seem to have had recent problems with session tracking and some users using the login thing from the main board index recently rather than the full login page. Not sure if this is related, but it cropped up around the same time as the initial attack.
Chair of Exilian, digital humanities & history academic, writer, nerd-of-all-trades, etc.

Sir Osis of Liver

Have you changed ALL your passwords - cpanel, ftp, databases, admins?  The login failure is probably due to session check missing from your theme's index.template.php, a common 2.0.14 problem, and not related to hack.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Jubal

I've just changed the main db password: I'd already changed everything else.

Thanks for the information re. session checking - is there a guide for how to fix this anywhere? I've tried searching the error message both on this forum and Google and not come across a definite solution.

Sir Osis of Liver

In your theme's index.template.php -

Find this -

<input type="hidden" name="hash_passwrd" value="" />

Do this -

<input type="hidden" name="hash_passwrd" value="" />
<input type="hidden" name="', $context['session_var'], '" value="', $context['session_id'], '" />

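To show why 2.0.14 rejects a login from a template that lacks that second hidden input, here is an added example (not SMF's code, not from this thread) that models the check in Python: the server stores a random field name and value per session, the form must echo both back, and a submission missing the field or carrying another session's value is refused. The names session_var / session_value and the error string session_verify_fail are assumed to match what the post's $context['session_var'] and $context['session_id'] refer to.

```python
import re
import secrets

# Added example modelled on SMF 2.0's session check; it is not SMF's own code.
# Assumption: as in the post, the hidden field's name is $context['session_var']
# and its value $context['session_id'], both random and stored server-side.

def new_session():
    """Per-session random field name and value, as SMF keeps them in $_SESSION."""
    return {"session_var": secrets.token_hex(8), "session_value": secrets.token_hex(16)}

def login_form(session, with_session_field=True):
    """Hidden inputs the login form must carry; with_session_field=False
    reproduces the broken index.template.php from the thread."""
    fields = ['<input type="hidden" name="hash_passwrd" value="" />']
    if with_session_field:
        fields.append('<input type="hidden" name="%s" value="%s" />'
                      % (session["session_var"], session["session_value"]))
    return "\n".join(fields)

def posted_fields(form_html):
    """Toy stand-in for the browser submitting the form: hidden inputs -> $_POST."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]*)"', form_html))

def check_session(session, post):
    """Mirror of checkSession('post'): the field named session_var must hold
    session_value, otherwise SMF raises session_verify_fail."""
    token = post.get(session["session_var"], "")
    if not secrets.compare_digest(token, session["session_value"]):
        return "session_verify_fail"
    return "ok"

if __name__ == "__main__":
    s = new_session()
    print("fixed template:", check_session(s, posted_fields(login_form(s))))
    print("broken template:", check_session(s, posted_fields(login_form(s, False))))
```

The same check is why a token copied from a different session (or from a stale page) is rejected, which is the behaviour that stops cross-site request forgery against the login form.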

Jubal

Thanks :) That's one issue solved!

Anyhow, I'm not sure what to do at this point on the main issue. I could just watch and see if it comes back, but I can't be monitoring the forum 24/7 and I don't know what the attacking person/bot will do if it does return. I could leave User 1 blocked from admin access in the hope that the attacker is a bot and will keep trying to target the same acct, but I'd quite like to not abandon my main account. I'm also not sure what might explain the patterns of activity during the hacks. :/

Kindred

What mods do you have installed? Any other software running on the site?
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

Offhand I can think of two ways to change password in an admin account.  One is using another admin account, which would be pointless if you already have admin access.  The other is by having access to the database.  Based on what the hacker is doing once he gets in, this doesn't seem like a very sophisticated attack, more likely it's a former member with some knowledge of SMF causing trouble.  Are you seeing his IP in logs?  Who is your host?


Jubal

It's not a former staffer, though I did consider that possibility; the database password had been reset a couple of months before the attack anyway when we moved hosts, so none of our ex-admins would've had access to it. The forum's admin logs don't show the password change. Also, none of our former Admins are Indonesian, and the email address I quoted in the first post was found elsewhere online as being embedded in credit-card detail skimming code. As such, we are definitely talking an actual hack rather than internal problem. We're on Vidahost.

Thoughts on ways to reset passwords: those are two, the third is to use the password reminder system, though I can't see how someone would do that in a way that didn't involve a) email being reset by method 1 or 2 (which it doesn't seem to have been anyway, the second time), or b) me getting emailed about the password reset, which I wasn't.

For both attacks, I have the server logs of GET/POST requests etc, and the perpetrator IP shows up: 115.178.255.119 was attack 1, 112.215.244.50 was attack 2. It doesn't seem to make lots of login attempts, so it's not brute-forcing or working down a long list or anything, it just seems to click round the forum a bit and then suddenly boom, logged in. I'm not very used to reading server logs though so I may be missing something.

Here's the list of mods: some are installed but have most features turned off (we don't actually use social login for example and we don't use all the different captcha systems). No other software really except a small home-made piece of historical research kit, but that uses a completely separate database/passwords/everything to the forum and doesn't seem to have been involved or accessed at all according to the server logs.
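For someone not used to reading server logs, the useful first pass is to group requests by client IP and pull out only the SMF actions that matter for an account takeover (login, password reminder, profile edits, admin panels). The following is an added example, not code from this thread or from SMF; the log lines are constructed in Apache "combined" format (the attack-2 IP is the one named in the post, the other visitor and all paths and timestamps are invented), and the "trusted admin IPs" allowlist is an assumed input.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; they are NOT the
# thread's real logs. 112.215.244.50 is the attack-2 IP named in the post,
# 203.0.113.7 is a made-up ordinary visitor; timestamps and paths are invented.
SAMPLE_LOG = """\
112.215.244.50 - - [04/Oct/2017:09:20:01 +0000] "GET /index.php?topic=12.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2017:09:20:05 +0000] "GET /index.php?board=3.0 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
112.215.244.50 - - [04/Oct/2017:09:21:10 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
112.215.244.50 - - [04/Oct/2017:09:21:40 +0000] "GET /index.php?action=admin;area=packages HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
112.215.244.50 - - [04/Oct/2017:09:22:02 +0000] "POST /index.php?action=admin;area=packages;sa=install HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Oct/2017:09:23:00 +0000] "GET /index.php?action=profile HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ACTION_RE = re.compile(r'[?;&]action=([A-Za-z0-9_]+)')

# SMF actions on the path from account takeover to the admin panels
# (the sequence described in the thread)
SENSITIVE_ACTIONS = {"login2", "reminder", "profile", "admin"}

def parse(log_text):
    """Turn combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        am = ACTION_RE.search(m["path"])
        events.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                       "action": am.group(1) if am else None, "status": int(m["status"])})
    return events

def sensitive_by_ip(events):
    """Map each client IP to the sensitive actions it touched, in log order."""
    hits = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS:
            hits[e["ip"]].append((e["ts"], e["method"], e["action"]))
    return dict(hits)

def suspicious_ips(events, trusted_admin_ips):
    """IPs that reached action=admin without being on the admin allowlist."""
    hits = sensitive_by_ip(events)
    return sorted(ip for ip, acts in hits.items()
                  if ip not in trusted_admin_ips and any(a == "admin" for _, _, a in acts))

if __name__ == "__main__":
    for ip, acts in sensitive_by_ip(parse(SAMPLE_LOG)).items():
        print(ip, [a for _, _, a in acts])
```

Run over the real access log, the per-IP action sequence shows whether the rogue IP ever hit action=login2 or action=reminder before its first admin request; if it reached admin pages with no login request at all, the session was obtained some other way (for example a cookie or a database-side change), which narrows where to look next.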

Illori


Kindred

Can you list the mods as a text list in the post rather than an image attachment?

Jubal

Illori - will try and do that this evening after work, thank you for the link. I'm not sure I can see any other explanations beside the possibility that it was a genuine hack, at this point.

@Kindred, sure, the list in text format (in reverse order of installation, most recent item at the bottom) is:

KeyCaptcha for SMF
Password Protect Boards
Spoiler Tag
Member Color Link
Member Awards
SMFPacks Shoutbox
Additional Polls
TablePlus BBCodes
Google Analytics Code
Arantor CAPTCHA
Misc Anti-Spam
reCAPTCHA for SMF
ACPS (Ajax continuous post scrolling) -> This is not used/turned on
Ohara YouTube Embed
Social Login -> This is not used/turned on
Enhancements to reattribute posts
Float BBCODE
Soundcloud BBcode

And of course all the core SMF updates from 2.0.3 through to 2.0.14 :)

Kindred

Hmmm.... So, social login is not turned on, but it is installed?

If you don't use it, you should uninstall it.

ziycon

Are you on a shared hosting package? I would raise it with your host as it could be that your site's not compromised but the hosting company's server is. Raise a security tag with your host giving them as much detail as possible.

Jubal

Woke up this morning, and most of our database is missing. Doesn't even seem to have been replaced with anything obvious, just the whole thing is gone.

*sounds of hair being torn out*

Restored a backup now, but this is clearly, to say the least, serious.

Direct database access is obvious: no files other than the db appear to have been changed at all this time, just all the tables of posts, users, etc had vanished completely. I tried to flag it up with Vidahost but they were as helpful as a damn chocolate teapot. I just feel sick about the whole thing, honestly.

ziycon

Quote from: Jubal on October 06, 2017, 03:13:57 AM
Direct database access is obvious:
Don't assume anything, for all you know there could be a SQL injection vulnerability in one of the packages or in any custom code you might have. With that said if they gained access to your files then they would have your database password.

I would keep at your host to investigate the possibility of your hosting server being compromised.

With that said, are you responsible for maintaining your server or is your host?

Also I would remove the two mods that aren't turned on, no need to have them if they're not used.

  • ACPS (Ajax continuous post scrolling) -> This is not used/turned on
  • Social Login -> This is not used/turned on

Jubal

Our host is; we're on VidaHost's normal cloud hosting package.

They didn't even change my password this time (and I can't find evidence of them accessing any of the other admin accounts either), which is weird; the first two times they seem to have done so, and yet this time - after I changed the DB password - they didn't. I can see access from an IP similar to the last rogue one through parts of the night on the logs, but how they then jumped from that to "bye-bye most of your data" is an utter mystery to me.

Sir Osis of Liver

Run, don't walk, to a different host, before you lose everything.

lup1n2

Quote from: Jubal on October 06, 2017, 03:54:40 AM
Our host is; we're on VidaHost's normal cloud hosting package.

They didn't even change my password this time (and I can't find evidence of them accessing any of the other admin accounts either), which is weird; the first two times they seem to have done so, and yet this time - after I changed the DB password - they didn't. I can see access from an IP similar to the last rogue one through parts of the night on the logs, but how they then jumped from that to "bye-bye most of your data" is an utter mystery to me.

This has just set alarm bells ringing in my head. We in the last week have had our site compromised and the site was made to mine https://coinhive.com/ ; anyone who visited our site would have their CPU maxed out to 100%. We also are on Vidahost's normal cloud hosting package and we also don't know how they got in.

Does anyone know of a good quality low cost host for a UK Based community?

Steve

DO NOT pm me for support!

Jubal

So, a few days on and we've had no further problems - my current working theory is now that the main hole was probably in the OneAll Social Login mod.

We moved to Vidahost from GoDaddy, because we can get the features we need for about half the cost with them (we're running on an absolute shoestring), GoDaddy had such outdated server software that we couldn't install 2.0.14, and VidaHost seems to have a better & more accessible database backup service, which in fairness to them was pretty helpful - we keep our own backup system on separate servers though as well, so we should be fairly safe on a losses front whatever happens. Are there particular reasons people tend to avoid Vida? None of the people I know who've dealt with them have reported any major issues at all - at least, certainly no more than you get with any of the bigger, cheaper hosts.