
Hacker in SMF?

Started by pepf, October 08, 2019, 09:02:16 PM

pepf

Had a specific forum up for five years without major problem. Today, Inmotion contacted me to tell me that the forum was removed/quarantined because of a hacker. The only information I could extract from support is that there was abnormal outward bound activity detected.
Strangely only some 36 hours ago I installed a second SMF forum that was not configured yet. Could that have been used to get in? Is it easy to crack an SMF password?

LiroyvH

"abnormal outward bound activity" is rather vague. Actually, it's useless. Surely they can give you more details?

Quote
Is it easy to crack an SMF password?

That primarily depends on the strength of your password really.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Biology Forums

The new forum, I doubt, was detected or picked up by any crawler within 48 hours *especially* if the URL is unknown. Even if it was (let's say it was), bots could register, but that's all they'd be able to accomplish on stock settings. It's probably an automated response by the server heads.

Sent you a PM

pepf

Thanks for answering. The host support person I contacted could not give me more details than that outward activity was abnormal. There is no outward activity usually. And yes, I know from trying other forums before SMF that the bots do pick up new forums and register with astonishing speed.
When I heard outward activity I could only think of some trojan, but can something like this be uploaded via images?
Bots have never been able to sign up until now although I have sometimes seen two dozen or more guest IPs from the same IP ranges being shown. They are apparently hanging there without being able to get past registration.
With the forum configuration even if someone is registered, they can only answer posts, look at boards and upload images. Any way to get control this way?

Aleksi "Lex" Kilpinen

So, if they can't say what it was, how can they tell it was abnormal?
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

pepf

There should be NO outbound activity at all, really, when posting??? The forum does not send out messages or anything normally.
The forum is up again, now. Not sure if these are the culprits but the ban log shows a long list of access attempts by banned IPs last night, a very large part of which are the same two IP ranges. Looks as if someone who got banned for forum spam tried to get in again.

Aleksi "Lex" Kilpinen

SMF does try to fetch information from simplemachines.org on a schedule, that would be an outbound connection I think.

Illori

if your host can't give you a detailed answer as to why they shut down your forum, i would suggest you start looking for a new host as this is not acceptable.

Sir Osis of Liver

Does your cpanel have a security scan (it should)?  If not, your host should be able to scan your account.  Otherwise, do what Illori suggested.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

drewactual

way back in likely 2007~8 i had a SMF 1.x forum shut down by my then host because of massive bandwidth being consumed. 

after looking into it, it was due to someone or a group of someones (if not an automated process) 'uploading and downloading' entire movies and music albums.  apparently these nefarious types would pre-stage memberships with a host of forums (specifically), and then break in and steal movies from re-sellers or studios, plant them on several forums (upload them through attachments) and then move them to another 'round' of forums.. exponentially speaking, after the seventh 'bounce' it was impossible to track? Or, maybe better said it was too taxing to follow.. these movies were deleted as soon as they were transferred.  these guys relied on the then not too widely used limits on uploads.  i don't know if it was only SMF they targeted but iirc it was not- it was just 'free to join/general audience' forums.

of course all of that was known after the fact, but 'during' these crazy bandwidth events? all my host knew was that my site was off the charts with i/o and bandwidth.

your host should be able to look at the apache status and see the usage reports, not only specifically what IP, but what request and what kind of traffic. 

question:  how did you install the 'new' SMF on this server?  did you upload a package and unzip it there or did you use an automated 'auto' function provided by your host?  what i'm getting at is if you did 'auto' load it, the server making a request and as a result of that request and the ensuing 'traffic' could have tripped a sensor, so to speak, and alerted your host of 'strange' behavior as you 'usually' don't do that or they usually don't see that kind of traffic from you..... just a thought. 

edited to add: 

after thinking about it a minute, i'm thinking it wasn't SMF or forums that were targeted... back then i had a phpIMG (or something like that) image/album site on the same server as the SMF... or maybe it was coppermine or something named like that- but as i'm starting to recall i think it was an image/album engine and not SMF... the same premise holds, but... iirc even smf 1.x had a throttle on uploads where the image engine expected large files to be uploaded and downloaded.

pepf

Thanks for the additional info. I have been taking other possibilities into consideration too, including the possibility that it was not SMF...but that is what the host indicated. Their message to me was:

<quote>
Our System Administration team has discovered your website security was compromised and 'hacks' inserted into your account. These 'hacks' were loaded onto your account through a vulnerability in the website software hosted on your account or a weak CMS password.

We identified the following hacked files:
Running outbound attacks, full quarantine of /home/xxxxxx/public_html/discussion

We have quarantined those malicious files. Due to the nature of the compromise, we cannot guarantee that your website is completely clean or does not contain exploitable vulnerabilities. Most frequently, hacks are the result of out-of-date software installations; any outdated installation on the account can result in hacks on any site on the account. Please note that while upgrading the outdated software is recommended and may close existing vulnerabilities, it will not remove any hacks that have already been injected into the site. Therefore, you should have a developer or someone familiar with the website review the account thoroughly. Please note that if the security issues are not addressed, your site may be disabled. </unquote>

Actually they took down the whole directory in which the forum is; they reinstalled it from a backup made only a short while before the incident. Not sure what I can do more now, except watching. I disabled a few plugins, that is all.

Aleksi "Lex" Kilpinen

That is unbelievably vague.

Sir Osis of Liver

Translation:  Our servers have crappy security, but don't blame us if you're hacked. :P

Illori

if they are restoring your files and not asking you ahead of time, i would suggest you look for a new host. your host should not restore or touch your files or database without letting you know first.

also by them restoring the backup it does not let you check the files to see what may have been touched and possibly provide files to us to check what may have happened.

Arantor

The fact they can't actually tell you what the problem is, is a really bad sign.

Aleksi "Lex" Kilpinen

A hack is a very ambiguous term, which in itself will provide very little insights into what exactly happened, and any professional host shouldn't really even use that word in the way it is used here....

pepf

>your host should not restore or touch your files

It is me who told them to restore the forum using an earlier backup; they had removed the whole thing.

And yes, I have been considering whether they might know more and do not want to tell because their  servers might have been compromised, rather than that forum only. I moved from another host that has been going down for the past few years, and provided almost no support anymore. This one (Inmo***) was recommended and has provided excellent support.


L2Scarlet

STOP using any website based on CMS (including forum engines) and write your web pages from 0 .. Then you'll be safe :)

Antechinus

^ Posts on a forum to tell people to not use a forum.

Ok.

Aleksi "Lex" Kilpinen

Quote from: L2Scarlet on October 12, 2019, 05:04:27 PM
STOP using any website based on CMS (including forum engines) and write your web pages from 0 .. Then you'll be safe :)

Except for the fact that most probably that wouldn't be the case at all. You would either end up with relatively the same, worse or a whole lot worse off in terms of security, depending on your level of expertise and what functionality you really want to have on your site...

Arantor

Quote from: L2Scarlet on October 12, 2019, 05:04:27 PM
STOP using any website based on CMS (including forum engines) and write your web pages from 0 .. Then you'll be safe :)


I assume you never ever want interaction from anyone else other than to read. No posts, no comments, no purchases, no ads. Also, let me know how you ever manage 500+ posts without some kind of content manager to help because updating 500+ pages by hand gets real tedious, real fast.

pepf

Thank you all for your answers. The forum is on a separate host and has otherwise no connections that could be used to get access.
Is there anything else that can be done to prevent certain IPs from access, other than banning them via admin? At the moment there are again a dozen access tries from the same IP range. They have tried repeatedly over the past months. Most likely a bot or bots, because they can't login. Is the VPN protection mod any good for this type?

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

pepf

Inmotion has taken the forum down again, this time everything, even an unrelated website and directories containing nothing but a few images and image files.  They claim that the SMF forum was not updated since 2014 and therefore must be the culprit. Looks like they are on a witch hunt.
Already two different support personnel have claimed this. Looks as if they are on a witch hunt to discourage people from using SMF.
They say they are just taking sites down and don't look at what is causing the problem. Their mention of the cause was extremely vague. Moved there because the original host, where SMF was, provided almost no support anymore.
What do I do now?

The data are in quarantine on Inmotion, but the huge backup file is difficult to download. I would like to save settings and anything that is useful. Which files are most important for user data, etc.?

Illori

the database and attachments folder.

SMiFFER

Quote from: Arantor on October 10, 2019, 05:21:56 AM
The fact they can't actually tell you what the problem is, is a really bad sign.

True. That is the type of US-hosters who only have employees in India.
I had exactly such experiences with IPAGE.COM.
Quote of the day: A troll is an obstinate bloke who only hungers for your attention. If you feed him, he will puke all over you!

pepf

Quote from: Arantor on October 10, 2019, 05:21:56 AM
The fact they can't actually tell you what the problem is, is a really bad sign.

I have been thinking this too.

One more question, because this relates to their possible problem.
I installed phpMyAdmin in a directory temporarily just now, because their installed version seems to be lacking something. I just installed it and made two or so login attempts with the wrong password. After rectifying this I got it and found this notification displayed within phpMyAdmin just now, together with two similar failed login notifications of myself.

>>mysqli_connect(): (28000/1045): Access denied for user 'cpses_eazo77jh2e'@'localhost' (using password: YES)

This is not the user name of the site; does this mean someone tried to get in just in the few minutes I fumbled with the password?
(I immediately uninstalled, but if this is someone from outside, how can they be so quick?)

Looking

@pepf, looks like you need proper hosting.

pepf

Hi Looking, yes I think so. So you think also that was a login attempt by someone who should not even have gotten the opportunity to get near phpMyAdmin in my account? After I wrote that above another attempt, different code name, occurred. I have changed all account passwords.
I started using Inmotion only this year, bought two years of hosting. But this thing made me decide looking elsewhere.


I just wonder, is it possible to inject code into a dB that can act like a script or allow someone access from outside? While reinstalling SMF I have also experienced forum spam within minutes, while I was still configuring the forum. Too soon for my taste. Not sure if this is related to the host, but if SMF had a function allowing to prevent any access before configuration and a test run is done ...that would be nice.

GigaWatt

Quote from: pepf on October 23, 2019, 09:22:43 PM
I installed phpMyAdmin in a directory temporarily just now, because their installed version seems to be lacking something. I just installed it and made two or so login attempts with the wrong password. After rectifying this I got it and found this notification displayed within phpMyAdmin just now, together with two similar failed login notifications of myself.

>>mysqli_connect(): (28000/1045): Access denied for user 'cpses_eazo77jh2e'@'localhost' (using password: YES)

This is not the user name of the site; does this mean someone tried to get in just in the few minutes I fumbled with the password?
(I immediately uninstalled, but if this is someone from outside, how can they be so quick?)

Judging by the username (cpses_eazo77jh2e), it's probably just some automatically generated username by cPanel (cPanel Session = cpses, the rest is probably just a random string or a hash string generated by cPanel/WHM).

So, I don't think there's anything to worry about. It's like those "security alert" emails you get when you log in on your Gmail account from a different PC/device, that's all ;).

Quote from: pepf on October 24, 2019, 10:29:26 PM
I started using Inmotion only this year, bought two years of hosting. But this thing made me decide looking elsewhere.

Out of curiosity, could you post your current hosting plan and price? Thanks :).

Quote from: pepf on October 24, 2019, 10:29:26 PM
I just wonder, is it possible to inject code into a dB that can act like a script or allow someone access from outside?

Yes, it is possible... just very unlikely.

I mean, unlikely if you keep your forum up to date... but, it will become more and more likely if your forum is left unattended for years (without security updates/patches).

Quote from: pepf on October 24, 2019, 10:29:26 PM
While reinstalling SMF I have also experienced forum spam within minutes while reinstalling the forum, while I still was still configuring it. Too soon for my taste.

This is completely normal nowadays, especially if you're using the same domain and/or cPanel account (server) for two or more websites/domains. If it's a subdomain, crawlers pick that up within seconds, especially if your site is heavy on traffic... and then the spam bots pick up on the results from the crawlers and then they start hammering on your forum ::). It's a PITA, I know, but it's just how things work these days ::).

Quote from: pepf on October 24, 2019, 10:29:26 PM
Not sure if this is related to the host, but if SMF had a function allowing to prevent any access before configuration and a test run is done ...that would be nice.

Yes, it does have a function like that ;). It's called Maintenance Mode: Admin --> Configuration --> Server Settings --> General --> Enable Maintenance Mode ;). Only admins are allowed to log in in maintenance mode ;).
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

pepf

Thanks, I hope you are right with the cPanel. That message appeared together with two others which clearly showed they were results from my login error. I'm a bit nervous because the host initially told me that the site was hacked, the forum not being updated for years, etc., which is not true.  Everything is updated as well as I can, but still having at times dozens of bots knocking on the door of the forum at the same time is getting a bit of a problem.
The forum has always been on the newest status, but SMF was the first that the host people accused. But they could not or did not tell what really made them think so. It went well for half a year, but shortly after I installed a second forum the problem started.

It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

Thanks for reminding me of the Maintenance mode. I could see nothing saying it allows only admin, though. Instead, on installation I went to Registration - Settings to prevent any registrations while testing.

It's back up running now, hope it remains that way.

GigaWatt

Quote from: pepf on October 26, 2019, 01:36:34 AM
It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

For that kind of support, you could've paid a lot less.

a10

Quote from: GigaWatt on October 26, 2019, 08:44:33 AM
Quote from: pepf on October 26, 2019, 01:36:34 AM
It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

For that kind of support, you could've paid a lot less.

yes, or they should give you the money back and offer 2 years for free as an excuse for the destructive non-support.

pepf

Problems again.
Just switched on computer and there were two emails telling me that the forum was inaccessible, a few moments later everything was back to normal. Nervous from the previous problems I checked and found:

1. Checked Who's Online and it shows two IPs that are banned via htaccess from accessing the forum directory and the entire website. They are also listed in the SMF ban list. These two IPs have attempted access to the forum many times, one of them more than 4000 times.
Deny from 74.91.*.*
Deny from 167.100.*.*

Shouldn't they not have access to the forum index page, if they are banned via htaccess?

2. Opened the Ban log and there are three entries. Same IP three times, all within 20 minutes:
188.163.109.153          October 31, 2019, 11:45:46 AM
Does this mean they were identified as banned and could not get access? A web search shows that the IP is in the Ukraine. It also listed in the SMF ban list.

If the ban log means that entry of IP 188.*** was prevented, why do the other two (74. and 167.) not show up in the log, despite access being tried only minutes ago? That is, there is no entry in the log for them, while 188, which is older, has an entry.
188.*** is not listed in htaccess but is listed in the ban log, while the other two (74 and 167) do not show up in the ban log, but are listed both in the SMF ban list and htaccess?

More:
While I am writing this I tried to reload both the ban log and ban list; they both repeatedly were inaccessible for a short time with the message:
Connection Problems
"Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later. "
Is this due to dB maintenance? In all this happened about five times.

What is wrong, and what should I do now?

Aleksi "Lex" Kilpinen

The DB error message most commonly is a sign of either your database being super busy with something (backups, maintenance, heavy usage) or more likely you being on a bad overcrowded host.

What you see in the ban log has reached SMF, and has triggered a ban.
What is blocked in htaccess should never reach SMF, and should never show up in ban logs.

Arantor

I don't recall the syntax being "deny from 1.2.*.*", I thought it was "deny from 1.2"

In any case your host might be using Apache 2.4 which has different syntax, "Require not ip 1.2".
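The two posts above make one testable claim each: anything .htaccess blocks never reaches SMF (so it cannot appear in SMF's ban log), and the deny syntax differs between Apache 2.2 and 2.4. The script below is an added example, not code from this thread or from the SMF project. It normalises the prefix forms seen in the thread (`74.91.`, `74.91.*.*`) to Apache's documented partial-address form, emits the matching block for either Apache generation (for 2.4 a negated `Require` only takes effect inside `<RequireAll>`), and then reads combined-format access log lines to report, per banned range, how many requests Apache refused with a 403 and how many were still answered normally, meaning they ran index.php. The log lines and addresses are constructed; the triage assumes a 403 in the access log came from Apache's own deny rule, so on a live server confirm with the error log's "client denied by server configuration" entries and with SMF's ban log rather than the status code alone.

```python
"""
Added example: generate the Apache 2.2 / 2.4 deny block for a list of IP
prefixes and check an access log for banned ranges that still reach SMF.
Not part of the SMF thread or project; sample data is constructed.
"""
import re
from collections import Counter

# Prefixes exactly as they were written in the .htaccess discussed above.
BANNED_PREFIXES = ["74.91.*.*", "167.100."]

# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
74.91.5.20 - - [31/Oct/2019:11:40:01 +0000] "GET /discussion/index.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
74.91.5.21 - - [31/Oct/2019:11:40:03 +0000] "GET /discussion/index.php?action=register HTTP/1.1" 403 199 "-" "Mozilla/5.0"
167.100.8.9 - - [31/Oct/2019:11:41:10 +0000] "GET /discussion/index.php HTTP/1.1" 200 8123 "-" "python-requests/2.22"
188.163.109.153 - - [31/Oct/2019:11:45:46 +0000] "POST /discussion/index.php?action=login2 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
74.9.1.1 - - [31/Oct/2019:11:46:00 +0000] "GET /discussion/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2019:11:47:00 +0000] "GET /discussion/index.php?topic=12.0 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def split_prefix(prefix):
    """'74.91.', '74.91' and '74.91.*.*' all mean 'leading octets 74, 91'.
    Apache's documented partial-address form is just the leading octets;
    '*' is not part of it, so wildcard tokens are dropped here."""
    octets = [p for p in prefix.strip().split(".") if p and p != "*"]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 prefix: %r" % prefix)
    return [int(o) for o in octets]


def matches_prefix(ip, prefix):
    """Octet-wise match, the way Apache treats a partial address:
    the prefix 74.9 must NOT match 74.91.x.x."""
    want = split_prefix(prefix)
    try:
        have = [int(o) for o in ip.split(".")]
    except ValueError:
        return False
    return len(have) == 4 and all(0 <= o < 256 for o in have) and have[: len(want)] == want


def render_htaccess(prefixes, apache24):
    """Return the deny block in the syntax of the Apache version in use."""
    norm = [".".join(str(o) for o in split_prefix(p)) for p in prefixes]
    if apache24:
        # mod_authz_core: a bare "Require not ip" has no effect on its own;
        # it must sit inside <RequireAll> next to a positive rule.
        body = ["    Require all granted"] + ["    Require not ip %s" % p for p in norm]
        return "\n".join(["<RequireAll>"] + body + ["</RequireAll>"]) + "\n"
    # mod_access_compat / Apache 2.2: with Order Allow,Deny a matching Deny wins.
    lines = ["Order Allow,Deny", "Allow from all"] + ["Deny from %s" % p for p in norm]
    return "\n".join(lines) + "\n"


def triage(log_text, prefixes):
    """Per banned prefix, count requests Apache refused (403) against
    requests answered normally, i.e. ones that reached index.php and
    therefore SMF's own ban check.  Assumption: 403 here is Apache's deny.
    Unbanned traffic is bucketed by its first two octets to spot the next
    range worth adding."""
    report = {p: {"apache_403": 0, "reached_forum": 0} for p in prefixes}
    other_ranges = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        hit = next((p for p in prefixes if matches_prefix(ip, p)), None)
        if hit is None:
            other_ranges[".".join(ip.split(".")[:2])] += 1
            continue
        report[hit]["apache_403" if status == 403 else "reached_forum"] += 1
    return report, other_ranges


if __name__ == "__main__":
    print(render_htaccess(BANNED_PREFIXES, apache24=True))
    rep, others = triage(SAMPLE_LOG, BANNED_PREFIXES)
    for p, c in rep.items():
        print("%-12s apache 403: %d   reached SMF: %d" % (p, c["apache_403"], c["reached_forum"]))
    print("unbanned /16 ranges by hits:", others.most_common(3))
```

In the constructed sample the 74.91 range is stopped by Apache, while 167.100 is still being answered with 200, which is the situation asked about above: a range listed in .htaccess yet absent from SMF's ban log because the deny line never took effect. The generator only covers the `Deny from` / `Require ip` pair; other directives in a real .htaccess are left alone.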

a10

imo, "Sorry, SMF was unable to connect to the database" many times, regularly, = go away from that hosting company.

Am sure the htaccess generator posted earlier does not make errors, so how was it possible for these * to end up there :O)
It's Deny from 74.91. & Deny from 167.100.

About the 'normal' daily spam bot visits (can be 100's or even 1000's daily), forget about ip blocking (have tried that route, becomes chaos sooner or later). Use registration questions (search forum here for many ideas), then let the bots do whatever they may try (and fail) to do, will do zero harm. 20 questions, 3 active.

For very special cases (ddos-like activity), use htaccess.

pepf

Thanks Arantor, it is indeed Apache 2.4.41. Will be trying this syntax.


To a10:
Yes, it appears to be bots as they are stopping at the index page. They don't go past registration. But it makes me nervous when I see one or two dozen listed in Who's Online at a time, several times a day. I want to prevent them from getting to the index page, preferably. Considering serving up a 404 redirect or similar, if possible.

Will be looking for a new host; Inmotion was recommended, but now it seems they do not appear very security conscious. So I would like to take my time to find one that is more reliable.


a10

^^^ "it makes me nervous when I see one or two dozen listed in Who's Online at a time"

imo, as long as they can't register, forget about them, and spend time on something more constructive :O)

For example, my forum has been 'visited' for months by some utterly stupid botnet using (everchanging) tor ip's, getting hundreds of hits\ip's a day. They achieve absolutely nothing, could probably be 10 times more and it still would be nothing to bother about (either from my side or the hosting side).

GigaWatt

Quote from: a10 on November 01, 2019, 10:54:00 AM
imo, as long as they can't register, forget about them, and spend time on something more constructive :O)

Took the words right in front of my keyboard ;).

pepf, don't be over paranoid. Most of us have at least 100 spam bots trying to register on our forums... that's just how things are nowadays. Trust me, it's nothing to worry about, as long as they don't register ;).

a10 has written a pretty good questionnaire template, you should take a look at it ;).

https://simplemachines.org/community/index.php?msg=3776163

PS: I should put that link in my bookmarks :P :D.

pepf

Had a look at it....yes that is worth trying.
Up to now I have had only a few human spammers signing in, but virtually no bots entering, as far as I can see. They just stop at the board index.
I'm using number picking from an image and a simple question, currently.
These go well with the users, it appears, who seem to be in the age range of 40s up. The problem may be the attention span or patience; they often do not wait for the confirmation email to arrive and try to log in immediately before that is done.

Thanks for confirming that it is not only me with the constant knocking at the door by bots.

GigaWatt

Marking topic as solved ;).