Hacker in SMF?

Started by pepf, October 08, 2019, 09:02:16 PM


pepf

Had a specific forum up for five years without major problem. Today, Inmotion contacted me to tell me that the forum was removed/quarantined because of a hacker. The only information I could extract from support is that there was abnormal outward bound activity detected.
Strangely only some 36 hours ago I installed a second SMF forum that was not configured yet. Could that have been used to get in? Is it easy to crack an SMF password?

LiroyvH

"abnormal outward bound activity" is rather vague. Actually, it's useless. Surely they can give you more details?

Quote
Is it easy to crack an SMF password?

That primarily depends on the strength of your password really.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Biology Forums

The new forum, I doubt, was detected or picked up by any crawler within 48 hours *especially* if the URL is unknown. Even if it was (let's say it was), bots could register, but that's all they'd be able to accomplish on stock settings. It's probably an automated response by the server heads.

Sent you a PM

pepf

Thanks for answering. The host support person I contacted could not give me more details than that outward activity was abnormal. There is no outward activity usually. And yes, I know from trying other forums before SMF that the bots do pick up new forums and register with astonishing speed.
When I heard outward activity I could only think of some trojan, but can something like this be uploaded via images?
Bots have never been able to sign up until now although I have sometimes seen two dozen or more guest IPs from the same IP ranges being shown. They are apparently hanging there without being able to get past registration.
With the forum configuration, even if someone is registered, they can only answer posts, look at boards and upload images. Any way to get control this way?

Aleksi "Lex" Kilpinen

So, if they can't say what it was, how can they tell it was abnormal?
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

pepf

There should be NO outbound activity at all, really, when posting??? The forum does not send out messages or anything normally.
The forum is up again, now. Not sure if these are the culprits but the ban log shows a long list of access attempts by banned IPs last night, a very large part of which are the same two IP ranges. Looks as if someone who got banned for forum spam tried to get in again.

Aleksi "Lex" Kilpinen

SMF does try to fetch information from simplemachines.org on a schedule, that would be an outbound connection I think.

Illori

if your host can't give you a detailed answer as to why they shut down your forum, I would suggest you start looking for a new host as this is not acceptable.

Sir Osis of Liver

Does your cPanel have a security scan (it should)? If not, your host should be able to scan your account. Otherwise, do what Illori suggested.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

drewactual

way back in likely 2007~8 i had a SMF 1.x forum shut down by my then host because of massive bandwidth being consumed. 

after looking into it, it was due to someone or a group of someones (if not an automated process) 'uploading and downloading' entire movies and music albums. apparently these nefarious types would pre-stage memberships with a host of forums (specifically), and then break in and steal movies from re-sellers or studios, plant them on several forums (upload them through attachments) and then move them to another 'round' of forums.. exponentially speaking, after the seventh 'bounce' it was impossible to track? Or, maybe better said, it was too taxing to follow.. these movies were deleted as soon as they were transferred. these guys relied on the then not too widely used limits on uploads. i don't know if it was only SMF they targeted but iirc it was not- it was just 'free to join/general audience' forums.

of course all of that was known after the fact, but 'during' these crazy bandwidth events? all my host knew was that my site was off the charts with i/o and bandwidth.

your host should be able to look at the apache status and see the usage reports, not only specifically what IP, but what request and what kind of traffic. 

question:  how did you install the 'new' SMF on this server?  did you upload a package and unzip it there or did you use an automated 'auto' function provided by your host?  what i'm getting at is if you did 'auto' load it, the server making a request and as a result of that request and the ensuing 'traffic' could have tripped a sensor, so to speak, and alerted your host of 'strange' behavior as you 'usually' don't do that or they usually don't see that kind of traffic from you..... just a thought. 

edited to add: 

after thinking about it a minute, i'm thinking it wasn't SMF or forums that were targeted... back then i had a phpIMG (or something like that) image/album site on the same server as the SMF... or maybe it was coppermine or something named like that- but as i'm starting to recall i think it was an image/album engine and not SMF... the same premise holds, but... iirc even smf 1.x had a throttle on uploads where the image engine expected large files to be uploaded and downloaded.

pepf

Thanks for the additional info. I have been taking other possibilities into consideration too, including the possibility that it was not SMF...but that is what the host indicated. Their message to me was:

Quote
Our System Administration team has discovered your website security was compromised and 'hacks' inserted into your account. These 'hacks' were loaded onto your account through a vulnerability in the website software hosted on your account or a weak CMS password.

We identified the following hacked files:
Running outbound attacks, full quarantine of /home/xxxxxx/public_html/discussion

We have quarantined those malicious files. Due to the nature of the compromise, we cannot guarantee that your website is completely clean or does not contain exploitable vulnerabilities. Most frequently, hacks are the result of out-of-date software installations; any outdated installation on the account can result in hacks on any site on the account. Please note that while upgrading the outdated software is recommended and may close existing vulnerabilities, it will not remove any hacks that have already been injected into the site. Therefore, you should have a developer or someone familiar with the website review the account thoroughly. Please note that if the security issues are not addressed, your site may be disabled.

Actually they took down the whole directory in which the forum is; they reinstalled it from a backup made only a short while before the incident. Not sure what I can do more now, except watching. I disabled a few plugins, that is all.

Aleksi "Lex" Kilpinen

That is unbelievably vague.

Sir Osis of Liver

Translation:  Our servers have crappy security, but don't blame us if you're hacked. :P

Illori

if they are restoring your files and not asking you ahead of time, i would suggest you look for a new host. your host should not restore or touch your files or database without letting you know first.

also by them restoring the backup it does not let you check the files to see what may have been touched and possibly provide files to us to check what may have happened.
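One way to do the file check Illori describes, given a copy of the restored backup and a copy of the live tree: an added example in Python (not SMF's code or anything posted in this thread) that diffs the two trees by hash and flags PHP files that appear in directories which should only hold data. The directory names in SUSPECT_DIRS and the toy backup/live pair are assumptions constructed for illustration.

```python
"""Diff a known-good forum tree (the host's backup) against the live tree and
flag PHP appearing where only data belongs. Added example, not SMF code."""
import hashlib
import tempfile
from pathlib import Path

# Assumed data-only directories; real names depend on the forum's layout.
SUSPECT_DIRS = ("attachments", "avatars", "cache")


def manifest(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(backup: Path, live: Path) -> dict:
    """Files only in live (added), in both but differing (modified), only in backup (removed)."""
    old, new = manifest(backup), manifest(live)
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
        "removed": sorted(set(old) - set(new)),
    }


def flag_suspicious(report: dict) -> list:
    """New or changed .php files under data-only directories deserve a look first."""
    return sorted(p for p in report["added"] + report["modified"]
                  if p.endswith(".php") and p.split("/")[0] in SUSPECT_DIRS)


def build_sample() -> tuple:
    """Constructed toy backup/live pair in a temp dir so the script runs offline."""
    base = Path(tempfile.mkdtemp())
    files = {"index.php": b"<?php // forum entry\n", "attachments/1_abc.jpg": b"\xff\xd8 jpeg"}
    for tree in ("backup", "live"):
        for rel, data in files.items():
            p = base / tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Simulate tampering in the live tree: an edited entry script and a stray PHP upload.
    (base / "live" / "index.php").write_bytes(b"<?php /* injected marker */ // forum entry\n")
    (base / "live" / "attachments" / "up.php").write_bytes(b"<?php /* unexpected code */\n")
    return base / "backup", base / "live"


if __name__ == "__main__":
    report = compare_trees(*build_sample())
    print(report)
    print("look first at:", flag_suspicious(report))
```

On a real account, point compare_trees at the unpacked backup and a copy of the live web root; anything in "added" or "modified" that you did not change yourself is what to hand over for review.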

Arantor

The fact they can't actually tell you what the problem is, is a really bad sign.

Aleksi "Lex" Kilpinen

A hack is a very ambiguous term, which in itself will provide very little insights into what exactly happened, and any professional host shouldn't really even use that word in the way it is used here....

pepf

>your host should not restore or touch your files

It is me who told them to restore the forum using an earlier backup; they had removed the whole thing.

And yes, I have been considering whether they might know more and do not want to tell because their servers might have been compromised, rather than that forum only. I moved from another host that has been going down for the past few years, and provided almost no support anymore. This one (Inmo***) was recommended and has provided excellent support.


L2Scarlet

STOP using any website based on CMS (including forum engines) and write your web pages from 0 .. Then you'll be safe :)

Antechinus

^ Posts on a forum to tell people to not use a forum.

Ok.

Aleksi "Lex" Kilpinen

Quote from: L2Scarlet on October 12, 2019, 05:04:27 PM
STOP using any website based on CMS (including forum engines) and write your web pages from 0 .. Then you'll be safe :)

Except for the fact that most probably that wouldn't be the case at all. You would either end up with relatively the same, worse or a whole lot worse off in terms of security, depending on your level of expertise and what functionality you really want to have on your site...
