Hacker in SMF?

Started by pepf, October 08, 2019, 09:02:16 PM


Arantor

Quote from: L2Scarlet on October 12, 2019, 05:04:27 PM
STOP using any website based on a CMS (including forum engines) and write your web pages from 0. Then you'll be safe :)


I assume you never ever want interaction from anyone else other than to read. No posts, no comments, no purchases, no ads. Also, let me know how you ever manage 500+ posts without some kind of content manager to help because updating 500+ pages by hand gets real tedious, real fast.

pepf

Thank you all for your answers. The forum is on a separate host and has otherwise no connections that could be used to get access.
Is there anything else that can be done to prevent certain IPs from accessing the forum, other than banning them via admin? At the moment there are again a dozen access attempts from the same IP range. They have tried repeatedly over the past months. Most likely a bot or bots, because they can't log in. Is the VPN protection mod any good for this type?

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

pepf

Inmotion has taken the forum down again, this time everything, even an unrelated website and directories containing nothing but a few images and image files. They claim that the SMF forum has not been updated since 2014 and therefore must be the culprit. Looks like they are on a witch hunt.
Already two different support personnel have claimed this. Looks as if they are on a witch hunt to discourage people from using SMF.
They say they are just taking sites down and don't look at what is causing the problem. Their mention of the cause was extremely vague. I moved there because the original host that SMF was on provided almost no support anymore.
What do I do now?

The data are in quarantine on Inmotion, but the huge backup file is difficult to download. I would like to save settings and anything that is useful. Which files are most important for user data, etc.?

Illori

The database and the attachments folder.

SMiFFER

Quote from: Arantor on October 10, 2019, 05:21:56 AM
The fact they can't actually tell you what the problem is, is a really bad sign.

True. That is the type of US hoster who only has employees in India.
I had exactly the same experience with IPAGE.COM.
Quote of the day: A troll is an obstinate bloke who only hungers for your attention. If you feed him, he will puke all over you!

pepf

Quote from: Arantor on October 10, 2019, 05:21:56 AM
The fact they can't actually tell you what the problem is, is a really bad sign.

I have been thinking this too.

One more question, because this relates to their possible problem.
I installed phpMyAdmin in a directory temporarily just now, because their installed version seems to be lacking something. I just installed it and made two or so login attempts with the wrong password. After rectifying this I got in and found this notification displayed within phpMyAdmin just now, together with two similar failed login notifications of my own.

>>mysqli_connect(): (28000/1045): Access denied for user 'cpses_eazo77jh2e'@'localhost' (using password: YES)

This is not the user name of the site; does this mean someone tried to get in just in the few minutes I fumbled with the password?
(I immediately uninstalled, but if this is someone from outside, how can they be so quick?)

Looking

@pepf, looks like you need proper hosting.

pepf

Hi Looking, yes I think so. So you also think that was a login attempt by someone who should not even have had the opportunity to get near phpMyAdmin in my account? After I wrote the above another attempt, with a different code name, occurred. I have changed all account passwords.
I started using Inmotion only this year and bought two years of hosting. But this thing made me decide to look elsewhere.


I just wonder, is it possible to inject code into a DB that can act like a script or allow someone access from outside? While reinstalling SMF I have also experienced forum spam within minutes, while I was still configuring it. Too soon for my taste. Not sure if this is related to the host, but if SMF had a function allowing me to prevent any access before configuration and a test run are done... that would be nice.

GigaWatt

Quote from: pepf on October 23, 2019, 09:22:43 PM
I installed phpMyAdmin in a directory temporarily just now, because their installed version seems to be lacking something. I just installed it and made two or so login attempts with the wrong password. After rectifying this I got in and found this notification displayed within phpMyAdmin just now, together with two similar failed login notifications of my own.

>>mysqli_connect(): (28000/1045): Access denied for user 'cpses_eazo77jh2e'@'localhost' (using password: YES)

This is not the user name of the site; does this mean someone tried to get in just in the few minutes I fumbled with the password?
(I immediately uninstalled, but if this is someone from outside, how can they be so quick?)

Judging by the username (cpses_eazo77jh2e), it's probably just some automatically generated username by cPanel (cPanel Session = cpses, the rest is probably just a random string or a hash string generated by cPanel/WHM).

So, I don't think there's anything to worry about. It's like those "security alert" emails you get when you log in to your Gmail account from a different PC/device, that's all ;).

Quote from: pepf on October 24, 2019, 10:29:26 PM
I started using Inmotion only this year and bought two years of hosting. But this thing made me decide to look elsewhere.

Out of curiosity, could you post your current hosting plan and price? Thanks :).

Quote from: pepf on October 24, 2019, 10:29:26 PM
I just wonder, is it possible to inject code into a DB that can act like a script or allow someone access from outside?

Yes, it is possible... just very unlikely.

I mean, unlikely if you keep your forum up to date... but, it will become more and more likely if your forum is left unattended for years (without security updates/patches).

Quote from: pepf on October 24, 2019, 10:29:26 PM
While reinstalling SMF I have also experienced forum spam within minutes, while I was still configuring it. Too soon for my taste.

This is completely normal nowadays, especially if you're using the same domain and/or cPanel account (server) for two or more websites/domains. If it's a subdomain, crawlers pick that up within seconds, especially if your site is heavy on traffic... and then the spam bots pick up on the results from the crawlers and start hammering on your forum ::). It's a PITA, I know, but it's just how things work these days ::).

Quote from: pepf on October 24, 2019, 10:29:26 PM
Not sure if this is related to the host, but if SMF had a function allowing to prevent any access before configuration and a test run is done ...that would be nice.

Yes, it does have a function like that ;). It's called Maintenance Mode: Admin --> Configuration --> Server Settings --> General --> Enable Maintenance Mode ;). Only admins are allowed to log in in maintenance mode ;).
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

pepf

Thanks, I hope you are right about the cPanel. That message appeared together with two others which clearly showed they were results of my login error. I'm a bit nervous because the host initially told me that the site was hacked, the forum not having been updated for years, etc., which is not true. Everything is updated as well as I can, but still having at times dozens of bots knocking on the door of the forum at the same time is getting to be a bit of a problem.
The forum has always been up to date, but SMF was the first thing the host people accused. But they could not or did not tell what really made them think so. It went well for half a year, but shortly after I installed a second forum the problem started.

It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

Thanks for reminding me of the Maintenance mode. I could see nothing saying it allows only admins, though. Instead, on installation I went to Registration - Settings to prevent any registrations while testing.

It's back up running now, hope it remains that way.

GigaWatt

Quote from: pepf on October 26, 2019, 01:36:34 AM
It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

For that kind of support, you could've paid a lot less.

a10

Quote from: GigaWatt on October 26, 2019, 08:44:33 AM
Quote from: pepf on October 26, 2019, 01:36:34 AM
It's the Power Plan, it was around 200 for two years, good enough for a completely free site.

For that kind of support, you could've paid a lot less.

yes, or they should give you the money back and offer 2 years for free as an excuse for the destructive non-support.

pepf

#33
Problems again.
Just switched on the computer and there were two emails telling me that the forum was inaccessible; a few moments later everything was back to normal. Nervous from the previous problems, I checked and found:

1. Checked Who's Online and it shows two IPs that are banned via htaccess from accessing the forum directory and the entire website. They are also listed in the SMF ban list. These two IPs have attempted access to the forum many times, one of them more than 4000 times.
Deny from 74.91.*.*
Deny from 167.100.*.*

Shouldn't they be denied access to the forum index page, if they are banned via htaccess?

2. Opened the Ban log and there are three entries. Same IP three times, all within 20 minutes:
188.163.109.153          October 31, 2019, 11:45:46 AM
Does this mean they were identified as banned and could not get access? A web search shows that the IP is in Ukraine. It is also listed in the SMF ban list.

If the ban log means that entry of IP 188.*** was prevented, why do the other two (74. and 167.) not show up in the log, despite access having been tried only minutes ago, while 188, which is older, has an entry?
188.*** is not listed in htaccess but is listed in the ban log, while the other two (74 and 167) do not show up in the ban log but are listed in both the SMF ban list and htaccess?

More:
While I am writing this I tried to reload both the ban log and the ban list; both were repeatedly inaccessible for a short time with the message:
Connection Problems
"Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later. "
Is this due to DB maintenance? In all this happened about five times.

What is wrong, and what should I do now?

Aleksi "Lex" Kilpinen

The DB error message is most commonly a sign of either your database being super busy with something (backups, maintenance, heavy usage) or, more likely, your being on a bad, overcrowded host.

What you see in the ban log has reached SMF, and has triggered a ban.
What is blocked in htaccess should never reach SMF, and should never show up in ban logs.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

I don't recall the syntax being "deny from 1.2.*.*", I thought it was "deny from 1.2"

In any case your host might be using Apache 2.4 which has different syntax, "Require not ip 1.2".

a10

imo, "Sorry, SMF was unable to connect to the database" many times, regularly, = go away from that hosting company.

Am sure the htaccess generator posted earlier does not make errors, so how was it possible for these * to end up there :O)
It's Deny from 74.91. & Deny from 167.100.

About the 'normal' daily spam bot visits (can be 100's or even 1000's daily), forget about IP blocking (have tried that route, it becomes chaos sooner or later). Use registration questions (search the forum here for many ideas), then let the bots do whatever they may try (and fail) to do; it will do zero harm. 20 questions, 3 active.

For very special cases (ddos-like activity), use htaccess.
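The two syntaxes Arantor and a10 are talking about, side by side, as an added example that is not from anyone in this thread. It assumes the forum directory allows .htaccess overrides for the access-control directives (AllowOverride covering mod_access_compat on 2.2-style setups and mod_authz_core on 2.4) and uses the two constructed ranges quoted above only as placeholders. As Aleksi notes, anything this file blocks never reaches SMF, so it will not appear in the SMF ban log, only in the Apache access/error log.

```apache
# Added example, not from the thread. Assumes .htaccess overrides are allowed
# for the forum directory. The ranges 74.91 and 167.100 are the placeholder
# values quoted in the thread, not a recommendation.

# --- Apache 2.4: native mod_authz_core syntax ---
# "Require not" is only valid inside a <RequireAll>/<RequireAny> container.
# Partial addresses (first 1-3 octets) and CIDR notation are both accepted.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 74.91
        Require not ip 167.100.0.0/16
    </RequireAll>
</IfModule>

# --- Apache 2.2 (or 2.4 with mod_access_compat loaded) ---
# A partial address with a trailing dot covers the whole range.
# Apache does not expand "*" wildcards in addresses, so the form posted in
# the thread ("Deny from 74.91.*.*") does not match the range intended.
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from 74.91.
    Deny from 167.100.
</IfModule>
```

Blocked clients get a 403 from Apache before any PHP runs, which is why a correctly written rule removes those IPs from Who's Online entirely rather than merely adding them to the SMF ban log. Check the Apache error log after saving: a syntax error in .htaccess turns every request to that directory into a 500.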

pepf

#37
Thanks Arantor, it is indeed Apache 2.4.41. Will be trying this syntax.


To a10:
Yes, it appears to be bots, as they are stopping at the index page. They don't go past registration. But it makes me nervous when I see one or two dozen listed in Who's Online at a time, several times a day. I would prefer to prevent them from getting to the index page at all. Considering serving up a 404 redirect or similar, if possible.

Will be looking for a new host; Inmotion was recommended, but now they do not appear very security-conscious. So I would like to take my time to find one that is more reliable.


a10

^^^ "it makes me nervous when I see one or two dozen listed in Who's Online at a time"

imo, as long as they can't register, forget about them, and spend time on something more constructive :O)

For example, my forum has been 'visited' for months by some utterly stupid botnet using (ever-changing) Tor IPs, getting hundreds of hits/IPs a day. They achieve absolutely nothing; it could probably be 10 times more and it still would be nothing to bother about (either from my side or the hosting side).

GigaWatt

Quote from: a10 on November 01, 2019, 10:54:00 AM
imo, as long as they can't register, forget about them, and spend time on something more constructive :O)

Took the words right in front of my keyboard ;).

pepf, don't be over paranoid. Most of us have at least 100 spam bots trying to register on our forums... that's just how things are nowadays. Trust me, it's nothing to worry about, as long as they don't register ;).

a10 has written a pretty good questionnaire template, you should take a look at it ;).

https://simplemachines.org/community/index.php?msg=3776163

PS: I should put that link in my bookmarks :P :D.