Hacking & back door entry

Started by junglejim42, September 11, 2020, 06:47:01 AM


junglejim42

Good morning all,
Is it possible that a member of my SMF (ver 2.0.17) forum has unknowingly posted a link to an external website which then allows a hacker to access my ROOT directory through SMF?

My root directory files were altered twice in 5 hours yesterday, even after changing my FTP password to a random 16-character (letter/number/special char) password.

I have used an online malware website scanner, but nothing comes up.

Any advice would be appreciated.

Doug Heffernan

There are no known security issues with the latest version a.f.a.i.k. Did you ask your host to check their access logs and see what exactly went down around the time that your directory files were altered?

junglejim42

I did report it to them, and they were not very helpful.

Shambles

I had a large number of my index.php files hacked 3 years ago... turned out that all websites on that server were hacked in the same way, as the breach had been done at the server level, not at the website level.

Your host should definitely be able to trace the changes, unless they've something to hide (like their security isn't up to scratch).

Kindred

I will reiterate as an official statement from the SMF teams...

There are no known security issues in 2.0.17


That being said, while we do the best we can to review mods, we have no control over combinations of mods (or mods from third party sites) which may not have the same security level as SMF itself.

Did the user CLAIM that they posted a link which you clicked that then gave them access, or do you have evidence that your site was hacked?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

junglejim42

Quote from: Kindred on September 11, 2020, 09:58:28 AM
I will reiterate as an official statement from the SMF teams...

There are no known security issues in 2.0.17


That being said, while we do the best we can to review mods, we have no control over combinations of mods (or mods from third party sites) which may not have the same security level as SMF itself.

Did the user CLAIM that they posted a link which you clicked that then gave them access, or do you have evidence that your site was hacked?
Yes, my website has been hacked and the root index file changed to redirect to another site.
Awstats does not show any above normal hits to show brute force hacking.
I've removed the mods added in the past 2 months to eliminate them.

I was only enquiring whether it was possible for a hacker to access my root directory through an external link on the forum.


Doug Heffernan

Quote from: junglejim42 on September 11, 2020, 12:00:34 PM
Yes, my website has been hacked and the root index file changed to redirect to another site.
Awstats does not show any above normal hits to show brute force hacking.
I've removed the mods added in the past 2 months to eliminate them.

I was only enquiring whether it was possible for a hacker to access my root directory through an external link on the forum.

SMF mods are checked thoroughly by the Customising Team here before being approved. What mods did you have installed, and did you download them from here?

I doubt that that could be the cause of the hack (through an external link).

If I were you, I would do a thorough checkup of your server space for anything out of the ordinary.

junglejim42

Quote from: Doug Heffernan on September 11, 2020, 12:09:28 PM
Quote from: junglejim42 on September 11, 2020, 12:00:34 PM
Yes, my website has been hacked and the root index file changed to redirect to another site.
Awstats does not show any above normal hits to show brute force hacking.
I've removed the mods added in the past 2 months to eliminate them.

I was only enquiring whether it was possible for a hacker to access my root directory through an external link on the forum.

SMF mods are checked thoroughly by the Customising Team here before being approved. What mods did you have installed, and did you download them from here?

I doubt that that could be the cause of the hack (through an external link).

If I were you, I would do a thorough checkup of your server space for anything out of the ordinary.
Freichat and Ultimate Menu were the only mods added recently, downloaded from here. I'm going through the process of elimination to see if that finds the problem.

Easy to see which files have been changed/added, just can't work out how they keep getting there.

Kindred

Well, that's easy.

Once the hacker is in, they bury one (or more) backdoor programs -- usually about 10-20 directories deep.

Once you ARE hacked, the best bet is to delete EVERYTHING and restore the file system from a backup taken before the hack.

Just changing your main files back doesn't fix the backdoors.

junglejim42

Quote from: Kindred on September 11, 2020, 12:47:07 PM
Well, that's easy.

Once the hacker is in, they bury one (or more) backdoor programs -- usually about 10-20 directories deep.

Once you ARE hacked, the best bet is to delete EVERYTHING and restore the file system from a backup taken before the hack.

Just changing your main files back doesn't fix the backdoors.
Thanks for that. Will investigate further.

NeonFlash

There is another possibility, by the way. Even though the hacker may not have broken into your site by bruteforcing or exploiting a vulnerability in SMF or either of the installed mods, it is still possible for them to compromise your site.

Is your website running on a shared hosting server? Are there other sites hosted on the same server as well? This can be confirmed by doing a reverse IP lookup on whois.

If there are other sites hosted on the same server and they were vulnerable, a hacker might have exploited them to gain access to the shared hosting server. Even though servers compartmentalise and one vhost should not be able to access the directories of another vhost, there is still a possibility that the hacker might have gained root access on the server (either by exploiting or by other means). In that case, the whole server is compromised.

Although I doubt a hacker with such skills would merely make a modification in your index.php to redirect you to another site :)

junglejim42

I am on a shared server and I have 2 other websites that haven't been touched.

I have found a lot of javascript files in the SMF directory. The content of the files relates to allchatstars dot com, which is an arabic chat site; there is also a name in one of the JS files that is the same as in one of the root files that keep getting changed.

Most common file found so far is post.php; opening each file in turn to ensure code is ok.

As a final precaution before going down the re-installing route I have disabled new registrations for 48hrs. I haven't had any file changes for 24 hours now.
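Kindred's point above (backdoors buried many directories deep, so restoring only the main files does not clean the site) and junglejim42's hunt for changed and added files both come down to the same defensive check: a hash baseline of the web root taken from a known-good state, and a later scan diffed against it. The script below is an added example written for this thread; it is not code from the thread, from SMF, or from any host's tooling. The file names, the tampering scenario in `demo()`, and the depth threshold of 8 directories are all constructed for illustration.

```python
"""Integrity baseline and drift report for a web root (added example).

Builds a manifest of SHA-256 hashes for every regular file under a directory,
compares a later scan against the stored manifest, and reports files that were
added, modified or removed. Added or modified .php/.js files are listed
separately, and those sitting unusually deep in the tree are flagged.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

WEB_EXEC_SUFFIXES = {".php", ".js"}
DEEP_THRESHOLD = 8  # constructed threshold: directories below the web root


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root to its SHA-256 (symlinks skipped)."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def report(baseline, current, deep_threshold=DEEP_THRESHOLD):
    """Diff plus two triage views: new/changed web executables, and deep ones."""
    d = diff_manifest(baseline, current)
    changed = sorted(d["added"] + d["modified"])
    d["web_executables"] = [p for p in changed
                            if Path(p).suffix.lower() in WEB_EXEC_SUFFIXES]
    d["deep"] = [p for p in d["web_executables"]
                 if p.count("/") >= deep_threshold]
    return d


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root / "index.php", "<?php // clean front controller\n")
        _write(root / "Themes/default/index.template.php", "<?php // theme\n")
        _write(root / "Sources/Post.php", "<?php // SMF source file\n")
        baseline = build_manifest(root)
        # Tampering after the baseline was taken (all constructed):
        _write(root / "index.php", "<?php // tampered front controller\n")
        _write(root / "Packages/temp/a/b/c/d/e/f/g/h/post.php", "<?php // planted\n")
        _write(root / "Themes/default/scripts/chat.js", "// planted script\n")
        (root / "Sources/Post.php").unlink()
        return report(baseline, build_manifest(root))


if __name__ == "__main__":
    import sys
    # usage: python integrity.py baseline <webroot> <manifest.json>
    #        python integrity.py check    <webroot> <manifest.json>
    cmd, webroot, manifest_path = sys.argv[1:4]
    if cmd == "baseline":
        Path(manifest_path).write_text(json.dumps(build_manifest(webroot), indent=1))
    else:
        stored = json.loads(Path(manifest_path).read_text())
        print(json.dumps(report(stored, build_manifest(webroot)), indent=1))
```

Take the baseline from a fresh install or a backup that predates the incident, and keep the manifest outside the web root (and ideally off the server), since anything inside the tree can be rewritten along with the files it describes. The "deep" list is only a triage hint; a planted file can sit anywhere, which is why the full added/modified list is the thing to read before deciding whether to wipe and restore.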


Illori

If you have the files and access to your access logs, please consider filling out our security form:

https://www.simplemachines.org/about/smf/security.php

junglejim42

Quote from: Illori on September 14, 2020, 05:11:25 AM
If you have the files and access to your access logs, please consider filling out our security form:

https://www.simplemachines.org/about/smf/security.php
I will once all avenues have been explored. I'm currently monitoring webalizer URL access logs to see what files are being accessed. The SMF Who's Online log shows 107 guests, of which 40 were on the registration page last night 10pm to 10am. I shall open the site to new registrations in 24hrs and see what happens then.

drewactual

Would this shared link contain a sessions hash by any chance?

junglejim42

Just an update: didn't get to the cause of the problem. Webhost P'd me off with an upgrade which turned out to be a downgrade, which meant I had to delete a lot of mailboxes, so I have changed servers and done a clean install.

Kindred

that should solve the situation... :)
