Hacker in my forum

Started by Liviu Lalescu, January 10, 2021, 06:17:35 AM


Liviu Lalescu

Dear SMF community,

I have this forum: https://lalescu.ro/liviu/fet/forum/

Since 3 January, I observed that four of my users' accounts have been hacked, three of them have in the signature a link to https://www.cialispascherfr24.com/ . These three users are Arabic and speak French, most probably. The links in their signature were certainly added now. I did not speak with these four users, yet.

The incriminated IP is: 178.137.16.56. I searched the internet for it: https://www.phpbb.com/community/viewtopic.php?f=64&p=15651886 and https://www.piepcomp.nl/threads/dirty-bot-uit-de-oekraine-veranderd-e-mailadressen-en-meer-op-websites.6899/ (I used Google Translate for the second one).

I examined my host logs; they indicate that this IP goes directly to the account, does not waste time trying to hack, and only logs in to these users and updates their profiles.

Could you please help me with what might have happened?

Aleksi "Lex" Kilpinen

Bad passwords leaked elsewhere?
Would be my first guess.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

GigaWatt

Agree... their rigs/smart devices could be infected with malware and it's just using whatever it can find as social gathering sites (including forums) as their target.

Could you ask your members if they also have FB, Instagram, Twitter accounts and if the same thing is happening on their social media profiles?
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Liviu Lalescu

Thank you, I'll email them (hoping the hacker won't intercept these messages).

GigaWatt

It's not a "hacker" per se... yes, someone is probably behind that, but those are scripts or programs (malware in general) that try a multitude of different methods to retrieve usernames and passwords from the target's device/devices. If the target (the user) doesn't usually log out of any of his accounts, it's fairly easy to post, message or modify something in his/her account. This is all done automatically via scripts/programs. In most cases, there's no real person doing this, except the person that made those programs/scripts.

Liviu Lalescu

Thank you! Indeed, I examined the visitor logs and the operation of logging in and updating the user profile is done in a few seconds. However, there are some users who did not log in for many years who are affected (they did not accept the new EU privacy policy, and the hacking script did this for them as well).

GigaWatt

Quote from: Liviu Lalescu on January 10, 2021, 09:38:06 AM
...(they did not accept the new EU privacy, and the hacking script did also this for them)

This has nothing to do with GDPR, if you're referring to that.

Quote from: Liviu Lalescu on January 10, 2021, 09:38:06 AM
However, there are some users who did not login for many years who are affected...

Now this might be concerning. Are you sure that those users haven't logged in for ages on the forum? At least 2 or 3 years? Could you please check your logs and see if members inactive for a long period have logged in almost at the same time (let's say 100 members inactive for the past 2 or 3 years have all decided to log in and change their signatures to the exact same string in about an hour's time)?
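The log check GigaWatt asks for above (long-dormant accounts suddenly logging in, and one IP walking through several accounts), as an added example that is not part of this thread or of SMF itself; the log format, the IP addresses and the usernames are constructed placeholders:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log; the assumed format is "date time ip user action".
SAMPLE_LOG = """\
2021-01-03 10:00:05 203.0.113.9 bob login_ok
2021-01-03 10:00:11 203.0.113.9 bob profile_update
2021-01-03 10:02:40 203.0.113.9 carol login_ok
2021-01-03 10:02:47 203.0.113.9 carol profile_update
2021-01-04 08:15:00 203.0.113.9 dave login_fail
2021-01-05 11:30:00 203.0.113.9 erin login_ok
2021-01-05 11:30:06 203.0.113.9 erin profile_update
2021-01-06 18:00:00 198.51.100.7 alice login_ok
"""
# Constructed "last login" dates, as a forum's member table would store them.
LAST_SEEN = {"alice": datetime(2020, 12, 14), "bob": datetime(2018, 7, 20),
             "carol": datetime(2017, 3, 1), "erin": datetime(2019, 11, 2)}

def parse(log_text):
    """Return (timestamp, ip, user, action) tuples in time order; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            events.append((ts, parts[2], parts[3], parts[4]))
    return sorted(events)

def ips_touching_many_accounts(events, min_accounts=3):
    """IPs that logged in, or tried to, as several distinct users (credential-stuffing pattern)."""
    users_by_ip = defaultdict(set)
    for _, ip, user, action in events:
        if action in ("login_ok", "login_fail"):
            users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}

def dormant_then_active(events, last_seen, min_dormant_days=365):
    """(user, ip) pairs where an account idle for at least min_dormant_days logged in successfully."""
    return [(user, ip) for ts, ip, user, action in events
            if action == "login_ok" and user in last_seen
            and ts - last_seen[user] >= timedelta(days=min_dormant_days)]
```

Accounts returned by both checks for the same IP are the ones to reset and contact first.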

Kindred

This almost definitely reflects accounts with compromised passwords
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

GigaWatt

Quote from: Kindred on January 10, 2021, 09:52:57 AM
This almost definitely reflects accounts with compromised passwords

If it's hundreds of inactive accounts... I wouldn't bet on it. If it was a few, yeah, I'd agree.

Kindred

Since the attacker is actually logging IN to the account, it's really the only option.

If it was a hack, the attacker would be making changes without logging into each account individually.

Liviu Lalescu

Quote from: GigaWatt on January 10, 2021, 09:46:37 AM
Quote from: Liviu Lalescu on January 10, 2021, 09:38:06 AM
...(they did not accept the new EU privacy, and the hacking script did also this for them)

This has nothing to do with GDPR, if you're referring to that.

Quote from: Liviu Lalescu on January 10, 2021, 09:38:06 AM
However, there are some users who did not login for many years who are affected...

Now this might be concerning. Are you sure that those users haven't logged in for ages on the forum? At least 2 or 3 years? Could you please check your logs and see if members inactive for a long period have logged in almost at the same time (let's say 100 members inactive for the past 2 or 3 years have all decided to log in and change their signatures to the exact same string in about an hour's time)?

There are 4 affected users, but only 3 have that spam link in the signature. For the GDPR policy, one of these 3 users did not log in since this GDPR policy was enabled (so, has not logged in for more than one year). The problems appeared since 3 January 2021 (3, 4, 5, and 10 January have logs of this IP). I think all these 4 users did not log in for a long time (maybe months).

After the hacker script logged in and modified the users' signatures, I observed that the visitor status said they were posting a new topic (only for two of these users), but in the end they did not.

Only one of these 4 users has 3 posts (in July 2018), the others have 0 posts.

Yes, indeed, thank you, I think their accounts are compromised. I was very scared that it might be from my part.

Aleksi "Lex" Kilpinen

Quote from: Kindred on January 10, 2021, 09:59:29 AM
If it was a hack, the attacker would be making changes without logging into each account individually
Yup, if they had access to the server - there wouldn't be any need to go after individual users.

Liviu Lalescu

If I view that nasty IP's activity, there is a 5th user appearing, but with "Password incorrect", on 4 January 2021. This user logged in with a probably legitimate IP on 14 December 2020.

Note: The hacked accounts (+ the attempt) are users who have the same username as the real name.

I will email my users. Thank you for the help!

GigaWatt

Quote from: Kindred on January 10, 2021, 09:59:29 AM
If it was a hack, the attacker would be making changes without logging into each account individually

Quote from: Aleksi "Lex" Kilpinen on January 10, 2021, 10:07:37 AM
Yup, if they had access to the server - there wouldn't be any need to go after individual users.

Wasn't thinking of a hacked server, was thinking of hacked users and their devices ;).

Quote from: Liviu Lalescu on January 10, 2021, 10:05:11 AM
There are 4 affected users, but only 3 have that spam link in the signature. For the GDPR policy, one of these 3 users did not log in since this GDPR policy was enabled (so, has not logged in for more than one year). The problems appeared since 3 January 2021 (3, 4, 5, and 10 January have logs of this IP). I think all these 4 users did not log in for a long time (maybe months).

After the hacker script logged in and modified the users' signatures, I observed that the visitor status said they were posting a new topic (only for two of these users), but in the end they did not.

Only one of these 4 users has 3 posts (in July 2018), the others have 0 posts.

Yes, indeed, thank you, I think their accounts are compromised. I was very scared that it might be from my part.

And this leads me to believe it's a user side problem, i.e. their devices (PCs, laptops, smart devices) are infected with malware. Your forum is probably fine ;).

Keep an eye out. If there are no new cases or very few (2, 3 "hacked" accounts per week), it's probably some new piece of malware roaming around. Things should get back to normal once its signature is in most AV databases ;). If the number spikes, write back and we'll analyze the problem further ;).

Quote from: Liviu Lalescu on January 10, 2021, 10:44:49 AM
Note: The hacked accounts (+ the attempt) are users who have the same username as the real name.

They might be "dormant" spammers. I've seen this on my forum too. Some Joe Shmoe creates a few accounts, keeps them dormant (inactive) and when he/she gets paid to spread spam, he/she activates the accounts, starts posting or whatever. This could also be easily automated from the attacker's point of view, so it's not implausible that this might also be the case.

Liviu Lalescu

Thank you! I'll write if the cases escalate.

About dormant spammers, I doubt it, because one user made 3 legitimate Arabic posts a few years ago, and the users we are talking about registered in ~2015-2017.

Aleksi "Lex" Kilpinen

I've seen similar stuff before, and I'd be willing to bet it's because the users have used the exact same logins in multiple places so that when one got compromised, it's easy for anyone to just go look for the same leaked usernames on other public sites and try their luck. Happens a lot actually.

Liviu Lalescu

Yes, it does. I am ashamed to say I did this in the past. A few years ago Steam warned me that a double-check login with my phone had failed, so I needed to change all my passwords. I think it is because of that critical Yahoo leak from some years ago.

GigaWatt

Quote from: Liviu Lalescu on January 10, 2021, 12:07:36 PM
About dormant spammer, I doubt. Because a user made 3 legitimate Arabic posts a few years ago, and the users we are talking about registered in ~2015-2017.

Ah, they're probably legit users then ;).

Quote from: Aleksi "Lex" Kilpinen on January 10, 2021, 12:11:33 PM
I've seen similar stuff before, and I'd be willing to bet it's because the users have used the exact same logins in multiple places so that when one got compromised, it's easy for anyone to just go look for the same leaked usernames on other public sites and try their luck. Happens a lot actually.

Yep, quite common ;). Especially if they use smart devices frequently to visit places where they use the same credentials ;). People use smart devices instead of PCs or laptops more and more, so it's not surprising the number of malware targeting smart devices is rising.

Quote from: Liviu Lalescu on January 10, 2021, 12:34:44 PM
I think it is because of that Yahoo critical leak more years ago.

Could've been... no one can say for sure :D.

I haven't changed my password on most of my social logins or mail accounts in years and I still haven't been hacked... well, at least to my knowledge, LOL :D. The trick is, don't use smart devices, or at least, don't visit any places on which you use your "one and only" login details. My passwords are more or less the same (add a character here, remove a character there, change one, etc.) and I have like 2 or 3 tops, so I'm not the most responsible person when it comes to IT security, but, as I said, I don't use smart devices and that has proven (over time) to be the right way to go when it comes to security ;). That, visiting non-essential places (like social media) in incognito/private mode and not storing my passwords in the browser (like most users do)... that would be three things I'd recommend from an IT security standpoint ;).

Liviu Lalescu

Quote from: GigaWatt on January 10, 2021, 05:31:34 PM
... that would be three things I'd recommend from an IT security standpoint ;).

Good to know :)
