Cracker on my forum

Liviu Lalescu · August 11, 2024, 06:23:13 AM

Dear SMF community,

My forum: https://lalescu.ro/liviu/fet/forum/

I had a similar problem a few years ago with 4-5 legitimate users accounts.

12 hours ago I had IP 5.180.62.7 log into a legitimate account (Spanish person) and posted a spam topic.

2 hours ago I had IP 5.180.62.4 log into another legitimate account (Arabic person).

I examined the visitors log and these visits were in an interval of 3-4 seconds, respectively, so not done by a person, but by a script. Also, I had two visits from the above second IP on 5 August, a simple "GET" for my lalescu.ro/liviu/.

My concern is security. What could/should I do?

mickjav · August 11, 2024, 06:37:10 AM

Ban The Accounts they use.

Kindred · August 11, 2024, 07:24:36 AM

Their account data was compromised and is in a spammer database.

Nothing you can do other than ban or delete the accounts.. you COULD try forcing a password change if you know that those users are real and still active

Liviu Lalescu · August 11, 2024, 07:42:23 AM

Thank you! I was trying to address the cause, not the effect. I mean I am afraid the cracker obtained from my site more information, like the hashes of all the passwords, and these two accounts might have had simpler passwords, but all the accounts are actually compromised if the cracker runs a brute force algorithm.

You say a "spammer database". How did the cracker obtain the exact login and password of two completely unrelated users? He entered the passwords from the first try.

Arantor · August 11, 2024, 08:36:46 AM

How did the cracker obtain login details? There are literal databases out there of login details and people tend to be pretty poor about reusing passwords.

I'd report the attack to the hosting company - clouvider.com, with times of usage if you can, and get them involved because it looks for all the world like someone using their hosting to break into places.

If you're afraid of the accounts having been broken into some other way, that the attacker somehow has the hash, the question becomes whether you were always on 2.1, whether you upgraded from 2.0 to 2.1 and if you upgraded, whether the users in question had logged in since the upgrade.

Realistically if the users had been users since 2.1 was on your site, the attacker did not bruteforce their accounts via having the hashes somehow because bcrypt takes an inordinate amount of time to bruteforce (that being the point), and infinitely more likely that the attacker was trying low hanging fruit from existing databases, especially cases where the same username/password pair came up in several password troves.

shawnb61 · August 11, 2024, 08:43:19 AM

We are seeing more & more old accounts being hacked. Similar thread with explanation & some helpful resources here:
https://www.simplemachines.org/community/index.php?msg=4176845

Liviu Lalescu · August 11, 2024, 09:12:20 AM

Thank you, @shawnb61 , I had Low password security and made it High.

I am not sure my database password is strong enough, but I cannot find it in the Admin section of my SMF forum. I should make it a strong one, I suppose. Could you tell me where to find it? Maybe it was in a php file of the forum? How can I change it without breaking the forum? I think I need to modify it in two places?

Thank you, @Arantor , I will write now to this hosting company. Thank you for the explanation of the thing with hashes. However, the question remains that today the attacker logged in directly to these two accounts (separated by ~10 hours), without other similar IP's for other tries. I had firstly SMF 2.0 (or even earlier and upgraded to 2.0 long time ago, I am not sure). I updated to SMF 2.1 a few days after the release, I think. My forum Spanish user I think logged in after I updated to 2.1; my Arabic forum user seems not to have logged in after I updated to 2.1, because my site raw logs show that the attacker accepted the new agreement.

Kindred · August 11, 2024, 09:25:18 AM

Database password is set in your hosting account and only USED by smf, not set by smf

Liviu Lalescu · August 11, 2024, 09:43:49 AM

Exactly; so, to change it, I should put the forum in maintenance, change it on my host, update it in SMF (but where?), and turn off maintenance? Sorry for newbie question.

Edit: I found that the database password is stored in Settings.php of the forum. I had a good password, no need to change it.

Liviu Lalescu · August 11, 2024, 09:51:50 AM

And another maybe newbie question: how can I reset the password of a user, so that he is forced to set a new one by an email link? Is it possible?

Edit: I found advice in shawnb61's post above that probably also the users' emails are compromised, so I just banned these two users, and in the ban description I told them to contact me. Anyway, they were inactive for a long time.

Liviu Lalescu · August 11, 2024, 11:59:58 AM

I have the third probably cracked user account of today. The common feature is the same forum username as the forum displayed name, and Gmail account for email. Different class of IP now ( 193.176.87.60 ), which also seems suspect.

Sir Osis of Liver · August 11, 2024, 03:33:12 PM

Quote from: Liviu Lalescu on August 11, 2024, 09:51:50 AMAnd another maybe newbie question: how can I reset the password of a user, so that he is forced to set a new one by an email link? Is it possible?

Delete passwd in members table.

Liviu Lalescu · August 11, 2024, 03:55:50 PM

Thank you for the information! Indeed, I entered the database and I saw that the recent passwords are very long (they begin with $ and the tooltip says something about 60 characters), the not so recent are ~40 characters and the old ones are ~32 characters. On this occasion I remembered I converted from YaBB a very long time ago... sorry I did not remember this earlier. So the initial installation was YaBB. I just checked, and the conversion to SMF was done ~30 October 2011.

Arantor · August 11, 2024, 04:14:07 PM

The 32 character ones are MD5 based, the 40 character ones are SHA1 based, the longer ones are Bcrypt based.

If someone had your database, decrypting the 32 and 40 character ones would take little time at all. But that also assumes they have your database (which is fairly unlikely in practice)

Liviu Lalescu · August 11, 2024, 04:28:25 PM

Thank you for the explanations! Only HostGator until ~two years ago and Hosterion since then should have had access; I keep encrypted monthly backups on my hard drive.

I think the best would be to remove all the old MD5 and SHA1 ones. I might make a backup of the database and then try this. Hmm... ~3700 members... manually...

Sir Osis of Liver · August 11, 2024, 04:35:11 PM

Bear in mind if member email has been changed, they won't be able to reset password.

Liviu Lalescu · August 11, 2024, 04:44:03 PM

Actually, I thought of this. I prefer this (these very old users who did not login in a long time can email me), than to allow attackers to see their password (in hopes they did not see them until now).

Sir Osis of Liver · August 11, 2024, 04:55:01 PM

You might consider posting a message at top of forum (news fader) advising members that they may not be able to login or reset password due to security issue, and give them a link to contact you.

Liviu Lalescu · August 12, 2024, 02:05:17 AM

Indeed, I will try. But since they did not log in for many years, I doubt they will see it.

shawnb61 · August 12, 2024, 02:48:55 AM

That's why I change their passwords & put a 55% watch on them.

I suspect odds are lower that the email is compromised. Mainly because folks are probably prompted by their email provider to do password maintenance.

If they come back & do it again, on a post that requires approval, that's when we know their email is compromised. At that point, I'd ban or delete them.

News:

Cracker on my forum