Hacked

Started by chiefbutz, January 05, 2006, 03:10:20 PM


chiefbutz

My forum has been hacked, I don't know how, but it was. It displayed a message that said "This forum hack by ____". The blank was the person's screen name. I was on SMF 1.0.5. I am sorry, but I did not keep any of those files. I upgraded to 1.1 RC2, and overwrote the old files. Just wanted to let you guys know.

TheMaTrIx

Could you give us some details?

Did the message appear on a blank page that replaced your index.php?
Did the message appear on a blank page that, through some means, became your index?
Did the message appear on your forum with you being locked out of it?
Are your files still there?
Is your database ok?

chiefbutz

DB fine, files still there, it was on a white page, anything using the forum showed the message, that included SSI.php.

TheMaTrIx

Check your htaccess files.
If there's nothing in there changed, then get your host to check the server, because it's possible that the whole server is compromised.

There are a few worms going around that infect hosting servers and put htaccess files in all directories pointing to the "you're hacked" page.
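
Added example, not part of the original thread: a Python sketch of the .htaccess check suggested above, which walks a web root, flags directives that can change what a directory serves, and lists files modified after a cutoff time. The sample tree, the `defaced.html` name and the timestamps are constructed for illustration.

```python
import os
import re
import tempfile

# Apache directives that can replace or redirect what a directory serves.
SUSPECT = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule|ErrorDocument|DirectoryIndex)\b(.*)$",
    re.IGNORECASE)

def audit_htaccess(webroot, changed_since=None):
    """Walk webroot. Return (findings, recent): findings lists
    (path, line_no, directive, args) for suspect .htaccess lines; recent lists
    files whose mtime is at or after changed_since (epoch seconds)."""
    findings, recent = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if changed_since is not None and os.path.getmtime(path) >= changed_since:
                recent.append(path)
            if name != ".htaccess":
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    m = SUSPECT.match(line)
                    if m:
                        findings.append((path, no, m.group(1), m.group(2).strip()))
    return sorted(findings), sorted(recent)

def build_sample_tree(root, old=1_000_000, new=2_000_000):
    """Constructed sample tree: one untouched .htaccess, one planted .htaccess
    and an index.php, the last two stamped with the newer mtime."""
    sample = {
        ("forum", ".htaccess"): ("Options -Indexes\n", old),
        ("forum", "Sources", ".htaccess"):
            ("DirectoryIndex defaced.html\nErrorDocument 404 /defaced.html\n", new),
        ("forum", "index.php"): ("<?php // constructed sample\n", new),
    }
    for parts, (text, mtime) in sample.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings, recent = audit_htaccess(root, changed_since=1_500_000)
        for path, no, directive, args in findings:
            print(f"{path}:{no}: {directive} {args}")
        print("changed since cutoff:", *recent, sep="\n  ")
```

A flagged line is only a prompt to compare against a known-good copy, since legitimate sites use these directives too.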

chiefbutz

It works fine now, I just upgraded to SMF 1.1 RC2 and it worked. I bet the dude somehow edited the index file, and I didn't notice it when I looked at it.

TheMaTrIx

It's still important to find out how he did it.

Was it through a script injection?
Was it pointed at you or did other sites on that server get it too?
Did he just get in through FTP and upload a new index.php? (Even if this is unsure, I sure hope you changed all your passwords.)

Does anyone have a grudge against you? Is your password secure?

chiefbutz

It was only me, and I don't think it was through FTP, and yes all my passwords have been changed. I feel it was either an injection, or somehow done with the package manager.

alchemy

See if you can get a copy of the Apache or IIS log files.

Apache log files may show how they got in, if it was through SQL injection.

It would be useful to everyone running SMF if you could retrieve this, in case this is some unknown method... since there are no known exploits for 1.05.

If you can get those logs don't publish them out in the open... especially if it is a new method of SQL injection. I would be happy to look them over with you through PM, or ask one of the mods to look them over.



alchemy

Also be aware if you have Joomla, Mambo, Drupal or the like running "xmlrpc" there are many bots constantly probing for exploits in these programs.

My logs are filled with stuff like that.


Dannii

There are no known exploits in 1.0.5, so if you were hacked, it must have been through an insecure password, or through an insecure portal or something else that was integrated with SMF.
"Never imagine yourself not to be otherwise than what it might appear to others that what you were or might have been was not otherwise than what you had been would have appeared to them to be otherwise."

TheMaTrIx

Quote from: eldacar - January 05, 2006, 10:19:35 PM
There are no known exploits in 1.0.5, so if you were hacked, it must have been through an insecure password, or through an insecure portal or something else that was integrated with SMF.

Or as said earlier, an unknown exploit. Which I doubt, but I'd rather help this guy find out what exactly it was than having to wonder if it was an unknown exploit in SMF.

And if it was caused by the installation of a certain hack, that would also be good to know.

Don't be too fast with saying "we got no known exploits so it can't be our fault".

You can in no way be able to say that as "knowing" it to be right, you can only make an educated guess, while the possibility always exists.
There is always the possibility that there are unknown exploits. And as said earlier, I'd rather find out what exactly it was by researching the hack in question than having to go "HA, it WAS an exploit and you said it couldn't be!"


chiefbutz

I know how he got in, he did it again to my main site. He got in via FTP, that is the only way. He is only editing files. I have taken all precautions, and stuff.

TheMaTrIx

If he still accesses FTP, even with your new passwords, there is a possibility the FTP server's security allows for people to do directory traversals.

This is a common problem with badly configured FTP servers.

If you're sure that he can't guess or crack your new password (by say having one that's really long with random #@|é" kinda chars in it) your host better get their ass in gear and fix their FTP. Because then it's certain they have either a directory traversal hole or another security problem in their FTP software.

JayBachatero

If you are able to get the access log from around the time this happened email them to [email protected]. There are no known exploits in 1.0.5 but to make sure please email it there and provide more details unless you are 100% sure it was through FTP and if so you should contact your host ASAP.

-JayBachatero

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert

chiefbutz

I have, it was FTP that is the ONLY way that they got to 3 different places of my sites. I am sorry to raise the alarm everyone, my bad.

TheMaTrIx

No need to be sorry imho.

Better safe than sorry (and hacked)

Grudge

Indeed, please report any suspecious incidents.

PS - I can't spell :P
I'm only a half geek really...

chiefbutz

Yep, I will.. but I hope I never get anymore!

P.S. Don't worry I can't spell either. Failed all but like 2 of my elemntry school spellign tests, and if we didn't have spell check no one oculd ever read what I write. PLus I type too fast, that doesn't help. (I ever had to install a spellchecker into firefox)

TheMaTrIx

It doesn't work XD  hahahahaha

I'm a bit dyslectic myself and also type way to fast and am to lazy to fix any mistakes (which is hell when you do any coding  :P)

The fact I speak and write a douzen languages and understand even more doesn't really help either. My mothertongue is dutch, but I'm actualy better at writing english then dutch ...
