
someone's hacking into admin

Started by LadyC, June 18, 2006, 10:53:15 PM


LadyC

one of the members of our site seems to have been targeted by someone from a board they used to belong to. the 'someone' is very computer literate, and seems to have figured out how to hack into our administrative panel, or hack into SOMETHING, to change the one member's name. (that member is an administrator, by the way.)

so there's a couple of issues i have to ask about... 1) any ideas how this is being done and when a security update will come out that might prevent that? 2) is there any way to track the ip number (and ban it) of the culprit?

i've looked through the error log files. i've looked thru the moderator log files. i can't find anything that might help me put a stop to this, nor anything that i could use as proof of who is doing it, although there is no doubt in my mind who it is.

if i run the patch to upgrade this to the RC2, would it provide better security without messing up anything on my board? (i'm currently running 1.0.7)

sawz

107 is the latest stable release, so i don't think there are any security issues with that release.

do you have any mods installed?

remove your friend's admin privilege and change their password for starters.

let us know about the mods please.
keep smiling, they'll always wonder what you're up to.....

LadyC

nope, no mods, and passwords have been changed twice already. :(

kegobeer

Have you examined your server access logs?  If not, look for odd ip addresses and anything out of the ordinary.  You should also do a thorough scan of all of the files on your server and remove any files that do not belong to SMF (like rar files, odd php files, etc).

Do you have any other php applications on your server?  It's possible this person has used another application's exploits to gain access to your server.  It's also possible this person guessed your admin's password, and then created another user with admin rights.  All administrators should change their passwords.
"The truth of the matter is that you always know the right thing to do. The hard part is doing it." - Norman Schwarzkopf
Posting and you (Click "WATCH THIS MOVIE")
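
Added example (not part of any post in this thread): one way to carry out the access-log review suggested above, listing every IP address outside a known-admin list that requested login, profile-save or admin URLs. It assumes the server writes Apache "combined" format logs; the action names in `SENSITIVE`, the known-admin address and the sample lines are assumptions constructed for illustration and should be adjusted to the board being checked.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed; check your server's LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: forum actions worth reviewing (login submit, profile save,
# admin area). Edit this list to match the URLs your board really uses.
SENSITIVE = re.compile(r'[?&;]action=(admin|profile2?|login2)\b', re.I)


def suspicious_requests(lines, known_admin_ips):
    """Return {ip: [(timestamp, method, url, status), ...]} for requests to
    sensitive forum actions made from addresses not in known_admin_ips."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-combined line, skip it
        if m['ip'] in known_admin_ips:
            continue  # an address the admins recognise as their own
        if SENSITIVE.search(m['url']):
            hits[m['ip']].append(
                (m['ts'], m['method'], m['url'], int(m['status'])))
    return dict(hits)


# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE = [
    '198.51.100.20 - - [17/Jun/2006:21:40:02 -0500] "GET /forum/index.php?action=admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jun/2006:22:01:10 -0500] "POST /forum/index.php?action=login2 HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jun/2006:22:03:44 -0500] "POST /forum/index.php?action=profile2 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [17/Jun/2006:22:05:00 -0500] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == '__main__':
    report = suspicious_requests(SAMPLE, known_admin_ips={'198.51.100.20'})
    for ip, reqs in sorted(report.items(), key=lambda kv: -len(kv[1])):
        print(ip, len(reqs), 'sensitive request(s)')
        for ts, method, url, status in reqs:
            print('   ', ts, method, url, status)
```

The timestamps in the output can be compared against the time the member's name was changed to narrow down which address made the change.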

LadyC

i had suggested all admins change passwords, but i don't know if all of them did or not. i'll ask them all to do so again. it did seem to thwart the hacker for a couple of weeks last time, and then it started up again this weekend.

as for the server access log, i'm glad you brought that up! i filled out the report form somewhere on this site last night and it asked for the server access log.... i don't even know where to find that! i went thru my c-panel on the server and couldn't figure out what i was supposed to be looking for. the report form also asked for the url to the phpinfo file. i don't know where to find that either!

at this point the only other php application running is one called g-cards.

kegobeer

It could be this person guessed a password to gain access.  Did you change your cPanel, MySQL, and other server passwords when you changed SMF passwords?  When you change MySQL passwords, edit Settings.php to reflect the new password.  It's also a good idea not to use your main MySQL user; you should create another MySQL user with the necessary permissions.  If they do guess the password, it won't be the same as your cPanel and that will allow you another level of protection.
