  1. #1
    boiler up blackdog | Join Date: Jul 2002 | Location: Purdue | Posts: 1,181

    forum hacked, have attackers IP, now what?

    So a few hours ago I got the email you get when you click the forgot password link on my forum for my admin account. 3 minutes later I got the following email:
    > Hi there,
    > I'm Silvery hat hacker, A free security tester for websites in the
    > Internet. Latey, I took a visit by your website
    > http://*********.com and I found out it has a very dangerous
    > bug which may ruin your board and all your hard work.
    >
    > It's a SSI.php vulnerability allows an attacker steal your password
    > and have total access to Admin CP. Please contact me as soon as
    > possible if you think this is important.
    > And your current password for the account "*********" is "test"
    > Regard,
    He also left a message embedded in the forum's footer announcing that the silvery hat hacker had found a security flaw. What the idiot may not have realized is that when he hit the forgot password link, it emailed me his IP.

    So now what do I do? I searched for "silvery hat hacker" on Google and a lot of the stuff that came up seemed to be from Vietnam. But the IP is in Maryland. I'm not sure what to do about this. Last time I had a site hacked I called the local police and they did just about nothing except take down my complaint and tell me there was nothing they could do.

  2. #2
    Non-Member Dan | Join Date: Feb 2005 | Posts: 921

    Contact his ISP provider and make a complaint? Tell your webhost?

    I'm sure this has been asked many times before, so try using the search bar =)

  3. #3
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    Umm, if he helped you out why would you call the police? Be thankful that he wasn't malicious, did no damage and reported the hole to you. He's not a criminal.

    Chances are he used a proxy or something similar, at least I would.

  4. #4
    SitePoint Enthusiast Durinthiam | Join Date: Jan 2005 | Location: www.raidshout.com | Posts: 87

    Step 1: Fix flaw
    Step 2: Change password
    Step 3: Tell everyone on forums to change their passwords
    Step 4: Email creators of the forum script and tell them about the flaw
    Step 5: Thank the guy for not being malicious, and for pointing out the flaw

    Job done. A "hacker" isn't always bad; it's just the kiddies who run around being a "hacker" after reading some forum article or ebook that tar the name of the rest, who genuinely are White Hats, and seek out security flaws and announce them so they can be fixed.

    White hat describes a hacker (or, if you prefer, cracker) who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that will allow the system's owners to fix the breach before it can be taken advantage of by others (such as black hat hackers). Methods of telling the owners about it range from a simple phone call through sending an e-mail note to a Webmaster or administrator all the way to leaving an electronic "calling card" in the system that makes it obvious that security has been breached.

    While white hat hacking is a hobby for some, others provide their services for a fee. Thus, a white hat hacker may work as a consultant or be a permanent employee on a company's payroll. A good many white hat hackers are former black hat hackers.
    Black hat is used to describe a hacker (or, if you prefer, cracker) who breaks into a computer system or network with malicious intent. Unlike a white hat hacker, the black hat hacker takes advantage of the break-in, perhaps destroying files or stealing data for some future purpose. The black hat hacker may also make the exploit known to other hackers and/or the public without notifying the victim. This gives others the opportunity to exploit the vulnerability before the organization is able to secure it.

  5. #5
    SitePoint Addict DA Master | Join Date: Apr 2004 | Location: /etc/php.ini | Posts: 398

    I agree Durinthiam, do what you have said there, if users don't change their password then it's their fault not yours, you have told them to change it.

    Script Kiddies are idiots, like you say, they read books and articles and think they have done the work, all they are doing is exploiting it, remember someone had to find it, these are the real hackers.

  6. #6
    SitePoint Zealot ablueman | Join Date: Jun 2005 | Posts: 178

    Originally posted by DA Master:
    > I agree Durinthiam, do what you have said there, if users don't change their password then it's their fault not yours, you have told them to change it.
    >
    > Script Kiddies are idiots, like you say, they read books and articles and think they have done the work, all they are doing is exploiting it, remember someone had to find it, these are the real hackers.

    I hope I get hacked when I finish my site. Seriously, if they aren't malicious they are protecting you from the malicious ones by letting you know. Don't give them a hard time.

    If they are malicious speak with their ISP's abuse or AUP team; don't assume that the IP you have is the correct IP though. As said already it could be an open proxy that needs correcting. If it is an open proxy, they may have logs and you may be able to get the real IP; however, this may be something you have to ask the ISP nicely to do for you as they may not want to disclose the customer's details due to the Data Protection Act. They may contact the customer on your behalf however. The only way round this data protection problem is to get the police involved. Another point is that he could have a dynamic IP which makes it more difficult to trace.

    Seriously speaking though, if malicious damage was done the police are the right course. They should contact the ISP and find out who it was and deal with them as a matter of law.

    If no malicious damage has been done though, I think you would have a hard time pressing charges even if you could find out who he is.

    Which is why securing the services you provide is so important.

    Learn from it and move on will be your best bet.

    (I work for an ISP so whilst this may not all be 100% accurate I believe it is true. (And in no way is this the opinion of who I work for.))

  7. #7
    boiler up blackdog | Join Date: Jul 2002 | Location: Purdue | Posts: 1,181

    What I don't get is, if he's trying to help me, why did he announce that there was a vulnerability in the script in the footer of my forum? He even mentioned what file the flaw is in... If a hacker saw that, it would be the easiest hack they ever did!

  8. #8
    SitePoint Enthusiast Durinthiam | Join Date: Jan 2005 | Location: www.raidshout.com | Posts: 87

    Trust me, when an exploit is found in a system, program or script, the White Hat normally notifies the owner of the site in some form; then after about 24 hours, that exploit will be on every major (and minor) hacking forum, giving the script kiddies time to play before the scriptwriters release a bug-fix or owners of sites running the scripts fix the flaw themselves.

    Do as I said above and you'll be fine.

  9. #9
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    > What I don't get is, if he's trying to help me, why did he announce that there was a vulnerability in the script in the footer of my forum? He even mentioned what file the flaw is in... If a hacker saw that, it would be the easiest hack they ever did!

    If he was trying to harm you he would have gone to a seedy message board and posted the vulnerability, or a private mailing list, and then you would have had 20-30 people exploiting the hole and not telling you about it, instead of one telling you about it.

  10. #10
    Prolific Blogger Technosailor | Join Date: Jun 2001 | Location: Before These Crowded Streets | Posts: 9,446

    Originally posted by blackdog:
    > But the IP is in Maryland.

    It wasn't me, I swear...
    Aaron Brazell
    Technosailor



  11. #11
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    Hmm... the NSA is also in Maryland...

  12. #12
    Prolific Blogger Technosailor | Join Date: Jun 2001 | Location: Before These Crowded Streets | Posts: 9,446

    And we know the NSA specializes in hacking other people's websites... :\ It's a bit far-fetched, don't you think?
    Aaron Brazell
    Technosailor



  13. #13
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    hmm...well..kinda.

  14. #14
    ::==:: Bonzo_CS | Join Date: Dec 2003 | Location: (Cardiff Wales) | Posts: 747

    As said above, the white hat helping out like that is a stroke of luck. Understandably you feel that he has intruded on your system, but be thankful. Imagine that he didn't notify you, brought down your forum or exploited your server resulting in cost? To have someone tell you about a flaw and offer further help without any mention of a charge is a stroke of luck which may save your forum. That type of advice would have cost you if you employed someone to check for holes.


    I'd follow the advice of Durinthiam

    Actually I'd love to have the guy's contact so he could test the security on my stuff.



  15. #15
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    I'd be more than willing to test your stuff for you, I'm in the process of obtaining insurance for an LLC that does web based application pen testing with a partner of mine.

  16. #16
    SitePoint Addict | Join Date: Oct 2004 | Location: Brooklyn, NY | Posts: 359

    Be careful with quick, irrational judgments. This isn't the first time I've seen someone quickly categorized as an attacker. Many experts who engage in exploratory research are dissuaded by such accounts, and when this happens, we all lose.

    In this case, it seems that the notification you have received is an automated response, so the individual operating the tool isn't necessarily benevolent, but neither is this individual necessarily malicious. It's debatable whether notifying the users of a security vulnerability is ethical, but in many cases, I think it is the responsible thing to do. After all, the users are likely victims, and they have a right to know when the software they are using has a vulnerability. Of course, the level of detail provided in the notification should be slight enough to not compound the problem.

    I agree with those who have recommended that you fix the vulnerability. This should be your primary focus.
    Chris Shiflett
    http://shiflett.org/

  17. #17
    SitePoint Member | Join Date: Dec 2004 | Location: Anyoona | Posts: 9

    If you are using some kind of free script to run your forum, you're not safe. Invest in IPB or vBulletin. Guess why nearly ALL major sites running a forum use either IPB or vBulletin...

    BTW: which forum script are you using? I hope you're not using phpBB...


  18. #18
    SitePoint Addict | Join Date: Oct 2004 | Location: Brooklyn, NY | Posts: 359

    Originally posted by Dragonchaser:
    > If you are using some kind of free script to run your forum, you're not safe.

    This is a silly, subjective statement. You should at least try to substantiate your opinion if you want anyone to consider it credible.
    Chris Shiflett
    http://shiflett.org/

  19. #19
    boiler up blackdog | Join Date: Jul 2002 | Location: Purdue | Posts: 1,181

    Originally posted by Dragonchaser:
    > If you are using some kind of free script to run your forum, you're not safe. Invest in IPB or vBulletin. Guess why nearly ALL major sites running a forum use either IPB or vBulletin...
    >
    > BTW: which forum script are you using? I hope you're not using phpBB...

    It's IPB, but not the most recent version.

    At first I wasn't sure whether this guy was trying to help or what... but I removed his little warning from the bottom of my forum and changed my password, and the guy did it again. And this time he didn't send me an email to tell me what my password had been changed to. I just assumed he might have changed it to the same thing he did last time, and I was correct. That really got on my nerves.

  20. #20
    SitePoint Enthusiast Durinthiam | Join Date: Jan 2005 | Location: www.raidshout.com | Posts: 87

    Originally posted by Durinthiam:
    > Step 1: Fix flaw
    > Step 2: Change password
    > Step 3: Tell everyone on forums to change their passwords
    > Step 4: Email creators of the forum script and tell them about the flaw
    > Step 5: Thank the guy for not being malicious, and for pointing out the flaw

    Don't go jumping steps, fix the flaw FIRST.

  21. #21
    SitePoint Addict DA Master | Join Date: Apr 2004 | Location: /etc/php.ini | Posts: 398

    Originally posted by ablueman:
    > I hope I get hacked when I finish my site. Seriously, if they aren't malicious they are protecting you from the malicious ones by letting you know. Don't give them a hard time.
    >
    > If they are malicious speak with their ISP's abuse or AUP team; don't assume that the IP you have is the correct IP though. As said already it could be an open proxy that needs correcting. If it is an open proxy, they may have logs and you may be able to get the real IP; however, this may be something you have to ask the ISP nicely to do for you as they may not want to disclose the customer's details due to the Data Protection Act. They may contact the customer on your behalf however. The only way round this data protection problem is to get the police involved. Another point is that he could have a dynamic IP which makes it more difficult to trace.
    >
    > Seriously speaking though, if malicious damage was done the police are the right course. They should contact the ISP and find out who it was and deal with them as a matter of law.
    >
    > If no malicious damage has been done though, I think you would have a hard time pressing charges even if you could find out who he is.
    >
    > Which is why securing the services you provide is so important.
    >
    > Learn from it and move on will be your best bet.
    >
    > (I work for an ISP so whilst this may not all be 100% accurate I believe it is true. (And in no way is this the opinion of who I work for.))

    Do you not think that a script kiddie is more likely to be malicious though? They think they own the world. Someone who is trained to do this, and for whom it is maybe their job, and people who find exploits will be more likely to notify you of any holes.

  22. #22
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    > the guy did it again

    How are you sure it's the same guy? Did you compare IP addresses?

  23. #23
    SitePoint Addict DA Master | Join Date: Apr 2004 | Location: /etc/php.ini | Posts: 398

    True, could be the same ISP, meaning the same subnet mask, although it could be a different person.

  24. #24
    boiler up blackdog | Join Date: Jul 2002 | Location: Purdue | Posts: 1,181

    Originally posted by Andrewaclt:
    > How are you sure it's the same guy? Did you compare IP addresses?

    Yeah. And he left the same message in the footer of my forum. And he changed the admin password to the same thing as last time.
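
Added example, not part of the thread and not written by any poster: one way to do the IP comparison discussed above against the web server's access log, and to produce UTC-stamped evidence lines for an ISP abuse desk. The log lines are constructed, the IPs are documentation ranges, and the dates and request paths are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in Apache/nginx "combined" format. IPs are documentation
# ranges; dates and request paths are assumptions, not taken from the thread.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Jul/2005:18:02:11 -0400] "GET /forum/index.php?act=lostpass HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Jul/2005:18:03:40 -0400] "GET /forum/ssi.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jul/2005:18:04:02 -0400] "GET /forum/index.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Jul/2005:18:05:19 -0400] "POST /forum/admin.php HTTP/1.1" 200 1033 "-" "Mozilla/4.0"
203.0.113.45 - - [13/Jul/2005:09:41:07 -0400] "GET /forum/ssi.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
192.0.2.99 - - [13/Jul/2005:09:50:00 -0400] "GET /forum/ssi.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (ip, utc_time, method, path, status); skip unparseable lines."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield ip, when, method, path, int(status)

def requests_by_ip(log_text, ip):
    """Everything one address did, in time order."""
    return sorted(r[1:] for r in parse(log_text) if r[0] == ip)

def ips_touching(log_text, fragment):
    """Hits per address on paths containing `fragment` (case-insensitive).
    More than one address here means the same IP alone does not prove
    the same person; compare user agents and timing as well."""
    return Counter(r[0] for r in parse(log_text) if fragment.lower() in r[3].lower())

def abuse_report(log_text, ip):
    """UTC-stamped evidence lines. Exact times matter because a dynamic or
    proxied address maps to one customer only at a given moment."""
    return [f"{when:%Y-%m-%d %H:%M:%S} UTC  {ip}  {method} {path}  -> {status}"
            for when, method, path, status in requests_by_ip(log_text, ip)]

if __name__ == "__main__":
    print(dict(ips_touching(SAMPLE_LOG, "SSI.php")))
    print("\n".join(abuse_report(SAMPLE_LOG, "203.0.113.45")))
```
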

  25. #25
    SitePoint Evangelist Andrewaclt | Join Date: Dec 2003 | Location: Raleigh, NC | Posts: 535

    In that case, I'd be ticked off too. Send him an email saying he crossed the lines. You are working on fixing it, make sure he knows this.

