  1. #1
    SitePoint Addict
    Join Date
    Aug 2006
    Posts
    288

    Hacked! How much access do they have?

    Hello,

    A website that I have and uses an older version of SMF forum has been hacked.

    The hacker modified a file on my server. What does that mean? Do they have FTP, database and cPanel passwords? Or could they accomplish such a thing without gaining such access?

    Thank you

  2. #2
    SitePoint Evangelist
    Join Date
    May 2006
    Location
    Denmark
    Posts
    407
    That happened to a site I administrate a while ago as well, through a security hole in SMF. They uploaded a file that allowed them to run commands in the shell. Check that there are no files that shouldn't be there. The one on our server was located in the themes folder masquerading as an additional theme.

    Nevertheless, I'd probably change all my passwords just to be sure that's not how.

    Don't bother notifying SMF. They basically told us that it was our own problem and they didn't really bother with it at all.

    Edit: They did it through an RFI vulnerability. To my knowledge, that hole hasn't been fixed.

  3. #3
    SitePoint Addict
    Join Date
    Aug 2006
    Posts
    288
    Thanks Daniel,

    So do you think they would need FTP access in order to make modifications to files?

    I compared the code of all files with an older backup and only one file was changed adding some redirection to some porn site.

    I removed that code and changed the passwords. Now I am in the process of upgrading SMF to the later version. But if what you say is true, and the vulnerability is still there, then I guess nothing can stop them from using it again...

    Maybe my case is a bit different since it was an older version of SMF and the vulnerability was one that is now fixed ...

  4. #4
    SitePoint Evangelist
    Join Date
    May 2006
    Location
    Denmark
    Posts
    407
    I don't know if it's the same vulnerability or if it happened the same way. Our fix was adding something like this:
    Code:
    RewriteEngine On
    # Flag any request whose query string carries a URL (the usual RFI payload)
    RewriteCond %{QUERY_STRING} (http|https|ftp):// [NC]
    RewriteRule .* - [E=badbot:1]
    CustomLog /var/log/badbots.log combined env=badbot
    Deny from env=badbot
    to httpd.conf on the server. That log file gets a lot of entries each day, by the way. People will simply get a 403 and get logged if they try an RFI attack. Periodically we run a script that puts IPs which appear in that log file 5+ times in /etc/hosts.deny. All incoming connections from those IPs will then be completely dropped. If you just want to return a 403 on RFI attempts then you can just do:
    Code:
    RewriteCond %{QUERY_STRING} (http|https|ftp):// [NC]
    RewriteRule .* - [F]
    Nevertheless, seeing as you have changed all your passwords, if it happens again then it must be a vulnerability in SMF.

    You should also not just check what was changed, but also if additional files have been added. What you'll be looking for is some kind of rootkit or PHP shell.
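The log-to-hosts.deny step this post describes, as an added example that is not the poster's script: it reads Apache combined-format lines from the badbots log (a constructed sample is embedded), counts flagged requests per client IP, and emits hosts.deny entries for addresses seen 5 or more times that are not already listed. The function names, the threshold constant and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import Counter

THRESHOLD = 5  # the post's rule: 5 or more flagged requests gets an IP denied

# The client address is the first field of Apache's "combined" log format
CLIENT_RE = re.compile(r"^(\S+) \S+ \S+ \[")


def count_clients(log_lines):
    """Count flagged requests per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_lines:
        m = CLIENT_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_hosts_deny(text):
    """IPs already listed as 'ALL: <ip>' in hosts.deny, so they are not appended twice."""
    return {m.group(1) for m in re.finditer(r"^ALL:\s*(\S+)\s*$", text, re.M)}


def ips_to_deny(log_lines, hosts_deny_text="", threshold=THRESHOLD):
    """IPs that reached the threshold and are not yet denied, sorted."""
    already = parse_hosts_deny(hosts_deny_text)
    counts = count_clients(log_lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in already)


def hosts_deny_lines(ips):
    """Render tcp_wrappers entries; 'ALL:' covers every service that consults hosts.deny."""
    return [f"ALL: {ip}" for ip in ips]


# Constructed badbots.log sample (combined format); not taken from the thread.
def _entries(ip, n):
    return [f'{ip} - - [10/Oct/2008:13:55:{i:02d} +0000] '
            f'"GET /index.php?page=http://example.invalid/x.txt HTTP/1.1" 403 202 "-" "Mozilla/4.0"'
            for i in range(n)]


SAMPLE_LOG = _entries("203.0.113.7", 6) + _entries("198.51.100.4", 2) + _entries("192.0.2.9", 5) + ["garbage line"]
SAMPLE_HOSTS_DENY = "# existing entries\nALL: 192.0.2.9\n"

if __name__ == "__main__":
    for line in hosts_deny_lines(ips_to_deny(SAMPLE_LOG, SAMPLE_HOSTS_DENY)):
        print(line)  # append these lines to /etc/hosts.deny
```

hosts.deny only affects services built against tcp_wrappers, so entries produced this way block wrapped daemons rather than every incoming packet; a firewall rule is needed for the latter.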

  5. #5
    SitePoint Addict
    Join Date
    Aug 2006
    Posts
    288
    Thanks. No file seems to be added. Just that one file modified.
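One way to do the check posts #3 to #5 describe, comparing the live site tree with a known-good backup and reporting added files as well as modified ones, as an added example that is not code from the thread. The SMF-like layout, the `Themes` path and the fixture contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(backup_dir, live_dir):
    """Added, modified and removed files in live_dir relative to the backup."""
    old, new = tree_digests(backup_dir), tree_digests(live_dir)
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
        "removed": sorted(set(old) - set(new)),
    }


def suspicious_additions(report, exts=(".php", ".phtml", ".php5")):
    """Added files the web server would execute: the first place to look for a dropped shell."""
    return [p for p in report["added"] if p.lower().endswith(exts)]


def build_fixture(base):
    """Constructed sample (hypothetical SMF-like layout): a backup plus a live copy
    with one altered file and one extra PHP file hiding among the themes."""
    base = Path(base)
    files = {"index.php": "<?php // forum front controller ?>",
             "Themes/default/index.template.php": "<?php // theme template ?>"}
    for name in ("backup", "live"):
        for rel, body in files.items():
            path = base / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    (base / "live" / "index.php").write_text("<?php // altered: injected code ?>")
    extra = base / "live" / "Themes" / "extra" / "theme.php"
    extra.parent.mkdir(parents=True)
    extra.write_text("<?php // file that is not in the backup ?>")
    return base / "backup", base / "live"


def demo():
    """Run the comparison on the constructed fixture and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_trees(*build_fixture(tmp))
        report["suspicious"] = suspicious_additions(report)
        return report
```

Run `compare_trees("/path/to/backup", "/path/to/live")` against real directories; `demo()` shows the expected shape of the report on the fixture.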

    I have now upgraded to 1.1.5 and changed all passwords. I hope it will be ok!

  6. #6
    SitePoint Member
    Join Date
    Jul 2007
    Posts
    19
    Quote Originally Posted by Zoom123:
    Thanks Daniel,

    So do you think they should have FTP access in order to make modification in files?

    I compared the code of all files with an older backup and only one file was changed adding some redirection to some porn site.

    I removed that code and changed the passwords. Now I am in the process of upgrading SMF to the later version. But if what you say is true, and the vulnerability is still there, then I guess nothing can stop them from using it again...

    Maybe my case is a bit different since it was an older version of SMF and the vulnerability was one that it is now fixed ...
    They may not need FTP access to modify files. There are a number of vulnerabilities which may allow them to directly modify files through a PHP script or even upload another PHP script that can do it.

    That being said, still a good idea to change your passwords after a compromise like this.

  7. #7
    SitePoint Zealot
    Join Date
    Jun 2008
    Posts
    126
    Quote Originally Posted by Zoom123:
    I have now upgraded to 1.1.5 and changed all passwords. I hope it will be ok!
    According to Secunia, and according to a statement I recently saw from someone at SMF, SMF 1.1.5 currently has no unpatched vulnerabilities, but there is a shoutbox mod for it that has a vulnerability. http://secunia.com/advisories/search...machines+forum

    It is good to block requests that have a "protocol" in the query string, as shown in another post here.

    If the attack on your site was a run of the mill "drive-by" RFI attack, they would not have gotten FTP or cPanel access. Your database password is contained in a plain text file on your site, so they could have got that, and you should change it. Best to change all passwords as a precaution, including email passwords.

    Upgrading SMF was the most important step you took. Blocking RFI attacks in .htaccess would be the best additional step.

    Some RFI attacks do use FTP transfers, which would show up in your FTP log. However, those transfers are initiated by the RFI'd PHP script, not from the outside, so it does not mean they got your FTP password.

  8. #8
    SitePoint Zealot
    Join Date
    Jun 2008
    Location
    Australia
    Posts
    164
    The best way is to have a backup of the website and store all the files on your local server. When you think that you have been hacked, you should delete all the files on the server and upload the backup....

    The other thing is that you should regularly change your password...

  9. #9
    SitePoint Addict
    Join Date
    Aug 2006
    Posts
    288
    Thank you guys. I have made backups of files and database, upgraded to latest version and changed all passwords. Hope it will be ok.

    So I should now put these lines in my .htaccess:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} (http|https|ftp):// [NC]
    RewriteRule .* - [F]

