somebody hacked my forum?

pandaa said:
As always, there are some things you can do to help remedy these attacks.

  • Run an antivirus and an anti-malware scanner on your computer.
  • Change your password to cPanel, FTP, forum/blog account, and any associated emails.
  • Search your filesystem for any out of place files (especially PHP files)
  • Contact your host and ask if any modules or system packages are out of date, and ask them to upgrade them if necessary.
  • Check the CHMOD permissions of your filesystem; there's no need to allow access to core files AT ALL. For example, in MyBB, you can put a 'deny from all' in the /inc/ directory with no side effects.
  • Check your templates and default files for malicious content. Most software has tools for this.
  • NEVER allow an unprotected admin directory.
  • Be wary when signing up to new websites, I wouldn't be surprised if that's how this user is harvesting passwords.

Sorry to hear that this is happening. I tried emailing ProXPN a few days back (the proxy this user is using), but I received no reply.

Thanks for the tips. I believe I have done all of that. This guy apparently modifies your unused template files, so delete anything that you don't use! Check: sort the files by the last modified date. First I thought it was an FTP breach, so I submitted a ticket to GoDaddy and changed the FTP password. Then I realized this guy got into the ACP. Is there a standard way to crack a forum admin's password, or to somehow bypass it and get authenticated into the ACP?

-- 04 Apr 2013, 03:47 --

iPhonefreak said:
He just hacked my forum once again!

He said "I have had my fun here. See ya"

Which forum is he hacking?
 
When we were looking through the server files, he had something in there that wrote to it every time I logged into my forum with my password.

Promotiontime.net
 
OK. Maybe you shouldn't say your forum has been hacked again. Just say it's under maintenance. This sucks, man.
 
I don't want to lie to our members.

What intrigues him to do it is when we take the page down.
 
Well, hope you recover soon. I'm definitely late for my homework tonight....
 
They probably DDoS you or use a Sentry MBA config with a vulnerable site link to hack into it. It's not that hard. It sucks your site was hit, mate.
 
Good news: "I have identified the user and terminated his account."

ProxPN has very nice and good support! Hopefully I killed him, but he can create a new one in a minute.

-- Wed Apr 03, 2013 11:06 pm --

fa5_r said:
Well, hope you recover soon. I'm definitely late for my homework tonight....

We've been hit 7 times, we can recover very quickly now. 🙂
 
I don't think it was DDoS. My website would've been down completely or unreachable. Funny thing was, before he changed my forum index completely, I was on the forum at the same time and noticed some upload and submit buttons in the top left corner. I was confused, as I never touch there. I went to the overall header and removed the code, then watched some YouTube. When I came back, the index page was swapped completely... I was like, wth is going on, lol. I still have a copy of his files and the modified files archived for future analysis.

He just changed some files and potentially left some backdoor for a future attack. I'm gonna see what GoDaddy says about this once I get an answer back from the support ticket. I thought it was a breach in FTP, but probably he just hacked my forum admin password somehow and got into the ACP. I just need to figure out how he got in there.

-- 04 Apr 2013, 04:16 --

BTW, I'm thinking about playing with the security settings in the ACP like
Check IP against DNS Blackhole List:
Maximum number of login attempts per IP address:
and some other stuff and see if it will be more secure.
 
Sorry to hear you have been hit, all I can suggest at this moment is keep your forum backed up at all times so you don't lose a lot of data. Contact your host if you feel your cPanel still has files which makes him able to log in again and try and find out who this guy is and rip him to pieces.
 
It's got to the stage where I'm just wondering who's going to be hit next. Making sure I have very frequent backups of everything now.
 
Is there a way to lock template modification in the ACP on phpBB?

-- 04 Apr 2013, 15:44 --

Forgot to mention that the first sign of attack was that he added upload and submit buttons on the top of the index page, where I suppose he can upload a file from a local directory and submit it to wherever it's going. I first noticed that and changed the index page back to how it was, so I don't have a copy of that code. I do have the complete code of his own index page, which consists of a paragraph and a Hitler video.
 
This seems a premeditated attack, rather than a random one.

If we take a look at the forums that have been attacked, maybe we could work out how this is happening (e.g. a malicious plugin) and what forum he is planning to strike next.

If you would PM me a list of all plugins you were using, what theme and the host you were using, maybe I could help.
 
iPhonefreak said:
We have determined the cause of our hackings.

Brute Force password cracking.
How did they manage to get a copy of the hashes and salts?
 
iPhonefreak said:
Brute Force password cracking

That has to be the method. I knew he somehow got my admin password 'cause it was weak. I doubt he got my FTP access.

-- 05 Apr 2013, 00:00 --

Most likely he got into my phpBB ACP and modified the template file from there. I could easily crack the same password on Windows too. It was my fault for using that password. I did not expect that someone would hack a new forum.
 
Like pandaa said, how would they get a copy of the hashes & salts? Just to upload an index page? You don't need ACP access for that.
 
Not sure at all. That's just the info I heard.

But I have noticed something. On the night we had our first hack, it's like he inserted a code into our index template in our ACP. Then it's like once we logged in, it sent the data to him. That could be what he meant by "10 forum promotion site feeding him".

Here's the code, may be nothing but I know none of us put that in there and once that was removed our index went back to normal (images were missing):

<!-- IF SCRIPT_NAME neq 'index' -->
<div class="breadcrumbs">
<a href="{U_INDEX}">{L_INDEX}</a>
<!-- IF SCRIPT_NAME eq 'viewforum' or SCRIPT_NAME eq 'viewtopic' or SCRIPT_NAME eq 'faq' or SCRIPT_NAME eq 'search' or SCRIPT_NAME eq 'ucp' or SCRIPT_NAME eq 'memberlist' or SCRIPT_NAME eq 'mcp' or SCRIPT_NAME eq 'posting' or SCRIPT_NAME eq 'report' -->
<!-- BEGIN navlinks -->
<!-- IF SCRIPT_NAME neq 'posting' and SCRIPT_NAME neq 'report' -->
<strong>&#8249;</strong> <a href="{navlinks.U_VIEW_FORUM}">{navlinks.FORUM_NAME}</a>
<!-- ENDIF -->
<!-- END navlinks -->

<!-- IF SCRIPT_NAME eq 'viewtopic' -->
<strong>&#8249;</strong> {TOPIC_TITLE}
<!-- ELSEIF SCRIPT_NAME eq 'faq' -->
<strong>&#8249;</strong> {L_FAQ}
<!-- ELSEIF SCRIPT_NAME eq 'search' -->
<strong>&#8249;</strong> {L_SEARCH}
<!-- ELSEIF SCRIPT_NAME eq 'ucp' -->
<strong>&#8249;</strong> {L_PROFILE}
<!-- ELSEIF SCRIPT_NAME eq 'memberlist' -->
<strong>&#8249;</strong> {L_MEMBERLIST}
<!-- ELSEIF SCRIPT_NAME eq 'mcp' -->
<strong>&#8249;</strong> {L_MCP}
<!-- ELSEIF SCRIPT_NAME eq 'posting' -->
<strong>&#8249;</strong> {L_POST}
<!-- ELSEIF SCRIPT_NAME eq 'report' -->
<strong>&#8249;</strong> {L_REPORTING_POST}
<!-- ENDIF -->
<!-- ENDIF -->
</div>
<!-- ENDIF -->
 
I'm not experienced in PHP coding, but I don't see anything in that code that 'sends' the data to them, so it may be another file.
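
The template check suggested earlier in the thread, as an added example that is not part of any post: a Python sketch that flags upload inputs, forms or scripts pointing at another host, and PHP directives in phpBB-style templates, and lists affected files with the most recently modified first. The rule set, the function names and the tampered sample are constructed for this example.

```python
import os
import re

# Heuristic rules written for this example (not a phpBB tool). Stock styles
# reference local paths through template variables, so absolute URLs stand out.
RULES = [
    ("file-upload input", re.compile(r"<input[^>]*type\s*=\s*['\"]?file", re.I)),
    ("form posting to another host",
     re.compile(r"<form[^>]*action\s*=\s*['\"]?(?:https?:)?//", re.I)),
    ("externally hosted script or frame",
     re.compile(r"<(?:script|iframe)[^>]*src\s*=\s*['\"]?(?:https?:)?//", re.I)),
    ("PHP directive in template",
     re.compile(r"<!--\s*(?:PHP|INCLUDEPHP)\b|<\?php", re.I)),
]

def audit_template(text):
    """Return (line_number, rule_name) for every line matching a rule."""
    return [(n, name)
            for n, line in enumerate(text.splitlines(), 1)
            for name, rx in RULES if rx.search(line)]

def audit_tree(root):
    """Scan *.html under root; return (mtime, path, hits), newest change first."""
    report = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".html"):
                continue
            path = os.path.join(folder, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_template(fh.read())
            if hits:
                report.append((os.path.getmtime(path), path, hits))
    return sorted(report, reverse=True)

# Constructed sample: a header with the kind of upload form described in the thread.
TAMPERED = """<div id="page-header">
<form action="http://collector.example/up.php" method="post" enctype="multipart/form-data">
<input type="file" name="f"> <input type="submit" value="Submit">
</form>
<!-- INCLUDEPHP extra.php -->
"""
# Opening lines of the breadcrumb block posted in the thread.
POSTED = """<!-- IF SCRIPT_NAME neq 'index' -->
<div class="breadcrumbs">
<a href="{U_INDEX}">{L_INDEX}</a>
"""

if __name__ == "__main__":
    for hit in audit_template(TAMPERED):
        print(hit)
    print("posted breadcrumb block:", audit_template(POSTED) or "no hits")
```

Legitimate templates (an attachment form, for instance) can contain a file input, so compare each hit against a clean copy of the style.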
 