How can I find out how I got hacked?



brothercake
12-16-2004, 07:57 PM
My menu support forum (phpBB 2.0.8) got hacked today :mad: Defacing the site and screwing up the settings I could brush off, but he erased all but 4 of the threads ... I've had no choice but to shut it down, and when I do re-launch it I'll be starting again from blank :(

Anyway, is there any way I can find out how he got in? I have the access.log for everything he did, but that tells me very little except an IP address (which doesn't resolve), and which files he accessed with which session ID

Strangely there are no login-page accesses ... it looks like he went straight to the admin index page, already logged in. Some kind of cookie theft or forgery, perhaps? Or did he know the password ... and if so, how?

So what else can I look for ... what other clues might there be ...?

Basscyst
12-16-2004, 09:56 PM
See what happens when you go making everything accessible. . . :p ;)

I'm sorry (too soon to joke?)

My sympathy to you. Sorry I don't know any actions to take beyond what you have already done.

Basscyst

joh6nn
12-16-2004, 11:34 PM
phpBB is how he got in; it's vulnerable to an exploit below a certain version; 2.1.1, i believe. make sure you update to the newest version before you start things back up. also, for the future, this (http://johnny.ihackstuff.com/) is a good place to monitor to see what's going on.


my sympathies, by the way.

brothercake
12-16-2004, 11:54 PM
I've seen the recent highlighting exploit - http://www.phpbb.com/phpBB/viewtopic.php?t=240513 - if that's what you're referring to? But it isn't that ...

I have the entire server log of everything he did now, and he goes straight from the login page to the admin index - either he knew the password, or had some way around the authentication. I've also resolved his IP address to an ISP in the Netherlands, so given that and the time they should be able to identify him (assuming it wasn't spoofed)

But I'm far from confident ... if I can't find out how this happened then there's no way I'm using phpBB again, which would be a shame considering how much work I put into those accessible templates ...

WA
12-16-2004, 11:59 PM
Sorry to hear about that brothercake. Did you check your phpBB for the security hole recently discovered: http://www.phpbb.com/phpBB/viewtopic.php?t=240513 ? I'm not a server expert, but I think most will tell you in cases involving hacking through vulnerable software, it's generally easier just to patch the software, and make sure the vulnerability didn't allow the hacker to gain access to any critical parts of the server (ie: root on the server). This versus if it was a direct hacking of your server (ie: through ssh, telnet etc), in which case a server restore might be needed.

BTW this is one of the main reasons I went with vBulletin versus phpBB. It seems vBulletin is much more secure to start off with, and they actively notify their customers when a security issue is found, since they have much more of an incentive and resources to do so, being commercial.

Never mind - just saw that you're aware of that link

firepages
12-17-2004, 12:09 AM
If you want a free & AFAIK secure forum ... FUDforum (http://fud.prohost.org) has a good pedigree.

Basscyst
12-17-2004, 12:12 AM
Hmm, got me curious, so I looked around a bit. This seems to be fairly old news, but a possible cause? You would probably know better than me.

http://www.nukesecurity.com/modules.php?name=News&file=article&sid=75

Basscyst

joh6nn
12-17-2004, 12:19 AM
brothercake, i don't know what the exploit is, i only know it exists. that link does NOT look like the exploit that i heard about, though. my understanding was that any install of phpBB under 2.0.11 was vulnerable to attacks that included code execution and deleting files off the server. supposedly, this issue has been taken care of in version 2.0.11, but as i don't have need of a forum on my site, i haven't really followed up on it.

i can almost guarantee that your attacker got in through phpBB, though.

bothered to look up the relevant link: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636 . that looks a lot more plausible.

brothercake
12-18-2004, 02:13 AM
bothered to look up the relevant link: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636 . that looks a lot more plausible.
It does, yeah.

Willy Duitt
12-21-2004, 10:53 PM
You might be interested in reading this article:
http://news.zdnet.com/2100-1009_22-5499725.html?tag=nl.e589

.....Willy

Edit: And these...
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
http://www.php.net/

JamieR
01-05-2005, 11:14 PM
My Ikonboard forum software got hacked some time ago..... turned out the hacking of my forum and defacing of my website was down to some Brazilian kids called "Rebellious Fingers"..... :mad:

brothercake
01-06-2005, 01:05 AM
good name :rolleyes:

What I've decided to do to shore it up is lock down the admin interface - so it only allows me, using my browser on my computer at my IP address. That should make it pretty safe I reckon; people could spoof, but they'd have to know what to spoof first .. and not all of that is available information.

oracleguy
01-07-2005, 09:40 PM
What I've decided to do to shore it up is lock down the admin interface - so it only allows me, using my browser on my computer at my IP address. That should make it pretty safe I reckon; people could spoof, but they'd have to know what to spoof first .. and not all of that is available information.

That sounds like a pretty good idea.

firepages
01-08-2005, 01:44 AM
hmmm , methinks the most secure option is the conversion script (http://fudforum.org/download.php) ;)

Seriously, phpBB was written by committee & it shows, a shining light next to the original phpBB for sure ... nonetheless ;)

raf
01-10-2005, 10:49 AM
Anyway, is there anyway I can found out how he got in? I have the access.log for everything he did, but that tells me very little except an IP address (which doesn't resolve), and which files he accessed with which session ID

Strangely there are no login-page accesses ... it looks like he went straight to the admin index page, already logged in. Some kind of cookie theft or forgery, perhaps? Or did he know the password ... and if so, how?
even if he knew the pwd, there should still be logging for the login-page.
the most likely reason is that he stole your session after scanning your traffic. you could check that by looking when the SID first appeared in the access log and for which IP (--> probably yours) + check if that session was destroyed by you (--> probably not ... i'm assuming he/she grabbed the SID and then waited till you left the admin-section before starting to delete the threads OR he created a new admin to login again later on, but then you should have logging for the login-page...)
anyway, there are a few easy ways to avoid these:
- limit the db-rights for the useraccount that is used for the admin section
--> make sure it doesn't have grant-permissions, and if so, check which useraccounts exist for that db !!!
--> does that account (or the admin-section as a whole) really need to be able to delete threads without limit? (you could add a counter or require extra validation for certain operations --> probably needs hacking into the phpBB code)
- don't base your security on authenticated sessions. you need to have extra checks (for instance on (the combination of) the IP, the user-agent header, require cookies + store these in a sessiontable in the db (and crossreference it by storing the PK of that table inside the cookie))
- regenerate the SID on each pagerequest
- make sure to destroy the session when you logout
- use SSL to encode your traffic and improve client-identification

Edit: since nobody mentions it: backing up your db from time to time is a great way to limit the impact of such attacks, server crashes, problems with your host etc.
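One way to do the check raf describes above (when a SID first appeared in access.log, from which IP, and whether every IP that used it ever went through the login page), as an added example that is not code from this thread or from phpBB: it parses a constructed Apache combined-format log fragment and assumes phpBB 2's sid= query parameter; the IPs, timestamps and session id are made up.

```python
import re
from datetime import datetime

# Apache combined log format; phpBB 2 carries the session id as a ?sid= query parameter.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SID_RE = re.compile(r'[?&]sid=([0-9a-f]{32})')

# Constructed sample: the owner logs in from 203.0.113.10; hours later the same sid is driven
# from 198.51.100.7, an address that never requested login.php (the pattern the thread describes).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Dec/2004:14:02:11 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.10 - - [16/Dec/2004:14:02:13 +0000] "GET /forum/admin/index.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 8100 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [16/Dec/2004:19:41:03 +0000] "GET /forum/admin/index.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 8100 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [16/Dec/2004:19:42:40 +0000] "POST /forum/admin/admin_forums.php?sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 2900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

def parse_line(line):
    """One log line -> dict with ip, time, method, path, status, ua and sid (None if absent)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    sid = SID_RE.search(rec["path"])
    rec["sid"] = sid.group(1) if sid else None
    return rec

def session_timeline(log_text):
    """Per sid: first sighting and every (ip, user-agent) using it; plus the IPs that ever hit login.php."""
    sessions, login_ips = {}, set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["path"].split("?")[0].endswith("/login.php"):
            login_ips.add(rec["ip"])
        if rec["sid"]:
            s = sessions.setdefault(rec["sid"], {"first_seen": rec["time"], "first_ip": rec["ip"], "clients": set()})
            s["clients"].add((rec["ip"], rec["ua"]))
    return sessions, login_ips

def suspicious_sessions(sessions, login_ips):
    """A sid reused from a second IP, or driven by an IP that never hit login.php, reads as stolen or forged."""
    flagged = {}
    for sid, s in sessions.items():
        ips = {ip for ip, _ in s["clients"]}
        reasons = ["%s reused sid first seen from %s at %s" % (ip, s["first_ip"], s["first_seen"].isoformat())
                   for ip in sorted(ips - {s["first_ip"]})]
        reasons += ["%s used the sid without ever requesting login.php" % ip for ip in sorted(ips - login_ips)]
        if reasons:
            flagged[sid] = reasons
    return flagged
```

Run `suspicious_sessions(*session_timeline(open("access.log").read()))` against a real log; a session whose only reasons come from your own IP after a DHCP change is a false positive, while a second IP that never touched login.php is the case raf describes.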


