#1 brothercake (Senior Coder; joined Jun 2002; near Oswestry; 4,508 posts)

    How can I find out how I got hacked?

    My menu support forum (phpBB 2.0.8) got hacked today. Defacing the site and screwing up the settings I could brush off, but he erased all but 4 of the threads ... I've had no choice but to shut it down, and when I do re-launch it I'll be starting again from blank.

    Anyway, is there any way I can find out how he got in? I have the access.log for everything he did, but that tells me very little except an IP address (which doesn't resolve), and which files he accessed with which session ID.

    Strangely there are no login-page accesses ... it looks like he went straight to the admin index page, already logged in. Some kind of cookie theft or forgery, perhaps? Or did he know the password ... and if so, how?

    So what else can I look for ... what other clues might there be ...?
    Last edited by brothercake; 12-16-2004 at 07:03 PM.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

#2 Basscyst (Smokes a Lot; joined Jul 2003; CA, USA; 1,594 posts)
    See what happens when you go making everything accessible. . .

    I'm sorry (too soon to joke?)

    My sympathy to you. Sorry I don't know any actions to take beyond what you have already done.

    Basscyst
    Helping to build a bigger box. - Adam Matthews

#3 joh6nn (Senior Coder; joined Jun 2002; 72° W. 48' 57", 41° N. 32' 04"; 1,887 posts)
    phpBB is how he got in; it's vulnerable to an exploit below a certain version; 2.1.1, I believe. Make sure you update to the newest version before you start things back up. Also, for the future, this is a good place to monitor to see what's going on.


    My sympathies, by the way.
    Last edited by joh6nn; 12-16-2004 at 10:38 PM.
    bluemood | devedge | devmo | MS Dev Library | WebMonkey | the Guide

    i am a loser geek, crazy with an evil streak,
    yes i do believe there is a violent thing inside of me.

#4 brothercake (Senior Coder; joined Jun 2002; near Oswestry; 4,508 posts)
    I've seen the recent highlighting exploit - http://www.phpbb.com/phpBB/viewtopic.php?t=240513 - if that's what you're referring to? But it isn't that ...

    I have the entire server log of everything he did now, and he goes straight from the login page to the admin index - either he knew the password, or had some way around the authentication. I've also resolved his IP address to an ISP in the Netherlands, so given that and the time they should be able to identify him (assuming it wasn't spoofed).

    But I'm far from confident ... if I can't find out how this happened then there's no way I'm using phpBB again, which would be a shame considering how much work I put into those accessible templates ...
    Last edited by brothercake; 12-16-2004 at 10:59 PM.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

#5 WA (Administrator; joined Mar 2002; 2,596 posts)
    Sorry to hear about that brothercake. Did you check your phpBB for the security hole recently discovered: http://www.phpbb.com/phpBB/viewtopic.php?t=240513 I'm not a server expert, but I think most will tell you that in cases involving hacking through vulnerable software, it's generally easier just to patch the software, and make sure the vulnerability didn't allow the hacker to gain access to any critical parts of the server (i.e. root on the server). This is versus the case where it was a direct hack on your server (i.e. through ssh, telnet etc.), in which a server restore might be needed.

    BTW this is one of the main reasons I went with vBulletin versus phpBB. It seems vBulletin is much more secure to start off with, and they actively notify their customers when a security issue is found, since they have much more of an incentive and more resources to do so, being commercial.

    Edit: Never mind- just saw that you're aware of that link
    - George
    - JavaScript Kit- JavaScript tutorials and 400+ scripts!
    - JavaScript Reference- JavaScript reference you can relate to.

#6 Super Moderator (joined May 2002; Perth, Australia; 4,040 posts)
    If you want a free & AFAIK secure forum ... FUDforum has a good pedigree.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

#7 Basscyst (Smokes a Lot; joined Jul 2003; CA, USA; 1,594 posts)
    Hmm, got me curious, so I looked around a bit. This seems to be fairly old news, but a possible cause? You would probably know better than me.

    http://www.nukesecurity.com/modules....article&sid=75

    Basscyst
    Helping to build a bigger box. - Adam Matthews

#8 joh6nn (Senior Coder; joined Jun 2002; 72° W. 48' 57", 41° N. 32' 04"; 1,887 posts)
    brothercake, I don't know what the exploit is, I only know it exists. That link does NOT look like the exploit that I heard about, though. My understanding was that any install of phpBB under 2.0.11 was vulnerable to attacks that included code execution and deleting files off the server. Supposedly, this issue has been taken care of in version 2.0.11, but as I don't have need of a forum on my site, I haven't really followed up on it.

    I can almost guarantee that your attacker got in through phpBB, though.

    Edit: bothered to look up the relevant link: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636 . That looks a lot more plausible.
    Last edited by joh6nn; 12-16-2004 at 11:22 PM.
    bluemood | devedge | devmo | MS Dev Library | WebMonkey | the Guide

    i am a loser geek, crazy with an evil streak,
    yes i do believe there is a violent thing inside of me.

#9 brothercake (Senior Coder; joined Jun 2002; near Oswestry; 4,508 posts)
    Quote Originally Posted by joh6nn:
    bothered to look up the relevant link: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636 . That looks a lot more plausible.
    It does, yeah.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

#10 Willy Duitt (Banned; joined Sep 2003; 3,620 posts)
    Last edited by Willy Duitt; 12-21-2004 at 10:54 PM.

#11 JamieR (Senior Coder; joined Oct 2004; United Kingdom; 3,161 posts)
    My Ikonboard forum software got hacked some time ago ... turned out the hacking of my forum and defacing of my website was down to some Brazilian kids called "Rebellious Fingers" ...

#12 brothercake (Senior Coder; joined Jun 2002; near Oswestry; 4,508 posts)
    Good name.

    What I've decided to do to shore it up is lock down the admin interface - so it only allows me, using my browser on my computer at my IP address. That should make it pretty safe I reckon; people could spoof, but they'd have to know what to spoof first .. and not all of that is available information.
    "Why bother with accessibility? ... Because deep down you know that the web is attractive to people who aren't exactly like you." - Joe Clark

#13 OracleGuy (Rockstar Coder; joined Jun 2002; USA; 9,074 posts)
    Quote Originally Posted by brothercake:
    What I've decided to do to shore it up is lock down the admin interface - so it only allows me, using my browser on my computer at my IP address. That should make it pretty safe I reckon; people could spoof, but they'd have to know what to spoof first .. and not all of that is available information.
    That sounds like a pretty good idea.
    OracleGuy
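    The lockdown brothercake describes above, as an added illustration rather than anything posted in the thread: an .htaccess file placed in phpBB's admin/ directory that lets only one source address reach it. The address 203.0.113.5 is a documentation placeholder, not a real one, and the file assumes Apache with mod_authz_core (2.4) or mod_access (2.2); the <IfModule> pair makes the same file work on either.

```apacheconf
# Example .htaccess for the phpBB admin/ directory (added illustration).
# 203.0.113.5 is a placeholder; put your own static address here.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require ip 203.0.113.5
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
    Allow from 203.0.113.5
</IfModule>
```

    Two caveats a practitioner would add: an ISP that hands out changing addresses will lock the admin out of his own board, so this only works with a stable address (or a range, at the cost of letting the neighbours in), and it does nothing against an attacker who has already obtained a session from that same address. It is a useful second layer on top of the phpBB patch, not a replacement for it.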

#14 Super Moderator (joined May 2002; Perth, Australia; 4,040 posts)
    Hmmm, methinks the most secure option is the conversion script.

    Seriously, phpBB was written by committee & it shows, a shining light next to the original phpBB for sure ... nonetheless
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

#15 raf (Master Coder; joined Jul 2002; 6,589 posts)
    Quote Originally Posted by brothercake:
    Anyway, is there anyway I can found out how he got in? I have the access.log for everything he did, but that tells me very little except an IP address (which doesn't resolve), and which files he accessed with which session ID

    Strangely there are no login-page accesses ... it looks like he went straight to the admin index page, already logged in. Some kind of cookie theft or forgery, perhaps? Or did he know the password ... and if so, how?
    Even if he knew the pwd, there should still be a log entry for the login page.
    The most likely reason is that he stole your session after scanning your traffic. You could check that by looking at when the SID first appeared in the access log and for which IP (--> probably yours) + check if that session was destroyed by you (--> probably not ... I'm assuming he/she grabbed the SID and then waited till you left the admin section before starting to delete the threads, OR he created a new admin to log in again later on, but then you should have a log entry for the login page...)
    Anyway, there are a few easy ways to avoid these:
    - limit the DB rights for the user account that is used for the admin section
    --> make sure it doesn't have grant permissions, and if so, check which user accounts exist for that DB!!!
    --> does that account (or the admin section as a whole) really need to be able to delete threads without limit? (you could add a counter or require extra validation for certain operations --> probably needs hacking into the phpBB code)
    - don't base your security on authenticated sessions. You need to have extra checks (for instance on (the combination of) the IP, the User-Agent header; require cookies + store these in a session table in the DB (and cross-reference it by storing the PK of that table inside the cookie))
    - regenerate the SID on each page request
    - make sure to destroy the session when you log out
    - use SSL to encode your traffic and improve client identification

    <edit>Since nobody mentions it: backing up your DB from time to time is a great way to limit the impact of such attacks, server crashes, problems with your host etc.</edit>
    Last edited by raf; 01-10-2005 at 10:08 AM.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
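    The check raf describes above, run over the kind of access.log brothercake has in the opening post, as an added example that is not code from the thread or from phpBB. It is written in Python against a constructed sample log: the IPs, timestamps, the session id 9e1c2f and the user agents are invented, and the phpBB 2.0 URL layout (session id as ?sid= in the query string, logout via login.php?logout=true, admin area under /forum/admin/) is an assumption. For each SID it records where it first appeared, every IP and User-Agent that used it, which IPs reached the admin area without ever POSTing to the login page, and whether it was ever logged out.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample access.log in Apache "combined" format. Every IP, time,
# session id and user agent here is invented for this example; nothing is
# taken from the real incident. Assumed phpBB 2.0 layout: ?sid=... in the
# query string, login.php?logout=true on logout, admin scripts under /admin/.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Dec/2004:18:02:11 +0000] "POST /forum/login.php HTTP/1.1" 302 - "http://example.org/forum/index.php" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
198.51.100.7 - - [16/Dec/2004:18:02:12 +0000] "GET /forum/admin/index.php?sid=9e1c2f HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
198.51.100.7 - - [16/Dec/2004:18:05:40 +0000] "GET /forum/admin/admin_board.php?sid=9e1c2f HTTP/1.1" 200 9342 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/1.0"
203.0.113.55 - - [16/Dec/2004:19:41:03 +0000] "GET /forum/admin/index.php?sid=9e1c2f HTTP/1.1" 200 8123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.55 - - [16/Dec/2004:19:41:30 +0000] "POST /forum/admin/admin_forums.php?sid=9e1c2f HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# One Apache "combined" line: ip ident user [ts] "method url proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    query = parse_qs(parts.query)
    rec["path"] = parts.path
    rec["sid"] = query.get("sid", [None])[0]   # phpBB 2.0 session id (assumed)
    rec["logout"] = "logout" in query
    return rec


def trace_sessions(log_text, admin_prefix="/forum/admin/", login_path="/forum/login.php"):
    """Rebuild each session id's history: first appearance (time, IP), every IP
    and User-Agent that presented it, admin-area hits from IPs that never went
    through the login page, and whether the session was ever logged out."""
    sessions = {}
    logged_in_ips = set()          # IPs that POSTed to login.php at any point
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue               # skip lines that are not in combined format
        if rec["method"] == "POST" and rec["path"] == login_path:
            logged_in_ips.add(rec["ip"])
        sid = rec["sid"]
        if sid is None:
            continue
        s = sessions.setdefault(sid, {
            "first_seen": rec["ts"], "first_ip": rec["ip"],
            "ips": set(), "user_agents": set(),
            "admin_without_login": set(), "logged_out": False,
        })
        s["ips"].add(rec["ip"])
        s["user_agents"].add(rec["ua"])
        if rec["path"].startswith(admin_prefix) and rec["ip"] not in logged_in_ips:
            s["admin_without_login"].add(rec["ip"])
        if rec["logout"] and rec["path"] == login_path:
            s["logged_out"] = True
    return sessions


def suspicious_sessions(sessions):
    """A sid presented from more than one IP or User-Agent, or reaching the
    admin area from an IP that never logged in, is the hijack signature."""
    return sorted(
        sid for sid, s in sessions.items()
        if len(s["ips"]) > 1 or len(s["user_agents"]) > 1 or s["admin_without_login"]
    )


if __name__ == "__main__":
    report = trace_sessions(SAMPLE_LOG)
    for sid in suspicious_sessions(report):
        s = report[sid]
        print(f"sid {sid}: first seen {s['first_seen']} from {s['first_ip']}")
        print(f"  used by IPs {sorted(s['ips'])}")
        print(f"  admin hits without a login from {sorted(s['admin_without_login'])}")
        print(f"  logged out: {s['logged_out']}")
```

    On the sample, the sid first appears from the owner's address right after a login POST, is never logged out, and is later presented by a second address with a different browser that never touched login.php; that is exactly the pattern raf predicts. Two limits to keep in mind when reading a real log: a legitimate user behind a pool of proxy addresses will also show up under several IPs (the User-Agent change is the stronger signal), and a session carried only in the cookie leaves no sid in the URL, so a hijacker who reused the cookie alone would have to be matched on IP and timing instead.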
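    The session-handling rules in raf's list (a server-side session table with the row's primary key in the cookie, the session bound to IP and User-Agent, a new id on every request, and destruction on logout) as one added example. It is written in Python for clarity, not PHP, and is not phpBB code; the class, the cookie format "pk:secret" and the in-memory dictionary standing in for the DB table are all this example's own choices.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _Row:
    """One row of the session table (assumed schema for this example)."""
    user: str
    secret: str        # random value the cookie must match
    ip: str
    user_agent: str
    last_seen: float


class BoundSessionStore:
    """Server-side sessions bound to the client's IP and User-Agent.

    The cookie value is "<primary key>:<secret>"; only the secret is compared
    (in constant time), the primary key just locates the row. Every successful
    validation replaces the row, so a sid captured from an earlier request is
    already dead, and a mismatch in IP or User-Agent revokes the session.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        self._rows = {}            # primary key -> _Row ("session table")
        self._next_pk = 1
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry is testable

    def _insert(self, user, ip, user_agent):
        pk = self._next_pk
        self._next_pk += 1
        secret = secrets.token_urlsafe(32)     # 256 bits, no ':' in urlsafe alphabet
        self._rows[pk] = _Row(user, secret, ip, user_agent, self._now())
        return f"{pk}:{secret}"

    def create(self, user, ip, user_agent):
        """Called after a successful password check: start a bound session."""
        return self._insert(user, ip, user_agent)

    def validate_and_rotate(self, cookie, ip, user_agent):
        """Return (user, new_cookie) for a valid request, else None.

        The caller sets new_cookie on the response; the old one no longer works.
        """
        try:
            pk_str, presented = cookie.split(":", 1)
            pk = int(pk_str)
        except (ValueError, AttributeError):
            return None
        row = self._rows.get(pk)
        if row is None:
            return None
        if not hmac.compare_digest(row.secret, presented):
            return None            # wrong secret: leave the real row untouched
        fresh = self._now() - row.last_seen <= self._ttl
        same_client = row.ip == ip and row.user_agent == user_agent
        del self._rows[pk]         # in every case the old id is retired
        if not fresh or not same_client:
            return None            # expired or presented from another client
        return row.user, self._insert(row.user, ip, user_agent)

    def destroy(self, cookie):
        """Logout: remove the row so the cookie is useless even if copied."""
        try:
            pk = int(cookie.split(":", 1)[0])
        except (ValueError, AttributeError):
            return False
        return self._rows.pop(pk, None) is not None
```

    The IP binding is the part that hurts legitimate users most: anyone behind a proxy pool that changes address mid-session gets thrown out, which is why raf lists it as one of several checks rather than the check. The User-Agent is trivially forgeable by an attacker who has sniffed the traffic, so it is a hurdle, not a lock; the control that actually stops the sniffing is raf's last bullet, SSL, and the rotation and binding limit the damage when a sid leaks some other way (a referer header, a pasted URL, a shared machine).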

