Subject: Hacked
I have to run to work now, so I'll expand the topic later.

Today an user from 76.106.153.204 (comcast, USA) hacked the site. he did no damage and impersonated me and Andreas
It used a hole in the file links.php that has been removed, I'll investigate more when I'll be back.
I've also banned the Ip address and emailed at the abuse service at comcast.

It seemed to use a cookie "impersonation" so please Andreas, log out go here:

http://www.posetteforever.com/mycookies.php

close the browser, open it and login again.

Please, please, read the other topic about how to shut off the site when something like this happens :pray: , try it and memorize the procedure, it's very important :pray: :pray: :pray: :pray:

Back later

Davide

Subject: Re: Hacked
Update:

I came home form work and I found that this was bad but it could be worse.

The Hacker attacked the file links.php (no more existing...) using this code:

Code: [Hide] [Select]
http://www.posetteforever.com/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*



Edit: DON'T try that code now, I've just installed a security code and you will be banned on the spot!!

this resulted in giving him the list all the hashes of the password (encrypted passwords in the database) and thus building a session key and simply steal the user's identity.

What he did and tried to do ?

First he tried to access the administration control panel, but it has a double password (that is what saved us) so he could not deface the site and limited the attack to steal Andreas identity and to lurk in some profiles, actually the one of grouchocaesar trying to change things but was stopped by the antispam protection. So he went to the shoutbox and wrote something about the lack of security and how he was a good hacker and did nothing (actually sure he could have done damages with my account but he wanted to do something worse in the admin control panel).

What I did ?

He had ALL the encrypted passwords (all the passwords in the site are encrypted, not even I can know what is the original password, but knowing the encrypted password in the database one can build a link with a working session id) So I searched and found a tool to re-encrypt the password twice, this tools also prevents the use of the encrypted password to enter the site. the alternative would have been to ask EVERYONE to change password.

Now, even if I changed the encrypted passwords, I suggest you to go to your control panel and change your password with a new one. I'll also chenage the password for the control panel with a new one and I'll send you the data with an email (if one steal your identity here he can go to this forum and simply see what the password is...)

Plus, having the complete log, I already cintacted comcast but I'll contact the FBI in the USA too.

More about this "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit" can be found here:

http://www.waraxe.us/ftopict-1916.html

You can see that this autonamed "hacker" did only a simple cut and paste from a code someone else did.

What he did is go to google and use this search string:

allinurl:links.php

he found us here (I can't see posetteforever now but it was one of the results)

http://www.google.com/search?q=alli...n&start=80&sa=N

then he went to the site and applied the hack code above, next he searched for my nickname:

Code: [Hide] [Select]
30956      Anonymous      76.106.153.204      2008 Feb 15 06:42      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: profile.php
Parameters: mode=viewprofile&u=2
http_referer: http://www.posetteforever.com/forum.php


here he is "me":

Code: [Hide] [Select]
30958      Tormie      76.106.153.204      2008 Feb 15 06:43      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php


The first thing he tries is to go to the admin panel (and it was stopped by the password protection)

Code: [Hide] [Select]
30966      Tormie      76.106.153.204      2008 Feb 15 06:45      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/adm/


Andreas was on the site so he went to see his account number (78)

Code: [Hide] [Select]
30970      Tormie      76.106.153.204      2008 Feb 15 06:47      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: profile.php
Parameters: mode=viewprofile&u=78
http_referer: http://www.posetteforever.com/


here he is "Ahjah"
Code: [Hide] [Select]
30978      ahjah      76.106.153.204      2008 Feb 15 06:50      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php?redirect=index.php


here he goes to Andreas preferences (please andreas check them)
Code: [Hide] [Select]
31030      ahjah      76.106.153.204      2008 Feb 15 07:09      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
     
Page Page: profile.php
Parameters: mode=editprofile&cpl_mode=preferences
http_referer: http://www.posetteforever.com/profile_main.php



and that's all for now ...

Subject: Re: Hacked
I'll check my stuff and change my password ( :crying: )...

Subject: Re: Hacked
it is "just in case" Andreas, I've already re-encrypted them with a different method, to put it clearer, no one can know what your password is if not you , what is in the site is a MD5 encrypted string based on your password, the hacker got a list of this strings, but I've already changed them all so everyone is safe , but you know... maybe :uuh: ...

For some reason that i don't understand we have been "under attack" since some months ago, however we where lucky this time. I'll do backups more often...

Subject: Re: Hacked
... but we won't back down! :afterburner: :sick:

Subject: Re: Hacked
So what is with all of this Posy is welcoming around here? Greywolf and all. Is that part of the Hacker? :ninja: It is really surprising that we are getting hit now. :mmmh:

Profile PM  
Subject: Re: Hacked
No, it's an old feature that I resurrected, Posy will hug all new registered users :heartbeat: . Yes it is surprising Kenny, it was also my fault not to keep certain files updated. I'm actually working on a major upgrade of the main security package installed, ctracker (at night, as usual :crybaby: )

Subject: Re: Hacked
Maybe when it comes to topics like Hacking we need to keep it in the Mod area. It seems like some of the forum may have started a challenge with a Hacker out on the net. :mmmh: It has been quite and then this happens. Really makes you wonder. Very strange. :uuh:

Profile PM  
Subject: Re: Hacked
Kenny, the people that tries to hack Posetteforever are not real hackers, for a hackers PF can't be a target, it's a place without any commercial involvement. I's a target for people that cut & paste lines of code made by someone else, same as happened to 3dtapestry recently...

Subject: Re: Hacked
Yes I know that Davide. What I was trying to say is that they may be doing this just for sport because we had talked about Hacking before and they fed of the conversation as a challenge. :ninja:

Profile PM  
Subject: Re: Hacked
maybe we're not winning but we're not even losing :D :2nd:

Subject: Re: Hacked
:lmao: :redface:

Profile PM  
Subject: Re: Hacked
Well, after today's work on the site I think we've reached the maximum security level EVER, lol.

There were a couple of "phpBB security" packages that I never installed because they collided with other packages installed, but in the last period I became a little more skilled in understanding PHP (that is the programming language of the site) and I succeded in doing what I think is a good work.

Now if someone tries an UNION attack or some other tricks, he is automatically banned and blacklisted with a message that says "Posy Thinks You Should Go In Our Black List."

This system blocks different kinds of attacks, but expecially on DDOS attacks it can fails sometimes, so if you got banned for an error, contact me asap (I'll set the DDOS attacks on "BLOCK" instead of "BAN" anyway)

So now it's time to go back to normal businness ... :tv2: :yoyo: :bubbles: :lazy:

Subject: Re: Hacked
:wickedfart: <- forgot this one??

Subject: Re: Hacked
Damn... :sorry:


Page 1 of 1


  
You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot vote in polls
You cannot attach files
You cannot download files
You cannot post calendar events