I have to run to work now, so I'll expand the topic later.
Today a user from 76.106.153.204 (Comcast, USA) hacked the site. He did no damage and impersonated me and Andreas.
He used a hole in the file links.php, which has since been removed; I'll investigate more when I'm back.
I've also banned the IP address and emailed the abuse service at Comcast.
He seemed to use a cookie "impersonation", so please, Andreas, log out, go here:
http://www.posetteforever.com/mycookies.php
close the browser, open it and log in again.
Please, please, read the other topic about how to shut off the site when something like this happens :pray:, try it and memorize the procedure; it's very important :pray: :pray: :pray: :pray:
Back later
Davide
Subject: Hacked
Subject: Re: Hacked
Update:
I came home from work and found that this was bad, but it could have been worse.
The hacker attacked the file links.php (which no longer exists...) using this code:
http://www.posetteforever.com/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
Edit: DON'T try that code now; I've just installed a security code and you will be banned on the spot!!
This gave him the list of all the password hashes (the encrypted passwords in the database), letting him build a session key and simply steal a user's identity.
What did he do and try to do?
First he tried to access the administration control panel, but it has a double password (that is what saved us), so he could not deface the site and limited the attack to stealing Andreas's identity and lurking in some profiles, actually grouchocaesar's, trying to change things, but he was stopped by the antispam protection. So he went to the shoutbox and wrote something about the lack of security and how he was a good hacker and did nothing (actually, sure, he could have done damage with my account, but he wanted to do something worse in the admin control panel).
What did I do?
He had ALL the encrypted passwords (all the passwords on the site are encrypted; not even I can know what the original password is, but knowing the encrypted password in the database one can build a link with a working session id). So I searched and found a tool to re-encrypt the passwords twice; this tool also prevents the use of the encrypted password to enter the site. The alternative would have been to ask EVERYONE to change their password.
Now, even if I changed the encrypted passwords, I suggest you go to your control panel and change your password to a new one. I'll also change the password for the control panel to a new one and send you the data by email (if someone steals your identity here, he can come to this forum and simply see what the password is...).
Plus, having the complete log, I have already contacted Comcast, but I'll contact the FBI in the USA too.
More about this "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit" can be found here:
http://www.waraxe.us/ftopict-1916.html
You can see that this self-styled "hacker" only did a simple cut and paste of code someone else wrote.
What he did was go to Google and use this search string:
allinurl:links.php
He found us here (I can't see posetteforever now, but it was one of the results):
http://www.google.com/search?q=alli...n&start=80&sa=N
Then he went to the site and applied the hack code above; next he searched for my nickname:
30956 Anonymous 76.106.153.204 2008 Feb 15 06:42 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: profile.php
Parameters: mode=viewprofile&u=2
http_referer: http://www.posetteforever.com/forum.php
Here he is "me":
30958 Tormie 76.106.153.204 2008 Feb 15 06:43 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php
The first thing he tries is to go to the admin panel (and he was stopped by the password protection):
30966 Tormie 76.106.153.204 2008 Feb 15 06:45 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/adm/
Andreas was on the site, so he went to see his account number (78):
30970 Tormie 76.106.153.204 2008 Feb 15 06:47 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: profile.php
Parameters: mode=viewprofile&u=78
http_referer: http://www.posetteforever.com/
Here he is "Ahjah":
30978 ahjah 76.106.153.204 2008 Feb 15 06:50 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php?redirect=index.php
Here he goes to Andreas's preferences (please, Andreas, check them):
31030 ahjah 76.106.153.204 2008 Feb 15 07:09 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page: profile.php
Parameters: mode=editprofile&cpl_mode=preferences
http_referer: http://www.posetteforever.com/profile_main.php
and that's all for now ...
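Added example (editor's note, not code from the phpBB Links MOD, from ctracker or from posetteforever.com): a toy reconstruction in Python/sqlite3 of what the links.php request above does to an unsanitised search query, and the parameterised fix. The real exploit injects through the `start` parameter into a LIMIT clause on MySQL; SQLite refuses a LIMIT in front of UNION, so this version injects through the search keyword instead, which is the same technique at a different point. The table and column names phpbb_users / username / user_password are the ones in the thread; the links table, the two accounts and their passwords are constructed here.

```python
import hashlib
import sqlite3


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed accounts; ids 2 and 78 mirror the profile ids seen in the thread's log.
USERS = [(2, "Tormie", "correct horse"), (78, "ahjah", "battery staple")]
LINKS = [(1, "asd tutorial", "http://example.invalid/asd"),
         (2, "unrelated", "http://example.invalid/other")]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE phpbb_links (link_id INTEGER, link_title TEXT, link_url TEXT)")
    con.executemany("INSERT INTO phpbb_links VALUES (?, ?, ?)", LINKS)
    # phpBB 2 kept md5(password) in user_password; that is what the dump exposes
    con.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT)")
    con.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?)",
                    [(uid, name, md5(pw)) for uid, name, pw in USERS])
    return con


def search_links_vulnerable(con, keywords):
    # the bug: the request parameter is pasted straight into the SQL text
    sql = ("SELECT link_id, link_title, link_url FROM phpbb_links "
           f"WHERE link_title LIKE '%{keywords}%'")
    return con.execute(sql).fetchall()


def search_links_fixed(con, keywords):
    # the fix: the value is bound as a parameter and can never become SQL
    sql = "SELECT link_id, link_title, link_url FROM phpbb_links WHERE link_title LIKE ?"
    return con.execute(sql, (f"%{keywords}%",)).fetchall()


# Same shape as the thread's payload: close the string, append a SELECT with the
# same number of columns (3 here; the real mod needed 12, hence the 1..12 fillers)
# and open a comment so whatever the script appends afterwards is ignored.
PAYLOAD = "asd%' UNION SELECT user_id, username, user_password FROM phpbb_users/*"


def dumped_hashes(rows):
    """(username, hash) pairs smuggled into a result set that should only hold links."""
    hexdigits = set("0123456789abcdef")
    return {(title, url) for _, title, url in rows
            if len(url) == 32 and set(url) <= hexdigits}


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", dumped_hashes(search_links_vulnerable(con, PAYLOAD)))
    print("fixed:     ", search_links_fixed(con, PAYLOAD))
```

The vulnerable search returns the one matching link plus one row per account, with the MD5 of each password sitting in the link_url column; the parameterised search returns nothing for the payload because the whole string is treated as a LIKE pattern, not as SQL.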
Subject: Re: Hacked
I'll check my stuff and change my password ( :crying: )...
Subject: Re: Hacked
It is "just in case", Andreas. I've already re-encrypted them with a different method. To put it more clearly, no one can know what your password is except you; what is on the site is an MD5 string derived from your password. The hacker got a list of these strings, but I've already changed them all, so everyone is safe, but you know... maybe :uuh: ...
For some reason that I don't understand we have been "under attack" since some months ago; however, we were lucky this time. I'll do backups more often...
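Added example (editor's note, not phpBB's code and not the tool Davide used): why a dumped password hash was enough to log in as someone else without cracking anything, and what actually closes that hole. The thread says that knowing the stored hash let the attacker build a working session; the "before" half below reproduces that by accepting the value of user_password itself as the autologin cookie. It also shows the caveat with "re-encrypting twice": on its own, rehashing a table of md5(password) values to md5(md5(password)) does not invalidate a dump, since anyone holding the old hash can md5 it once more; what matters is that the cookie check stops accepting anything derived from the stored verifier, which is what Davide says his tool also did. The "after" half issues a random key per login and stores only its digest, so a table dump yields nothing usable and every session can be revoked without touching passwords. MD5 is kept only to mirror the site; the username and password are constructed.

```python
import hashlib
import hmac
import secrets


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


# --- before: the autologin cookie carries the stored hash itself ----------------
USERS = {"ahjah": md5("battery staple")}   # user_password column, phpBB 2 style; constructed


def password_login(table, username, password, rounds=1):
    """Normal login; rounds=2 after a 're-encrypt twice' pass (stored = md5(md5(pw)))."""
    h = password
    for _ in range(rounds):
        h = md5(h)
    stored = table.get(username)
    return stored is not None and hmac.compare_digest(stored, h)


def cookie_login_before(table, username, autologinid):
    """The flaw: whatever sits in user_password is accepted as the cookie value."""
    stored = table.get(username)
    return stored is not None and hmac.compare_digest(stored, autologinid)


def rehash_all(table):
    """What a 're-encrypt twice' tool does to an existing table."""
    return {u: md5(h) for u, h in table.items()}


def forge_after_rehash(old_hash):
    """Attacker's move against a rehashed table: hash the dumped value once more."""
    return md5(old_hash)


# --- after: random key per login, the database keeps only its digest ------------
SESSION_KEYS = {}   # (username, sha256(key)) -> True; this is all a dump reveals


def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


def issue_autologin_key(username):
    key = secrets.token_hex(16)          # 128 random bits; lives only in the cookie
    SESSION_KEYS[(username, _digest(key))] = True
    return key


def cookie_login_after(username, key):
    return (username, _digest(key)) in SESSION_KEYS


def digests_in_dump(username):
    """What a UNION dump of the keys table would hand an attacker."""
    return [d for (u, d) in SESSION_KEYS if u == username]


def revoke_all(username):
    """Incident response: log every device out without asking anyone to change a password."""
    for k in [k for k in SESSION_KEYS if k[0] == username]:
        del SESSION_KEYS[k]
```

With the "before" table the dumped hash logs in directly, and after rehashing it still does once the attacker hashes it again; with the "after" scheme the dump contains only SHA-256 digests of keys, which the cookie check never accepts, and revoke_all() is the emergency switch the thread was looking for.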
Subject: Re: Hacked
... but we won't back down! :afterburner: :sick:
Subject: Re: Hacked
So what is with all of this Posy welcoming around here? Greywolf and all. Is that part of the hacker? :ninja: It is really surprising that we are getting hit now. :mmmh:
Subject: Re: Hacked
No, it's an old feature that I resurrected; Posy will hug all newly registered users :heartbeat:. Yes, it is surprising, Kenny; it was also my fault for not keeping certain files updated. I'm actually working on a major upgrade of the main security package installed, ctracker (at night, as usual :crybaby:).
Subject: Re: Hacked
Maybe when it comes to topics like hacking we need to keep it in the Mod area. It seems like some of the forum may have started a challenge with a hacker out on the net. :mmmh: It has been quiet and then this happens. Really makes you wonder. Very strange. :uuh:
Subject: Re: Hacked
Kenny, the people that try to hack Posetteforever are not real hackers; for a hacker PF can't be a target, it's a place without any commercial involvement. It's a target for people that cut & paste lines of code made by someone else, same as happened to 3dtapestry recently...
Subject: Re: Hacked
Yes, I know that, Davide. What I was trying to say is that they may be doing this just for sport, because we had talked about hacking before and they fed off the conversation as a challenge. :ninja:
Subject: Re: Hacked
maybe we're not winning, but we're not losing either :D :2nd:
Subject: Re: Hacked
:lmao: :redface:
Subject: Re: Hacked
Well, after today's work on the site I think we've reached the maximum security level EVER, lol.
There were a couple of "phpBB security" packages that I never installed because they collided with other packages installed, but in the last period I became a little more skilled in understanding PHP (that is the programming language of the site) and I succeeded in doing what I think is a good job.
Now if someone tries a UNION attack or some other tricks, he is automatically banned and blacklisted with a message that says "Posy Thinks You Should Go In Our Black List."
This system blocks different kinds of attacks, but especially on DDOS attacks it can fail sometimes, so if you got banned by mistake, contact me asap (I'll set the DDOS attacks to "BLOCK" instead of "BAN" anyway).
So now it's time to go back to normal business ... :tv2: :yoyo: :bubbles: :lazy:
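Added example (editor's note, not ctracker's code and not the ban logic installed on the site): detection over request-log entries in the format Davide posted earlier in the thread, implementing the split he describes, an injection pattern in decoded parameters earns a permanent "ban", a burst of requests in one minute only a temporary "block", so a rate rule misfiring on a fast reader does not blacklist anyone. The profile.php and index.php entries for 76.106.153.204 are the ones quoted above; the links.php entry carrying the UNION payload, the address 10.0.0.5 and the user "reader1" are constructed here to exercise both rules, and the User-Agent is shortened. The timeline() helper reproduces by code the pivot Davide did by hand, following one address through the log to see which accounts it became.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.12"  # shortened
# Constructed sample in the thread's log format; the 769... attacker lines with
# profile.php/index.php are the quoted ones, the rest are made up for the demo.
SAMPLE_LOG = f"""\
30950 Anonymous 76.106.153.204 2008 Feb 15 06:40 links.php (GET) - US - {UA}
Page: links.php
Parameters: t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
http_referer: -
30956 Anonymous 76.106.153.204 2008 Feb 15 06:42 profile.php (GET) - US - {UA}
Page: profile.php
Parameters: mode=viewprofile&u=2
http_referer: http://www.posetteforever.com/forum.php
30958 Tormie 76.106.153.204 2008 Feb 15 06:43 index.php (GET) - US - {UA}
Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php
30978 ahjah 76.106.153.204 2008 Feb 15 06:50 index.php (GET) - US - {UA}
Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php?redirect=index.php
30980 reader1 10.0.0.5 2008 Feb 15 06:50 viewtopic.php (GET) - US - {UA}
Page: viewtopic.php
Parameters: t=1
http_referer: -
30981 reader1 10.0.0.5 2008 Feb 15 06:50 viewtopic.php (GET) - US - {UA}
Page: viewtopic.php
Parameters: t=2
http_referer: -
30982 reader1 10.0.0.5 2008 Feb 15 06:50 viewtopic.php (GET) - US - {UA}
Page: viewtopic.php
Parameters: t=3
http_referer: -
30983 reader1 10.0.0.5 2008 Feb 15 06:50 viewtopic.php (GET) - US - {UA}
Page: viewtopic.php
Parameters: t=4
http_referer: -
"""

HEADER = re.compile(
    r"^(?P<id>\d+) (?P<user>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}) (?P<page>\S+) \((?P<method>\w+)\)")
# Three things that have no business in a forum query string: a UNION ... SELECT
# pair, an opening SQL comment used to swallow the rest of the query, and a
# reference to the board's own table prefix.
INJECTION = re.compile(r"\bunion\b.*\bselect\b|/\*|\bfrom\s+phpbb_", re.I | re.S)
BURST_PER_MINUTE = 3   # log resolution is one minute; more than this from one IP is a burst


def parse_log(text):
    """Group the header line and its Page/Parameters/http_referer lines into one entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = m.groupdict()
            cur["params"], cur["referer"] = "", ""
            entries.append(cur)
        elif cur is not None and line.startswith("Parameters:"):
            cur["params"] = line.partition(":")[2].strip()
        elif cur is not None and line.startswith("http_referer:"):
            cur["referer"] = line.partition(":")[2].strip()
    return entries


def is_injection(entry):
    # decode '+' and %xx first: the payload arrives URL-encoded, as PHP would see it
    return INJECTION.search(unquote_plus(entry["params"])) is not None


def decide(entries):
    """Per-IP verdict: 'ban' for an injection attempt, 'block' for a burst, nothing otherwise."""
    verdict = {}
    per_minute = Counter((e["ip"], e["time"]) for e in entries)
    for e in entries:
        if is_injection(e):
            verdict[e["ip"]] = "ban"
        elif per_minute[(e["ip"], e["time"])] > BURST_PER_MINUTE:
            verdict.setdefault(e["ip"], "block")   # a block never overrides a ban
    return verdict


def timeline(entries, ip):
    """Everything one address did, in log order, with the account it was using."""
    return [(e["id"], e["time"], e["user"], e["page"], e["params"])
            for e in entries if e["ip"] == ip]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for ip, v in decide(ents).items():
        print(ip, v)
    for row in timeline(ents, "76.106.153.204"):
        print(*row)
```

On the sample, 76.106.153.204 is banned on the links.php request and its timeline shows the account switching from Anonymous to Tormie to ahjah, while 10.0.0.5, which only opened four topics in one minute, is blocked rather than blacklisted.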
Subject: Re: Hacked
:wickedfart: <- forgot this one??
Subject: Re: Hacked
Damn... :sorry: