Topic awaiting preservation: I got hacked!

Well, actuly my sisters site got hacked, but I'm the webmaster. I don't want to post any links, but I did send our host a report on the issue.

It's a high-traffic forum for a large guild on neopets. The hacker uses swear words and l33t style typing, which I'm guessing is typicle for hackers. I do have a backup of the forum from September 29th.

What do I do? I feel helpless...

ok, here's a basic guidline, provided the hacker only got access to your sister's account and not the whole server (likely).

Step one - Save log files, and just about everything, but especially the log files.
Step two - remove the forum for now. put up a static, explaining site.
Step three - find out where he came in (logfiles), fix the hole. If you can't find it, come back for help, you are likely to have a more serious problem.
Step four - if the remote ip is somewhere in your country - report to the police, with all the backups and any information you have.
step five - use only the data from the old forum (check the user table by hand for abnormal permissions). The code for the site should come from a clean backup. Don't assume the sep. 29th version you had from the webserver is clean. Possibly use the source you initially uploaded the site from.
Step five b - if you were using phpbb - switch to something else. It's had so many exploited security holes in the last year ;-(.
step 6 - forum online again.

that's the basic guidline.
Principles again: Check what data you must reuse (database) carefully. Use only code you *know* to be good. Assuming an older backup is ok is foolish. And fix the hole before you try again.

so long,

->Tyberius Prime

quote:

---

Tyberius Prime said:

if you were using phpbb switch to something else. It's had so many exploited security holes in the last year ;-(.

---

I have a phpBB forum and I get nervous about it all the time that someone is going to hack it. It's probably only going to be up for a little while longer and the site will be no more anyway.

I am guessing that you did use phpBB from your description. There was a nasty exploit with the banned words function.
You should be able to convert your phpBB database to another forum like vBulletin. Check the vBulletin page to see if someone has a mod to covert it to their scheme.

Later,

C:\

Thank TP and CP!

I think I found the IP that was used in the hack: (I replaced last digits of IP with #)

quote:

---

66.28.###.## - - [09/Oct/2005:06:26:19 -0400] "GET /admin/admin_forums.php?mode=deletecat&c=3&sid=c397623e1e44eb28708dc50e08c1ca50 HTTP/1.1" 200 10017 "http://lef.yomonkey.com/admin/admin_forums.php?sid=c397623e1e44eb28708dc50e08c1ca50" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.12) Gecko/20050919 Firefox/1.0.7"

---

Is this what I'm looking for?

well, it looks like just a standard 'delete a category' request.
It might have been the hacker *after* he gained access - but I suspect it's not the actual intrusion.

My 2 cents... most of the time, such an intrusion is done through the forum system itself,
but the host and web server securities are even easier to bypass when one knows what he is doing.

Which kind of privileges do you have on the web server itself?
Do you have an idea of the "start time"?

If you precisely know the moment these issues started, it will make digging through the logs a lot easier.

Easiet thing to do would be to filter the server access logs by IP address, since you have the address already (btw: I'd also suggest making sure that that's not your IP address. Check out http://www.whatismyip.com to find out if you're in the same range.)


Justice 4 Pat Richard

I know my IP and it's not mine. And there were multiple category deletion actions from that IP. A part of the hacking or intrusion was that all the categories exept one were deleted and a new category (containing an irc website and channel in the name) was made by the intruder. I am fairly certian that is the IP that was used for the intrusion.

After my sister did some research on the IP, she found out that it was from Google's VPN server (vpn.google.com). I'm now very confused.

Ummm... vpn.google.com doesn't exist. At all. No IP addresses registered and no domain registered.

http://www.dnsstuff.com/tools/whois.ch?ip=vpn.google.com

Where did your sister get this information from, if I may ask?


Justice 4 Pat Richard

It exists, whois lookups will not show sub domains.

You have to do dns lookup

http://www.dnsstuff.com/tools/lookup.ch?name=vpn.google.com&type=A



.:[ Never resist a perfect moment ]:.

It's the 4th IP down in the list in the link bitdamaged provided. And she aparently found out in http://blog.thetechgurus.net/?p=36 from a Goggle of the IP.

[edit]
She just told me she actuly found it out from here: http://www.how2hack.net/readarticle.php?article_id=87
[/edit]



(Edited by zavaboy on 10-11-2005 02:11)

Aaah... silly me. Sorry about that.


Justice 4 Pat Richard

man....it's sites like that that drive me nuts! I found a site that listed exploits for every know web app known to man. complete with perl and C++ scripts. Just seems like a lot of work just to deface someones website that they more than likely took months or more to make.

Rediculous.

Later,

C:\

It looks like the vpn.google.com addy is for secure wireless access. I don't think that's going to tell you anything unless you track them back through google. Even then this was probably done by a wireless user over an open access point. Virtually impossible to track, maybe by MAC addy if they keep reusing the same point but I doubt anyone is going to use the resources necessary to catch this idiot.



.:[ Never resist a perfect moment ]:.

Out of interest what is a good secure forum to use, my phpBB was haxxed not too long ago - no damage was done however.

Also one thing i do now with phpBB, is rename the Admin directory or move it - if they dont have access to the admin then they cant do much ithink? For me this was fine since i pretty much never changed the forums, if you do stuff often it could be a pain.

MercuryBoards is good, I believe, as is Invision, but you've gotta pay for that one. Or there's the Grail, which TP will give ot anyone who asks him via email, I think.


Justice 4 Pat Richard

Indeed, I do. E-Mail, icq, whatever, you'll have to ask.
Setup is a bit more indepth than your standard phpbb - but at least it does what *you* want it to.

I'm now using Invision because it comes with the host.