How much should we worry about Forum Hacking?
-
Bush and Ghostlander taking a look into it as I type.
-
[quote name=“netnerd” post=“53479” timestamp=“1390171987”]
[quote author=Ruthie link=topic=6799.msg53477#msg53477 date=1390171739]
Yeah, I was straight on P0wersurge.com forums too, you have to sign up for more info.
[/quote]
I can send you the text file db i managed to download or tell me where to send it?
[/quote]PM what you have to Bushstar
-
[quote name=“Ruthie” post=“53483” timestamp=“1390172202”]
[quote author=netnerd link=topic=6799.msg53479#msg53479 date=1390171987]
[quote author=Ruthie link=topic=6799.msg53477#msg53477 date=1390171739]
Yeah, I was straight on P0wersurge.com forums too, you have to sign up for more info.
[/quote]
I can send you the text file db i managed to download or tell me where to send it?
[/quote]PM what you have to Bushstar
[/quote]
ok on it now -
So we got defaced. I’ve got a copy of the defaced page as it was some neat ASCII art.
[url=http://forum.feathercoin.com/hacker.php]http://forum.feathercoin.com/hacker.php[/url]
You can get the source from here.
[url=http://forum.feathercoin.com/index.tar.gz]http://forum.feathercoin.com/index.tar.gz[/url]I have updated all the packages on the server and restored the front of the forum. The forum was the only site effected on a server that runs multiple pages for Feathercoin. I’m not yet sure how they managed to deface our site and it may well not be an outdated package on the server. Even though we run the latest version of SMF the forum software we may still be vulnerable.
I will investigate further tomorrow. I’m guessing that there is a SMF hack doing the rounds, it would be good to track this down if it is out there.
-
[quote name=“Bushstar” post=“53490” timestamp=“1390173134”]
So we got defaced. I’ve got a copy of the defaced page as it was some neat ASCII art.[url=http://forum.feathercoin.com/hacker.php]http://forum.feathercoin.com/hacker.php[/url]
You can get the source from here.
[url=http://forum.feathercoin.com/index.tar.gz]http://forum.feathercoin.com/index.tar.gz[/url]I have updated all the packages on the server and restored the front of the forum. The forum was the only site effected on a server that runs multiple pages for Feathercoin. I’m not yet sure how they managed to deface our site and it may well not be an outdated package on the server. Even though we run the latest version of SMF the forum software we may still be vulnerable.
I will investigate further tomorrow. I’m guessing that there is a SMF hack doing the rounds, it would be good to track this down if it is out there.
[/quote]Man that is hte best ASCI art I have ever seen.
-
[quote name=“chrisj” post=“53492” timestamp=“1390173340”]
[quote author=Bushstar link=topic=6799.msg53490#msg53490 date=1390173134]
So we got defaced. I’ve got a copy of the defaced page as it was some neat ASCII art.[url=http://forum.feathercoin.com/hacker.php]http://forum.feathercoin.com/hacker.php[/url]
You can get the source from here.
[url=http://forum.feathercoin.com/index.tar.gz]http://forum.feathercoin.com/index.tar.gz[/url]I have updated all the packages on the server and restored the front of the forum. The forum was the only site effected on a server that runs multiple pages for Feathercoin. I’m not yet sure how they managed to deface our site and it may well not be an outdated package on the server. Even though we run the latest version of SMF the forum software we may still be vulnerable.
I will investigate further tomorrow. I’m guessing that there is a SMF hack doing the rounds, it would be good to track this down if it is out there.
[/quote]Man that is hte best ASCI art I have ever seen.
[/quote]
It was pretty cooldon’t know if this is what you are looking for Bushstar [url=http://www.youtube.com/watch?v=Was3qt_KFtw#ws]Smf forums hack[/url].
I know one thing the person responsible for creating the art was not the person who hacked the page. I think the hacker may be in trouble with his vandal mates for removing credits form the animation -
How do you know nn?
-
Wrong aproach from hack recovering… If it’s 0day it will repeat! Check server processes and find the entry point… I can’t believe what I’m reading here…
-
[quote name=“Ruthie” post=“53496” timestamp=“1390173961”]
How do you know nn?
[/quote]
nn? -
Sorry, the question was directed at you netnerd, I just addressed you after.
-
[url=http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/]http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/[/url]
[quote]All three vulnerabilities are present in SMF1 up to version 1.1.18 and SMF2 up to version 2.0.5. The SMF team has released updates (version 1.1.19 and 2.0.6) which fix the clickjacking problem (via an X-Frame-Options header) and the username faking possibility via multiple consecutive spaces. [b]However, the Unicode homoglyph attack has not yet been fixed[/b] since it is not trivial to filter out all confusable characters while still allowing legitimate Unicode characters in usernames (especially if you can’t use the Spoofchecker class because you have to support PHP versions below 5.4.0).[/quote]
-
[quote name=“Tuck Fheman” post=“53510” timestamp=“1390177815”]
[url=http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/]http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/[/url][quote]All three vulnerabilities are present in SMF1 up to version 1.1.18 and SMF2 up to version 2.0.5. The SMF team has released updates (version 1.1.19 and 2.0.6) which fix the clickjacking problem (via an X-Frame-Options header) and the username faking possibility via multiple consecutive spaces. [b]However, the Unicode homoglyph attack has not yet been fixed[/b] since it is not trivial to filter out all confusable characters while still allowing legitimate Unicode characters in usernames (especially if you can’t use the Spoofchecker class because you have to support PHP versions below 5.4.0).[/quote]
[/quote]If this is the case [url=http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/#toc-2]http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/#toc-2[/url] intermediate attacker will have quite a lot of info in his hands. Changing all of the accounts on the services that are related in any way to the *.feathercoin.com is must, cleaning server from possible started processes in the background ( check exec, passtrough, … enabled in php ), check from created php scripts that are web accessible ( usualy they are used as backdor ), check crons & hope if attacker doesn’t execute some exploit against host operating system…
-
Not sure if this is related, but I’m curious … Chrisj weren’t you “Admin” yesterday and now you’re “Staff”?
-
[quote name=“Tuck Fheman” post=“53520” timestamp=“1390180669”]
Not sure if this is related, but I’m curious … Chrisj weren’t you “Admin” yesterday and now you’re “Staff”?
[/quote]oh ns… I didn’t even see that. Tuck’s right.
-
A friend of mine (who has an account here) just received an email stating [s]BTC-e (no mention on their website) had been hacked and to change his password.[/s] (
I just wanted to mention it in case others start receiving them because I’m not sure how long it will take him to respond with the email.[b]Be wary of any email like this you may receive.[/b]
The email was legit (from BTC-e) but had nothing to do with BTC-e being hacked. It was someone trying to access his account from Switzerland and attempting to reset his password.
-
[quote name=“Calem” post=“53521” timestamp=“1390181031”]
[quote author=Tuck Fheman link=topic=6799.msg53520#msg53520 date=1390180669]
Not sure if this is related, but I’m curious … Chrisj weren’t you “Admin” yesterday and now you’re “Staff”?
[/quote]oh ns… I didn’t even see that. Tuck’s right.
[/quote]Oh noes!! CJ is the hacker!!! OMG!!! its always the quiet ones!!! ;D
Joking aside guys, all admins (myself included) have been made “staff” until we have all had the opportunity to reset passwords etc (as a precaution). All will regain their admin rights… :)
-
[quote name=“Nutnut” post=“53530” timestamp=“1390186610”]
Joking aside guys, all admins (myself included) have been made “staff” until we have all had the opportunity to reset passwords etc (as a precaution). All will regain their admin rights… :)
[/quote]Cool.
-
I demoted everyone to staff in case this is a compromised admin account. Perhaps I can ask the chap nicely at the hacker forum how he did this.
-
[quote name=“Bushstar” post=“53557” timestamp=“1390202932”]
Perhaps I can ask the chap nicely at the hacker forum how he did this.
[/quote]Maybe.
I could imagine that half the reasons hackers do this sorta stuff is to feel somewhat important/intelligent etc.
Not having a dig at the guy (as annoying and disruptive as this is), he did point out an exploit.
Hopefully the person didn’t do anything damaging etc.
-
[quote name=“Bushstar” post=“53557” timestamp=“1390202932”]
I demoted everyone to staff in case this is a compromised admin account. Perhaps I can ask the chap nicely at the hacker forum how he did this.
[/quote]So the exploit remains unpatched? The only responsible thing to do is to shut it down and fix the problem. Simply taking shots in the dark will only result in everyone’s private data being compromised.
