Our board has been hacked, but how?

Moparx

GNU/Linux Inside
Joined
May 30, 2004
Messages
1,350
Ah, well, on the first page in his initial post he has 200 and 301 codes.
The 301 is a redirect and the 200 simply means the request has succeeded.

The second log entry he posted just shows the 200.
 

DC9

Aspirant
Joined
Sep 13, 2005
Messages
40
Liz said:
After some DIGGING with what I had from here, and it wasn't much, we have discovered that this exploit can be used on ANY forum, not just vb! So Wayne, PLEASE let my experts have the files.

Here is my proof: http://www.linuxquestions.org/quest...threadid=306560

We've nailed it down to a hacker's site called http://www.drdeathx.com run by Goldskull. Liz

To be sure, the first two attacks were carried out by GoldSkull and he was re-directed from the site you are quoting. It is an Egyptian site.

The third attack was made by two hackers, one operating from Egypt. The other hacker, called "nona", operated from Colorado, USA, and more precisely from this site: connector-5.propel.com. Propel advertises itself as the fastest web accelerator on the market. Probably a good choice if you want to make fast scans!

As I mentioned, the hacker's file that I have saved, the template.php, is perhaps not very interesting. I have not compared it with my template.php line-by-line, but it looks to be a copy.

However, I do recall that the hacker installed a zip file (nona-zip) that may contain some tools or things that could be interesting. My webhost and I had to delete the hacker's folder because suddenly he was all over the cpanel. But my webhost may be able to retrieve the zip-file. I am going to ask.

Furthermore I have the rawlog since the first attack.

I am not going to switch host just yet. The forum we are running is valuable to us, and within its own little niche (ice hockey) it is truly unique on the web, but we are not running a business, so no money lost. However, if we do not get down to the bottom of this, and if we are attacked again, I will change host.

As for passwords (Wayne's post), all my passwords have at least 12 characters, and they do contain small and big letters, numbers and non-alphanumerical signs.
 

southernlady

Devotee
Joined
May 8, 2005
Messages
2,474
DC9, compare the hacker's template.php to your original template.php line by line and then post JUST the changed part. Not the entire file. I can then go back to MY original template and look at mine and see what was changed :) and where. Liz
 

mobo

Adherent
Joined
Mar 28, 2005
Messages
268
Almost sounds like he has a script to reset the password and some type of loop in it so it doesn't require the current password to accomplish the task. Three times is far too few to crack the admin password.
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
Look at the code above posted by DC9....

Code:
require_once('IHG/guestbook/public/nona/admincp/global.php');
if ($_SERVER['HTTP_HOST'] == 'www.vbulletin.com')
{
    $debug = 1;
}
require_once('IHG/guestbook/public/nona/admincp/includes/adminfunctions_template.php');

You will not find that code in any vBulletin file. vBulletin does not use explicit paths in its includes. A file was compromised. It is loading files out of another user's home directory on the same server he is in. This isn't some scanning, it is cross-user contamination which any secure server will prevent. On a shared server, it should be in safe mode to prevent this kind of thing. Safe mode runs PHP as the user who owns the files, not as a global unrestricted user.

Furthermore, vBulletin does not allow GET or POST requests from external servers. It only allows them from the domain it is installed on. You would have to specifically go into the code and disable that functionality for someone to use a GET or POST SQL injection attack from a remote server.

So here is what we know about this attack:

1) the attacker has access to the server. This by itself means the customers should be moved to new machines and the server wiped and reinstalled.

2) the attacker has access to DC9's $HOME directory. This cannot be obtained through vBulletin but requires either root access to change permissions or a complete lack of permissions on the server.

3) The vBulletin files were not chmodded 644 for security. We have notified about this and it protects against the various worms and such which get in and just delete files. It makes the files deletable by their owner only, which would be the account that uploaded them. It would also prevent something like this from happening where someone overwrote a file.

4) The files which contain the exploit are not available to DC9 unless he cracks into the other directory himself. He should get the host involved but they do not seem to be responsive here.

Finally, there are hundreds of thousands of automated scanners out there. There are books on how to find crackable sites via Google. And a lot of other resources. You need to be proactive in security, not reactive. If you have to react you have already lost.

Unless you want to continue getting hacked, moving servers is the only way. You are on a compromised machine. If you have access to the files at IHG/guestbook/public/nona/admincp then you can send them to me. I will make sure that they get to our security audit team and reviewed. My guess is that they simply bypass authorization and allow the cracker to access the templates without permission checking.

I am not at liberty to release files to people who have not signed the appropriate agreements with Jelsoft to get access to our code without purchasing a license.

If you need my email address, you can send a PM.
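Two of the conditions Wayne lists (files left writable beyond their owner, and includes that name an explicit path instead of vBulletin's own './' relative form) can be checked mechanically across a web root. The script below is an added example for this thread, not vBulletin's or Jelsoft's code; it assumes the application's own includes all start with './' and that 644 is the intended file mode.

```python
"""Audit a PHP web root for two signs Wayne describes: files or directories
writable beyond their owner, and includes that name an explicit path."""
import os
import re
import stat

# include/require(_once) followed by a quoted literal path; captures the path.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)

def foreign_includes(php_source):
    """Return include targets not written in the './...' form vBulletin 3 uses
    (assumption); absolute paths, '..' traversal and bare paths are reported."""
    hits = []
    for target in INCLUDE_RE.findall(php_source):
        parts = target.replace("\\", "/").split("/")
        if not target.startswith("./") or ".." in parts:
            hits.append(target)
    return hits

def permission_findings(relpath, mode, is_dir=False):
    """Flag a file whose mode is not 0644, or a directory that is group- or
    world-writable (the 775/777 'public' folder in the thread is that case)."""
    perm = stat.S_IMODE(mode)
    if is_dir:
        if perm & 0o022:
            return ["%s: directory mode %o is group/world writable" % (relpath, perm)]
        return []
    if perm != 0o644:
        return ["%s: file mode %o, expected 644" % (relpath, perm)]
    return []

def audit(root):
    """Walk root and collect every finding from both checks, as strings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            findings += permission_findings(os.path.relpath(full, root),
                                            os.lstat(full).st_mode, is_dir=True)
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            findings += permission_findings(rel, os.lstat(full).st_mode)
            if f.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for inc in foreign_includes(fh.read()):
                        findings.append("%s: includes %s" % (rel, inc))
    return findings
```

Run `audit("/path/to/web/root")` and print the list; the include check would have flagged the two require_once lines Wayne quotes, and the permission check the 775/777 guestbook folder.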
 

DC9

Aspirant
Joined
Sep 13, 2005
Messages
40
Thanks, Wayne. I am still trying to get the host to retrieve the files.

Here's my take on how the hacker got into the root folder:

1) We used to have an advanced guestbook. We never used it and I had forgotten all about it. It wouldn't surprise me that the version of the guestbook was 2.2. It was installed in July 2004.

If it was version 2.2, then it is well known (and also to me now) that it is vulnerable to MySQL injection. The hack, which is widely published on the net (make a Google search), is very simple:

Once the hacker finds a version 2.2. advanced guestbook, all he has to do is to click on admin, leave the username blank and type the password ') OR ('a' = 'a , and then he is in the admin section.

Question: Is it likely that this is how the hacker accessed the server, and more precisely my home directory? (#1 and #2 in Wayne's list)

2) In the sub-folder called 'public' under the guestbook folder, the hacker created his own folder (called nona). Into this folder he uploaded a zip-file (called nona_zip). The zip file probably contained all the vBulletin files - he used version 3.0.7. plus perhaps some tools. As mentioned, I am trying to retrieve this file, and if I get it, I will send it to you, Wayne.

It is my belief that the hacker entered the root folder some weeks or months ago, and not prior to the 3rd attack that he executed. Reason: My vBulletin files were chmod to 644 shortly after the first attack, two weeks ago. At that point, the mySQL database for the guestbook was also deleted, but I forgot to delete the guestbook folder and the subfolders (incl. nona) below it.

Question: Does this sound plausible?

3) There are very strong signs that nona (who operated from the USA) is connected with the Egyptian hackers. I got the strongest indication yesterday, when nona attempted to access my site from the Egyptian hacker forum, Liz has referred to. Moreover, during the third attack, the Egyptian hacker attempted to access nona's folder in the guestbook.

I have studied the raw log from the 24 September attack very carefully and I have made some interesting observations:

a. The Egyptian hacker entered the forum at 13:52pm. He attempted to log in to my account, but the password didn't work. He asked for a new password, and this was sent to his email, not mine. My take: somebody must have reset my email to the Egyptian hacker's email address.
Once he entered the board, he looked for the admincp, but he couldn't find it (it has been removed from the footer and renamed). The hacker then fooled around for about 1 hour, deleting my PMs, resetting the password in the userCP; he also entered the modCP, which at that point had still not been .htpasswd protected.
Then suddenly out of nowhere at 16:06, he reached the adminCP. No guesses, he suddenly reached it. My take: somebody must have informed him about the location.
However, to his dismay he got the "401 code". Since the last hacker attack the adminCP had been .htpasswd protected.

What happens next? At 16:08, two minutes later, nona - the hacker - appears in the log and accesses his folder in the guestbook. He has all the vBulletin files stored in his folder - the PHP code reveals that the files are his, but the content is copied from mine. He must have done this copying a while ago, since I can't see any references to the nona folder for the past month in my raw log.

At 16:10, I have returned from the cinema (Charlie and the Chocolate Factory), the Egyptian hacker is discovered and his IP banned immediately. It takes another hour to track nona, who managed to deface the board and reach the cpanel.
At 17:38 the Egyptian hacker attempts to reach nona's folder from another computer, but I had banned the whole IP range, and yesterday nona attempted to reach my site from the Egyptian hacker site.

My take, and correct me if it sounds crazy: Nona was the grey eminence in the hacker attacks. His folder hidden in the never-used guestbook provided the backdoor to the forum. He accessed the forum's database from this folder (I don't think this shows up in the raw log) and changed my email address and password to allow the Egyptian hackers to log in.
Once the Egyptian hacker(s) realized that they could no longer access the adminCP (24.9 at 16:06), nona finally revealed himself and hacked the board. By doing this, he finally showed up in the raw log, and I was able to track down his nest and burn it.

Does this sound plausible, or am I way out of line?
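The hand-made timeline above (the password reset, the 401 on the renamed adminCP at 16:06, nona's folder two minutes later) is the kind of thing a small parser can pull out of a raw Apache log directly and correlate by source address. This is an added example, not from DC9 or vBulletin; the log lines are constructed, and the admin path name, the served-directory list and the vBulletin lost-password URL parameters are assumptions to adjust to your own site.

```python
"""Timeline a raw Apache access log for the events DC9 reconstructs by hand:
password-reset requests, 401s on the renamed .htpasswd-protected admin path,
and hits on paths outside the served directories. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

KNOWN_PREFIXES = ("/forum/",)        # directories the site really serves (assumed)
ADMIN_PATH = "/forum/hiddenadmin/"   # renamed admincp behind HTTP auth (assumed name)
RESET_MARKERS = ("do=lostpw", "do=emailpassword")  # assumed vB3 lost-password actions

def classify(ip, ts, method, path, status, referer):
    """Return a short reason if this request belongs on the timeline, else None."""
    if any(m in path for m in RESET_MARKERS):
        return "password reset requested"
    if path.startswith(ADMIN_PATH) and status == "401":
        return "admin path hit, blocked by HTTP auth"
    if not path.startswith(KNOWN_PREFIXES):
        return "request outside known site directories"
    return None

def timeline(log_text):
    """Parse each line; keep (timestamp, ip, reason, path) for flagged requests."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        why = classify(*m.groups())
        if why:
            events.append((m.group(2), m.group(1), why, m.group(4)))
    return events

def ips_by_event(events):
    """Which source addresses produced each kind of event (nona vs. the Egyptian IP)."""
    out = defaultdict(set)
    for _, ip, why, _ in events:
        out[why].add(ip)
    return dict(out)

SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2005:13:52:10 +0200] "POST /forum/login.php?do=login HTTP/1.1" 200 4120 "http://example.org/forum/" "Mozilla/4.0"
203.0.113.7 - - [24/Sep/2005:13:55:41 +0200] "POST /forum/login.php?do=emailpassword HTTP/1.1" 200 3201 "http://example.org/forum/login.php?do=lostpw" "Mozilla/4.0"
203.0.113.7 - - [24/Sep/2005:16:06:02 +0200] "GET /forum/hiddenadmin/index.php HTTP/1.1" 401 401 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Sep/2005:16:08:15 +0200] "GET /guestbook/public/nona/admincp/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""
```

`timeline(SAMPLE_LOG)` yields three flagged entries in log order, and `ips_by_event` shows the reset and the 401 coming from one address and the guestbook folder hit from another, which is the correlation DC9 drew by eye.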
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
See now we are getting more information.

Would like to point some things out though. It is plausible that your USA IP address actually originates in Egypt. IP addresses are not viable tracking indicators. They are not truly static and are easily spoofed. Any cracker worth his salt knows how to spoof an IP address and there are tools for the Script Kiddies to do the same. Don't rely on IP address to find someone's location. It could lead you to Joe Suburbanite who only browses porn on AOL.

What you say sounds plausible especially with a SQL injection in the guestbook which could allow him to open an FTP Pipe.

What version of Cpanel do you have installed? There are versions of this released almost daily.
 

DC9

Aspirant
Joined
Sep 13, 2005
Messages
40
Thanks a lot for your replies.

Wayne, my current version of cpanel is 10.

Unfortunately, the webhost didn't manage to retrieve the file. Fate has it that they made a backup as late as yesterday, and after the guestbook folder was deleted.

I have now run through all the folders in the root to look for something unusual and to see whether the files were chmod correctly. As I recall from Saturday, the public folder in the guestbook was chmod to 775 or 777. And I never set those permissions. :cheeky:

Is there anything else I can do?

And Liz, thanks a lot for your caring interest and help.

Hopefully, this is done for now. I would like to get some time to look at the other threads on this fine board and see whether there is something that I can give some input on.
 

southernlady

Devotee
Joined
May 8, 2005
Messages
2,474
DC9, you can still send me that info that you have...not the template.php but the other. Liz
 

maharg

Aspirant
Joined
Sep 18, 2005
Messages
40
Wayne Luke said:
On a shared server, it should be in safe mode to prevent this kind of thing. Safe mode runs PHP as the user who owns the files, not as a global unrestricted user.

Since this IS a security forum, I feel I should point out that this is not really the case. PHP safe mode does somewhat emulate this. In particular, it disallows the use of PHP's built-in library functions to open files that are not owned by the owner of the PHP file. This is not the same as running as that user, as extensions that call directly to the operating system may still open and even write to files owned by the server process. It also means that you do not have write access to your own files unless the server is running as root (which is bad).

The only true way to achieve that goal is in fact to run php as a CGI or FastCGI process. Safe mode, by the PHP site's own documentation, is not even close to sufficient in a shared hosting environment to ensure secure operation unless you never load extensions that open files (and most of the useful ones can/do).
 

Wayne Luke

Tazmanian
Joined
Jan 6, 2004
Messages
5,791
You're right but there are tradeoffs between security and performance, functionality and ease of use. Each person needs to figure out where they draw the line and get the best of each. Most hosts don't run PHP as CGI because of performance issues. So you have to work with the next best thing.
 

DC9

Aspirant
Joined
Sep 13, 2005
Messages
40
More news:

I have just found out that months ago, I downloaded the site. In this download, nona's folder was there, but the zip-file wasn't.

Thus, we can conclude that

1) the guestbook was hacked months ago, a long time before the first hacking took place.
2) The zip-file was uploaded at a later time. We will not know what was in it.

So what was in the folder at the time the site was downloaded?

Two vB files, both belonging to the hacker (vB version 3.0.7, dated 20.2 2005; the license number has been edited to 'Barakat').

I don't think that the hacker has further edited the two files, but having access to the forum database, they could be critical for obtaining information, or...what?

The two files were:

• members.php
• template.php

What are your thoughts?
 

Tha Champ

Enthusiast
Joined
Oct 29, 2005
Messages
176
What a nerd, he has his own cracking kit.
And the tools in it don't even work!
*Don't ask how I know that :p
 

sifuhall

Kung Fu Webmaster
Joined
Apr 24, 2004
Messages
388
Looks like we have had another victim of this hacker.

A vBulletin site that I co-admin was hacked and the IP traced to Egypt. This person replaced the templates forumhome and forumdisplay with his own template.

After reviewing the logs I see that it appears he used SQL injection to gain control of the main admin account from the user.php file, then locked out the other admin accounts, changed the email address and eventually the password of the main admin, etc.

We have recovered the main admin account and changed the password (and email address), moved the database to a new database with a new db login and password, password-protected the admincp area.

This forum has no hacks or add-ons at all.

What else can we do to help secure this site?
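DC9's guestbook bypass (blank username, password `') OR ('a' = 'a`) and sifuhall's user.php injection are the same class of bug: request data concatenated into SQL. As an added illustration (sqlite3 stands in for the real MySQL back end; this is not the guestbook's or vBulletin's code), the first function assumes the vulnerable admin login built its query by string concatenation, and the second shows the same check with bound parameters, which is the fix to apply anywhere a site builds queries from user input.

```python
"""The guestbook login bypass quoted by DC9, beside the fix. sqlite3 stands in
for the real MySQL back end; the query shape is an assumption drawn from the
fact that a blank username plus the quoted password string logged the attacker in."""
import sqlite3

PAYLOAD = "') OR ('a' = 'a"    # the exact string quoted in the thread

def make_db():
    """In-memory admin table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'correct horse battery staple')")
    return con

def login_vulnerable(con, username, password):
    """Query built by concatenation: the input's quotes become SQL syntax, and
    AND binds tighter than OR, so the appended OR clause is always true."""
    sql = ("SELECT COUNT(*) FROM admins WHERE (username = '%s') AND (password = '%s')"
           % (username, password))
    return con.execute(sql).fetchone()[0] > 0

def login_safe(con, username, password):
    """Same check with bound parameters: the driver passes the values as data,
    so the payload is compared literally against the stored password and fails."""
    sql = "SELECT COUNT(*) FROM admins WHERE (username = ?) AND (password = ?)"
    return con.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, blank user + payload:", login_vulnerable(db, "", PAYLOAD))  # True
    print("parameterized, same input:      ", login_safe(db, "", PAYLOAD))        # False
```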
 

Judgy

Neophyte
Joined
Oct 7, 2006
Messages
2
A step-by-step guide of how your site was hacked.

I have spent a short while reading this post this morning and now have step by step instructions as to how your board was hacked.

I believe the referral URL to be the key: securedeath.com. If you enter this site you will find a strange mix of Arabic and English text. Entering the page into Google will give you the option of translating it into English (which then seems to return a step-by-step guide on hacking certain forums). See http://translate.google.com/transla...p://www.securedeath.com/phpBB/&hl=en&lr=&sa=G
 