simple machines forum theoretically hacked questions

Discussion in 'SMF' started by King G, Dec 28, 2016.

  1. King G

    King G Enthusiast

    201
    23
    +13
If my Simple Machines forum hosted on 000webhost gets hacked,

is it likely that my MacBook Pro laptop will get malware installed onto it?

I have Avast running on my computer.

Thanks
     
  2. Hauyser

    Hauyser illiterate.

    394
    142
    +146
  3. King G

    King G Enthusiast

    201
    23
    +13
    great! :)
     
  4. radu81

    radu81 Fan

    656
    347
    +190
SMF is secure, there are no known bugs
     
  5. Solidus

    Solidus Stupid machines!

    578
    287
    +319
  6. H-DB

    H-DB Enthusiast

    112
    43
    +83
  7. Antes

    Antes Developer

    152
    55
    +110
  8. zappaDPJ

    zappaDPJ Administrator

    6,422
    1,342
    +4,835
I've been running multiple SMF forums for years and never been hacked. In the unlikely event your forum did get hacked there's still no reason to suppose the payload would interfere in any way with your MacBook.
     
  9. radu81

    radu81 Fan

    656
    347
    +190
    Exactly this! Thanks
     
  10. Deprecated

    Deprecated Participant

    86
    13
    +12
    I've never been hacked in maybe 10 years.

I've always loved what I call their sentinels, the method they use to prevent running a component file rather than coming in through the index. In the main index they have define('SMF', 1); Then in all the other files they have if (!defined('SMF')) die('Hacking attempt...'); A hacker would have to inject a file onto your server to get around that. Every folder has an index even if it just redirects to the main index, which kills folder viewing. The problem with any open source code is that the hacker has a copy of your code.

I won't discuss in detail filtering and escaping user input before it is used in SQL queries, but they have that covered.

    In computer and software security it always amounts to multiple measures to prevent hacking.

    I have additional code in my server blocks (Nginx, I don't use Apache) to prevent many common hacks.

    I ripped off many SMF methods for use in my own CDS, even their $context[] array. :)
     
  11. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +607
    Eh, why bother with that when you can just stick an .htaccess file in Sources and prevent that entirely? Or, move any malicious code before the sentinel - it's not like we haven't seen malware hit the <?php line, put a lot of spaces after it so people wouldn't trivially see it in an editor and hide their code there. Same for the index.php files, why not just use an .htaccess to deal with that?

    Or, for that matter, have code spliced into the themes which have no such sentinel - and can be edited from the admin panel in most cases. This has been used in at least one of the high profile hacks against SMF.
     
  12. Deprecated

    Deprecated Participant

    86
    13
    +12
    When you consider that Nginx does not use .htaccess files (Apache) you can understand why that stuff goes in my Nginx server blocks.

    So far I've stuck with curve and only modded my top of forum appearance.
     
  13. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +607
    I consider that nginx does not use .htaccess. I would assume anyone deploying nginx would apply the same protections as .htaccess files in the nginx config to do the job without even hitting PHP.

    And it doesn't matter that you've stuck with Curve; one of the most high profile hacks in SMF's history was on Curve.
     
  14. Deprecated

    Deprecated Participant

    86
    13
    +12
    You assumed correctly. I apply the same protections on my Nginx. Like I said, multiple redundant layers of protection.

    Well I haven't been hacked and I cron my database daily. If my forum gets hacked I'll just figure out how they did it and then I'll unhack it.

    Just remember, if somebody can run their code on your system they own your system.

    I wrote a mod that gives me ssh access. I never told anybody that. And of course it is nowhere on my site. (I needed it when somebody gave me an open source site—he was going to jail—and didn't give me his GoDaddy creds. I eventually moved his site to a server I controlled.) What a fun business for a retired person! :)

    OMG GoDaddy, just don't get me started! ;)
     
  15. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +607
    Let me put it this way: Avast uses SMF. They are a security company - and they got hacked. And I assure you they were using more complex methods of defence than anything you've outlined so far. But what got them was not anything they'd thought about.

    I know because I'm the one who investigated. I also know how long it took them to notice they'd been hacked because the hack was that sophisticated. I doubt most forum owners ever know they've been hacked.
     
  16. Deprecated

    Deprecated Participant

    86
    13
    +12
    So Pete, what do you suggest I do? Maybe I shouldn't have started a new forum in the first place.

    Is that the only solution? SMF can be hacked therefore do not run a SMF forum?
     
  17. Pete

    Pete Flavours of Forums Forever

    1,773
    227
    +607
    Yet again you choose to misinterpret my words to fit your narrative, which is not really based on watching what actually goes on.

    SMF 2.0.15 is as far as anyone knows, safe. I'm disputing what you call 'security measures' because in the last 15 years we learned from experience that they are, in fact, not actually anything much beyond security theatre.

    The usual rules apply: strong passwords etc. and ideally make no file writable unless you actually need to, and make it readonly as soon as you're done with it.
     
  18. zappaDPJ

    zappaDPJ Administrator

    6,422
    1,342
    +4,835
    Even banks get hacked. My approach is to try and prevent it but assume it's inevitable and take precautions based on that premise.

I've found you can avoid most hacking attempts by always running the latest version of any software and never using themes with dependencies like the PHP Image Resizer, TimThumb. If it's a forum choose your admins wisely.

In the event of the worst happening, close your site, inform the hosting company and your forum members. You would then want to plug the hole, which I've always found surprisingly easy, reinstall from a known good backup and force a password change.

    I realise that all sounds simple and obvious but it's surprising how few site owners actually follow those basic procedures including a certain official support site :cautious:
     
  19. Deprecated

    Deprecated Participant

    86
    13
    +12
    Pete, I'm hurt that you would say that. You are speculating about my inner state when that wasn't it at all. Mine was a genuine question, although the way I phrased my reply may have not been the best way to state it. I was just perplexed, I'm already doing the best I can, and I've been with 2.0 since the very early RC stages and I have just never been hacked—that I know.

    Here is my Nginx server block code:

    Code:
        ## Block file injections
        set $block_file_injections 0;
        if ($query_string ~ "[a-zA-Z0-9_]=http://") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
            set $block_file_injections 1;
        }
        if ($block_file_injections = 1) {
            return 403;
        }

        ## Block common exploits
        set $block_common_exploits 0;
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "proc/self/environ") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "base64_(en|de)code\(.*\)") {
            set $block_common_exploits 1;
        }
        if ($block_common_exploits = 1) {
            return 403;
        }
    
    Bit of a problem for me, I have a dedicated server and every time I call my IT department it goes to voice mail, and then when I hang up somebody left an identical voice mail for me! ;) ;) ;)

Actually I used to be with 1and1.com shared hosting but one day I realized I knew more than their IT hacks. I couldn't get anything more from them than I already knew so I fired them.

    I enjoy sky diving myself with no parachute. You just have to learn to swim in air before you hit the ground. So far at 50,000 feet I'm enjoying the view! Good thing I got the oxy strapped to my back. ;)
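The server-block rules in the post above, replayed in Python as an added example (this is not code from the thread or from the SMF project). The regexes are copied unchanged from the nginx block; the query strings are constructed samples, not real traffic. The point the harness makes is the one Pete raises: nginx's $query_string is the raw, undecoded string, so these rules hit literal payloads and a benign forum search alike, while a percent-encoded variant of the same input passes straight through to PHP. That makes them a filter to keep behind SMF's own escaping and file-permission hygiene, not in front of it.

```python
"""Replay of the nginx query-string rules posted above (same regexes) against
constructed query strings, to see what they catch and where they stop."""
import re
from urllib.parse import unquote

# Patterns copied verbatim from the server block above. They are PCRE; Python's
# re accepts each of them unchanged (\% is just a literal percent sign).
FILE_INJECTION_RULES = [
    r"[a-zA-Z0-9_]=http://",
    r"[a-zA-Z0-9_]=(\.\.//?)+",
    r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
]
COMMON_EXPLOIT_RULES = [
    r"(<|%3C).*script.*(>|%3E)",
    r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",
    r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",
    r"proc/self/environ",
    r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)",
    r"base64_(en|de)code\(.*\)",
]
RULES = [(p, re.compile(p)) for p in FILE_INJECTION_RULES + COMMON_EXPLOIT_RULES]

# Constructed sample query strings (not real traffic): two ordinary SMF
# requests, several that the rules are written for, one percent-encoded
# variant of a blocked one, and one benign search that collides with a rule.
SAMPLE_QUERIES = [
    "topic=1234.0",
    "action=profile;u=42",
    "page=http://evil.example/x.txt",
    "file=../../etc/passwd",
    "file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "x=1&GLOBALS[foo]=bar",
    "search=how+to+use+base64_encode()",
]


def nginx_verdict(query_string):
    """Return the first rule (as written in the server block) that matches, or
    None when nginx would let the request through to PHP. nginx's $query_string
    is the raw, undecoded string, so the rules see exactly this form."""
    for pattern, rx in RULES:
        if rx.search(query_string):
            return pattern
    return None


def decoded_verdict(query_string):
    """The same rules applied after one round of percent-decoding, i.e. what a
    matcher that normalises its input first would see."""
    return nginx_verdict(unquote(query_string))


def evaluate(queries):
    """(query, rule hit on the raw string, rule hit after decoding) per query."""
    return [(q, nginx_verdict(q), decoded_verdict(q)) for q in queries]


def passed_raw_but_caught_decoded(queries):
    """Queries the nginx rules pass as written but would block after decoding:
    the gap a raw-string regex layer leaves for the layers behind it."""
    return [q for q in queries
            if nginx_verdict(q) is None and decoded_verdict(q) is not None]


if __name__ == "__main__":
    for q, raw_hit, dec_hit in evaluate(SAMPLE_QUERIES):
        status = "403 " + raw_hit if raw_hit else "pass"
        print(f"{q:45} raw: {status:40} decoded: {dec_hit or 'pass'}")
    print("encoding gap:", passed_raw_but_caught_decoded(SAMPLE_QUERIES))
```

Running it shows the two ordinary requests passing, the literal payloads returning 403, the search for the PHP function name base64_encode() being refused on a forum where people legitimately ask about it, and the percent-encoded traversal string reaching PHP untouched. Whether that last case matters depends entirely on what SMF does with the parameter, which is where the real control lives.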
     