Topic: Cl0wn S4t4n1c_S0uls hacked my site

Hello my site is PunBB 1.2.14 and Cl0wn S4t4n1c_S0uls  defaced it!!!

Solutions for future attack???

Re: Cl0wn S4t4n1c_S0uls hacked my site

I have a lot of punbb sites please help me for this problem

Re: Cl0wn S4t4n1c_S0uls hacked my site

Moved to PunBB Discussion

It depends on how he managed to hack your site and what he did to your database.

Re: Cl0wn S4t4n1c_S0uls hacked my site

What?

Re: Cl0wn S4t4n1c_S0uls hacked my site

PHP Version 4.4.4, MySQL 4.1.22

Re: Cl0wn S4t4n1c_S0uls hacked my site

OK, first off, what exactly did he do? Did he modify config.php, did he edit the database, what?

Re: Cl0wn S4t4n1c_S0uls hacked my site

I'm pretty sure it's not related with PunBB, this guy must have exploited some bug and he seems to be interested mostly in governative and military websites.
http://old.zone-h.org/en/defacements/sp … n1c_S0uls/

Re: Cl0wn S4t4n1c_S0uls hacked my site

Smartys wrote:

OK, first off, what exactly did he do? Did he modify config.php, did he edit the database, what?

NO he modified only my index and not the config file!!!

Re: Cl0wn S4t4n1c_S0uls hacked my site

fantasma wrote:
Smartys wrote:

OK, first off, what exactly did he do? Did he modify config.php, did he edit the database, what?

NO he modified only my index and not the config file!!!

I'd suggest reporting the incident to your host and asking them for help: they're more likely to be able to identify the issue.

Re: Cl0wn S4t4n1c_S0uls hacked my site

yes i do it

Re: Cl0wn S4t4n1c_S0uls hacked my site

If he modified your index page, that would suggest that he somehow has managed to get write access to your forum root directory. I doubt this has to do with PunBB, but who knows.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Cl0wn S4t4n1c_S0uls hacked my site

look at your raw server logs for the time span that the defacing happened.  if you have normal traffic up until the time it was defaced, then they most likely gained access to the box that your site was on, and mass defaced all the sites on that box.

Re: Cl0wn S4t4n1c_S0uls hacked my site

this sounds stupid, but did you check you home dir permitions?

14 (edited by MadHatter 2007-01-19 22:40)

Re: Cl0wn S4t4n1c_S0uls hacked my site

I doubt that would help anything.

When I was in school they gave us personal websites, and some time after I graduated I went back to the one I had.  there was a place I had made for group collaboration for some of my classes that let folks upload team documents.  somebody had uploaded a script that allowed them to gain IO access to all the sites hosted on that web server.  I downloaded it and tried it on one of those free hosting servers and was able to have pretty much root access to every site hosted on that server.  It was a pretty dangerous script, and if somebody else hosted on the same box as yours allowed somebody to upload a script like that, they could deface every site on that box from their web browser (including changing directory acl's).

most hosts have scanners for that kind of stuff, so your best bet is to contact them or access your logs to see what was going on.

Re: Cl0wn S4t4n1c_S0uls hacked my site

MadHatter wrote:

I doubt that would help anything.

When I was in school they gave us personal websites, and some time after I graduated I went back to the one I had.  there was a place I had made for group collaboration for some of my classes that let folks upload team documents.  somebody had uploaded a script that allowed them to gain IO access to all the sites hosted on that web server.  I downloaded it and tried it on one of those free hosting servers and was able to have pretty much root access to every site hosted on that server.  It was a pretty dangerous script, and if somebody else hosted on the same box as yours allowed somebody to upload a script like that, they could deface every site on that box from their web browser (including changing directory acl's).

most hosts have scanners for that kind of stuff, so your best bet is to contact them or access your logs to see what was going on.

Proper chmodding would help there (as Apache should only be reading index.php)

16 (edited by MadHatter 2007-01-20 01:34)

Re: Cl0wn S4t4n1c_S0uls hacked my site

exactly, except with this script you were able to change permissions and owners.  It was a complete (and very nicely done--in a sick sort of way--I might add) hacktool.  I was pretty surprised when I looked at it.  At first I thought is was just a situation where the school (and it was a prestigious computer science school) didnt have the systems locked down, but that wasn't the case.  however it worked (I think it ran under the context of the web server) it allowed full access to everything, unlike what you get when you try to access the file system w/ a standard php sript. 

I still have it on my old hard drive (however it crashed pretty hard about a year ago, so recovering it is going to be difficult).  If I ever run across it again, I'd let you check it out (though the exploit it used is most likely fixed by now... this was a long time ago).

Re: Cl0wn S4t4n1c_S0uls hacked my site

If it was a PHP script, it can only see what the webserver can see (unless it was abusing a bug in PHP, Apache, or the OS to give itself elevated permissions)
I've seen some pretty powerful backdoor/hack scripts in PHP, but I don't think most of their functions abused holes in Apache, PHP, or the OS

18

Re: Cl0wn S4t4n1c_S0uls hacked my site

hi
se alguem entende portugues ae
ae foi mal pelo site =/ se voces nao conseguiram arrumar ainda me fala que eu ajudo
obrigado wink

19

Re: Cl0wn S4t4n1c_S0uls hacked my site

^^ I think he's offering to help secure your site if you speak Portuguese.