1 (edited by babyinternet 2009-04-04 09:37)

Topic: My Forum was hacked

Hi all,

First, sorry because my English is so bad.

This is my forum: http://nhanweb.com. I used PunBB version 1.3 and updated every hotfix.

2 hours ago, some people called me and told me that the forum was hacked by someone. I checked and the Administrator's username and password were changed but nothing was uploaded. My FTP account is good. I have viewed the log file but nothing was logged. Here are some pictures of what the hacker changed in my forum.

http://img8.imageshack.us/img8/1489/111111fhx.jpg

http://img8.imageshack.us/img8/2670/nhanweb.jpg

The hacker said that PunBB is very easy to hack.

Please check PunBB source.

If you want my log file, please contact me on Yahoo! Messenger: l_lion.heart_l@yahoo.com or email webmaster@n2dgroup.com.

Thanks for reading.

Re: My Forum was hacked

The only way this would have been possible is if the admin account has an easy password. There are no known exploits in PunBB. However, we will keep looking to see if there is an exploit of this type.

Sorry. Unactive due to personal life.

Re: My Forum was hacked

Thanks for your answer.

My password is very long. I don't know why any post from this account had its author changed to the hacker. Those are posts from a long time ago.

Re: My Forum was hacked

My forum was hacked again after I changed my password to a new one. I used my laptop to access my administrator area; no keylogger is installed because I reinstalled my laptop before I changed my username and password. In the log file I found the hacker's IP: 123.17.183.199.

Some actions the hacker did, from my log file:

123.17.183.199 - - [05/Apr/2009:07:47:49 +0700] "GET /new/request-password.html HTTP/1.1" 200 4080 "http://nhanweb.com/new/login.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:47:49 +0700] "GET /new/extensions/pun_antispam/image.php?8c3a0179bb0be91a359d8419fdc0b43e HTTP/1.1" 200 3779 "http://nhanweb.com/new/request-password.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:47:59 +0700] "POST /new/request-password.html HTTP/1.1" 200 3611 "http://nhanweb.com/new/request-password.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:19 +0700] "GET /new/change-password2-VO1zfQbx.html HTTP/1.1" 200 4037 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:20 +0700] "GET /new/style/Oxygen/Oxygen.css HTTP/1.1" 304 208 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:20 +0700] "GET /new/style/Oxygen/Oxygen_cs.css HTTP/1.1" 304 209 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:20 +0700] "GET /new/style/Oxygen/Oxygen_ie6.css HTTP/1.1" 304 207 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:20 +0700] "GET /new/include/js/common.js HTTP/1.1" 304 208 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:20 +0700] "GET /new/include/js/avim.js HTTP/1.1" 304 208 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:30 +0700] "POST /new/change-password2-VO1zfQbx.html HTTP/1.1" 200 1147 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:31 +0700] "GET /new/ HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:31 +0700] "GET /new/ HTTP/1.1" 200 6317 "http://nhanweb.com/new/change-password2-VO1zfQbx.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:32 +0700] "GET /new/extensions/pun_tags/style/Oxygen.css HTTP/1.1" 304 206 "http://nhanweb.com/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:32 +0700] "GET /new/extensions/pun_tags/style/Oxygen_cs.css HTTP/1.1" 304 206 "http://nhanweb.com/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:44 +0700] "GET /new/post112.html HTTP/1.1" 200 5361 "http://nhanweb.com/new/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/extensions/pun_bbcode/styles.css HTTP/1.1" 304 206 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/extensions/pun_bbcode/scripts.js HTTP/1.1" 304 207 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/extensions/pun_quote/scripts.js HTTP/1.1" 304 207 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/img/avatars/32.jpg HTTP/1.1" 304 174 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/img/smilies/smile.png HTTP/1.1" 304 172 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:45 +0700] "GET /new/img/smilies/big_smile.png HTTP/1.1" 304 172 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:48:49 +0700] "GET /new/login.html HTTP/1.1" 200 4036 "http://nhanweb.com/new/post112.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:00 +0700] "POST /new/login.html HTTP/1.1" 200 1447 "http://nhanweb.com/new/login.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:01 +0700] "GET /new/post112.html?login=1 HTTP/1.1" 200 7729 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:02 +0700] "GET /new/style/Oxygen/Oxygen.css HTTP/1.1" 304 208 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:02 +0700] "GET /new/style/Oxygen/Oxygen_cs.css HTTP/1.1" 304 209 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:02 +0700] "GET /new/style/Oxygen/Oxygen_ie6.css HTTP/1.1" 304 207 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:02 +0700] "GET /new/include/js/common.js HTTP/1.1" 304 208 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/include/js/avim.js HTTP/1.1" 304 208 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/extensions/pun_bbcode/styles.css HTTP/1.1" 304 206 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/extensions/pun_bbcode/scripts.js HTTP/1.1" 304 206 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/extensions/pun_quote/scripts.js HTTP/1.1" 304 207 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/extensions/pun_tags/style/Oxygen_cs.css HTTP/1.1" 304 205 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.17.183.199 - - [05/Apr/2009:07:49:03 +0700] "GET /new/extensions/pun_tags/style/Oxygen.css HTTP/1.1" 304 206 "http://nhanweb.com/new/post112.html?login=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Re: My Forum was hacked

babyinternet wrote:

My forum was hacked again after I changed my password to a new one. I used my laptop to access my administrator area; no keylogger is installed because I reinstalled my laptop before I changed my username and password. In the log file I found the hacker's IP: 123.17.183.199.

Are you sure that it's not your own IP?
www.ip2location.com shows that to be from Vietnam, which I understand is where you come from.

Re: My Forum was hacked

Hi guy,
Not my own IP. I come from Viet Nam and the hacker does too. When I learned the forum was hacked again, I didn't access the admin CP; I went to the Hosting Control Panel and viewed the log first.

Re: My Forum was hacked

Are you sure that your e-mail, which you use on the forum, has not been hacked?

Re: My Forum was hacked

If someone has access to the cookie information (maybe there is an unknown XSS in PunBB?), he can get the admin session, then change the e-mail to his own and finally run the password reset procedure.

Do you know if your profile contained a hacker's e-mail?
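The access log posted earlier in the thread shows one client requesting a password reset, opening a reset-key URL, setting a new password and logging in within about a minute. The following is an added example, not part of any post and not PunBB code, that flags that sequence in an Apache combined-format log. The function names, the `SAMPLE` lines and the `forum.example` host are constructed for illustration, and the URL patterns are assumptions taken from the shapes visible in the posted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip, [timestamp], "METHOD path proto", status, size, "referer"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')
# Reset flow in order, using the URL shapes from the thread's log. Assumption:
# the reset key is the token in change-password<N>-<key>.html.
KEY_URL = re.compile(r"/change-password\d+-\w+\.html$")
STAGES = [("POST", re.compile(r"/request-password\.html$")), ("GET", KEY_URL),
          ("POST", KEY_URL), ("POST", re.compile(r"/login\.html$"))]

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, referer = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], referer

def find_reset_sequences(lines, window=timedelta(minutes=5)):
    """Return (ip, start, end, key_link_no_referer) per client completing all stages in window."""
    state = defaultdict(lambda: {"stage": 0, "start": None, "no_ref": False})
    hits = []
    for ip, when, method, path, referer in filter(None, map(parse, lines)):
        st = state[ip]
        if st["stage"] and when - st["start"] > window:
            st.update(stage=0, start=None, no_ref=False)  # sequence timed out
        want_method, want_path = STAGES[st["stage"]]
        if method != want_method or not want_path.search(path):
            continue
        if st["stage"] == 0:
            st["start"] = when
        elif st["stage"] == 1:
            st["no_ref"] = referer == "-"  # link opened directly, e.g. from mail
        st["stage"] += 1
        if st["stage"] == len(STAGES):
            hits.append((ip, st["start"], when, st["no_ref"]))
            st.update(stage=0, start=None, no_ref=False)
    return hits

# Constructed sample lines (documentation IPs, placeholder key), not from the thread.
SAMPLE = '''\
203.0.113.7 - - [01/Jan/2024:10:00:10 +0000] "POST /new/request-password.html HTTP/1.1" 200 3611 "http://forum.example/new/request-password.html" "UA"
203.0.113.7 - - [01/Jan/2024:10:00:30 +0000] "GET /new/change-password2-EXAMPLEKEY.html HTTP/1.1" 200 4037 "-" "UA"
203.0.113.7 - - [01/Jan/2024:10:00:41 +0000] "POST /new/change-password2-EXAMPLEKEY.html HTTP/1.1" 200 1147 "http://forum.example/new/change-password2-EXAMPLEKEY.html" "UA"
203.0.113.7 - - [01/Jan/2024:10:01:11 +0000] "POST /new/login.html HTTP/1.1" 200 1447 "http://forum.example/new/login.html" "UA"
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "POST /new/login.html HTTP/1.1" 200 1447 "http://forum.example/new/login.html" "UA"
'''.splitlines()
```

A hit only shows that a reset key was requested and used by one client; it has to be read together with the e-mail address stored on the account at that time, which is what the replies here ask about.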

Re: My Forum was hacked

You should have created a .htaccess in the admin directory.

I hope you will find a solution!

Re: My Forum was hacked

mod_security and you solved the problem :)