Topic: I've been hacked

If anyone can help: the administrator account was completely deleted. It's not even in the MySQL database, so I might just have to rebuild. I have no idea what I did wrong.

Here's the user name of the hacker and his IP address, so you can block him:
RuStaQi
62.231.202.172

He's now the admin. Is there any way to change the password or anything to get rid of him?

Thanks for your help.

Re: I've been hacked

Go to the database and change the password.

Re: I've been hacked

I've changed the password, but they're encrypted, so I still can't log in. Do you know another way?

Re: I've been hacked

1. Go to http://www.solidz.com/tools/sha1.php and enter your password. Hit calculate and copy the output.
2. Paste it into the password field in your database.
3. Log in, remove the hacker account. Reset anything he/she screwed up.
4. Update your forums to 1.2.6.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
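The same reset done locally, as an added example that is not part of the original thread: compute the SHA-1 digest on your own machine and paste the resulting UPDATE into the mysql client, instead of sending the new password to a third-party web form (and instead of typing SHA1('...') into the mysql client, which leaves the cleartext in its history). It assumes a PunBB 1.2 users table without a table prefix and the stock password column (40 hex characters of SHA-1); adjust the names to your installation.

```shell
#!/bin/sh
# Added example (not from the original post): reset a PunBB 1.2 password from
# the shell. PunBB 1.2 stores sha1(password) as 40 hex characters in
# users.password; the table name "users" (no prefix) and the column names are
# assumptions, adjust them to your installation.

# sha1_hex PASSWORD -> 40-character lowercase hex digest, computed locally.
# printf '%s' avoids hashing a trailing newline, which "echo" would add.
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha1sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
  fi
}

# check_digest HEX -> true only for a well-formed 40-hex-char SHA-1 digest, so a
# wrong tool or a hashed newline is caught before anything touches the database.
check_digest() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# reset_sql USERNAME PASSWORD -> the UPDATE statement to run in the mysql client.
# Single quotes in the username are doubled so the statement stays valid SQL.
reset_sql() {
  user=$(printf '%s' "$1" | sed "s/'/''/g")
  printf "UPDATE users SET password='%s' WHERE username='%s';\n" \
    "$(sha1_hex "$2")" "$user"
}

# Demo with a made-up password; the printed statement is what you paste into mysql.
digest=$(sha1_hex 'correct horse battery staple')
check_digest "$digest" || { echo "unexpected digest: $digest" >&2; exit 1; }
reset_sql admin 'correct horse battery staple'
```

After running the UPDATE, log in, confirm the password works, and only then delete the intruder's account; change the password again from inside the forum so the one that passed through your terminal is never the final one.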

Re: I've been hacked

>< I forgot about the password hash.

Re: I've been hacked

So, I've taken it back, upgraded to 1.2.6, etc.

What could have happened? What can I do to prevent being hacked again? Did someone get into the config file? Thanks for your help.

Re: I've been hacked

1. Update the forums as soon as security flaws are discovered and patched.
2. Don't allow search engines to index your forum (you can get rid of most of them through the robots.txt file).
3. Turn off the version number in the footer (I suppose it doesn't do that much harm, as people can try either way).

(Myself, I'm going to take a look at that mod_security for Apache today ... looked promising at removing bad stuff smile)


Re: I've been hacked

Frank H wrote:

(Myself, I'm going to take a look at that mod_security for Apache today ... looked promising at removing bad stuff smile)

It is.
And it keeps the attempts in a log file. Very interesting from a forensic point of view... smile
I haven't had any trouble since.

I can give you my basic rules for the setup if you want.

The German PunBB Site:
PunBB-forum.de
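A small forensic pass over that log, as an added example that is not from the original post: the script below summarises which clients were denied and which filter fired. It works on a constructed excerpt in the layout of the mod_security 1.x audit log (one "Request:" line per denied request, then the request headers and a "mod_security-message:" line); the addresses, timestamps and requests in the sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the mod_security 1.x
# audit log that "keeps the attempts". The excerpt below is CONSTRUCTED in the
# shape of that log; the addresses and requests are not real.

sample_audit_log() {
cat <<'EOF'
========================================
Request: 203.0.113.5 - - [18/Jan/2005:10:12:01 +0100] "GET /viewtopic.php?t=42&highlight=%2527 HTTP/1.1" 500 534
Handler: (null)
----------------------------------------
GET /viewtopic.php?t=42&highlight=%2527 HTTP/1.1
Host: forum.example.net
User-Agent: Mozilla/4.0
mod_security-message: Access denied with code 500. Pattern match "%2527" at ARG_highlight.
mod_security-action: 500

========================================
Request: 203.0.113.5 - - [18/Jan/2005:10:12:03 +0100] "GET /viewtopic.php?t=42&highlight=%27 HTTP/1.1" 500 534
Handler: (null)
----------------------------------------
GET /viewtopic.php?t=42&highlight=%27 HTTP/1.1
Host: forum.example.net
mod_security-message: Access denied with code 500. Pattern match "%27" at ARG_highlight.
mod_security-action: 500

========================================
Request: 198.51.100.7 - - [18/Jan/2005:11:40:17 +0100] "POST /post.php?action=post&fid=1 HTTP/1.1" 500 534
Handler: (null)
----------------------------------------
POST /post.php?action=post&fid=1 HTTP/1.1
Host: forum.example.net
mod_security-message: Access denied with code 500. Pattern match "wget" at POST_PAYLOAD.
mod_security-action: 500

EOF
}

# denied_by_ip LOGFILE -> "count ip" lines, busiest client first.
# The client address is the second field of every "Request:" line.
denied_by_ip() {
  awk '/^Request: / { print $2 }' "$1" | sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# denied_detail LOGFILE -> "ip | reason | request line" for every denied request.
# State from the "Request:" line is carried until its "mod_security-message:" line.
denied_detail() {
  awk '
    /^Request: / {
      ip = $2
      req = $0; sub(/^Request: [^"]*"/, "", req); sub(/".*$/, "", req)
    }
    /^mod_security-message: / {
      msg = $0; sub(/^mod_security-message: /, "", msg)
      print ip " | " msg " | " req
    }
  ' "$1"
}

log=$(mktemp)
sample_audit_log > "$log"
echo "Denied requests per client:"
denied_by_ip "$log"
echo "Details:"
denied_detail "$log"
rm -f "$log"
```

Run it against the real logs/audit_log to see which addresses keep coming back and which of the four filters actually earn their keep; a pattern that never fires can be reconsidered, and one that fires on your own users needs narrowing.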

Re: I've been hacked

That would be very nice smile


Re: I've been hacked

I think it is the basic install:

<IfModule mod_security.c>
    SecChrootDir /secure/secapache
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # Only log suspicious requests
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog logs/audit_log
    # Debug level set to a minimum
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Reject a single quote, raw (%27) or double-URL-encoded (%2527),
    # in the "highlight" argument
    SecFilterSelective ARG_highlight %27
    SecFilterSelective ARG_highlight %2527

    # Signatures of known attack requests: a remote payload fetch with a
    # cmd parameter, and the wget downloader
    SecFilter "visualcoders\.net/spy\.gif\?\&cmd"
    SecFilter "wget"
</IfModule>

I added the "wget" directive.
wget is the program that most hackers use to load their stuff after the attack.
Since this string will not occur on my sites, I blocked it. You don't have to, but it will make you sleep better.

Take care to have SecFilterScanPOST set to "On" so you filter POST requests as well!

If you want to make your own rules there is even a rule generator.


The trickiest part is the
"    SecChrootDir /secure"
This works a bit like a BSD jail for Apache.
If you are using a Linux machine, read on:

That means all commands working through Apache believe the server root is under /secure/secapache.
So, if you do not place a copy of Perl, fetch, wget, htget or whatever else these psychos use under that directory, they cannot execute their commands.
The SecChrootDir does not have to be the directory where your Apache resides. It can be anywhere.

But!
To have PHP working as usual you will have to put *some* binaries there:
If you work with system() or exec() or the like, you need to copy

/bin/ls
/bin/sh
to 
/secure/bin/

If you want to use the PHP mail() function you have to install mini_sendmail

And enter this into your php.ini in the mailer section (where you normally have /usr/sbin/sendmail or the likes):

 /usr/sbin/mini_sendmail -t -fyourname@yourdomain.com
Then copy these libraries:
/lib/libnss_dns.so.2 --> /secure/lib/libnss_dns.so.2
/lib/libnss_files.so.2 --> /secure/lib/libnss_files.so.2
/lib/libresolv.so.2 --> /secure/lib/libresolv.so.2
/etc/resolv.conf --> /secure/etc/resolv.conf

If you want to use MySQL you have to make the socket readable by php:

vi /etc/my.cnf
[mysqld]
socket=/secure/tmp/mysql.sock
[client]
socket=/secure/tmp/mysql.sock

That should be it as far as I remember... the SecChroot story is a bit difficult, I admit, but it gives you enough security to not be afraid of the psycho kiddies anymore.
All you have to do now is make a backup of everything under /secure, because this is all they can destroy even if they make it through your filters.

Note:
Yes, it is possible to escape this jail. However, it is anything but trivial, and I don't know of a copy/paste exploit that can do it. It requires handwork, which means you must be a valuable target to a hacker for them to even try.

I hope this helps

The German PunBB Site:
PunBB-forum.de
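Filling the jail by hand, one binary and one library at a time, is where a chroot setup usually goes wrong: a missed library and PHP's exec() or mail() silently stops working. The script below is an added example, not from the original post and not part of mod_security: it copies each required binary into the chroot together with every shared library ldd reports for it, and adds the resolver files a mailer inside the jail needs. The chroot path, the binary list and the library directories it searches (/lib and the multiarch /lib/*/ directories) are assumptions; run it as root against your real SecChrootDir.

```shell
#!/bin/sh
# Added example (not from the original post, not part of mod_security): fill a
# SecChrootDir with the binaries PHP needs plus the shared libraries they load,
# instead of copying files by hand. The chroot path, the binary list and the
# library directories searched are assumptions; adjust them to your system.

# copy_into_chroot CHROOT /absolute/path: copy one file, keeping its path.
copy_into_chroot() {
  mkdir -p "$1$(dirname "$2")"
  cp "$2" "$1$2"
}

# populate_chroot CHROOT BINARY...: copy each binary and every library ldd lists
# for it. ldd prints "libc.so.6 => /path/libc.so.6 (0x...)" lines and a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" line for the dynamic loader; a static
# binary lists nothing and is simply copied on its own.
populate_chroot() {
  chroot_dir=$1; shift
  for bin in "$@"; do
    copy_into_chroot "$chroot_dir" "$bin"
    ldd "$bin" 2>/dev/null |
      awk '/=>/ { print $3; next } $1 ~ /^\// { print $1 }' |
      while read -r lib; do
        if [ -f "$lib" ]; then copy_into_chroot "$chroot_dir" "$lib"; fi
      done
  done
}

# add_resolver CHROOT: the files a mailer inside the jail needs to resolve
# hostnames (NSS and resolver libraries, resolv.conf). Missing ones are skipped.
add_resolver() {
  if [ -f /etc/resolv.conf ]; then copy_into_chroot "$1" /etc/resolv.conf; fi
  for lib in /lib/libnss_dns.so.2 /lib/libnss_files.so.2 /lib/libresolv.so.2 \
             /lib/*/libnss_dns.so.2 /lib/*/libnss_files.so.2 /lib/*/libresolv.so.2; do
    if [ -f "$lib" ]; then copy_into_chroot "$1" "$lib"; fi
  done
}

# Demo in a scratch directory. For a real jail use the SecChrootDir path, e.g.
#   populate_chroot /secure/secapache /bin/sh /bin/ls /usr/sbin/mini_sendmail
#   add_resolver /secure/secapache
#   chroot /secure/secapache /bin/sh -c 'ls /'   # proves the jail is usable
demo=$(mktemp -d)
populate_chroot "$demo" /bin/sh
add_resolver "$demo"
find "$demo" -type f | sort
rm -rf "$demo"
```

The file listing the script prints is the complete inventory of what an attacker who gets command execution through Apache can run: if wget, perl and curl are not in it, they are not available inside the jail, which is exactly the point of the post. Keep the list short, and re-run the script after a system update so the copied libraries do not drift away from the ones the real binaries were built against.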

Re: I've been hacked

Thanks! smile