1

Topic: Hacked by Altan

The IP address is: 81.214.28.118
The host name is: dsl.static8121428118.ttnet.net.tr

A big chance for me ... I was surfing on my forum.

In few seconds, he was ADMIN, he has changed MAINTENANCE MODE ...

Waouh ... 1.2.6 > NOT PERFECT about security smile


EDIT: http://punbb.org/forums/viewtopic.php?pid=50077#p50077 /Rickard

Re: Hacked by Altan

you have the access.log file from the webhost from him?

3

Re: Hacked by Altan

It puts this in "MAINTENANCE MODE"

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>Hacked By ALTAN and STEEL</title>
</head>

<body text="#FF0000" bgcolor="#000000">

<p align="center"><b><font face="Arial Black" size="7">Hacked By ALTAN</font></b></p>
<p align="center">
<img border="0" src="http://n.domaindlx.com/depoaltan/ay01.jpg" width="400" height="262"></p>
<p align="center"><b><font face="Arial Black" size="7">TURKISH HACKER</font></b></p>
<p align="center"><b><font face="Arial Black" size="7">ALTAN AND STEEL</font></b></p>
<p align="center"><b><font face="Arial Black" size="7">altan@sanaldevrim.net</font></b></p>

</body>

</html>

4 (edited by hcgtv 2005-08-23 16:46)

Re: Hacked by Altan

Rod wrote:

The IP address is: 81.214.28.118
The host name is: dsl.static8121428118.ttnet.net.tr

I just had the same IP signup as a user, deleted him from my forum.

Good catch!!

PS. I disabled registrations for now

5 (edited by Ataxy 2005-08-23 17:00)

Re: Hacked by Altan

this is the same one that made the shit in the 1.2.5 release

http://punbb.org/forums/viewtopic.php?id=8141

6

Re: Hacked by Altan

Like HCGTV, I have disabled registration. (I'm under 1.2.6)

7

Re: Hacked by Altan

Rod, over the last few days I've seen quite a lot of new registrations on my forum.

So I went ahead and cleared those users out who have registered this month, just to be on the safe side. I figure if you register and never sign on and make a post, then why register.

8 (edited by Rod 2005-08-23 17:19)

Re: Hacked by Altan

Euh .... very "good" news for me ... HE has erased 2 Forums ... mmmmmmmmmmmm (no backup, of course)

9

Re: Hacked by Altan

Has a vulnerability been posted on any of the security sites?

10

Re: Hacked by Altan

If there is a vulnerability in 1.2.6 you'd expect this site to be 'attacked'..

Maybe it's a fault in one of the mods...

11 (edited by Rod 2005-08-23 18:05)

Re: Hacked by Altan

I have a few mods installed ... the only thing about security is I wanted to use my header.inc from nucleus to punBB ... but it's not with this a user can register directly in ADMIN mode ... I don't know, the mods I have are
- bbcode

As you can see ... nothing.

When Rickard reads this post, I am able to send him (or Smartys? The Anti Hacker smile) my whole forum to see where it's wrong (maybe my fault, or another thing?)

12

Re: Hacked by Altan

hcgtv wrote:

Rod, over the last few days I've seen quite a lot of new registrations on my forum.

So I went ahead and cleared those users out who have registered this month, just to be on the safe side. I figure if you register and never sign on and make a post, then why register.

The same thing happened to me earlier today on one of my test forums. The moron had also created around 13000 empty topics in the forum. He never managed to gain admin status though.. I did allow people to register without verification though.

The mail addresses entered are mostly just a random bunch of characters, like d8jvackgi@ii7ia.org
IP Address: 206.51.233.215

He also created about 25380 fake user names.. All from the same IP.

Re: Hacked by Altan

Is it possible to ban an IP address instead of an already-registered username? I'd like to get proactive about this...

Re: Hacked by Altan

ghotistix wrote:

Is it possible to ban an IP address instead of an already-registered username? I'd like to get proactive about this...

Yes, just leave username blank.

[no signature]

Re: Hacked by Altan

Rod wrote:

I have a few mods installed ... the only thing about security is I wanted to use my header.inc from nucleus to punBB ... but it's not with this a user can register directly in ADMIN mode ... I don't know, the mods I have are
- bbcode

As you can see ... nothing.

When Rickard reads this post, I am able to send him (or Smartys? The Anti Hacker smile) my whole forum to see where it's wrong (maybe my fault, or another thing?)

Anti hacker? how kind tongue
Yeah, feel free to send me a copy (my email address). Also, like Frank said, if you have an access.log file, send it to me (feel free to save me some time and only include stuff for his IP)

Re: Hacked by Altan

vnpenguin wrote:
ghotistix wrote:

Is it possible to ban an IP address instead of an already-registered username? I'd like to get proactive about this...

Yes, just leave username blank.

Thanks. I should have looked a bit closer at the bans area... hmm

17

Re: Hacked by Altan

Until we figure out what's happening, I'd recommend anyone with apache to add the following to their .htaccess file:

<Files ~ "(config\.php|register\.php|\.htaccess)$">
    # Refuse every request for these files; this also turns off registration
    Order allow,deny
    Deny from all
</Files>

18

Re: Hacked by Altan

I just realised that I have seven defaced/hacked installs. They are all old test versions which I was too lazy to delete. It is nice to know that some idiot hacker has totally wasted his time hacking a bunch of obsolete test boards.

19

Re: Hacked by Altan

Paul wrote:

I just realised that I have seven defaced/hacked installs. They are all old test versions which I was too lazy to delete. It is nice to know that some idiot hacker has totally wasted his time hacking a bunch of obsolete test boards.

Well, my test board was 1.2.6, so it's not just the obsolete versions though..

Re: Hacked by Altan

CodeXP: Do you have access logs from it that I could take a look at?

21

Re: Hacked by Altan

Incidentally, a search for recent registrations here shows up the same pattern as described by CodeXP.

22

Re: Hacked by Altan

Smartys wrote:

CodeXP: Do you have access logs from it that I could take a look at?

Sure, I just downloaded the log for yesterday (apparently that's when it happened, I just noticed it earlier today):

Here's what keeps repeating over and over again:

206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /register.php?action=register HTTP/1.1" 200 850 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /login.php?action=in HTTP/1.1" 200 894 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /post.php?action=post&fid=7 HTTP/1.1" 200 860 "-" "Java/1.5.0_03"

Just with different fid every now and then. Let me know if you need the complete file.
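The repeating register, login, post pattern in the log excerpt above can be detected mechanically. The following is an added example, not part of the original thread: the function name, the 5-second window and every sample line after the first three are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three log lines quoted in the post, followed by constructed lines: a
# second burst from the same address and a human-paced visitor (made up).
SAMPLE_LOG = """\
206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /register.php?action=register HTTP/1.1" 200 850 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /login.php?action=in HTTP/1.1" 200 894 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:40 -0500] "POST /post.php?action=post&fid=7 HTTP/1.1" 200 860 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:41 -0500] "POST /register.php?action=register HTTP/1.1" 200 850 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:41 -0500] "POST /login.php?action=in HTTP/1.1" 200 894 "-" "Java/1.5.0_03"
206.51.233.215 - - [22/Aug/2005:18:27:42 -0500] "POST /post.php?action=post&fid=3 HTTP/1.1" 200 860 "-" "Java/1.5.0_03"
198.51.100.7 - - [22/Aug/2005:18:30:02 -0500] "POST /register.php?action=register HTTP/1.1" 200 912 "http://forum.example/register.php" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2005:18:31:15 -0500] "POST /login.php?action=in HTTP/1.1" 302 5 "http://forum.example/login.php" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2005:18:40:09 -0500] "POST /post.php?action=post&fid=2 HTTP/1.1" 302 5 "http://forum.example/post.php?fid=2" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
STEPS = ("/register.php", "/login.php", "/post.php")  # order seen in the log

def find_scripted_signups(log_text, max_seconds=5):
    """Map each IP to its count of register -> login -> post chains that
    completed within max_seconds, plus the User-Agents that produced them."""
    state = {}  # ip -> (index of the next expected step, time the chain began)
    hits = defaultdict(lambda: {"chains": 0, "agents": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        script = m["path"].split("?", 1)[0] if m else None
        if script not in STEPS or m["method"] != "POST":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if script == STEPS[0]:
            state[ip] = (1, ts)  # a registration always starts a fresh chain
            continue
        step, started = state.pop(ip, (0, ts))
        if step == 0 or script != STEPS[step] or (ts - started).total_seconds() > max_seconds:
            continue  # out of order or too slow: drop the chain
        if step == len(STEPS) - 1:
            hits[ip]["chains"] += 1
            hits[ip]["agents"].add(m["agent"])
        else:
            state[ip] = (step + 1, started)
    return {ip: {"chains": h["chains"], "agents": sorted(h["agents"])} for ip, h in hits.items()}
```

Run against a full access.log, the result gives the addresses to ban by IP and the User-Agent strings worth reviewing.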

23 (edited by Tobi 2005-08-23 18:58)

Re: Hacked by Altan

Thx,
I blocked my one forum for now, the other one is invitation only anyway (and I do not think this guy'll get one smile )

If this is really an issue in 1.2.6 still - that's bad news....
maybe you post the relevant parts of your access log here? (only the relevant parts of course...)
The more people can have a look the sooner maybe a solution can be found.

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

Hmm. I wish I knew the way in which he gained access. I know of one potential security problem with 1.2.6, but it would not allow anyone to gain administrator access in the way this has gone down. I would love to have some access logs to look at. For those of you affected, I would love to have a look at your 1.2.6 installs. Who knows, maybe you forgot to apply a fix or something.

Paul wrote:

Incidentally, a search for recent registrations here shows up the same pattern as described by CodeXP.

In these forums?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

25

Re: Hacked by Altan

There must be some unforeseen variables that are allowing access to these script kiddies. Maybe certain mods/plugins could leave a door open? Or possibly, server variables? I would think that fourms.punbb.org would be the main target to take down, seeing it is one of the largest punbb forums, and also most recognized (as each instance of punbb forums links to this board). Because they have not bothered with this site, there must be something that Rickard has done that the others have not. As CodeXP pointed out, it's not limited to old versions.

Do, or do not.