Re: Hacked by Altan
Ohhhhhhhhhhhhhhh !
To upgrade to 1.2.6, I downloaded the 1.2.6 version and uploaded everything. I don't see where it was done badly.
Did you download the complete 1.2.6 or just the changed files / patch etc ?
2. Find, line 93:
else if (isset($_POST['form_sent'])) {
Are you sure that's line 93 ? Just checked original source of 1.2.6 and I think this is the line 80
It's not so important for you but it's very important for me where the code was customized so much. I have to locate the line in original source and compare to my code after that .
Thank you,
CodeXP wrote: 2. Find, line 93:
else if (isset($_POST['form_sent'])) {
Are you sure that's line 93 ? Just checked original source of 1.2.6 and I think this is the line 80
It's not so important for you but it's very important for me where the code was customized so much. I have to locate the line in original source and compare to my code after that .
Thank you,
You're absolutely right
I've checked with the original source, and it's supposed to be line 80. Edited my post with the right line.
hacked the same way yesterday 18:06 french time.
I come here a bit late but send my info anyway :
I was running 1.2.6 and I now just applied all CodeXP patches ( thanks for your fast patches, CodeXP )
some infos I gathered :
added data in db :
INSERT INTO `punbb_config` VALUES ('o_board_title','HACKED BY ALTAN');
INSERT INTO `punbb_config` VALUES ('o_board_desc','AÇIKLAR KAPANMADIKÇA BEN HEP BURDAYIM');
and :
INSERT INTO `punbb_users` VALUES (4,32000,'Mathusalem','7621e34ef49d97094c9d85248312414e6ca6dfc2','desktop@noos.fr',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1120570925,'84.96.34.102',1120570925,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (5,4,'coco','4d8ec4de1c6571dbfbd8a720dae4224cbc5488a1','flo-flo@yandex.ru',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1121349686,'83.157.145.200',1121361244,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (6,1,'123','8eb5e49487b969d8b89bf1c41a8cfd4bbb65b4d5','e_m_re@hotmail.com',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1124812372,'81.214.28.118',1124813177,NULL,NULL,NULL);
( 32000 group for me too but two other users were created after )
created in cache directory :
64 jui 22 06:20 cache_bans.php
3663 aoû 23 18:06 cache_config.php
418 aoû 23 18:05 cache_quickjump_1.php
418 aoû 23 18:05 cache_quickjump_2.php
418 aoû 23 18:05 cache_quickjump_3.php
418 aoû 23 18:05 cache_quickjump_4.php
418 aoû 23 18:05 cache_quickjump_5.php
418 aoû 23 18:05 cache_quickjump_6.php
530 jui 22 06:18 cache_ranks.php
60 jan 11 2005 .htaccess
63 jan 11 2005 index.html
those cache_quickjump things seem to be part of the exploit
installed plugins :
drwxr-xr-x 3 apache neonet 4096 jui 22 06:14 ./
drwxrwxr-x 12 apache neonet 4096 aoû 24 11:18 ../
-rw-r--r-- 1 apache neonet 5080 jan 26 2005 AMP_Example.php
-rw-rw-r-- 1 apache neonet 16942 fév 28 21:49 AMP_Global_topic.php
-rw-rw-r-- 1 apache neonet 4354 jui 22 06:11 AMP_Global_topic.zip
-rw-rw-r-- 1 apache neonet 6636 fév 7 2005 AP_Broadcast_Email.php
-rw-rw-r-- 1 apache neonet 2273 jui 22 06:11 AP_Broadcast_Email.zip
-rw-rw-r-- 1 apache neonet 4818 mai 12 23:57 AP_Clear_Cache.php
-rw-rw-r-- 1 apache neonet 1460 jui 22 06:11 AP_Clear_Cache.zip
-rw-rw-r-- 1 apache neonet 25359 avr 5 17:25 AP_DB_management.php
-rw-rw-r-- 1 apache neonet 8027 jui 22 06:11 AP_DB_management.zip
-rw-rw-r-- 1 apache neonet 5731 fév 22 2005 AP_Languages_and_styles.php
-rw-rw-r-- 1 apache neonet 2053 jui 22 06:11 AP_Languages_and_styles.zip
-rw-rw-r-- 1 apache neonet 5637 mai 24 16:01 AP_Merge_Forums.php
-rw-rw-r-- 1 apache neonet 1953 jui 22 06:11 AP_Merge_Forums.zip
drwxrwxr-x 3 apache neonet 4096 jan 15 2005 AP_News_Generator/
-rw-rw-r-- 1 apache neonet 7819 jan 26 2005 AP_News_Generator.php
-rw-rw-r-- 1 apache neonet 3145 jui 22 06:11 AP_News_Generator.zip
-rw-rw-r-- 1 apache neonet 12774 fév 28 21:20 AP_User_management.php
-rw-rw-r-- 1 apache neonet 4151 jui 22 06:11 AP_User_management.zip
-rw-rw-r-- 1 apache neonet 2961 fév 3 2005 AP_Version_Changer.php
-rw-rw-r-- 1 apache neonet 1546 jui 22 06:11 AP_Version_Changer.zip
-rw-r--r-- 1 apache neonet 63 jan 11 2005 index.html
I now refuse to host phpbb forums for I saw too many of these problems, and ask my users to prefer punbb. Thank you all for this forum and fast reaction; this problem and the fast answers keep me preferring punbb and human understandable well written code ( thank you clean coders )
Seems we need a 1.2.7 release soon nope ?
What about using http://punbb.org/forums/extern.php?acti … amp;fid=48 RSS Feed so any punbb admin sees new release immediately in a punbb ?
Another important ( but probably much more difficult to code one ;( would be to have online punbb upgrade like webmin does it ( searching for last version, downloading, verifying md5sum/gpg key if necessary, installing new version )
Last thing, on http://punbb.org/downloads.php I couldn't find md5sums for zip/gz files nor gnupg sign ;(
Would you add them so anyone can verify md5 or pgp sign ?
Hope my thoughts can help.
If you ever need hosting, mirror, rss feed bouncer . . . just ask me
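An audit for the kind of rows reported in the post above (accounts in the administrator group, or in a group id such as 32000 that matches no group), as an added example that is not part of the original post or of PunBB. It assumes the pdo_sqlite extension and runs against a constructed in-memory miniature of the tables; `registered` and `registration_ip` are assumed column names, and the staff list is hypothetical.

```php
<?php
// Added example, not PunBB code. Assumes the pdo_sqlite extension. The in-memory tables are a
// constructed miniature of the users/groups tables: id, group_id, username, g_id and g_title
// appear on this page; registered and registration_ip are assumed column names.
define('PUN_ADMIN', 1);
define('PUN_MOD', 2);

// Flag accounts whose group_id matches no group, and admin/mod accounts not on $expected_staff.
function audit_privileged_users(PDO $db, $prefix, array $expected_staff)
{
    // $prefix comes from the forum's own config, never from request data.
    $stmt = $db->prepare(
        'SELECT u.id, u.group_id, u.username, u.registered, u.registration_ip, g.g_id AS known_group'
        .' FROM '.$prefix.'users u LEFT JOIN '.$prefix.'groups g ON g.g_id = u.group_id'
        .' WHERE u.group_id <= :mod OR g.g_id IS NULL ORDER BY u.id');
    $stmt->bindValue(':mod', PUN_MOD, PDO::PARAM_INT);
    $stmt->execute();

    $findings = array();
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($row['known_group'] === null)
            $reason = 'group_id matches no group';
        elseif (!in_array($row['username'], $expected_staff, true))
            $reason = 'admin/mod account not on the staff list';
        else
            continue;                                   // known staff member, nothing to report
        $findings[] = sprintf('#%d %s (group %d, registered %s from %s): %s',
            $row['id'], $row['username'], $row['group_id'],
            gmdate('Y-m-d H:i', (int) $row['registered']), $row['registration_ip'], $reason);
    }
    return $findings;
}

// Constructed sample data (names, times and documentation-range IPs are made up).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE punbb_groups (g_id INTEGER PRIMARY KEY, g_title TEXT)');
$db->exec('CREATE TABLE punbb_users (id INTEGER PRIMARY KEY, group_id INTEGER, username TEXT,
           registered INTEGER, registration_ip TEXT)');
$db->exec("INSERT INTO punbb_groups VALUES (1,'Administrators'),(2,'Moderators'),(3,'Guest'),(4,'Members')");
$db->exec("INSERT INTO punbb_users VALUES
    (1,3,'Guest',0,'0.0.0.0'),
    (2,1,'site_owner',1100000000,'192.0.2.10'),
    (3,4,'regular_member',1110000000,'192.0.2.20'),
    (4,32000,'sample_rogue_a',1120000000,'198.51.100.7'),
    (5,1,'sample_rogue_b',1124000000,'203.0.113.9')");

foreach (audit_privileged_users($db, 'punbb_', array('site_owner')) as $line)
    echo $line, "\n";
```

Against a live board, replace the in-memory connection with the forum's own database handle and compare the findings with the registration times and IPs in the web server logs.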
Quickjump is a regular cache thing
And none of that really helps in finding where the hack originated, since I'm guessing he just used the DB plugin once he was admin to do that.
If you want to email me and/or Rickard some way to download and check your forum source, like Rod did, feel free. I can check and see if there are any missing patches or whatever
I think about one thing ...
Allowing admin status only to a mail ?
I explain.
I have created the forum www.sortons.net/forum with sortons.net@wanadoo.fr
Why not protect this ??? If someone tries to hack, it sends a mail to the "admin" mail and accept or refuse.
In this case, it would be impossible to change level, and so ... to have the possibility to hack.
I have had this idea because someone hacked my MSN (but I have not a msn email, but sortons.net@wanadoo.fr)
After hacking, I have asked to send a new password, and all was perfect, after.
Just finished writing the readme, so here's the mod
http://punbb.org/forums/viewtopic.php?id=8544
##
##
## Mod title: Group Change Security MOD.
##
## Mod version: 1.0
## Works on PunBB: 1.2.6
## Release date: 2005-08-24
## Author: Öyvind A. Sörensen (oyvind.andre.sorensen@gmail.com)
##
## Description: Adds an additional security check when trying to
## add a user to the administrator or moderator groups.
##
## Affected files: some_script.php
## include/foo.php
##
## Affects DB: Yes
## Adds 2 columns to the users table, and adds a value
## to your config table
##
## Notes: This mod adds a security check when trying to the
## moderator or administrator user groups. It will mail a
## random 128 character verification key to the e-mail
## adresses specified in the admin user panel, after
## asking to change groups.
## It will only be valid for the time specified in the
## newly added option under "Time and timeouts" under
## admin options. Default is 600 sec (10 minutes).
## If the key don't get verified within that period, or if
## an invalid key gets entered, the user will stay within
## his/her current user group.
##
##
## DISCLAIMER: Please note that "mods" are not officially supported by
## PunBB. Installation of this modification is done at your
## own risk. Backup your forum database and any and all
## applicable files before proceeding.
##
##
#
#---------[ 1. UPLOAD ]-------------------------------------------------------
#
install_mod.php to /
verify_group_change.php /lang/English/
#
#---------[ 2. RUN ]----------------------------------------------------------
#
install_mod.php
#
#---------[ 3. DELETE ]-------------------------------------------------------
#
install_mod.php
#
#---------[ 4. OPEN ]---------------------------------------------------------
#
profile.php
#
#---------[ 5. FIND (line: 470) ]---------------------------------------------
#
else if (isset($_POST['update_group_membership']))
{
	if ($pun_user['g_id'] > PUN_ADMIN)
		message($lang_common['No permission']);
	confirm_referrer('profile.php');
	$new_group_id = intval($_POST['group_id']);
#
#---------[ 6. AFTER ADD ]-------------------------------------------------
#
if($new_group_id <= PUN_MOD)
{
	require PUN_ROOT.'include/email.php';
	// Get the username, current key & group change time of the user we want to add as a new mod or admin.
	$result = $db->query('SELECT username, mod_groupchange_key, mod_groupchange_time FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
	list($username, $GCKey, $GCTime) = $db->fetch_row($result);
	$KeyToVerify = strip_tags(trim($_POST['activation_key'])); // The key we will try to verify
	$TimeRightNow = time(); // Get the current time
	$TimeOut = $pun_config['o_gc_key_timeout'];
	switch($GCKey):
		case NULL: // There are no current key in the database, so we'll generate a new one.
			$randkey = random_pass(128); // Generate a random key, 128 characters in length
			// Let's insert our key into the database
			$db->query('UPDATE '.$db->prefix.'users SET mod_groupchange_key=\''.$randkey.'\', mod_groupchange_time=\''.$TimeRightNow.'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
		break;
		case !NULL: // There are already a key in the DB, so we'll attempt to validated it + check the age of it. If OK, we'll accept the group change. If failed, well, erase the values so that you'll have to start all over again.
			if(time()-$GCTime >= $TimeOut || $KeyToVerify !== $GCKey ) {
				$db->query('UPDATE '.$db->prefix.'users SET mod_groupchange_key=\'\', mod_groupchange_time=\'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
				require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
				redirect('profile.php?section=admin&id='.$id, $lang_verify_group_change['Verify failed']);
			} else {
				// Success! The key was validated, and the user can safely be added to his new group.
				$db->query('UPDATE '.$db->prefix.'users SET group_id='.$new_group_id.', mod_groupchange_key=\'\', mod_groupchange_time=\'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
				require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
				redirect('profile.php?section=admin&id='.$id, $lang_verify_group_change['Verify success']);
			}
		break;
	endswitch;
	switch($new_group_id):
		case 1:
			$ipAdress = get_remote_address();
			require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
			pun_mail($pun_config['o_mailing_list'], $lang_verify_group_change['Verify admin mailsubject'], $lang_verify_group_change['Verify admin mailbody']);
			message($lang_verify_group_change['Verify groupchange']);
		break;
		case 2:
			$ipAdress = get_remote_address();
			require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
			pun_mail($pun_config['o_mailing_list'], $lang_verify_group_change['Verify mod mailsubject'], $lang_verify_group_change['Verify mod mailbody']);
			message($lang_verify_group_change['Verify groupchange']);
		break;
	endswitch;
}
else
{
#
#---------[ 7. FIND (line: 517) ]---------------------------------------------------------
#
redirect('profile.php?section=admin&id='.$id, $lang_profile['Group membership redirect']);
#
#---------[ 8. BEFORE, ADD ]---------------------------------------------
#
}
#
#---------[ 9. FIND (line: 1564) ]---------------------------------------------------
#
echo "\t\t\t\t\t\t\t\t".'<option value="'.$cur_group['g_id'].'">'.pun_htmlspecialchars($cur_group['g_title']).'</option>'."\n";
}
?>
</select>
#
#---------[ 10. AFTER ADD ]--------------------------------------------
#
<label><?php require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php'; echo $lang_verify_group_change['Verify key'] ?><br /><input type="text" name="activation_key" value="" size="60" maxlength="128" /><br /></label>
#
#---------[ 11. OPEN ]-------------------------------------------------
#
admin_options.php
#
#---------[ 13. FIND (line: 105) ]---------------------------------------------
#
$form['redirect_delay'] = intval($form['redirect_delay']);
#
#---------[ 14. AFTER ADD ]---------------------------------------------
#
$form['gc_key_timeout'] = intval($form['gc_key_timeout']); // Added for the group change security mod
#
#---------[ 15. FIND (line: 319) ]---------------------------------------------
#
<tr>
<th scope="row">Redirect time</th>
<td>
<input type="text" name="form[redirect_delay]" size="3" maxlength="3" value="<?php echo $pun_config['o_redirect_delay'] ?>" />
<span>Number of seconds to wait when redirecting. If set to 0, no redirect page will be displayed (not recommended).</span>
</td>
</tr>
#
#---------[ 16. AFTER ADD ]---------------------------------------------
#
<tr>
<th scope="row">Group change key timeout</th>
<td>
<input type="text" name="form[gc_key_timeout]" size="4" maxlength="4" value="<?php echo $pun_config['o_gc_key_timeout'] ?>" />
<span>Number of seconds the group change activation key will be valid. Defaults to 600 seconds (10 minutes).</span>
</td>
</tr>
#
#---------[ 17. SAVE/UPLOAD ]-------------------------------------------------
#
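The key lifecycle the mod's notes describe (issue, mail, expire after the timeout, erase on any failed attempt), as a stand-alone added example that is not part of the mod or of PunBB. It goes one step further than the mod by keeping only a hash of the key and comparing in constant time; it assumes PHP 7.0 or later, and `$pending` is a hypothetical stand-in for the two columns the mod adds to the users table.

```php
<?php
// Added example, not part of the mod or of PunBB. Assumes PHP >= 7.0 (random_bytes, hash_equals).
// $pending is a hypothetical stand-in for the key and time columns the mod adds to the users table.

// Start a group change: returns the key to mail out; only its SHA-256 and issue time are kept.
function gc_issue_key(array &$pending, $user_id, $now)
{
    $key = bin2hex(random_bytes(32));            // 64 hex characters from the OS CSPRNG
    $pending[$user_id] = array('hash' => hash('sha256', $key), 'time' => $now);
    return $key;
}

// Check a submitted key. As in the mod, any attempt (good or bad) erases the pending key,
// so a failed guess forces the whole process to start over.
function gc_verify_key(array &$pending, $user_id, $submitted, $now, $timeout)
{
    if (!isset($pending[$user_id]))
        return false;                            // nothing was requested for this user
    $entry = $pending[$user_id];
    unset($pending[$user_id]);                   // single use
    if ($now - $entry['time'] >= $timeout)
        return false;                            // same expiry test as the mod
    return hash_equals($entry['hash'], hash('sha256', (string) $submitted));
}

// Walk through the outcomes with constructed timestamps and the mod's default 600 s timeout.
function gc_demo()
{
    $pending = array();
    $timeout = 600;
    $out = array();

    $key = gc_issue_key($pending, 7, 1000);
    $out['in time, right key'] = gc_verify_key($pending, 7, $key, 1599, $timeout);
    $out['replayed key']       = gc_verify_key($pending, 7, $key, 1600, $timeout);

    $key = gc_issue_key($pending, 7, 2000);
    $out['expired']            = gc_verify_key($pending, 7, $key, 2600, $timeout);

    $key = gc_issue_key($pending, 7, 3000);
    $out['wrong key']          = gc_verify_key($pending, 7, str_repeat('0', 64), 3010, $timeout);
    $out['right key after a wrong guess'] = gc_verify_key($pending, 7, $key, 3020, $timeout);
    return $out;
}

var_export(gc_demo());
echo "\n";
```

Storing only the hash means a read of the users table does not hand over a usable key.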
It is hard to change like that with many users (I know, on my site I have a few users),
With MOD I hate altering tables; you can add a new table that has the 2 fields joined with the users table.
I think about another way: make a "Security Mode" for changing high-level security.
Switching to this mode needs another password, and after finishing the security changes you switch back to Normal mode. Hmm, or we must just fight with bugs and hackers, that is the real world (n'est-ce pas)
Here's another tweak, this time it's one that everyone should add(?):
1. Open register.php
2. Find, line 80:
else if (isset($_POST['form_sent'])) {
3. After, add:
confirm_referrer('register.php');
4. Save & upload.
The referrer is rather simple to fake, but it's still something to consider just the same.
that will cause problems for anyone trying to register using norton internet suite, installing the image verification mod. (posted somewhere on the modification board) would be a lot more secure.
@Reines: yeah, I have to disable "confirm_referrer('register.php');". My friend cannot register because of this line.
Why not to have option of hardcoded admin account(and mod too) somewhere in protected config.inc? I better start my ftp proggie one more time than have probs again.
For now I protected admin_* files via apache basic auth in .htaccess, hope it kick out some kiddies.
For now I protected admin_* files via apache basic auth in .htaccess, hope it kick out some kiddies.
That's a brilliant idea. Sure, it adds an extra password prompt, but for punbb sites that only have 1 admin and a couple of moderators, this could be the ultimate way to keep out these so called "hackers". The easiest way I see is having all of the admin files in a separate directory, protected by an .htaccess file with an .htpasswd file located in a non public directory. That way, if these "hackers" are able to run an exploit that gives them admin access, they can't do anything because of the protected admin section.
I found a very simple way to add Basic authentication to your admin scripts without moving anything.
1. Open include/common_admin.php
In Line 25, add
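// Send the Basic auth challenge and stop.
function authenticate() {
	header('WWW-Authenticate: Basic realm="punBB Administration"');
	header('HTTP/1.0 401 Unauthorized');
	echo "You must enter a valid login ID and password to access this resource\n";
	exit;
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
	authenticate();
}
else {
	// The first line of the file holds "user:md5(password)"
	$auth = file("./admin_pass.pwd");
	if ($auth === false || !isset($auth[0])) {
		authenticate(); // password file missing or empty: deny
	}
	// explode() instead of split(), which was removed in PHP 7
	list($user, $password) = explode(":", trim($auth[0]));
	// Strict comparison, so two different hashes never compare equal as numbers
	if($_SERVER['PHP_AUTH_USER'] !== $user || md5($_SERVER['PHP_AUTH_PW']) !== $password) {
		authenticate();
	}
}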
Now, create a file in your pun installation root and call it admin_pass.pwd
In this file you only put one line with a username and a md5 encoded Password that you want to use for authentication.
File admin_pass.pwd example
Tester:0cbc6611f5540bd0809a388dc95a615b
Done.
Now you will be prompted for this extra username/password pair in all admin areas.
Note1: You can and should (if you can ) move the password file out of your document root.
Then change the line
$auth = file("./admin_pass.pwd");
accordingly
Note2:
If you have no md5 encoded password at hand you can generate one here
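A fail-closed variant of the gate in the post above, as an added example that is not code from the original post or from PunBB. It assumes PHP 5.6 or later, a password file at a hypothetical path outside the document root, and a `user:hash` line whose hash comes from `password_hash()` instead of md5.

```php
<?php
// Added example, not part of PunBB. Assumptions: PHP >= 5.6 (password_verify, hash_equals) and
// ADMIN_PWD_FILE, a hypothetical path outside the web server's document root.
define('ADMIN_PWD_FILE', '/home/for/my/web/admin_pass.pwd');

// Parse one "user:hash" line; returns array(user, hash), or null if the line is malformed.
function parse_pwd_line($line)
{
    $parts = explode(':', trim($line), 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '')
        return null;
    return $parts;
}

// Read the first line of the password file; null when the file is missing, unreadable or empty.
function load_admin_entry($path)
{
    if (!is_readable($path))
        return null;
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return ($lines === false || !isset($lines[0])) ? null : parse_pwd_line($lines[0]);
}

// True only if both the user name and the password match the stored entry.
function check_admin_credentials($user, $pass, $entry)
{
    if ($entry === null)
        return false;                         // fail closed on a missing or garbled file
    list($stored_user, $stored_hash) = $entry;
    $user_ok = hash_equals($stored_user, (string) $user);
    $pass_ok = password_verify((string) $pass, $stored_hash);
    return $user_ok && $pass_ok;
}

function deny()
{
    header('WWW-Authenticate: Basic realm="punBB Administration"');
    header('HTTP/1.0 401 Unauthorized');
    exit("You must enter a valid login ID and password to access this resource\n");
}

if (PHP_SAPI !== 'cli') {
    // Under some CGI/FastCGI setups the server does not pass the Authorization header to PHP;
    // these variables then stay unset and every request is denied.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']))
        deny();
    $entry = load_admin_entry(ADMIN_PWD_FILE);
    if (!check_admin_credentials($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $entry))
        deny();
} else {
    // Command-line self-check with a constructed entry (user "Tester", password "Test").
    $entry = parse_pwd_line('Tester:' . password_hash('Test', PASSWORD_DEFAULT));
    var_dump(check_admin_credentials('Tester', 'Test', $entry));   // matching pair
    var_dump(check_admin_credentials('Tester', 'test', $entry));   // wrong case in the password
    var_dump(check_admin_credentials('Tester', 'Test', null));     // password file missing
}
```

A line for the password file can be produced with `php -r 'echo "Tester:" . password_hash("Test", PASSWORD_DEFAULT), "\n";'`, substituting your own user name and password.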
Having recently had my board hacked, I know how you feel, Rod. It is a bad experience and unsettling for the members, too.
In my case I had not yet installed 1.2.6, silly me.
Since then I have been nervously visiting here to see what is happening.
I think it would be a very good idea to have a way of alerting us all to new patches and new versions.
Sure as God made little kittens, when 1.2.7 is released some hackers will be examining the changelogs to see how 1.2.6 is vulnerable, and if we don't know to upgrade quickly we may get hacked.
(Mailing Lists would be good!)
MathIsFun: Setting that up is on today's schedule actually
And voila! http://punbb.org/newsletter.php
I found a very simple way to add Basic authentication to your admin scripts without moving anything.
This is a great solution, but I can't get it to work. After making the modifications, the browser keeps prompting me for username/passwd. Does anyone have ideas on what could be going wrong?
Could be one of these:
Are you sure the password file is in the correct path and readable by the webserver?
Are you sure the password is md5-encoded properly?
Are you sure you have the right password (case-sensitive, mind you)
If in doubt, try the line I pasted above.
The unencoded Password there is "Test".
So just paste this line (nothing else, just this line) into your password file and try.
Are you sure the password file is in the correct path and readable by the webserver?
If my forums are installed in http://mydomain.com/directory/forum/ where would I put the password file?
I'm having the same problem as someguy.
If my forums are installed in http://mydomain.com/directory/forum/ where would I put the password file?
Insecure version: in the same directory.
Then call it like
$auth = file("./admin_pass.pwd");
Better:
Put it outside of the webserver's document root.
Say, your server root is "/home/for/my/web/directory" and in there you have a dir called "forum".
Then your forum dir above reads "/home/for/my/web/directory/forum/".
Now you put the password file into "/home/for/my/web/"
and call it like
$auth = file("../../admin_pass.pwd");
Anyway, always make sure the file is readable by the webserver!
I have a copy of admin_pass.pwd in my forum root directory and in the include directory (where common_admin.php) is found. The file contains just this line:
Tester:0cbc6611f5540bd0809a388dc95a615b
Both copies of admin_pass.pwd are set to: -rw-r--r--, and I can view it fine if I type its URL into my browser.
I enter Tester for the user name and Test for the password and get the same behavior I described above. I know I should move the file to some other location, but I want to get it to work before I start messing with that.
So if you have the file in the forum root you can try
$auth = file(PUN_ROOT ."admin_pass.pwd");
if it is in the include directory it will be
$auth = file(PUN_ROOT ."include/admin_pass.pwd");
If this all does not work I dunno... maybe some really strange configuration on your machine.... phew....
Unfortunately it's still not working for me.
MathIsFun: Setting that up is on today's schedule actually
Excellent, Rickard! This will help a lot. I have subscribed. And may I say thanks for all you do.
(BTW it wouldn't let me type my address on Firefox, but went through in IE)
Unfortunately it's still not working for me.
OK, to see if your path is correct you can just leave out the authentication part and only call the file:
if (!isset($_SERVER['PHP_AUTH_USER'])) {
	// authenticate();
}
else {
	$auth = file("./admin_pass.pwd");
	// explode() instead of split(), which was removed in PHP 7
	list($user, $password) = explode(":", trim($auth[0]));
	// Debugging only: prints the user name and hash read from the file
	echo "$user $password";
	/*
	if($_SERVER['PHP_AUTH_USER'] != $user || md5($_SERVER['PHP_AUTH_PW']) != $password) {
		authenticate();
	}
	*/
}
This will show you if the file is found and parsed correctly.
If yes then it must have to do with your server settings.
(BTW it wouldn't let me type my address on Firefox, but went through in IE)
Huh? I'm not sure I understand.