26 (edited by CodeXP 2005-08-23 21:56)

Re: Hacked by Altan

Ok, here's a little mod of register.php & post.php that could help out a little (at least it would have in my scenario). It may still require a little tweaking, but still...

1. Open ./register.php

2. Find, on line 142:

    else if ($pun_config['o_regs_verify'] == '1' && $email1 != $email2)
        message($lang_register['E-mail not match']);

3. After, add:

    else if (!$gooddomain) {
        // $gooddomain is not set anywhere before this point, so this branch always runs.
        // With register_globals on, an unset variable can be filled in from the request,
        // so do not rely on it as a guard.
        $pos = strpos($email1, '@');
        $server = substr($email1, $pos+1);

        // gethostbyname() does a DNS A-record lookup (not a ping) and returns the
        // name unchanged when it cannot be resolved, which is what "case $server" catches.
        switch (gethostbyname($server)):
            case $server:
                message($lang_common['Invalid e-mail']);
            break;
            default:
                $gooddomain = 1;
            break;
        endswitch;
    }

4. Open ./post.php

5. Find, on line 138:

        if ($pun_config['p_force_guest_email'] == '1' || $email != '')
        {
            require PUN_ROOT.'include/email.php';
            if (!is_valid_email($email))
                $errors[] = $lang_common['Invalid e-mail'];
        }

6. After, add:

        if (!$gooddomain && $email != '') {
            // Guests may leave the optional e-mail blank (p_force_guest_email off);
            // skip the lookup then, otherwise an empty domain would be rejected.
            $pos = strpos($email, '@');
            $server = substr($email, $pos+1);

            // As in register.php: gethostbyname() returns the name unchanged when the
            // DNS lookup fails, so "case $server" means the domain did not resolve.
            // message() aborts the request here; post.php otherwise collects errors in $errors[].
            switch (gethostbyname($server)):
                case $server:
                    message($lang_common['Invalid e-mail']);
                break;
                default:
                    $gooddomain = 1;
                break;
            endswitch;
        }

7. Save & upload.

What this does is check if the specified server responds to a "ping". If it doesn't, well, you'll get the invalid e-mail address error message. It won't do much good if the "hacker" really specifies a real e-mail domain, but he didn't in this case, so then it would have blocked him smile

EDIT: Improved script a little.
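As an added example that is not part of CodeXP's mod or of PunBB, here is the same domain test done with checkdnsrr(), which asks for the MX records a mail domain actually needs rather than the single A record that gethostbyname() resolves (a DNS lookup, not a ping). The function names are the example's own, the sample addresses are constructed, and the verdicts depend on live DNS at run time.

```php
<?php
// Added example, not CodeXP's mod or PunBB code: a stricter version of the domain
// check in the mod above. Function names (email_domain, email_domain_accepts_mail)
// are this example's own. Needs PHP 5.3+ for the AAAA lookup and a working resolver.

// The part after the last '@', lower-cased, or null when there is no domain part.
function email_domain($email)
{
    $pos = strrpos($email, '@');
    if ($pos === false || $pos === strlen($email) - 1)
        return null;
    return strtolower(substr($email, $pos + 1));
}

// True when the domain can plausibly receive mail: it has an MX record or, failing
// that, an A/AAAA record (the fallback mail servers use when no MX exists).
// gethostbyname(), used in the mod above, asks only for an A record and returns
// its input unchanged on failure; checkdnsrr() reports success or failure directly.
function email_domain_accepts_mail($email)
{
    $domain = email_domain($email);
    if ($domain === null)
        return false;
    if (checkdnsrr($domain, 'MX'))
        return true;
    return checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
}

// Constructed samples in the shape of the registrations reported in this thread;
// the verdicts depend on the live DNS answers at the time the script runs.
$samples = array(
    'd8jvackgi@ii7ia.org',   // random-looking domain quoted in the thread
    'user@example.com',      // reserved documentation domain
    'nobody@',               // no domain part at all
);
foreach ($samples as $address)
    printf("%-22s %s\n", $address, email_domain_accepts_mail($address) ? 'domain resolves for mail' : 'rejected');
```

A resolvable domain still says nothing about the mailbox itself, so this only filters the random-domain registrations described in the thread, not ones made with a real provider.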

27

Re: Hacked by Altan

CodeXP wrote:

The mail addresses entered are mostly just a random bunch of characters, like d8jvackgi@ii7ia.org

Yes here, as quoted, just alphabetical nonsense names and addresses, though of course for all I know that could be quite normal.

28

Re: Hacked by Altan

It would be useful if you could list all the mods you have installed. It's possible one of them has a deliberate security flaw allowing this person to register with admin status.

29

Re: Hacked by Altan

Paul wrote:
CodeXP wrote:

The mail addresses entered are mostly just a random bunch of characters, like d8jvackgi@ii7ia.org

Yes here, as quoted, just alphabetical nonsense names and addresses, though of course for all I know that could be quite normal.

Here's a sample of 100 entries from my database, by that jackass (username | e-mail) to compare with:


30

Re: Hacked by Altan

Waouh, impressed to see I'm not alone...

It's very weird to be hacked: it's the first time I've been confronted with this (and I've been on the net since 1998!!!)... like a rape. Really.

@ Rickard & Smartys > I'll send you the link to download my whole forum in a few minutes.

31

Re: Hacked by Altan

This brings up a question.

I have my forums set so that Verify registrations is set to yes. Just wondering if the user is added only after he or she is verified by responding to the email?

Re: Hacked by Altan

Rickard wrote:
Paul wrote:

Incidentally, a search for recent registrations here shows up the same pattern as described by CodeXP.

In these forums?

There are a lot of suspicious registrations here (punbb.org) on 11 August 2005.  It looks like (s)he is/was trying something here too.

Re: Hacked by Altan

hcgtv: No, they're added, but with a group id of 32000 I believe

34

Re: Hacked by Altan

Smartys wrote:

hcgtv: No, they're added, but with a group id of 32000 I believe

e.g., easy to delete from the db

Re: Hacked by Altan

btw, about the guest post, registration, and registration-and-post attacks (mypunbb was hit pretty bad), I've made a plugin to clean up the mess left by them; I'll be releasing it tomorrow (it allows you to remove all users and posts for a certain IP or set of IPs)

36 (edited by CodeXP 2005-08-24 15:34)

Re: Hacked by Altan

Here's another tweak, this time it's one that everyone should add(?):

1. Open register.php

2. Find, on line 80:

    else if (isset($_POST['form_sent']))
    {

3. After, add:

    confirm_referrer('register.php');

4. Save & upload.

The referrer is rather simple to fake, but it's still something to consider just the same.

37

Re: Hacked by Altan

Might I ask what it does?

38

Re: Hacked by Altan

I'm waiting for all of CodeXP's tweaks to add them all at once smile

Like Hcgtv (yet!), my admin panel had "verify email registration" set to YES...

39

Re: Hacked by Altan

Stork wrote:

Might I ask what it does?

The same as when you're trying to post or change settings in your profile/admin panel. It checks if the form was submitted from your own domain. Of course, seeing as that information comes from your own browser, it can be faked, but it's still a good idea to check for.
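The referrer check just described, next to a per-session form token that does not depend on a browser-supplied header, as an added example rather than PunBB's own confirm_referrer(): the function names, $base_url and the plain session array are this example's assumptions, and it needs PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not PunBB code: a referrer check of the kind confirm_referrer()
// performs, next to a session-bound form token. All names are this example's own.

// Weak check: does the Referer header point at our own copy of this script?
// The browser supplies this header, so a pass is a hint rather than proof.
function referrer_is_own_form($referer, $base_url, $script)
{
    // Compare host and path only, ignoring scheme and a leading "www.".
    $norm = function ($url) {
        $p = parse_url($url);
        if ($p === false || empty($p['host']))
            return null;
        $host = preg_replace('/^www\./', '', strtolower($p['host']));
        return $host . (isset($p['path']) ? $p['path'] : '/');
    };
    $got = $norm($referer);
    return $got !== null && $got === $norm(rtrim($base_url, '/') . '/' . $script);
}

// Stronger check: a random token kept in the session and echoed back in a hidden
// form field. A request assembled elsewhere has no way to know it, whatever its
// Referer header says; hash_equals() keeps the comparison timing-neutral.
function form_token_issue(array &$session)
{
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

function form_token_verify(array &$session, $submitted)
{
    if (!isset($session['form_token']) || !is_string($submitted))
        return false;
    $ok = hash_equals($session['form_token'], $submitted);
    unset($session['form_token']);   // one use per token
    return $ok;
}

// Constructed walkthrough with an assumed board URL and a plain array in place of $_SESSION.
$base_url = 'http://forum.example/punbb';
foreach (array('http://www.forum.example/punbb/register.php', 'http://other.example/register.php', '') as $ref)
    printf("referer %-45s -> %s\n", "'$ref'", referrer_is_own_form($ref, $base_url, 'register.php') ? 'accepted' : 'refused');

$session = array();
$token = form_token_issue($session);
printf("token first use  -> %s\n", form_token_verify($session, $token) ? 'accepted' : 'refused');
printf("token second use -> %s\n", form_token_verify($session, $token) ? 'accepted' : 'refused');
```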

40

Re: Hacked by Altan

I have been thinking about one thing...

Allowing admin status only via e-mail?

Let me explain.

I have created the forum www.sortons.net/forum with sortons.net@wanadoo.fr

Why not protect this??? If someone tries to hack, it sends a mail to the "admin" address to accept or refuse.

In that case, it would be impossible to change level, and so... to have the possibility to hack.

I had this idea because someone hacked my MSN (but I don't have an MSN e-mail, but sortons.net@wanadoo.fr)

After the hack, I asked for a new password to be sent, and everything was fine afterwards.

41

Re: Hacked by Altan

there is also
http://punbb.org/forums/viewtopic.php?id=8501
hacked by the same hacker

If your people go crazy, you will not need your mind any more.

Re: Hacked by Altan

I just had a quick look at Rod's source code and I can say with some certainty that the reason his forum was hacked was that he had not applied the following fix (which is part of 1.2.6):

http://dev.punbb.org/changeset/221

If you have been hacked, please make sure you have applied it.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

43 (edited by CodeXP 2005-08-23 22:27)

Re: Hacked by Altan

Rod wrote:

I have been thinking about one thing...

Allowing admin status only via e-mail?

Let me explain.

I have created the forum www.sortons.net/forum with sortons.net@wanadoo.fr

Why not protect this??? If someone tries to hack, it sends a mail to the "admin" address to accept or refuse.

In that case, it would be impossible to change level, and so... to have the possibility to hack.

I had this idea because someone hacked my MSN (but I don't have an MSN e-mail, but sortons.net@wanadoo.fr)

After the hack, I asked for a new password to be sent, and everything was fine afterwards.

Great idea! I'll see if I can't do a mod for that tomorrow, if nobody beats me to it (and provided I'm up to the challenge) smile

44 (edited by Rod 2005-08-23 22:32)

Re: Hacked by Altan

Rickard wrote:

I just had a quick look at Rod's source code and I can say with some certainty that the reason his forum was hacked was that he had not applied the following fix (which is part of 1.2.6):

http://dev.punbb.org/changeset/221

If you have been hacked, please make sure you have applied it.

Ohhhh it's cute... never seen this (I admit I have never gone to www.punbb.org > shame on me)

profile.php uploaded smile I will turn registrations back on when everything is sure smile

45

Re: Hacked by Altan

Ladies and gentlemen, you may now go back to sleep (particularly if register_globals = off)

46

Re: Hacked by Altan

Paul: maybe you are a very old man who needs 14h of sleep... but... this experience prevents me from sleeping smile

47

Re: Hacked by Altan

Rickard wrote:

I just had a quick look at Rod's source code and I can say with some certainty that the reason his forum was hacked was that he had not applied the following fix (which is part of 1.2.6):

http://dev.punbb.org/changeset/221

Yes, that's applied on all my forums as are all the changes from 1.2.6.

I opened up registration again, let's see what happens in the next few days.

Thanks Rickard for looking into this.

Rod, you gave us a scare smile

48

Re: Hacked by Altan

I must say, that was a very fast response.

Re: Hacked by Altan

Hacked the same way yesterday at 18:06 French time.

I come here a bit late but I'll send my info anyway:
I was running 1.2.6 and I have now just applied all of CodeXP's patches (thanks for your fast patches, CodeXP wink

some info I gathered:

added data in db :
INSERT INTO `punbb_config` VALUES ('o_board_title','HACKED BY ALTAN');
INSERT INTO `punbb_config` VALUES ('o_board_desc','AÇIKLAR KAPANMADIKÇA BEN HEP BURDAYIM');
and:
INSERT INTO `punbb_users` VALUES (4,32000,'Mathusalem','7621e34ef49d97094c9d85248312414e6ca6dfc2','desktop@noos.fr',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1120570925,'84.96.34.102',1120570925,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (5,4,'coco','4d8ec4de1c6571dbfbd8a720dae4224cbc5488a1','flo-flo@yandex.ru',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1121349686,'83.157.145.200',1121361244,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (6,1,'123','8eb5e49487b969d8b89bf1c41a8cfd4bbb65b4d5','e_m_re@hotmail.com',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1124812372,'81.214.28.118',1124813177,NULL,NULL,NULL);

(32000 group for me too, but two other users were created afterwards)

created in cache directory :
         64 jui 22 06:20 cache_bans.php
      3663 aoû 23 18:06 cache_config.php
        418 aoû 23 18:05 cache_quickjump_1.php
        418 aoû 23 18:05 cache_quickjump_2.php
        418 aoû 23 18:05 cache_quickjump_3.php
        418 aoû 23 18:05 cache_quickjump_4.php
        418 aoû 23 18:05 cache_quickjump_5.php
        418 aoû 23 18:05 cache_quickjump_6.php
        530 jui 22 06:18 cache_ranks.php
         60 jan 11  2005 .htaccess
         63 jan 11  2005 index.html

those cache_quickjump things seem to be part of the exploit

installed plugins :
drwxr-xr-x    3 apache   neonet       4096 jui 22 06:14 ./
drwxrwxr-x   12 apache   neonet       4096 aoû 24 11:18 ../
-rw-r--r--    1 apache   neonet       5080 jan 26  2005 AMP_Example.php
-rw-rw-r--    1 apache   neonet      16942 fév 28 21:49 AMP_Global_topic.php
-rw-rw-r--    1 apache   neonet       4354 jui 22 06:11 AMP_Global_topic.zip
-rw-rw-r--    1 apache   neonet       6636 fév  7  2005 AP_Broadcast_Email.php
-rw-rw-r--    1 apache   neonet       2273 jui 22 06:11 AP_Broadcast_Email.zip
-rw-rw-r--    1 apache   neonet       4818 mai 12 23:57 AP_Clear_Cache.php
-rw-rw-r--    1 apache   neonet       1460 jui 22 06:11 AP_Clear_Cache.zip
-rw-rw-r--    1 apache   neonet      25359 avr  5 17:25 AP_DB_management.php
-rw-rw-r--    1 apache   neonet       8027 jui 22 06:11 AP_DB_management.zip
-rw-rw-r--    1 apache   neonet       5731 fév 22  2005 AP_Languages_and_styles.php
-rw-rw-r--    1 apache   neonet       2053 jui 22 06:11 AP_Languages_and_styles.zip
-rw-rw-r--    1 apache   neonet       5637 mai 24 16:01 AP_Merge_Forums.php
-rw-rw-r--    1 apache   neonet       1953 jui 22 06:11 AP_Merge_Forums.zip
drwxrwxr-x    3 apache   neonet       4096 jan 15  2005 AP_News_Generator/
-rw-rw-r--    1 apache   neonet       7819 jan 26  2005 AP_News_Generator.php
-rw-rw-r--    1 apache   neonet       3145 jui 22 06:11 AP_News_Generator.zip
-rw-rw-r--    1 apache   neonet      12774 fév 28 21:20 AP_User_management.php
-rw-rw-r--    1 apache   neonet       4151 jui 22 06:11 AP_User_management.zip
-rw-rw-r--    1 apache   neonet       2961 fév  3  2005 AP_Version_Changer.php
-rw-rw-r--    1 apache   neonet       1546 jui 22 06:11 AP_Version_Changer.zip
-rw-r--r--    1 apache   neonet         63 jan 11  2005 index.html

I now refuse to host phpbb forums because I have seen too many of these problems, and I ask my users to prefer punbb. Thank you all for this forum and the fast reaction; this problem and the fast answers keep me preferring punbb and human-understandable, well-written code (thank you clean coders wink)

Seems we need a 1.2.7 release soon, no?

What about using the http://punbb.org/forums/extern.php?acti … amp;fid=48 RSS feed so any punbb admin sees a new release immediately in their punbb?

Another important one (but probably much more difficult to code ;( would be an online punbb upgrade like webmin does it (searching for the latest version, downloading, verifying the md5sum/gpg signature if necessary, installing the new version)

Last thing, on http://punbb.org/downloads.php I couldn't find md5sums for the zip/gz files nor a GnuPG signature ;(
Would you add them so anyone can verify the md5 or PGP signature?

Hope my thoughts can help.
If you ever need hosting, a mirror, an RSS feed bouncer... just ask me wink

50

Re: Hacked by Altan

neofutur wrote:

Seems we need a 1.2.7 release soon, no?

No because Rickard just said that the reason he thinks Rod was 'hacked' is that the upgrade to 1.2.6 wasn't done properly.