51

Re: Hacked by Altan

Ohhhhhhhhhhhhhhh ! smile

To upgrade to 1.2.6, I downloaded the 1.2.6 version and uploaded everything smile I don't see where it was done badly smile

52

Re: Hacked by Altan

Did you download the complete 1.2.6 or just the changed files / patch etc ?

Re: Hacked by Altan

CodeXP wrote:

2. Find, line 93:

else if (isset($_POST['form_sent']))
{

Are you sure that's line 93? Just checked the original source of 1.2.6 and I think this is line 80 smile
It's not so important for you but it's very important for me where the code was customized so much. I have to locate the line in the original source and compare it to my code after that smile.

Thank you,

[no signature]

54

Re: Hacked by Altan

vnpenguin wrote:
CodeXP wrote:

2. Find, line 93:

else if (isset($_POST['form_sent']))
{

Are you sure that's line 93? Just checked the original source of 1.2.6 and I think this is line 80 smile
It's not so important for you but it's very important for me where the code was customized so much. I have to locate the line in the original source and compare it to my code after that smile.

Thank you,

You're absolutely right smile

I've checked with the original source, and it's supposed to be line 80. Edited my post with the right line.

Re: Hacked by Altan

neofutur wrote:

hacked the same way yesterday 18:06 French time.

I come here a bit late but send my info anyway:
I was running 1.2.6 and I have now just applied all CodeXP patches (thanks for your fast patches, CodeXP wink)

some infos I gathered :

added data in db :
INSERT INTO `punbb_config` VALUES ('o_board_title','HACKED BY ALTAN');
INSERT INTO `punbb_config` VALUES ('o_board_desc','AÇIKLAR KAPANMADIKÇA BEN HEP BURDAYIM');
and  :
INSERT INTO `punbb_users` VALUES (4,32000,'Mathusalem','7621e34ef49d97094c9d85248312414e6ca6dfc2','desktop@noos.fr',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1120570925,'84.96.34.102',1120570925,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (5,4,'coco','4d8ec4de1c6571dbfbd8a720dae4224cbc5488a1','flo-flo@yandex.ru',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1121349686,'83.157.145.200',1121361244,NULL,NULL,NULL);
INSERT INTO `punbb_users` VALUES (6,1,'123','8eb5e49487b969d8b89bf1c41a8cfd4bbb65b4d5','e_m_re@hotmail.com',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,1,0,1,1,1,1,1,1,'French','Mercury',0,NULL,1124812372,'81.214.28.118',1124813177,NULL,NULL,NULL);

( 32000 group for me too but two other users were created after )

created in cache directory :
         64 jui 22 06:20 cache_bans.php
      3663 aoû 23 18:06 cache_config.php
        418 aoû 23 18:05 cache_quickjump_1.php
        418 aoû 23 18:05 cache_quickjump_2.php
        418 aoû 23 18:05 cache_quickjump_3.php
        418 aoû 23 18:05 cache_quickjump_4.php
        418 aoû 23 18:05 cache_quickjump_5.php
        418 aoû 23 18:05 cache_quickjump_6.php
        530 jui 22 06:18 cache_ranks.php
         60 jan 11  2005 .htaccess
         63 jan 11  2005 index.html

those cache_quickjump things seem to be part of the exploit

installed plugins :
drwxr-xr-x    3 apache   neonet       4096 jui 22 06:14 ./
drwxrwxr-x   12 apache   neonet       4096 aoû 24 11:18 ../
-rw-r--r--    1 apache   neonet       5080 jan 26  2005 AMP_Example.php
-rw-rw-r--    1 apache   neonet      16942 fév 28 21:49 AMP_Global_topic.php
-rw-rw-r--    1 apache   neonet       4354 jui 22 06:11 AMP_Global_topic.zip
-rw-rw-r--    1 apache   neonet       6636 fév  7  2005 AP_Broadcast_Email.php
-rw-rw-r--    1 apache   neonet       2273 jui 22 06:11 AP_Broadcast_Email.zip
-rw-rw-r--    1 apache   neonet       4818 mai 12 23:57 AP_Clear_Cache.php
-rw-rw-r--    1 apache   neonet       1460 jui 22 06:11 AP_Clear_Cache.zip
-rw-rw-r--    1 apache   neonet      25359 avr  5 17:25 AP_DB_management.php
-rw-rw-r--    1 apache   neonet       8027 jui 22 06:11 AP_DB_management.zip
-rw-rw-r--    1 apache   neonet       5731 fév 22  2005 AP_Languages_and_styles.php
-rw-rw-r--    1 apache   neonet       2053 jui 22 06:11 AP_Languages_and_styles.zip
-rw-rw-r--    1 apache   neonet       5637 mai 24 16:01 AP_Merge_Forums.php
-rw-rw-r--    1 apache   neonet       1953 jui 22 06:11 AP_Merge_Forums.zip
drwxrwxr-x    3 apache   neonet       4096 jan 15  2005 AP_News_Generator/
-rw-rw-r--    1 apache   neonet       7819 jan 26  2005 AP_News_Generator.php
-rw-rw-r--    1 apache   neonet       3145 jui 22 06:11 AP_News_Generator.zip
-rw-rw-r--    1 apache   neonet      12774 fév 28 21:20 AP_User_management.php
-rw-rw-r--    1 apache   neonet       4151 jui 22 06:11 AP_User_management.zip
-rw-rw-r--    1 apache   neonet       2961 fév  3  2005 AP_Version_Changer.php
-rw-rw-r--    1 apache   neonet       1546 jui 22 06:11 AP_Version_Changer.zip
-rw-r--r--    1 apache   neonet         63 jan 11  2005 index.html

I now refuse to host phpbb forums because I saw too many of these problems, and ask my users to prefer punbb. Thank you all for this forum and fast reaction; this problem and the fast answers keep me preferring punbb and human understandable well written code (thank you clean coders wink)

Seems we need a 1.2.7 release soon, no?

What about using the http://punbb.org/forums/extern.php?acti … amp;fid=48 RSS feed so any punbb admin sees a new release immediately in a punbb?

Another important one (but probably much more difficult to code ;( ) would be to have online punbb upgrade like webmin does it (searching for the last version, downloading, verifying md5sum/gpg key if necessary, installing the new version)

Last thing, on http://punbb.org/downloads.php I couldn't find md5sums for the zip/gz files nor gnupg signatures ;(
Would you add them so anyone can verify the md5 or pgp signature?

Hope my thoughts can help.
If you ever need hosting, mirror, rss feed bouncer . . . just ask me wink

Quickjump is a regular cache thing wink
And none of that really helps in finding where the hack originated, since I'm guessing he just used the DB plugin once he was admin to do that.
If you want to email me and/or Rickard some way to download and check your forum source, like Rod did, feel free. I can check and see if there are any missing patches or whatever smile

56 (edited by CodeXP 2005-08-24 22:17)

Re: Hacked by Altan

Rod wrote:

I think about one thing ...

Allowing admin status only to a mail ?

I explain.

I have created the forum www.sortons.net/forum with sortons.net@wanadoo.fr

Why not protect this ??? If someone tries to hack, it sends a mail to the "admin" mail and accept or refuse.

In this case, it would be impossible to change level, and so ... to have the possibility to hack.

I have had this idea because someone hacked my MSN (but I have not a msn email, but sortons.net@wanadoo.fr)

After hacking, I have asked to send a new password, and all was perfect, after.

Just finished writing the readme, so here's the mod smile

http://punbb.org/forums/viewtopic.php?id=8544

##
##
##        Mod title:  Group Change Security MOD.
##
##      Mod version:  1.0
##   Works on PunBB:  1.2.6
##     Release date:  2005-08-24
##           Author:  Öyvind A. Sörensen (oyvind.andre.sorensen@gmail.com)
##
##      Description:  Adds an additional security check when trying to 
##                    add a user to the administrator or moderator groups.
##
##   Affected files:  some_script.php
##                    include/foo.php
##
##       Affects DB:  Yes
##                    Adds 2 columns to the users table, and adds a value
##                    to your config table
##
##            Notes:  This mod adds a security check when trying to add a user
##                    to the moderator or administrator user groups. It will
##                    mail a random 128 character verification key to the
##                    e-mail addresses specified in the admin user panel, after
##                    asking to change groups.
##                    It will only be valid for the time specified in the
##                    newly added option under "Time and timeouts" under
##                    admin options. Default is 600 sec (10 minutes).
##                    If the key doesn't get verified within that period, or if
##                    an invalid key gets entered, the user will stay within
##                    his/her current user group.
##
##
##       DISCLAIMER:  Please note that "mods" are not officially supported by
##                    PunBB. Installation of this modification is done at your
##                    own risk. Backup your forum database and any and all
##                    applicable files before proceeding.
##
##


#
#---------[ 1. UPLOAD ]-------------------------------------------------------
#

install_mod.php to /
verify_group_change.php to /lang/English/

#
#---------[ 2. RUN ]----------------------------------------------------------
#

install_mod.php


#
#---------[ 3. DELETE ]-------------------------------------------------------
#

install_mod.php


#
#---------[ 4. OPEN ]---------------------------------------------------------
#

profile.php


#
#---------[ 5. FIND (line: 470) ]---------------------------------------------
#

else if (isset($_POST['update_group_membership']))
{
    if ($pun_user['g_id'] > PUN_ADMIN)
        message($lang_common['No permission']);

    confirm_referrer('profile.php');

    $new_group_id = intval($_POST['group_id']);


#
#---------[ 6. AFTER ADD ]-------------------------------------------------
#

    if($new_group_id <= PUN_MOD) 
    {
        require PUN_ROOT.'include/email.php';
        
        // Get the username, current key & group change time of the user we want to add as a new mod or admin.
        $result = $db->query('SELECT username, mod_groupchange_key, mod_groupchange_time FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
        list($username, $GCKey, $GCTime) = $db->fetch_row($result);
        
        $KeyToVerify = strip_tags(trim($_POST['activation_key'])); // The key we will try to verify
        $TimeRightNow = time(); // Get the current time
        $TimeOut = $pun_config['o_gc_key_timeout'];
        
        switch($GCKey):
            case NULL: // There are no current key in the database, so we'll generate a new one.
                $randkey = random_pass(128); // Generate a random key, 128 characters in length
                // Let's insert our key into the database
                $db->query('UPDATE '.$db->prefix.'users SET mod_groupchange_key=\''.$randkey.'\', mod_groupchange_time=\''.$TimeRightNow.'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
            break;
            case !NULL: // There are already a key in the DB, so we'll attempt to validated it + check the age of it. If OK, we'll accept the group change. If failed, well, erase the values so that you'll have to start all over again.
                if(time()-$GCTime >= $TimeOut || $KeyToVerify !== $GCKey ) {
                    $db->query('UPDATE '.$db->prefix.'users SET mod_groupchange_key=\'\', mod_groupchange_time=\'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
                    require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
                    redirect('profile.php?section=admin&id='.$id, $lang_verify_group_change['Verify failed']);
                } else {
                    // Success! The key was validated, and the user can safely be added to his new group.
                    $db->query('UPDATE '.$db->prefix.'users SET group_id='.$new_group_id.', mod_groupchange_key=\'\', mod_groupchange_time=\'\' WHERE id='.$id) or error('Unable to change user group', __FILE__, __LINE__, $db->error());
                    require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
                    redirect('profile.php?section=admin&id='.$id, $lang_verify_group_change['Verify success']);                    
                }
            break;
        endswitch;
        
        switch($new_group_id):
            case 1:
                $ipAdress = get_remote_address();
                require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
                pun_mail($pun_config['o_mailing_list'], $lang_verify_group_change['Verify admin mailsubject'], $lang_verify_group_change['Verify admin mailbody']);
                message($lang_verify_group_change['Verify groupchange']);
                break;
            case 2:
                $ipAdress = get_remote_address();
                require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php';
                pun_mail($pun_config['o_mailing_list'], $lang_verify_group_change['Verify mod mailsubject'], $lang_verify_group_change['Verify mod mailbody']);
                message($lang_verify_group_change['Verify groupchange']);
                break;
        endswitch;
    } 
    else
    {


#
#---------[ 7. FIND (line: 517) ]---------------------------------------------------------
#

    redirect('profile.php?section=admin&id='.$id, $lang_profile['Group membership redirect']);


#
#---------[ 8. BEFORE, ADD ]---------------------------------------------
#

    }


#
#---------[ 9. FIND (line: 1564) ]---------------------------------------------------
#

                        echo "\t\t\t\t\t\t\t\t".'<option value="'.$cur_group['g_id'].'">'.pun_htmlspecialchars($cur_group['g_title']).'</option>'."\n";
                }

?>
                            </select>


#
#---------[ 10. AFTER ADD ]--------------------------------------------
#

                            <label><?php require PUN_ROOT.'lang/'.$pun_user['language'].'/verify_group_change.php'; echo $lang_verify_group_change['Verify key'] ?><br /><input type="text" name="activation_key" value="" size="60" maxlength="128" /><br /></label>


#
#---------[ 11. OPEN ]-------------------------------------------------
#

admin_options.php


#
#---------[ 13. FIND (line: 105) ]---------------------------------------------
#

    $form['redirect_delay'] = intval($form['redirect_delay']);

    
#
#---------[ 14. AFTER ADD ]---------------------------------------------
#

    $form['gc_key_timeout'] = intval($form['gc_key_timeout']); // Added for the group change security mod


#
#---------[ 15. FIND (line: 319) ]---------------------------------------------
#

                                <tr>
                                    <th scope="row">Redirect time</th>
                                    <td>
                                        <input type="text" name="form[redirect_delay]" size="3" maxlength="3" value="<?php echo $pun_config['o_redirect_delay'] ?>" />
                                        <span>Number of seconds to wait when redirecting. If set to 0, no redirect page will be displayed (not recommended).</span>
                                    </td>
                                </tr>
                                

#
#---------[ 16. AFTER ADD ]---------------------------------------------
#

                                <tr>
                                    <th scope="row">Group change key timeout</th>
                                    <td>
                                        <input type="text" name="form[gc_key_timeout]" size="4" maxlength="4" value="<?php echo $pun_config['o_gc_key_timeout'] ?>" />
                                        <span>Number of seconds the group change activation key will be valid. Defaults to 600 seconds (10 minutes).</span>
                                    </td>
                                </tr>
                                

#
#---------[ 17. SAVE/UPLOAD ]-------------------------------------------------
#

[DOWNLOAD]
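
The key check the mod's notes describe (issue a key, accept it once within the timeout, wipe it on any failed attempt) is written out below as an added example; it is not CodeXP's mod code, and it differs from it by storing only a SHA-256 digest of the key and comparing in constant time. The function names and the in-memory `$store` array are hypothetical stand-ins for the mod's `mod_groupchange_key` / `mod_groupchange_time` columns, and PHP 7 or later is assumed.

```php
<?php
// Added illustration, not the mod's code. $store stands in for the two
// columns the mod adds to the users table; all names here are hypothetical.

const GC_KEY_TIMEOUT = 600; // seconds, the default stated in the mod's notes

/** Issue a key for $userId and return the plaintext to e-mail out-of-band. */
function gc_issue_key(array &$store, int $userId, int $now): string
{
    $key = bin2hex(random_bytes(64)); // 128 hex characters from the OS CSPRNG
    $store[$userId] = [
        'key_hash' => hash('sha256', $key), // the database never holds the key itself
        'issued'   => $now,
    ];
    return $key;
}

/** Check a submitted key. Every attempt, right or wrong, consumes the pending key. */
function gc_verify_key(array &$store, int $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId])) {
        return false; // nothing pending for this user
    }
    $pending = $store[$userId];
    unset($store[$userId]); // single use: a failed guess forces a fresh key

    if ($now - $pending['issued'] >= GC_KEY_TIMEOUT) {
        return false; // expired
    }
    // Constant-time comparison of the stored digest with the submitted key's digest
    return hash_equals($pending['key_hash'], hash('sha256', trim($submitted)));
}

// Constructed walk-through with fixed timestamps
$store = [];
$t0 = 1124900000;

$key = gc_issue_key($store, 5, $t0);
var_dump(gc_verify_key($store, 5, 'not-the-key', $t0 + 10)); // wrong key submitted
var_dump(gc_verify_key($store, 5, $key, $t0 + 20));          // right key, after a failed attempt

$key = gc_issue_key($store, 5, $t0 + 100);
var_dump(gc_verify_key($store, 5, $key, $t0 + 100 + GC_KEY_TIMEOUT)); // right key, at the timeout

$key = gc_issue_key($store, 5, $t0 + 1000);
var_dump(gc_verify_key($store, 5, $key, $t0 + 1060));        // right key, within the timeout
```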

57

Re: Hacked by Altan

It is hard to change like that with many users (I know on my site I have a few users tongue ),
With a MOD I hate altering tables; you can add a new table that has the 2 fields joined with the users table.

I think about another way: make a "Security Mode" for changing high-level security.
Switching to this mode needs another password, and after finishing the security changes you switch back to Normal mode. mmm or we must just fight with bugs and hackers, that is the real world (n'est-ce pas)

If your people come crazy, you will not need to your mind any more.

58

Re: Hacked by Altan

CodeXP wrote:

Here's another tweak, this time it's one that everyone should add(?):

1. Open register.php

2. Find, line 80:

else if (isset($_POST['form_sent']))
{

3. After, add:

    confirm_referrer('register.php');

4. Save & upload.

The referrer is rather simple to fake, but it's still something to consider just the same.

That will cause problems for anyone trying to register using Norton Internet Suite. Installing the image verification mod (posted somewhere on the modification board) would be a lot more secure.

Re: Hacked by Altan

@Reines: yeah, I have to disable "confirm_referrer('register.php');". My friend cannot register because of this line.

[no signature]

60

Re: Hacked by Altan

Why not to have option of hardcoded admin account(and mod too) somewhere in protected config.inc? I better start my ftp proggie one more time than have probs again.
For now I protected admin_* files via apache basic auth in .htaccess, hope it kick out some kiddies.

61

Re: Hacked by Altan

zaqaz wrote:

For now I protected admin_* files via apache basic auth in .htaccess, hope it kick out some kiddies.

That's a brilliant idea. Sure, it adds an extra password prompt, but for punbb sites that only have 1 admin and a couple of moderators, this could be the ultimate way to keep out these so called "hackers". The easiest way I see is having all of the admin files in a separate directory, protected by an .htaccess file with an .htpasswd file located in a non public directory. That way, if these "hackers" are able to run an exploit that gives them admin access, they can't do anything because of the protected admin section.

Do, or do not.

62

Re: Hacked by Altan

I found a very simple way to add Basic authentication to your admin scripts without moving anything.

1. Open include/common_admin.php

In Line 25, add

// Send the Basic auth challenge and stop.
function authenticate() {
  header('WWW-Authenticate: Basic realm="punBB Administration"');
  header('HTTP/1.0 401 Unauthorized');
  echo "You must enter a valid login ID and password to access this resource\n";
  exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
  authenticate();
}
else {
  // The file holds one line: username:md5(password)
  $auth = file("./admin_pass.pwd");
  // Split that line at the colon
  list($user, $password) = explode(":", trim($auth[0]));
  // Strict comparison, so hash strings are never compared as numbers
  if ($_SERVER['PHP_AUTH_USER'] !== $user || md5($_SERVER['PHP_AUTH_PW']) !== $password) {
    authenticate();
  }
}

Now, create a file in your pun installation root and call it admin_pass.pwd
In this file you only put one line with a username and a md5 encoded Password that you want to use for authentication.

File admin_pass.pwd example

Tester:0cbc6611f5540bd0809a388dc95a615b

Done.

Now you will be prompted for this extra username/password pair in all admin areas.

Note1: You can and should (if you can smile ) move the password file out of your document root.
Then change the line

  $auth = file("./admin_pass.pwd");

accordingly

Note2:
If you have no md5 encoded password at hand you can generate one here

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

Having recently had my board hacked, I know how you feel, Rod. It is a bad experience and unsettling for the members, too.

In my case I had not yet installed 1.2.6, silly me.

Since then I have been nervously visiting here to see what is happening.

I think it would be a very good idea to have a way of alerting us all to new patches and new versions.

Sure as God made little kittens, when 1.2.7 is released some hackers will be examining the changelogs to see how 1.2.6 is vulnerable, and if we don't know to upgrade quickly we may get hacked.

(Mailing Lists would be good!)

Re: Hacked by Altan

MathIsFun: Setting that up is on today's schedule actually smile

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Hacked by Altan

And voila! http://punbb.org/newsletter.php

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Hacked by Altan

Tobi wrote:

I found a very simple way to add Basic authentication to your admin scripts without moving anything.

This is a great solution, but I can't get it to work.  After making the modifications, the browser keeps prompting me for username/passwd.  Does anyone have ideas on what could be going wrong?

67

Re: Hacked by Altan

Could be one of these:
Are you sure the password file is in the correct path and readable by the webserver?
Are you sure the password is md5-encoded properly?
Are you sure you have the right password (case-sensitive, mind you) wink

If in doubt, try the line I pasted above.
The unencoded Password there is "Test".
So just paste this line (nothing else, just this line) into your password file and try.

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

Tobi wrote:

Are you sure the password file is in the correct path and readable by the webserver?

If my forums are installed in http://mydomain.com/directory/forum/ where would I put the password file?

I'm having the same problem as someguy.

Looking for a certain modification for your forum? Please take a look here before posting.

69

Re: Hacked by Altan

pogenwurst wrote:

If my forums are installed in http://mydomain.com/directory/forum/ where would I put the password file?

Insecure version: in the same directory.
Then call it like

$auth = file("./admin_pass.pwd");

Better:
Put it outside of the webserver's document root.
Say, your server root is "/home/for/my/web/directory" and in there you have a dir called "forum".
Then your forum dir above reads "/home/for/my/web/directory/forum/".
Now you put the password file into "/home/for/my/web/"
and call it like

$auth = file("../../admin_pass.pwd");

Anyway, always make sure the file is readable by the webserver!

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

I have a copy of admin_pass.pwd in my forum root directory and in the include directory (where common_admin.php is found).  The file contains just this line:

Tester:0cbc6611f5540bd0809a388dc95a615b

Both copies of admin_pass.pwd are set to: -rw-r--r--, and I can view it fine if I type its URL into my browser.

I enter Tester for the user name and Test for the password and get the same behavior I described above.  I know I should move the file to some other location, but I want to get it to work before I start messing with that.

71

Re: Hacked by Altan

So if you have the file in the forum root you can try

$auth = file(PUN_ROOT ."admin_pass.pwd");

if it is in the include directory it will be

$auth = file(PUN_ROOT ."include/admin_pass.pwd");

If this all does not work I dunno... maybe some really strange configuration on your machine.... phew....

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

Unfortunately it's still not working for me. sad

Re: Hacked by Altan

Rickard wrote:

MathIsFun: Setting that up is on today's schedule actually smile

Excellent, Rickard! This will help a lot. I have subscribed. And may I say thanks for all you do.

(BTW it wouldn't let me type my address on Firefox, but went through in IE)

74 (edited by Tobi 2005-09-03 08:15)

Re: Hacked by Altan

someguy wrote:

Unfortunately it's still not working for me. sad

OK, to see if your path is correct you can just leave out the authentication part and only call the file:

if (!isset($_SERVER['PHP_AUTH_USER'])) {
  // authenticate();
}
else {
  $auth = file("./admin_pass.pwd");
  list($user, $password) = explode(":", trim($auth[0]));
  // Print what was read from the password file
  echo "$user $password";
/*
  if($_SERVER['PHP_AUTH_USER'] != $user || md5($_SERVER['PHP_AUTH_PW']) != $password)  {
    authenticate();
  }
*/
}

This will show you if the file is found and parsed correctly.
If yes then it must have to do with your server settings.

The German PunBB Site:
PunBB-forum.de
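
A hardened form of the Basic auth gate from this sub-thread, as an added example that is not Tobi's code: it checks a `password_hash()` value in place of the unsalted MD5, fails closed when the file is missing or malformed, and also reads the `Authorization` header directly, because under CGI/FastCGI PHP does not fill `PHP_AUTH_USER` unless the server passes that header through. The function names are hypothetical, the path in the usage comment is the illustrative one from the thread, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not code from the thread; function names are hypothetical.

/** Return [user, password] from the request, or null if none was sent. */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // CGI/FastCGI: PHP_AUTH_* stay empty, but the raw header may be forwarded.
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') === 0) {
        $decoded = base64_decode(trim(substr($raw, 6)), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

/** Check the request against one "user:hash" line, hash made by password_hash(). */
function admin_auth_ok(array $server, string $pwdLine): bool
{
    $creds = basic_credentials($server);
    $parts = explode(':', trim($pwdLine), 2);
    if ($creds === null || count($parts) !== 2) {
        return false; // no credentials, or unreadable/malformed file: fail closed
    }
    [$user, $hash] = $parts;
    // Evaluate both checks before combining them
    $userOk = hash_equals($user, $creds[0]);
    $passOk = password_verify($creds[1], $hash);
    return $userOk && $passOk;
}

/** Gate for the top of include/common_admin.php. */
function require_admin_auth(string $pwdFile): void
{
    $content = is_readable($pwdFile) ? (string) file_get_contents($pwdFile) : '';
    $firstLine = strtok($content, "\n") ?: '';
    if (!admin_auth_ok($_SERVER, $firstLine)) {
        header('WWW-Authenticate: Basic realm="punBB Administration"');
        header('HTTP/1.0 401 Unauthorized');
        exit("You must enter a valid login ID and password to access this resource\n");
    }
}

// In common_admin.php, with the file kept outside the document root:
//   require_admin_auth('/home/for/my/web/admin_pass.pwd');

// Constructed demo for the command line: one entry, two simulated requests.
if (PHP_SAPI === 'cli') {
    $entry = 'Tester:' . password_hash('Test', PASSWORD_DEFAULT);
    var_dump(admin_auth_ok(['PHP_AUTH_USER' => 'Tester', 'PHP_AUTH_PW' => 'Test'], $entry));
    var_dump(admin_auth_ok(
        ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('Tester:wrong')],
        $entry
    ));
}
```

The password file line is produced once with `password_hash()`, and Basic credentials are only base64-encoded on the wire, so the admin pages need HTTPS for this gate to add protection.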

Re: Hacked by Altan

MathsIsFun wrote:

(BTW it wouldn't let me type my address on Firefox, but went through in IE)

Huh? I'm not sure I understand.

"Programming is like sex: one mistake and you have to support it for the rest of your life."