♥ PosetteForever ♥
Shebeen, the Staff forum - Hacked
Tormie [ Friday, 15 February 2008, 10:28 AM ]
Post subject: Hacked
I have to run to work now, so I'll expand the topic later.
<br />
<br />
Today a user from 76.106.153.204 (Comcast, USA) hacked the site. He did no damage and impersonated me and Andreas.
<br />
He used a hole in the file links.php, which has been removed; I'll investigate more when I'm back.
<br />
I've also banned the IP address and emailed the abuse service at Comcast.
<br />
<br />
It seems he used a cookie "impersonation", so please, Andreas, log out, go here:
<br />
<br />
<a class="post-url" href="http://www.posetteforever.com/mycookies.php">http://www.posetteforever.com/mycookies.php</a>
<br />
<br />
close the browser, open it and log in again.
<br />
<br />
Please, please, read the other topic about how to shut off the site when something like this happens <img src="https://www.posetteforever.com/images/smiles/eusa_pray.gif" alt="" />, try it and memorize the procedure; it's very important <img src="https://www.posetteforever.com/images/smiles/eusa_pray.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/eusa_pray.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/eusa_pray.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/eusa_pray.gif" alt="" />
<br />
<br />
Back later
<br />
<br />
Davide
Tormie [ Friday, 15 February 2008, 06:50 PM ]
Post subject: Re: Hacked
Update:
<br />
<br />
I came home from work and found that this was bad, but it could have been worse.
<br />
<br />
The hacker attacked the file links.php (which no longer exists...) using this code:
<br />
<br />
Code:
http://www.posetteforever.com/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
<br />
<br />
<br />
<b>Edit: DON'T try that code now, I've just installed a security code and you will be banned on the spot!!</b>
<br />
<br />
This gave him the list of all the password hashes (the encrypted passwords in the database), and with those he could build a session key and simply steal a user's identity.
<br />
<br />
What did he do and try to do?
<br />
<br />
First he tried to access the administration control panel, but it has a double password (that is what saved us), so he could not deface the site and limited the attack to stealing Andreas' identity and lurking in some profiles, actually grouchocaesar's, trying to change things, but he was stopped by the antispam protection. So he went to the shoutbox and wrote something about the lack of security and how he was a good hacker and did nothing (actually he surely could have done damage with my account, but he wanted to do something worse in the admin control panel).
<br />
<br />
What did I do?
<br />
<br />
He had ALL the encrypted passwords (all the passwords on the site are encrypted; not even I can know what the original password is, but knowing the encrypted password in the database one can build a link with a working session id). So I searched and found a tool to re-encrypt the passwords twice; this tool also prevents the use of the encrypted password to enter the site. The alternative would have been to ask EVERYONE to change their password.
<br />
<br />
Now, even though I changed the encrypted passwords, I suggest you go to your control panel and change your password to a new one. I'll also change the password for the control panel and send you the data by email (if one steals your identity here he can go to this forum and simply see what the password is...).
<br />
<br />
Plus, having the complete log, I have already contacted Comcast, but I'll contact the FBI in the USA too.
<br />
<br />
More about this "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit" can be found here:
<br />
<br />
<a class="post-url" href="http://www.waraxe.us/ftopict-1916.html" target="_blank">http://www.waraxe.us/ftopict-1916.html</a>
<br />
<br />
You can see that this self-styled "hacker" did only a simple cut and paste of code someone else wrote.
<br />
<br />
What he did was go to Google and use this search string:
<br />
<br />
allinurl:links.php
<br />
<br />
He found us here (I can't see posetteforever now, but it was one of the results):
<br />
<br />
<a class="post-url" href="http://www.google.com/search?q=allinurl:links.php&hl=en&start=80&sa=N" target="_blank">http://www.google.com/search?q=alli...n&start=80&sa=N</a>
<br />
<br />
Then he went to the site and applied the hack code above; next he searched for my nickname:
<br />
<br />
Code:
30956 Anonymous 76.106.153.204 2008 Feb 15 06:42 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: profile.php
Parameters: mode=viewprofile&u=2
http_referer: http://www.posetteforever.com/forum.php
<br />
<br />
Here he is "me":
<br />
<br />
Code:
30958 Tormie 76.106.153.204 2008 Feb 15 06:43 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php
<br />
<br />
The first thing he tried was to go to the admin panel (and he was stopped by the password protection):
<br />
<br />
Code:
30966 Tormie 76.106.153.204 2008 Feb 15 06:45 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/adm/
<br />
<br />
Andreas was on the site, so he went to see his account number (78):
<br />
<br />
Code:
30970 Tormie 76.106.153.204 2008 Feb 15 06:47 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: profile.php
Parameters: mode=viewprofile&u=78
http_referer: http://www.posetteforever.com/
<br />
<br />
Here he is "Ahjah":
<br />
Code:
30978 ahjah 76.106.153.204 2008 Feb 15 06:50 index.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php?redirect=index.php
<br />
<br />
Here he goes to Andreas' preferences (please, Andreas, check them):
<br />
Code:
31030 ahjah 76.106.153.204 2008 Feb 15 07:09 profile.php (GET) - US - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12
Page Page: profile.php
Parameters: mode=editprofile&cpl_mode=preferences
http_referer: http://www.posetteforever.com/profile_main.php
<br />
<br />
and that's all for now ...
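As an added example, not code from the page, from the Links MOD or from waraxe's advisory: the pattern behind the request quoted in the post above, written in Python against an in-memory SQLite table. The vulnerable builder drops the `start` parameter straight into the LIMIT clause, so the payload `1,1 UNION SELECT ... FROM phpbb_users/*` becomes part of the statement and its trailing `/*` comments out the rest of the clause; the hardened builder accepts only digits for `start` and binds the keyword as a parameter. The links table, its columns, the page size and the sample rows are my assumptions (only `phpbb_users`, `username` and `user_password` come from the payload). SQLite's grammar does not allow a LIMIT before UNION, so it refuses the injected text, whereas the MySQL behind the forum executed it, as the post reports; the example therefore only shows the vulnerable path producing the attacker's SQL and runs the hardened path end to end.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The request quoted in the post, so both query builders can be fed the real payload.
ATTACK_URL = ("http://www.posetteforever.com/links.php?t=search&search_keywords=asd"
              "&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12"
              "+FROM+phpbb_users/*")
BENIGN_URL = "http://www.posetteforever.com/links.php?t=search&search_keywords=pose&start=0"

LINKS_PER_PAGE = 10  # assumed page size; the real MOD reads its own config value


def query_params(url):
    """Parameters as PHP's $_GET would present them ('+' becomes a space)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def build_search_sql_vulnerable(params):
    """Query built by string interpolation, the pattern the advisory describes.
    Nothing checks that `start` is a number, so the payload rides into the
    LIMIT clause and its trailing '/*' comments out the ', 10' that follows."""
    keywords = params.get("search_keywords", "")
    start = params.get("start", "0")
    return ("SELECT link_id, link_name, link_url, link_desc, link_cat, link_user, "
            "link_time, link_hits, link_rating, link_votes, link_approved, link_ip "
            f"FROM links WHERE link_name LIKE '%{keywords}%' "
            f"ORDER BY link_name LIMIT {start}, {LINKS_PER_PAGE}")


def parse_start(value):
    """Hardened: `start` is an offset, so accept only a short run of digits."""
    if not re.fullmatch(r"\d{1,9}", value or ""):
        raise ValueError(f"rejecting start={value!r}")
    return int(value)


def build_search_sql_hardened(params):
    """Offset validated as an integer, keyword bound as a parameter, never interpolated."""
    start = parse_start(params.get("start", "0"))
    keywords = params.get("search_keywords", "")
    sql = ("SELECT link_id, link_name, link_url FROM links "
           "WHERE link_name LIKE ? ORDER BY link_name LIMIT ? OFFSET ?")
    return sql, ("%" + keywords + "%", LINKS_PER_PAGE, start)


def make_db():
    """In-memory SQLite with constructed rows standing in for the MOD's tables
    (column names are assumed; the user row holds md5('password'))."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE links (link_id INTEGER, link_name TEXT, link_url TEXT, link_desc TEXT,
            link_cat INTEGER, link_user INTEGER, link_time INTEGER, link_hits INTEGER,
            link_rating INTEGER, link_votes INTEGER, link_approved INTEGER, link_ip TEXT);
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO links VALUES (1, 'Posette Forever', 'http://www.posetteforever.com/',
            'constructed row', 1, 2, 0, 0, 0, 0, 1, '');
        INSERT INTO links VALUES (2, 'Some other site', 'http://example.invalid/',
            'constructed row', 1, 2, 0, 0, 0, 0, 1, '');
        INSERT INTO phpbb_users VALUES (2, 'admin_a', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def search_links(conn, url):
    """The hardened path end to end: returns the matching link names."""
    sql, args = build_search_sql_hardened(query_params(url))
    return [row[1] for row in conn.execute(sql, args)]


def sqlite_executes(conn, sql):
    """True if SQLite runs the text, False if its parser rejects it."""
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print("attacker's SQL:", build_search_sql_vulnerable(query_params(ATTACK_URL)))
    print("hardened search:", search_links(conn, BENIGN_URL))
```

A plain `(int)`/`intval()` cast would also have stopped this payload (`intval('1,1 UNION ...')` is 1 in PHP); the digits-only check additionally refuses the request outright instead of silently serving page 1, which is what gives a logging or banning layer something to act on.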
ahjah [ Friday, 15 February 2008, 08:42 PM ]
Post subject: Re: Hacked
I'll check my stuff and change my password ( <img src="https://www.posetteforever.com/images/smiles/crybaby2.gif" alt="" /> )...
Tormie [ Friday, 15 February 2008, 08:49 PM ]
Post subject: Re: Hacked
It is "just in case", Andreas; I've already re-encrypted them with a different method. To put it more clearly, no one can know what your password is except you; what is on the site is an MD5 encrypted string based on your password. The hacker got a list of these strings, but I've already changed them all, so everyone is safe, but you know... maybe <img src="https://www.posetteforever.com/images/smiles/eusa_shifty.gif" alt="" /> ...
<br />
<br />
For some reason that I don't understand we have been "under attack" for some months now; however, we were lucky this time. I'll do backups more often...
ahjah [ Friday, 15 February 2008, 09:05 PM ]
Post subject: Re: Hacked
... but we won't back down! <img src="https://www.posetteforever.com/images/smiles/focus.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/eusa_sick.gif" alt="" />
tda42 [ Saturday, 16 February 2008, 12:11 AM ]
Post subject: Re: Hacked
So what is with all of this Posy welcoming around here? Greywolf and all. Is that part of the hacker? <img src="https://www.posetteforever.com/images/smiles/ph34r.gif" alt="" /> It is really surprising that we are getting hit now. <img src="https://www.posetteforever.com/images/smiles/eusa_think.gif" alt="" />
Tormie [ Saturday, 16 February 2008, 12:20 AM ]
Post subject: Re: Hacked
No, it's an old feature that I resurrected; Posy will hug all newly registered users <img src="https://www.posetteforever.com/images/smiles/heartbeat.gif" alt="" />. Yes, it is surprising, Kenny; it was also my fault for not keeping certain files updated. I'm actually working on a major upgrade of the main security package installed, ctracker (at night, as usual <img src="https://www.posetteforever.com/images/smiles/crybaby2.gif" alt="" />)
tda42 [ Saturday, 16 February 2008, 12:26 AM ]
Post subject: Re: Hacked
Maybe when it comes to topics like hacking we need to keep it in the mod area. It seems like some of the forum may have started a challenge with a hacker out on the net. <img src="https://www.posetteforever.com/images/smiles/eusa_think.gif" alt="" /> It has been quiet and then this happens. Really makes you wonder. Very strange. <img src="https://www.posetteforever.com/images/smiles/eusa_shifty.gif" alt="" />
Tormie [ Saturday, 16 February 2008, 12:42 AM ]
Post subject: Re: Hacked
Kenny, the people that try to hack Posetteforever are not real hackers; for a hacker PF can't be a target, it's a place without any commercial involvement. It's a target for people that cut & paste lines of code made by someone else, same as happened to 3dtapestry recently...
tda42 [ Saturday, 16 February 2008, 12:59 AM ]
Post subject: Re: Hacked
Yes, I know that, Davide. What I was trying to say is that they may be doing this just for sport, because we had talked about hacking before and they fed off the conversation as a challenge. <img src="https://www.posetteforever.com/images/smiles/ph34r.gif" alt="" />
Tormie [ Saturday, 16 February 2008, 01:04 AM ]
Post subject: Re: Hacked
maybe we're not winning but we're not even losing <img src="https://www.posetteforever.com/images/smiles/biggrin.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/winner_second_h4h.gif" alt="" />
tda42 [ Saturday, 16 February 2008, 01:18 AM ]
Post subject: Re: Hacked
<img src="https://www.posetteforever.com/images/smiles/lmao.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/redembarrassed.gif" alt="" />
Tormie [ Saturday, 16 February 2008, 10:01 PM ]
Post subject: Re: Hacked
Well, after today's work on the site I think we've reached the maximum security level EVER, lol.
<br />
<br />
There were a couple of "phpBB security" packages that I never installed because they collided with other installed packages, but lately I have become a little more skilled at understanding PHP (the programming language of the site) and I succeeded in doing what I think is a good job.
<br />
<br />
Now if someone tries a UNION attack or some other tricks, he is automatically banned and blacklisted with a message that says "Posy Thinks You Should Go In Our Black List."
<br />
<br />
This system blocks different kinds of attacks, but especially on DDoS attacks it can fail sometimes, so if you got banned by mistake, contact me asap (I'll set the DDoS attacks to "BLOCK" instead of "BAN" anyway).
<br />
<br />
So now it's time to go back to normal business ... <img src="https://www.posetteforever.com/images/smiles/tele_darkBG.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/connie_yoyo.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/d_bubble.gif" alt="" /> <img src="https://www.posetteforever.com/images/smiles/lazy.gif" alt="" />
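An added example of the rule described in the post above (ban on a UNION attempt, temporary block rather than ban for request floods), written in Python over a constructed request log shaped like the ctracker entries quoted earlier in the thread; it is not ctracker's code, and the thresholds, field names and TEST-NET addresses are my own. Each parameter is decoded again after parsing, lower-cased and stripped of `/**/` comments before matching, so `uNiOn/**/sElEcT` and `UNION+SELECT` are treated alike, while a keyword such as `union station` stays allowed; parameters the application only ever uses as integers (`start`, `u`) are rejected when they carry anything else. A burst from one address is only blocked, the setting Davide says he is switching the DDoS rule to, because that signal misfires on legitimate traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus

# Constructed request log, shaped like the ctracker entries quoted in the thread
# but with the query string on the same line. Addresses are TEST-NET, not real ones.
LOG = """\
40001 Anonymous 192.0.2.10 2008 Feb 15 06:40 links.php (GET) t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
40002 Anonymous 192.0.2.20 2008 Feb 15 06:41 links.php (GET) t=search&search_keywords=union+station&start=10
40003 Anonymous 192.0.2.30 2008 Feb 15 06:41 links.php (GET) t=search&search_keywords=asd&start=0%2C1%20uNiOn%2F%2A%2A%2FsElEcT%201%2C2
40004 Anonymous 192.0.2.40 2008 Feb 15 06:42 profile.php (GET) mode=viewprofile&u=78
40005 Anonymous 192.0.2.50 2008 Feb 15 06:42 index.php (GET)
"""
# A burst from one address inside a single minute, the kind of thing the post's
# DDoS rule trips on; it earns a temporary block, not a permanent ban.
LOG += "".join(f"{40100 + i} Anonymous 192.0.2.66 2008 Feb 15 06:43 index.php (GET)\n"
               for i in range(30))

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{4} \w{3} \d{2} \d{2}:\d{2}) (\S+) \((\w+)\)(?: (.*))?$")
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
NUMERIC_PARAMS = {"start", "u"}   # fields the application only ever uses as integers
BURST_LIMIT = 20                   # requests per IP per minute before a temporary block
RANK = {"allow": 0, "block": 1, "ban": 2}


def parse_line(line):
    """One log entry -> dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rid, user, ip, stamp, page, method, qs = m.groups()
    return {"id": int(rid), "user": user, "ip": ip, "minute": stamp,
            "page": page, "method": method, "query": qs or ""}


def normalise(value):
    """Decode again, lower-case, drop /**/ comments and collapse whitespace, so
    'uNiOn/**/sElEcT' and 'UNION+SELECT' look the same to the rule."""
    text = unquote_plus(unquote_plus(value)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def sqli_reason(query):
    """Why a query string looks like an injection attempt, or None if it does not."""
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = normalise(raw)
            if UNION_RE.search(value):
                return f"UNION SELECT in {name}"
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
                return f"non-integer {name}={raw!r}"
    return None


def decide(log_text):
    """Per-IP verdict: 'ban' for injection signatures, 'block' for bursts, else 'allow'.
    A stronger verdict for an address always wins over a weaker earlier one."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    per_minute = Counter((e["ip"], e["minute"]) for e in entries)
    verdicts = {}
    for e in entries:
        ip = e["ip"]
        reason = sqli_reason(e["query"])
        if reason:
            verdict = ("ban", reason)
        elif per_minute[(ip, e["minute"])] > BURST_LIMIT:
            verdict = ("block", f"{per_minute[(ip, e['minute'])]} requests in one minute")
        else:
            verdict = ("allow", "")
        if ip not in verdicts or RANK[verdict[0]] > RANK[verdicts[ip][0]]:
            verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, why) in sorted(decide(LOG).items()):
        print(f"{ip:12} {verdict:5} {why}")
```

The signature check is deliberately narrow: `union` alone is a word people search for, so the rule insists on the `select` that follows it, and the integer check is tied to named parameters rather than applied to every field. The burst rule keys on the minute stamp the log already carries, which is coarse but enough to separate a flood from a reader clicking through pages.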
ahjah [ Saturday, 16 February 2008, 10:31 PM ]
Post subject: Re: Hacked
<img src="https://www.posetteforever.com/images/smiles/XXfart.gif" alt="" /> <- forgot this one??
Tormie [ Saturday, 16 February 2008, 10:57 PM ]
Post subject: Re: Hacked
Damn... <img src="https://www.posetteforever.com/images/smiles/connie_ashamed.gif" alt="" />