I have to run to work now, so I'll expand the topic later.

Today an user from 76.106.153.204 (comcast, USA) hacked the site. he did no damage and impersonated me and Andreas
It used a hole in the file links.php that has been removed, I'll investigate more when I'll be back.
I've also banned the Ip address and emailed at the abuse service at comcast.

It seemed to use a cookie "impersonation" so please Andreas, log out go here:

http://www.posetteforever.com/mycookies.php

close the browser, open it and login again.

Please, please, read the other topic about how to shut off the site when something like this happens   , try it and memorize the procedure, it's very important        

Back later

Davide

____________

Update:

I came home form work and I found that this was bad but it could be worse.

The Hacker attacked the file links.php (no more existing...) using this code:




Edit: DON'T try that code now, I've just installed a security code and you will be banned on the spot!!

this resulted in giving him the list all the hashes of the password (encrypted passwords in the database) and thus building a session key and simply steal the user's identity.

What he did and tried to do ?

First he tried to access the administration control panel, but it has a double password (that is what saved us) so he could not deface the site and limited the attack to steal Andreas identity and to lurk in some profiles, actually the one of grouchocaesar trying to change things but was stopped by the antispam protection. So he went to the shoutbox and wrote something about the lack of security and how he was a good hacker and did nothing (actually sure he could have done damages with my account but he wanted to do something worse in the admin control panel).

What I did ?

He had ALL the encrypted passwords (all the passwords in the site are encrypted, not even I can know what is the original password, but knowing the encrypted password in the database one can build a link with a working session id) So I searched and found a tool to re-encrypt the password twice, this tools also prevents the use of the encrypted password to enter the site. the alternative would have been to ask EVERYONE to change password.

Now, even if I changed the encrypted passwords, I suggest you to go to your control panel and change your password with a new one. I'll also chenage the password for the control panel with a new one and I'll send you the data with an email (if one steal your identity here he can go to this forum and simply see what the password is...)

Plus, having the complete log, I already cintacted comcast but I'll contact the FBI in the USA too.

More about this "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit" can be found here:

http://www.waraxe.us/ftopict-1916.html

You can see that this autonamed "hacker" did only a simple cut and paste from a code someone else did.

What he did is go to google and use this search string:

allinurl:links.php

he found us here (I can't see posetteforever now but it was one of the results)

http://www.google.com/search?q=alli...n&start=80&sa=N

then he went to the site and applied the hack code above, next he searched for my nickname:



here he is "me":



The first thing he tries is to go to the admin panel (and it was stopped by the password protection)



Andreas was on the site so he went to see his account number (78)



here he is "Ahjah"


here he goes to Andreas preferences (please andreas check them)


and that's all for now ...

____________

I'll check my stuff and change my password ( )...

____________

it is "just in case" Andreas, I've already re-encrypted them with a different method, to put it clearer, no one can know what your password is if not you , what is in the site is a MD5 encrypted string based on your password, the hacker got a list of this strings, but I've already changed them all so everyone is safe , but you know... maybe ...

For some reason that i don't understand we have been "under attack" since some months ago, however we where lucky this time. I'll do backups more often...

____________

... but we won't back down!   

____________

So what is with all of this Posy is welcoming around here? Greywolf and all. Is that part of the Hacker? It is really surprising that we are getting hit now.

____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.

No, it's an old feature that I resurrected, Posy will hug all new registered users . Yes it is surprising Kenny, it was also my fault not to keep certain files updated. I'm actually working on a major upgrade of the main security package installed, ctracker (at night, as usual )

____________

Maybe when it comes to topics like Hacking we need to keep it in the Mod area. It seems like some of the forum may have started a challenge with a Hacker out on the net. It has been quite and then this happens. Really makes you wonder. Very strange.

____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.

Kenny, the people that tries to hack Posetteforever are not real hackers, for a hackers PF can't be a target, it's a place without any commercial involvement. I's a target for people that cut & paste lines of code made by someone else, same as happened to 3dtapestry recently...

____________

Yes I know that Davide. What I was trying to say is that they may be doing this just for sport because we had talked about Hacking before and they fed of the conversation as a challenge.

____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.

maybe we're not winning but we're not even losing

____________

  

____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.

Well, after today's work on the site I think we've reached the maximum security level EVER, lol.

There were a couple of "phpBB security" packages that I never installed because they collided with other packages installed, but in the last period I became a little more skilled in understanding PHP (that is the programming language of the site) and I succeded in doing what I think is a good work.

Now if someone tries an UNION attack or some other tricks, he is automatically banned and blacklisted with a message that says "Posy Thinks You Should Go In Our Black List."

This system blocks different kinds of attacks, but expecially on DDOS attacks it can fails sometimes, so if you got banned for an error, contact me asap (I'll set the DDOS attacks on "BLOCK" instead of "BAN" anyway)

So now it's time to go back to normal businness ...

____________

<- forgot this one??

____________

Damn...  

____________