How was I hacked?

  • borbole
    replied
    Originally posted by Jump:

    Yes the host helped out with the logs, this was explained on the previous page; you're obviously skipping over posts and not reading all the details.
    I saw that they helped you with logs, but I did not see that they told you what exactly went down and what the point of entry for the hackers was.



  • Jump
    replied
    Originally posted by snakes1100:
    @Jump
    Fact 1. You got hacked.
    Fact 2. You fail to update your site or server.
    Fact 3. You try to protect your site with htaccess, because you fail to do the right thing.
    Fact 4. You will get hacked again regardless, because you again fail to update.
    Fact 5. Your postings that htaccess is going to protect them from exploits are false statements & numerous people have tried to explain that to you, you simply don't get it.
    Fact 6. You don't even remove your install directory & then you tell people to protect it as well; it shouldn't even be there after an install/upgrade/if you have to rebuild your indexes.

    Nobody is denying that htaccess is a valid source of protection in some aspects, but your statements simply aren't true.

    People, upgrade your sites. If you're running 3.8.x, use the plugin patch, there is no reason to do a full upgrade even, but don't be fooled that htaccess is going to 100% protect your site from being hacked.

    There is no excuse to not update your sites if a security patch is released!
    Fact 1 is the only correct fact here.
    Fact 4 is not true; it hasn't happened since October 2009.
    Fact 5 is incorrect. Where is your proof that it is not effective?
    I have definitely proved that it is effective and it has been effective since October 2009, as explained on the previous page. :-)

    You still have not provided any proof as to why the install directory should not be still there.
    If the staff here is reading this, can you please clarify this for me, thank you. :-) I would appreciate it.

    Maybe you should stick with something you know; obviously your experience is limited with these types of files. You seem to only pop in here to feed negative information about tactics that I have experience with, and that have definitely worked and are still working. Stick with the administration... you love your job!

    Originally posted by borbole:
    And fact 7: you should ask your host to check the access logs to see how they got in so the security issue/hole can be patched up. Otherwise the same thing will happen again and again, no matter what precaution you might take.
    Yes the host helped out with the logs, this was explained on the previous page; you're obviously skipping over posts and not reading all the details.



  • borbole
    replied
    And fact 7: you should ask your host to check the access logs to see how they got in so the security issue/hole can be patched up. Otherwise the same thing will happen again and again, no matter what precaution you might take.



  • snakes1100
    replied
    @Jump
    Fact 1. You got hacked.
    Fact 2. You fail to update your site or server.
    Fact 3. You try to protect your site with htaccess, because you fail to do the right thing.
    Fact 4. You will get hacked again regardless, because you again fail to update.
    Fact 5. Your postings that htaccess is going to protect them from exploits are false statements & numerous people have tried to explain that to you, you simply don't get it.
    Fact 6. You don't even remove your install directory & then you tell people to protect it as well; it shouldn't even be there after an install/upgrade/if you have to rebuild your indexes.

    Nobody is denying that htaccess is a valid source of protection in some aspects, but your statements simply aren't true.

    People, upgrade your sites. If you're running 3.8.x, use the plugin patch, there is no reason to do a full upgrade even, but don't be fooled that htaccess is going to 100% protect your site from being hacked.

    There is no excuse to not update your sites if a security patch is released!



  • Jump
    replied
    Once again, did you have the proper directories protected with a .htaccess file and a .htpasswd (encrypted) file when your forum got hacked?



  • Jump
    replied
    Originally posted by kmike:
    You can't say that for a fact. From the description it was a "hit and run" job, and the hackers just moved on after injecting the malicious payload.
    Yes Mike, I can say that as a fact. Obviously you are not reading my posts very carefully or you missed it.

    The main reason for my posts is to help SIM, the guy who started this thread.

    As you define it, the "hit and run" happened continuously: each time I used the fix-it template mod, the attack would happen again within 24 hours. Continuously 3 times in a row over the course of 4 days, each time using the fix-it template mod, which only fixed the templates.

    After experimenting with it, I decided to play with it by installing .htaccess and .htpasswd (Encrypted) in those directories after fixing the templates the 4th time!

    Waited a week, and no 24 hour injection attempts!?

    I then removed the .htaccess and .htpasswd (Encrypted) files, and guess what? Within 24 hours the injections started again!

    So I fixed the templates again with the fix-it mod, and since then no more injections. That was in October 2009.

    Was this all just coincidence? That's what I thought, so I did another week of experimenting and the same thing happened.

    I think we can sum all this up by saying that... from my experience this is a true story, and it was effective, and the bottom line... the facts prevail! :-)
    Last edited by Jump; Fri 16 Jul '10, 8:01am.



  • mcrider
    replied
    Originally posted by Jump:
    You still have not answered a simple question? ...Have you been hacked before?
    I have been hacked before...please explain how password protecting directories will help provide protection from RFI exploits or SQL injection exploits...

    I was hacked using an RFI exploit... using the RFI exploit and a shell script, they simply go to your config file, grab your info, log into your database and directly modify your database.



  • Jump
    replied
    Thanks

    Hello Mike,

    Thanks for the overload of information! Let's keep it simple by taking it one thing at a time, instead of blasting off so much information that you are confusing people who need help.

    TGIF! Glad to see that you are admitting that my intentions are finally valid. :-)

    The parse tool hack from VB.org changes the templates back to the originals, so not sure if that fixed the hole, but it seems that it wiped out the injection and put the infected templates back to normal.

    Like I have mentioned before, the next step was to protect the directory with .htaccess and .htpasswd (encrypted) files that were put in that directory, and the hacks were stopped. Sorry to tell you, but it worked. Hole or no hole, it has been protected. Injections were stopped. Very simple.

    You still have not answered a simple question? ...Have you been hacked before?
    Also, where is your proof? I gave you a few links about these types of files and how powerful they are.
    Where is your proof? All your proof seems to be hearsay.

    For example, we have all heard that it is possible to modify files in the ADMIN or INCLUDES directory without using the files inside the directories. Where is your proof that .htaccess and .htpasswd (encrypted) files inside that directory will not stop external injections? So far it has worked; do you have proof to back up your claim? Did VBSEO have these files in those directories when they got hacked? Do your research Mike and stick to things that you are 100% sure of! :-)

    The only level of confusion here is that... you find it hard to believe because you have not done this yourself before or had any experience with .htaccess and .htpasswd files, using them to see if it works and what the effects towards injections and hacks are.

    Template ID 737 forum page, which is located in the ADMINCP directory does make sense, because the forum.php is located in the ADMINCP that communicates with the database.

    The forum index was redirected, the parse tool fix-it mod fixed the templates, and the .htaccess files prevented further injections. :-)

    All pretty simple; maybe you should try it. It worked, and is still effectively working since last year! :-)



  • kmike
    replied
    Originally posted by Jump:
    All your info above you posted is not necessary; the fact that a simple fix for me has held off hackers for almost a year now, and a fact that it works.
    From what I read here, you still don't know what vector of attack the hackers have used to inject code into your forum. Most likely the hole is still there, and the hackers just moved on as they usually do. Or even worse, they may have left a shell script in an unrelated directory, and still use your site for the malicious purposes.

    Originally posted by Jump:
    Like I mentioned a few posts up, the malicious code was injected into template ID 737 forum page, which is located in the ADMINCP directory. What? This seems too hard to believe eh Mike?
    The level of confusion is off scale here: "template ID 737 forum page, which is located in the ADMINCP directory". Templates are located in the database. The whole sentence doesn't make any sense whatsoever.

    Also, I don't question that the template was modified. But _how_ was it modified? Do you know that? From the looks of it, you seem to believe that it was done by logging in to the admin CP, hence your naive belief that adding another level of password protection there would stop the same attack. But even if the attackers indeed just logged in to your admin CP to modify the template, had it occurred to you that they had to get the password first? And if they were able to get it the first time, nothing stops them from doing it again with the .htaccess password, unless the particular vulnerability used to steal the password is removed?

    Also, this may come as a surprise to you, but it's possible to modify a template without logging in to admin CP, and even without using any files from /admincp/ or /includes/. Case in point is last year's VBSEO vulnerability.

    Originally posted by Jump:
    The .htaccess file and encrypted .htpasswd file I put in that directory on October, 2009, has completely prevented any other attempts since then. Is this so hard to believe Mike? Want to come over to my house and look at the documents?
    You can't say that for a fact. From the description it was a "hit and run" job, and the hackers just moved on after injecting the malicious payload.

    Originally posted by Jump:
    I have provided links and proof, whether you see it or believe it or not, to help the person who started this thread. How about you? No help, no links, no evidence at all... funny.
    Yes, your intentions are good, but you should understand the limitations of your advice. Adding .htaccess protection limits just a few classes of attacks:

    1) logging in with the stolen admin password (but if the admin password was stolen, so could be the .htaccess password)

    2) exploiting a vulnerability in one of the files in the protected directory, but only if the vulnerability involves a direct HTTP access to the file. For example, the vulnerabilities in the supplement files located in the /includes/ directory generally aren't exposed by accessing the file through HTTP, but only indirectly when the vulnerable file is included by some frontend script like showthread.php.

    You should understand that when advising .htaccess files as an omnipotent fix for all and every forum hack. Yes, it's a good additional security measure, but that's it.

    I already gave my opinion about the thread starter's incident based on the evidence he gave here: most probably the attackers logged in with the stolen admin password. Hence your .htaccess advice is relevant here, but with the caveat I mentioned before - what stops the attackers from getting the .htaccess password using the same attack vector?

    I hope that clarifies some of the misconceptions you have been spreading here. There are some more I haven't touched (like that .htpasswd files should reside in the same directory as .htaccess - BAD idea for the security reasons!), but you are just too prolific.

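As an added illustration of two cautions raised in the thread (kmike's point in this post that .htpasswd should not sit beside .htaccess inside the web root, and snakes1100's earlier point that the install directory should not survive an install or upgrade), here is a small audit script. It is not code from vBulletin or from anyone in the thread; the webroot it inspects is a constructed throwaway layout, and the directory names and placeholder password entry are assumptions.

```python
"""Audit a forum webroot for two misconfigurations discussed in this thread:
a leftover install/ directory, and HTTP basic-auth password files stored
inside the document root. Added example; the sample layout is constructed."""
import re
import tempfile
from pathlib import Path

# Matches an Apache AuthUserFile directive and captures its (optionally quoted) path.
AUTHUSERFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?(.+?)"?\s*$', re.I | re.M)


def audit_webroot(docroot):
    """Return a sorted list of findings (strings) for the given document root."""
    root = Path(docroot).resolve()
    findings = []
    # Finding 1: install/ left in place after an install or upgrade.
    if (root / "install").is_dir():
        findings.append("install/: directory still present; remove it after install/upgrade")
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        # Finding 2: the password file itself lives under the document root.
        if path.name == ".htpasswd":
            findings.append(f"{rel}: password file inside document root; move it outside")
        # Finding 3: an .htaccess points AuthUserFile at a file under the document root.
        if path.name == ".htaccess":
            for match in AUTHUSERFILE_RE.finditer(path.read_text()):
                target = Path(match.group(1))
                if not target.is_absolute():
                    # Apache resolves a relative AuthUserFile against ServerRoot, not the
                    # .htaccess directory, so an absolute path is the only safe form.
                    findings.append(f"{rel}: AuthUserFile is not an absolute path")
                    continue
                target = target.resolve()
                if target == root or root in target.parents:
                    findings.append(f"{rel}: AuthUserFile resolves inside document root")
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample: one badly and one correctly protected directory."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "public_html"
    private = base / "private"  # outside the document root
    for d in (docroot / "install", docroot / "admincp", docroot / "includes", private):
        d.mkdir(parents=True)
    entry = "admin:$apr1$placeholder$placeholder\n"  # placeholder, not a real credential
    (private / ".htpasswd").write_text(entry)
    # admincp: password file kept beside its .htaccess inside the web root (the bad pattern).
    (docroot / "admincp" / ".htpasswd").write_text(entry)
    (docroot / "admincp" / ".htaccess").write_text(
        f'AuthType Basic\nAuthName "admincp"\nAuthUserFile "{docroot / "admincp" / ".htpasswd"}"\nRequire valid-user\n')
    # includes: password file stored outside the document root (the corrected pattern).
    (docroot / "includes" / ".htaccess").write_text(
        f'AuthType Basic\nAuthName "includes"\nAuthUserFile "{private / ".htpasswd"}"\nRequire valid-user\n')
    return docroot


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(finding)
```

Run against the constructed layout it reports three findings for install/ and admincp/ and none for includes/, which is the layout kmike's caveat recommends.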


  • Jump
    replied
    Evidence...

    Yes Mike, I still do have the evidence of the hacking attack on my forum.

    I save all my records for future reference and learning, sometimes my wife cannot believe how organized I am.

    Like I mentioned a few posts up, the malicious code was injected into template ID 737 forum page, which is located in the ADMINCP directory. What? This seems too hard to believe eh Mike?

    The .htaccess file and encrypted .htpasswd file I put in that directory in October 2009 have completely prevented any other attempts since then. Is this so hard to believe Mike? Want to come over to my house and look at the documents?

    I have provided links and proof, whether you see it or believe it or not, to help the person who started this thread. How about you? No help, no links, no evidence at all... funny.

    Never underestimate the power of .htaccess files! :-)



  • Jump
    replied
    Nice work Mike! :-) Lots of info, hope all is correct.

    Not changing the subject here. Real simple, the fact remains that every forum owner should protect their sensitive directories from unauthorized access via HTTP, which is what most cyberspace people surf on.

    All your info above you posted is not necessary; the fact that a simple fix for me has held off hackers for almost a year now, and a fact that it works.

    People who have had the same problem can at least try and see if it holds off further attempts, like you mentioned somewhere above in that mess.

    Have you been hacked before Mike?



  • kmike
    replied
    Originally posted by Jump:
    Yes Mike, no guessing here,

    When I got hacked I looked at the logs from the hosting, server, etc.
    It listed when and where the injection took place.
    I hope you have saved the evidence. What script was vulnerable?

    Originally posted by Jump:
    When it shows a malicious code that was injected into a PHP file on line 1309, and that file is located in the admincp directory, and that directory holds many other templates, then why not protect that directory with .htaccess files with an encrypted password and deny access to it? To prevent it from happening again...it works.
    So much confusion in the above...
    The script in admincp could have been modified by another script on the same server, and .htaccess can't prevent that. The script in admincp could have been modified by FTP, and htaccess also can't prevent that. It's because .htaccess only affects accesses to files via the HTTP protocol. If a PHP script accesses another file (script) on the filesystem, it doesn't do that through HTTP, but by using a direct filesystem call.
    Again, putting .htaccess in /admincp/ only prevents access via HTTP to the files in /admincp/. Of course that still limits a certain class of attacks, but it doesn't magically protect admincp files from modification caused by many many other attacks.

    Originally posted by Jump:
    Where are all the automated bots? LOL Answer...on the net...you don't think all hacks are done manually by hackers do you?

    A lot of the hacking is done with automated bot hackers just like crawlers, bots, etc. Professional hackers can create these that run automatically, without a hacker having to try and hack a forum manually......
    Somewhere along the way you deftly changed the subject - I'm not arguing that automated bots do not exist, I'm arguing about the existence of automated hacking bots for the specific admincp hackery. You claimed the admin CP is the main point for hacking, and there are automated bots to assist in that. Please point me to the evidence of their existence.

    Also I wouldn't argue that creating such bots (for example, for performing dictionary attacks on admin cp interface) is impossible and would never happen. It's that as of today, it's nowhere near a main point of hacking attacks, and there is no evidence that such bots are in the widespread use, if they exist at all.

    Originally posted by Jump:
    I'm sorry, I can't see any evidence about admincp hacking there. All I see is many logged attempts at SQL injection and remote file inclusion, but not in the admin CP. Search for "admincp" in that forum yourself.

    Originally posted by Jump:
    Maybe these administrators don't have experience or time for this, or are you guessing that they have mass experience and still have no clue?

    This looks like hearsay on your part.....find the facts! :-)
    No guessing on my part, only reading. I saw only one report with a decisive resolution of a hack. Most posts deal just with the consequences of the hack, and do not get to the cause of it.



  • Jump
    replied
    Originally posted by kmike:
    From what I read in this forum, generally the administrators of the hacked boards have absolutely no clue how the attackers do this. Was it a vB vulnerability? Was it a 3rd party mod or script vulnerability? a host vulnerability? or maybe the admin password was leaked by some malware on the admin's PC? (most likely the case of the thread starter)
    Maybe these administrators don't have experience or time for this, or are you guessing that they have mass experience and still have no clue?

    This looks like hearsay on your part.....find the facts! :-)



  • Jump
    replied
    Yes Mike, no guessing here,

    When I got hacked I looked at the logs from the hosting, server, etc.
    It listed when and where the injection took place.

    When it shows a malicious code that was injected into a PHP file on line 1309, and that file is located in the admincp directory, and that directory holds many other templates, then why not protect that directory with .htaccess files with an encrypted password and deny access to it? To prevent it from happening again...it works.

    Where are all the automated bots? LOL Answer...on the net...you don't think all hacks are done manually by hackers do you?

    A lot of the hacking is done with automated bot hackers just like crawlers, bots, etc. Professional hackers can create these that run automatically, without a hacker having to try and hack a forum manually......

    Here is evidence those exist:
    http://www.forumpostersunion.com/forumdisplay.php?f=217



  • Joe D.
    replied
    Originally posted by Jump:
    BOP, when creating the .htaccess file, you also use a .htpasswd file and encrypt the password. http://www.htaccesstools.com/htpasswd-generator/
    Yes I know... actually my host has a cpanel plugin that creates password protected directories automatically- you just browse to the directory and check a box to add password protection- makes life a little easier.

    As for the discussion, even if only 5% of hackers target admincp why not still have the extra password, it doesn't hurt in any way.

