Topic: Hacked again..

[smokester]

I thought I'd set up a thread with info about when we are hacked or an attempted hack that has caused the site to fail.

Today we were hacked and when that happens access is restricted to only my IP so I can get in and fix things.  It was awkward because I had to go to East London to a client so I could only inspect half of the site before I had to leave.  It looks ok now and I will try and get full access back to the members.

[goldshirt*9]

seems ok for me know.
I wont post a picture of the screen i got when i tried to log in  as all seems ok

[smokester]

We were hacked at around 9am (GMT) which really pissed me off as that it a bad time for me to sit down and wade through the site files. Next time can the hacker (if you are reading this) hack us around 1pm as I'll be all calm and drinking tea at that time.

[xtopave]

 

[dweez]

Any idea on how we were compromised?  Is there a SMF exploit we need to look into?

[Beatrix]

Sorry there Smokes.

[smokester]

Any idea on how we were compromised?  Is there a SMF exploit we need to look into?

Tricky one really.  In the past when the site shared the same password with the database, I assume they exploited a vulnerability to obtain it, and then created FTP user accounts and had a field day.  But now that is not the case and just last week we upgraded to MySQL 5.5, I have no idea how they got to upload some crap, even bypassing the SMF firewall while they did?

You could have always done it?  If it's more pay your after then consider your salary doubled as of today.

 

[ohcheap1]

I did email dweez when I saw it. Sadly he never responded.

[dweez]

Sorry oc1, I don't normally get a chance to check my e-mail on the weekend.

[smokester]

I did email dweez when I saw it. Sadly he never responded.

Did you get the "...forbidden" page?  The system is pretty good now as when malicious files are detected, access is automatically forbidden to all IPs.  Then when I see the notification they grant access to my IP and then I can go in a fix things.

Essentially this means if the site is hijacked, no one can unsuspectingly fall foul to a phishing scam or the like. 

[goldshirt*9]

I had the forbidden page and the 403 also
looked pretty impressive.

[smokester]

I had the forbidden page and the 403 also
looked pretty impressive.

The problem is that if the hack was to do with a MySQL vulnerability, it is not that straightforward to change the password for the database (that I know of). You have to rebuild it using a new user account which then has new credentials and then use that new database for the site.

What I am saying, without saying too much, is it could happen again.

[goldshirt*9]

O well
s==t happens 

[smokester]

O well
s==t happens

I don't think it will as it was futile, and tomorrow I'll be able to do the above.

[dweez]

I know it's fairly simple to reset the root password on MySQL.  Not sure if that applies to other accounts, but once you have the root password, you're pretty much golden for the whole thing.

http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html

This assumes we have root access to MySQL.  If we're sharing the MySQL instance with other sites, we might just have a specific user for Diasfora.  In cases like that, the hosting company should have root and should be able to reset the db account password for you.