
Hackable?

Please scroll down to this post, as it is the relevant post for this topic being bumped.

Ok, so a user has been spamming my site for a good while now. I was going to make a thread on it, but this is much more serious.

I made a deal with him(?) and if he could unban the first account he made (he said he could) .... , but if he couldn't, he'd stop visiting my site completely. He agreed, and what do you know? He unbanned the first account that I banned.

I am not sure if he somehow knew my password, or if he actually hacked v7 RC2. He kept going on about how he looked over the code of PF and said it was easily hackable.

I put my site in maintenance mode, as he edited one of my shoutbox posts. I looked and he is NOT an admin.

Any ideas about what could have happened?
This sounds very strange :o
Maybe he has access to your database?

Have you any infusions or mods installed?
Did you share your webserver with any other persons?

Change all your passwords and then ask him again if he can do things like that ;)

Also take a look at this:
http://www.php-fusion.co.uk/forum/vie...d_id=21480
@googlebot: if you can ask him how he did that and post it here, that would be nice... I really can't imagine how he did that, so the DEV team will be grateful for info...
Well ANYTHING is hackable. There's no such thing as UNHACKABLE website.
We know, but we are doing our best to secure them!
B) maybe the hacker is the web host administrator? - but that would be such a nuisant web hosting company, till the employee could do such annoying thing hehehe.

my guess is, he is a php fusion user and got your DB password. so he can do anything with the administrator privilege and then turn back to a banned member...........dunno:(
Ok guys, <maybe reason="rethought">I am going to take my website off maintenance mode</maybe>. I have already sent "testing" a pm asking how.

I was planning on that, TammyK (sending a pm), but I'm leaning toward he knew one of my (database or admin account) passwords. I have yet to change the database password, and am doing that now.

[edit]
Ok, so I have changed all passwords (my account password, sql password, ftp password, cpanel password). But I am not sure whether or not I should take my site off maintenance mode.

Oh, and someone said might be a web admin. Nope, it can't be. I have my reasons, but I know it's not, and it's backed up with solid proof (well, solid to me, won't mean anything to you guys...)

Quote

satikas wrote:
Well ANYTHING is hackable. There's no such thing as UNHACKABLE website.
It's like having an armoured security door. Won't keep Ocean's Eleven from entering your home, but the local gangs will not.
Check to see if there are any odd php/asp files in all your directories as well. Many times people can gain access to server itself through these files, as they have done in the past. So changing passwords will do no good till this is sure.

Previously, I have had someone upload a malicious php file that gave all server info: versions, passwords, root pass, etc. And not till blocking all these did it solve my issues.
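The check suggested in the post above can be done against a pristine copy of the package rather than by eye. The following is an added example, not code from the thread or from PHP-Fusion: it hashes a clean unpacked copy, then reports files in the live web root that were modified, script files that are not part of the package, and `.htaccess` files that map content to PHP (the ForceType case a later post in this thread raises). The extension list, directory names and sample tree are assumptions constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions the server may execute; adjust to the real handler configuration.
EXECUTABLE = {".php", ".phtml", ".php5", ".asp", ".aspx"}
# .htaccess directives that can make a non-PHP file (e.g. an image) run as PHP.
HANDLER_RE = re.compile(r"^\s*(ForceType|SetHandler|AddType|AddHandler)\b.*php", re.I | re.M)


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(clean_root):
    """Map relative path -> SHA-256 for each file of a pristine package copy."""
    root = Path(clean_root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in filter(Path.is_file, root.rglob("*"))}


def audit(live_root, manifest):
    """Return sorted (reason, relative_path) findings for the live web root."""
    root, findings = Path(live_root), []
    for p in filter(Path.is_file, root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.name == ".htaccess" and HANDLER_RE.search(p.read_text(errors="replace")):
            findings.append(("handler-override", rel))
        if rel not in manifest and p.suffix.lower() in EXECUTABLE:
            findings.append(("unexpected-script", rel))
        elif rel in manifest and sha256(p) != manifest[rel]:
            findings.append(("modified", rel))
    return sorted(findings)


def demo():
    """Constructed sample: a clean tree and a live copy with three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            (base / "images").mkdir(parents=True)
            (base / "index.php").write_text("<?php echo 'home'; ?>")
            (base / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        (live / "index.php").write_text("<?php echo 'changed'; ?>")
        (live / "images" / "extra.php").write_text("<?php /* not in package */ ?>")
        (live / "images" / ".htaccess").write_text("ForceType application/x-httpd-php\n")
        return audit(live, build_manifest(clean))
```

Calling `demo()` returns the three findings for the constructed tree; on a real site, build the manifest from a freshly downloaded package of the same version and expect legitimate local files such as the configuration file to show up as differences.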

Quote

Lazarus wrote:
Check to see if there are any odd php/asp files in all your directories as well. Many times people can gain access to server itself through these files, as they have done in the past. So changing passwords will do no good till this is sure.

Previously, I have had someone upload a malicious php file that gave all server info: versions, passwords, root pass, etc. And not till blocking all these did it solve my issues.


That's all in the link of the first post, which I wrote in this thread.

Quote

Quartzkyte wrote:
It's like having an armoured security door. Won't keep Ocean's Eleven from entering your home, but the local gangs will not.

Who is Ocean's Eleven and who cares?
Olsenbande rules :P

Greets to Josso, Jan Mol and helmuth b)

Quote

alcazar wrote:
Greets to Josso, Jan Mol and helmuth b)


... didn't get it... :|

Quote

Lazarus wrote:
Check to see if there are any odd php/asp files in all your directories as well. Many times people can gain access to server itself through these files, as they have done in the past. So changing passwords will do no good till this is sure.

Previously, I have had someone upload a malicious php file that gave all server info: versions, passwords, root pass, etc. And not till blocking all these did it solve my issues.

Yes, just a tiny bit of unseen code can be enough for the hacker to get back in. Code can also have been added to your panels. A bad thing is that once a hacker has got into your site, ftp, etc., it is hard to be totally sure that you have removed all of his code.
@Josso: Probably you are too young to know the aforementioned series :)
It's from Denmark, that's why the greetings...
Ok guys, can we please get back on topic? This is REALLY serious now.

I changed every password I know of, and they are different from each other (ie. None are the same).

I banned his 2nd account, and he unbanned it! I am restoring all files, and going over an indepth check of my database for anything. (I mean business.)

I don't have any infusions currently active that didn't come with the package. But I'm replacing them (obviously).

What can I say? It's definitely hackable. And it has now been hacked. Although he gave me a zip code he thought was mine, and was way off. I don't even understand that part...

And lastly, it's kind of sad. My site is about security, and it got hacked, easily (I think. It was done pretty fast.). It seems so, well, hypocritical. :|


I still have no idea how, he still won't share. Well, I'm going to try to hack my own site. In the mean time, it would be a good mod/infusion to log what's done in the admin panel, sort of like in phpBB, and it could be cleared with the admin password, but that would be logged, along with the member who cleared it. And an option would be good to log every page any member you choose visits, so for example I could track all of testing's moves. It wouldn't be hard, just using the member id ( if member id is testing's id ... ). In fact, I'll try to get him on this one. :evilgrin:
Ok, I don't mean to bump this thread, but I found something interesting today: http://www.hellboundhackers.org/profi...tdown.html

That is a hacking site that runs on PHP-Fusion v6.something

If you scroll down to the hall of fame entries, you can see that website patched a lot of vulnerabilities in PF. Could you guys make sure they aren't in v7? And in the v6.01.15 package?

Quote

googlebot wrote:
Ok, I don't mean to bump this thread, but I found something interesting today: http://www.hellboundhackers.org/profi...tdown.html

That is a hacking site that runs on PHP-Fusion v6.something

If you scroll down to the hall of fame entries, you can see that website patched a lot of vulnerabilities in PF. Could you guys make sure they aren't in v7? And in the v6.01.15 package?

I found something VERY disturbing to me today, directly related to this.

You guys probably know my site by now, and what type of content is on it. Well, I was using a handheld device, and I typed in to the url bar

Code:
javascript:alert(document.cookie);


I expected the usual fusion visited cookie, and the like, but then I saw this:

Code:
__utmz=long_number.utmccn=(referral)lutmcsr=hellboundhackers.orglutmcct=/profile/a_user.htmllutmcmd=referral; __utma=another_long_number


I googled around a bit, and found out this is tracking code. I used that javascript on my computer (not my handheld device), and that code wasn't there. I haven't cleared my cookies yet, because I have that javascript message still up.

Have I been social engineered? How do you implement this tracker? What's going on??
Any google results or other words of wisdom MUCH appreciated!

Edit: Ok, this is REALLY disturbing me now.
I googled a bit more, and came across this: http://userscripts.org/forums/1/topic...opics/2391
And I got to thinking, how could that be incorporated into the situation? Could it be executed upon visiting an image, where a .htaccess file has used a ForceType to use PHP? And furthermore, has called to include an image, so that it wouldn't look suspicious? This is really getting to me.

And could all of my passwords have been stolen?

[edit]Well, I cleared my cookies and cache on my handheld. And now if I visit my site on my handheld, nothing. No cookies, no nothing. Everything is back to normal. The only cookie that is set is fusion_visited.[/edit]

And I have to get a lot of rest tonight, oh joy. Well, I really hope someone can pull together a loose end or two.. Anything helps!
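For readers who meet the same cookies: `__utmz` and `__utma` are first-party cookies written by the classic Google Analytics tracking script (urchin.js / ga.js) running on the site being visited, and `__utmz` records how that browser arrived there. The decoder below is an added example, not part of the original posts; the cookie string is constructed in the documented layout with placeholder numbers, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample in the classic Google Analytics layout; the numbers and the
# profile path are placeholders, not values taken from the thread.
SAMPLE = ("fusion_visited=yes; "
          "__utmz=111111111.1220000000.1.1.utmcsr=hellboundhackers.org|utmccn=(referral)"
          "|utmcmd=referral|utmcct=/profile/a_user.html; "
          "__utma=111111111.222222222.1220000000.1220000000.1220000000.1")

# Campaign keys used inside __utmz and what each one means.
FIELDS = {"utmcsr": "source", "utmccn": "campaign", "utmcmd": "medium",
          "utmctr": "keyword", "utmcct": "content"}


def parse_cookie_header(header):
    """Split a document.cookie / Cookie header string into {name: value}."""
    pairs = (item.strip().partition("=") for item in header.split(";"))
    return {name: value for name, _, value in pairs if name}


def parse_utmz(value):
    """Decode <domain hash>.<set time>.<sessions>.<campaigns>.<k=v|k=v...>."""
    domain_hash, set_time, sessions, campaigns, campaign = value.split(".", 4)
    info = {"domain_hash": domain_hash,
            "set_at": datetime.fromtimestamp(int(set_time), timezone.utc).isoformat(),
            "sessions": int(sessions), "campaigns": int(campaigns)}
    for pair in campaign.split("|"):
        key, _, val = pair.partition("=")
        info[FIELDS.get(key, key)] = val
    return info


def explain(header):
    """Return the traffic-source record, or None if no __utmz cookie is present."""
    cookies = parse_cookie_header(header)
    return parse_utmz(cookies["__utmz"]) if "__utmz" in cookies else None


if __name__ == "__main__":
    print(explain(SAMPLE))
```

A `medium` of `referral` with a `source` and `content` path means the browser followed a link from that page to the site where the cookie was read, and the analytics script on that site recorded it.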
Users who participated in discussion: Ken, Wooya, Lazarus, Quartzkyte, starefossen, alcazar, Josso, Basti, jipeus, satikas, googlebot