Member, Joined: Jan 2007, Posts: 170
Any idea of how a hacker manages to gain access to put malicious code in my header.tpl file?
I have taken out Front page extensions and changed the admin passwords but it still keeps happening.
Any ideas?
UBB user since 1998

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
Was this an upgrade from a previous version of the software, like an older version of UBB.threads? If so, you may want to make sure that all of the old scripts, besides the redirects have been removed.
Second question would be what are the file permissions on the header.tpl file? You might want to change them back to something like 644, or not world-writable if it's a Windows server, which it sounds like it is, to see if it's being done through some type of web interface or through more direct means.

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
Also, make sure you review your admin logs in the control panel and check for anything out of the ordinary.

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
And one last thing. Any other php/cgi scripts on your domain?

Pooh-Bah, Joined: Dec 2003, Posts: 1,796
and .pl - lots of shell scripts are perl.

Member, Joined: Jan 2007, Posts: 170
Now I have done it - they hacked the file again last night and when I tried to edit it I must have missed something - now the header.tpl shows an error and the forums will not load. I do not have a backup of the file and my license and password are being rejected in the members area!
Can someone email me a copy of a generic header.tpl contents for 7.1 to admin@rncinternet.com
UBB user since 1998

Member, Joined: Jan 2007, Posts: 170
There is no trace of intrusion in the log files - someone suggested it could be sql injection. Would that be possible?
UBB user since 1998

Pooh-Bah, Joined: Dec 2003, Posts: 1,796
I believe the license supports sharing of template files - which version are you running?

Veteran, Joined: Aug 2006, Posts: 1,358
"I believe the license supports sharing of template files - which version are you running?" He mentions 7.1.

Member, Joined: Jan 2007, Posts: 170
I managed to get into the members area and download the header.tpl - I am now up and running. They did hack the footer.tpl as well. I will try changing the permissions as suggested above.
UBB user since 1998

Pooh-Bah, Joined: Dec 2003, Posts: 1,796
hmm, you might want to upgrade to the latest (7.2.2) - it's nearly impossible to support older installs against something like this without eliminating the obvious possible issue. A good number of bugfixes were fixed in the last year or so.

Member, Joined: Jan 2007, Posts: 170
Please excuse my lack of prompt replies - I am currently out of town in a remote location - this could not be happening at a worse time.
I did change the permissions on both the header.tpl and footer.tpl files and a little while ago found that the footer.tpl had been hacked again. It may be that it was done right before I changed the permissions - I am not sure. Or it may have been done after the permissions were changed. If that is the case, what am I up against here?
UBB user since 1998

Pooh-Bah, Joined: Dec 2003, Posts: 1,796
Well, there really are no known security exploits in current ubb.threads code - that's not saying someone hasn't found one tho. First option is to upgrade code to current released code. If you are unable to from your remote location I can do it for you very reasonably. PM me access details and I'll handle it today.
Outside the forum code itself - it really could be anything - if you recently upgraded from an older 6.5 series you could still have shell scripts on your server from the openings back then (prior to v 6.5.5). If there are any other scripts on your server they could be allowing access - anything else installed?
It could be the server software itself - are you running current software? (I would not run on anything less than current generally available versions on my own web sites).

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
Doug has filled out a support ticket so I was able to get in and at least look at the access logs for the past month. It's definitely not being done by any sort of web access.

Pooh-Bah, Joined: Dec 2003, Posts: 1,796
Some prankster at the host?

Member, Joined: Jan 2007, Posts: 170
I think I will back up the database using the utility within the UBB control panel this evening and then check tomorrow morning and see if the change of permissions stopped the hacks overnight and when I get back in the city on the weekend I will upgrade to the latest version and contact my host regarding possible pranksters.
Thank you for your help.
UBB user since 1998

Member, Joined: Jan 2007, Posts: 170
Last night I removed all of the old files that were left over from version 6 and had changed the permissions on the header.tpl and footer.tpl files. This morning my site was hacked again - this time they inserted the code into the ubbthreads.php file - my FTP program gave the time the file changed as 4:52 am.
Any ideas? Could the shout box be used to gain access? There was some shoutbox activity around 4:52.
UBB user since 1998

Member, Joined: Jan 2007, Posts: 170
I have contacted the host and they say they do not see any intrusion from others on the server. The host says this was likely done through one of the files still set to 777 on the server - the majority of those would be UBB files so I guess I can't change those.
Last edited by doug; 09/27/2007 9:29 AM.
UBB user since 1998
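Both the file-permission check suggested earlier in the thread and the question of when a file last changed can be automated. The following is an added example, not UBB.threads code or anything posted in the thread; it assumes Unix-style permission bits and builds a constructed temporary directory in place of a real forum root.

```python
import hashlib
import os
import stat
import tempfile

# Extensions the thread mentions: templates, PHP, and leftover v6 CGI/Perl scripts.
SCRIPT_EXTS = (".tpl", ".php", ".cgi", ".pl")

def script_files(root):
    """Yield (relative path, absolute path) for every template/script file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SCRIPT_EXTS):
                path = os.path.join(dirpath, name)
                yield os.path.relpath(path, root), path

def audit_permissions(root):
    """Files any local user could edit: the 'other' write bit (mode 777/666 style) is set."""
    return sorted(rel for rel, path in script_files(root)
                  if os.stat(path).st_mode & stat.S_IWOTH)

def snapshot(root):
    """Map relative path -> SHA-256 of content; keep the result off the server."""
    digests = {}
    for rel, path in script_files(root):
        with open(path, "rb") as fh:
            digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def changed_since(baseline, current):
    """Compare two snapshots: modified content, plus files that appeared or vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed sample tree, not a real install: a 777 header.tpl next to a 644 PHP file."""
    root = tempfile.mkdtemp()
    header, script = os.path.join(root, "header.tpl"), os.path.join(root, "ubbthreads.php")
    with open(header, "w") as fh:
        fh.write("<html><head><title>Forum</title></head>\n")
    with open(script, "w") as fh:
        fh.write("<?php // stand-in for the real file ?>\n")
    os.chmod(header, 0o777)
    os.chmod(script, 0o644)
    baseline = snapshot(root)
    # Simulate the overnight edit the thread describes: header.tpl gains an extra line.
    with open(header, "a") as fh:
        fh.write("<!-- injected line stands in for the attacker's iframe -->\n")
    return audit_permissions(root), changed_since(baseline, snapshot(root))
```

Run snapshot() once after a known-clean upgrade and diff against it on a schedule; a modification that shows up while no one was editing is the signal the FTP timestamp gave in the post above.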

Veteran, Joined: Aug 2006, Posts: 1,358
Nobody else with server access besides you? Old techy?

Member, Joined: Jan 2007, Posts: 170
I am the only one with access to my account on the server. Never had a "techy" - I am a one man show.
Host says the file was not changed using FTP.
UBB user since 1998

Veteran, Joined: Aug 2006, Posts: 1,358
Can't the host turn on some extended logging to see what is happening?

Former Developer, Joined: Apr 2007, Posts: 3,940 Likes: 1
I'm curious as to what it's hacked into.
Is it something obvious or just not what you think it should really be displaying?

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
I'll review your webserver access log again. I scanned through the past month when I last looked, now that you have an exact time, I can get a better idea.

Former Developer, Joined: Jun 2006, Posts: 9,242 Likes: 1
It just so happens that all of your access logs for the month have conveniently disappeared. Instead of being able to see everything in the past month, I can only see everything starting in the past hour, so it looks like these were purged by someone.
You might want to contact your host and see if there is anywhere else a copy of these might be located as I can't find anything at this point.

Member, Joined: Jan 2007, Posts: 170
Thanks to all for your help in this and especially to Rick for the excellent support and for rescuing my forum!
From what you all mentioned earlier in the post and from what I have subsequently found out - here is my theory of what has happened here...
I still did have all of the old version 6 cgi files on the server and for some reason many were set to 777. I think the intruder used those old files to acquire my account's cPanel password and changed my files through cPanel. I had changed the password after a previous incident but because the old files were still on the server he could get the new password.
This guy was even editing and deleting log files to cover his tracks - very persistent!
Last night I removed the old files and today I changed the cPanel password (after multiple attacks this morning) - so I am hoping my "theory" is correct and that this is over.
We shall see what happens tomorrow I guess.
UBB user since 1998

Member, Joined: Jan 2007, Posts: 170
Actually, thinking back - Version 6 should not be given a bad rap. Version 6 may not have been the original cause of all this as I was hacked back in July and attributed it to the FrontPage extensions that were "on" on my server. They probably originally gained access through FrontPage extensions and may have modified some of the old CGI files for later use if needed...
UBB user since 1998

Veteran, Joined: Aug 2006, Posts: 1,358
Let's hope you just changed the locks on your backdoor now!

Joined: Jun 2006, Posts: 16,301 Likes: 116
Well, there were several file inclusion issues in ubb.t6 for versions prior to 6.5.5.

Joined: Jul 2006, Posts: 4,057
Fingers crossed for you. Hope it settles down for you now. I guess your hacker could also be a member to watch the show as it happens from the stands, so to speak.
BOOM !! Version v7.6.1.1 People who inspire me Isaac ME Gizmo

Member, Joined: Jan 2007, Posts: 170
So far so good - usually by this time I have already been hacked. I searched for the perp's IP on Google and found it in several discussions about hacking into community sites - apparently it is a problem all over the web. I assumed that the IP was spoofed but maybe not - that would explain why he was deleting log files and changing "last login from" files.
In case anyone else suspects they have been hacked - what happens is the hackers place inline frames on your site using encrypted code. These frames are invisible and sometimes you may not even realize that you have been hacked - especially on subsequent events. The worst thing about all of this is that your members think they are getting viruses from visiting your site and traffic (and ad revenue) drops due to the redirects and members avoiding the site. For me, the easiest way to check if I had been hacked was to click on "Show Hidden Elements" under the Miscellaneous tab on the Webmaster toolbar for Firefox. Maybe you should try that on your site every once in a while as this issue is rampant on the web right now.
UBB user since 1998
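The hidden-iframe check described in the post above can also be run against the template files themselves rather than in a browser. The following is an added example, not code from the thread or from UBB.threads; the sample template contents are constructed, and the document.write(unescape(...)) form is an assumed shape for the obfuscated injection, not the actual payload from this incident.

```python
import re
from urllib.parse import unquote

# An iframe counts as hidden if it is zero-sized or styled invisible.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"(width|height)\s*=\s*['\"]?0(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
# Assumed obfuscation shape: document.write(unescape('%3Ciframe...')); decoded below.
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.IGNORECASE)

def decode_layers(text, max_rounds=3):
    """Return the text plus each successive %XX-decoded unescape() payload found in it."""
    layers = [text]
    for _ in range(max_rounds):
        payloads = UNESCAPE_RE.findall(layers[-1])
        if not payloads:
            break
        layers.append("\n".join(unquote(p) for p in payloads))
    return layers

def find_hidden_iframes(text):
    """Hidden iframe tags in text, whether written plainly or rebuilt from escaped JS."""
    return [tag for layer in decode_layers(text)
            for tag in IFRAME_RE.findall(layer) if HIDDEN_RE.search(tag)]

def scan_templates(files):
    """files: {name: content}. Names of templates carrying at least one hidden iframe."""
    return sorted(name for name, text in files.items() if find_hidden_iframes(text))

# Constructed samples, not captured from the incident in the thread.
CLEAN_HEADER = "<html><head><title>My Forum</title></head><body>\n"
INJECTED_HEADER = CLEAN_HEADER + (
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22"
    "%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))"
    "</script>\n"
)
INJECTED_FOOTER = '</body><iframe src="http://example.invalid/" style="display:none"></iframe></html>\n'
```

Feed scan_templates() the contents of header.tpl, footer.tpl and ubbthreads.php from a cron job and alert on any non-empty result; a legitimate template has no reason to carry a zero-sized frame.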

Old Hand, Joined: Jun 2006, Posts: 956
There was a hole in cPanel. I read a security notice from 21.6.2007 about attacks with MPack. Are you sure that your hoster closed the holes in cPanel? This was used in 2006 to prepare lots of webservers with iFrames and now these servers respond to the MPack attack and deliver malicious code to the users.

Joined: Jul 2006, Posts: 4,057
Thanks for the feedback
BOOM !! Version v7.6.1.1 People who inspire me Isaac ME Gizmo

Member, Joined: Jan 2007, Posts: 170
Zarzal, after reading up on MPack, I believe you are correct. It sure irks me that tech support for hosts would not be aware of this issue. Instead they waste my time and ramble on and on about how I must have an insecure script when it is they who are insecure.
UBB user since 1998

Joined: Jun 2006, Posts: 16,301 Likes: 116
This tends to happen sometimes; a webhost installs everything on the server and leaves it there, thinking "well I'm secure, everyone else is fine, so it has to be this guy". Why do they do this, you ask? They oversell the server, they don't want to maintain it (as it runs "properly", i.e. isn't crashing) and they don't upgrade things they had to pay for (like their control panel) because they don't feel like dipping into their "profits" to do upkeep to protect their users.
IMO, if you have the misfortune to run into one of these shady operations, you should go elsewhere.