#1 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
WBTA Forums restored
I'm sorry to report that the Forums on my site have been hacked. So far, this hacker used the email addresses of registered members to spam them with an invitation to his new site.
*** I'D URGE ANYONE ELSE WHO'S ALSO BEEN HIT BY THIS SPAMMER TO REPORT THEM TO: reportabuse@yahoo-inc.com . Try to include the message header, which shows the originating information. ***
*** TO THOSE AFFECTED; I CAN ONLY HIGHLY RECOMMEND THAT YOU RESET YOUR PASSWORDS *** both there and anywhere else that you log in, should you be using the same password anywhere else. (Details in the link above).
Last edited by bigben2k; 05-26-2005 at 05:54 PM.
#2 |
Big Player Making Big Money
Join Date: Aug 2001
Location: irc.lostgeek.com #procooling.com
Posts: 4,782
That's no good Ben. What forum software were you using?
__________________
Getting paid like a biker with the best crank... -MF DOOM |
#3 |
Put up or Shut Up
Join Date: Dec 2001
Location: Spokane WA
Posts: 6,506
IPB 1.2. It is old and broken.
#4 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Yep.
I'm going to use the Mambo Forum software from now on (SimpleBoard). I suppose that it's my fault really: the attack is apparently an SQL injection (I'm still investigating it). I have a bit more research to do, but I believe that this hacker essentially spoofed himself into the MySQL database, which would require the following information: the table name, and structure. The part where it's my fault is that I didn't change the prefix to the table, I used the default one (so the table name is public knowledge).
I've got a lot of work to do today, to change a number of settings, transfer the forum data to the new software, and reset all the passwords, again.
Otherwise, I don't believe that this hacker had any malicious intent; he just grabbed the list of emails, and sent out invitations to his new site (a hacking site, of course). They didn't deface the site or anything like that, but I have to double check everything.
They don't appear to be too smart either; I've got a long trail of their actions. They're based in Mexico, and get on the net through Prodigy. I have their IP addresses, so I'm going to redirect them to their own site, as soon as I can set it up. If anyone knows how to set up the ".htaccess" file, let me know.
I'll post updates on the progress.
#5 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Some progress:
I found out that the SQL injection was indeed done through a vulnerability of the IPB forum software. The hacker essentially followed these steps:
1. Identify a weakness in some open source software, in this case IPB forum 1.2.
2. Google the net for any site running it.
3. Apply the hack.
Much more work to do.
#6 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
The old forum software has been disabled.
The whole site was backed up yesterday, along with the database. I'll double check the content later. The new software has been installed, but needs to be reconfigured (It's been running for two weeks already, so I have to assume that it's compromised). I reported the hacker to his ISP: I don't expect much though, it's in Mexico... |
#7 |
Thermophile
Join Date: Sep 2002
Location: Charlotte, NC
Posts: 1,014
Someone must really be bored to hack your website. I mean, really. Come on.
__________________
I have a nice computer. |
#8 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Yep... an email list is 'bout the most valuable thing on there, as far as other people are concerned.
It amazes me how much work I have to do to fix this. I've got a backup of the DB, but accessing it is not so easy from the office: I don't have any database program here. I'll bring MS Access with me tomorrow.
I plan to rename all the tables, because I have to assume that the table names are known now. It's probably not relevant, but I'd rather start fresh. My host's on-line tools won't let me rename the DB, so I have to delete it, then recreate it (which I was going to do anyways).
I've isolated the faulty software in its own folder, and removed all permissions. I have to leave it on there, until I complete the data transfer, because I might have to access the old Forums, to make sure that all the data is going to be transferred correctly. Ugh.
#9 |
Put up or Shut Up
Join Date: Dec 2001
Location: Spokane WA
Posts: 6,506
Has your host updated to the newest version of MySQL and PHP? That was supposed to fix the Injection problems.
#10 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Yeah, they did.
#11 |
Put up or Shut Up
Join Date: Dec 2001
Location: Spokane WA
Posts: 6,506
Must just be the old forum software. As far as I can tell SMF 1.3 is pretty secure. Haven't heard of any problems yet. What is also nice about it is it auto updates itself. There is the package manager in the control panel and all you have to do is make a few clicks and it updates to the newest version.
#12 |
Cooling Neophyte
Join Date: Aug 2003
Location: MIT
Posts: 78
For the IPB 1.x series, current is 1.3. I wouldn't be surprised if there are a few unpatched holes in 1.2. As they've moved to a pay to play system, IPB is a bit hard to justify for a lot of things. It's still a very nice forum software.
#13 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Agreed, thanks guys!
I've got MS Access here at the office today, so I'm going to be porting the new content over to SMF. The new forum software is up, but I locked it for "maintenance". The hardest part is going to be renaming the DB and tables. Apparently an SQL injection allows one to find out the table names, so even if I did use something custom, it wouldn't have done anything. It really came down to the fault in the old software. I'll report the progress.
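
An added example, not code from this thread or from IPB: it shows why renaming tables does not stop an injection when the application builds its SQL by string concatenation, because the vulnerable query already names the table for whoever injects into it. The table prefixes, the `members` table and its columns, and the sample rows are all constructed for illustration, using Python's built-in `sqlite3` rather than MySQL.

```python
import sqlite3

def make_db(prefix):
    """Build a constructed members table under the given table prefix."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}members (name TEXT, email TEXT)")
    db.executemany(
        f"INSERT INTO {prefix}members VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def lookup_concat(db, prefix, name):
    # Vulnerable pattern: the user-supplied name is pasted into the SQL text,
    # so quotes inside it change the structure of the statement.
    sql = f"SELECT email FROM {prefix}members WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, prefix, name):
    # Hardened pattern: the name is bound as a parameter and is only ever
    # compared as data. (The prefix is trusted site configuration, not input.)
    sql = f"SELECT email FROM {prefix}members WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(prefix, name):
    """Return (concatenated result, bound result) for the same input."""
    db = make_db(prefix)
    return lookup_concat(db, prefix, name), lookup_bound(db, prefix, name)

# Constructed hostile input: closes the string literal and adds a condition
# that is always true.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    for prefix in ("default_", "custom_zq81_"):
        leaked, safe = compare(prefix, HOSTILE)
        print(prefix, "concatenated:", leaked, "bound:", safe)
```

With either prefix the concatenated query returns every address while the bound query returns nothing, so the fix belongs in how the query is built, not in what the table is called.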
#14 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
The forums are now restored. Old passwords are in effect.
There's still a bit of cleaning up of the converted data to do, most of which I've done manually, because I can't set up a database program here at the office (administrator restrictions), and I don't know enough about MySQL to design a query to fix it...
Otherwise, I don't believe that the hacker actually got anyone's password; the hack was not *that* involved (but I'm not able to verify that).
#15 |
Cooling Neophyte
Join Date: Aug 2003
Location: MIT
Posts: 78
What exactly do you need to sort with the query? I'm sure there are several of us here that are handy with mySQL that should be able to help.
#16 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Actually, I need to replace part of a post, with some new code.
For example, an emoticon was listed as `<!--emot`
Right now, I'm manually correcting the posts, using the PHPMyAdmin interface. I have to replace the tags for html links, and the Quote feature.
Another bugger is that the new software requires every post to have a "subject", which is the same as the first post in the thread, preceded by "Re:". (I manually set the first post's subject, because otherwise the thread names are blank. The old software kept the thread title in another table).
#17 |
The Pro/Life Support System
Join Date: Dec 1999
Location: Denver, CO
Posts: 4,041
There's a reason I run vbb
__________________
Joe - I only take this hat off for one thing... ProCooling archive curator and dusty skeleton. |
#18 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Must be nice!
All right, I have it down to one last task; updating the post "subject" field. Can anyone help me formulate the SQL query to do this?
The field in table A is called "subject". (Table A contains the post's information)
It needs to be updated to the field called "title" from table B (Table B contains the thread info).
The two tables are linked as follows: table A, field "ID_TOPIC" and table B, field "tid".
The trick is that in the update, the information has to be preceded with "Re: ". Anyone?
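
One way to write the update asked about above, as an added example; it is not the query the poster ended up using, which the thread never shows. It runs against an in-memory SQLite database with constructed rows. The table names `posts` and `topics` and the `ID_MSG` column are assumptions, as is the choice to leave the first post of each thread and any post without a matching thread untouched.

```python
import sqlite3

# Constructed sample data. "posts" stands in for table A and "topics" for
# table B; ID_TOPIC, subject, tid and title are the fields named in the post.
# ID_MSG (a per-post id) is an assumed column. Post 30 points at a topic that
# does not exist, to exercise the orphan case.
def build():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics (tid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE posts (ID_MSG INTEGER PRIMARY KEY,
                            ID_TOPIC INTEGER, subject TEXT);
        INSERT INTO topics VALUES (1, 'Pump noise'), (2, 'Forums restored');
        INSERT INTO posts VALUES
            (10, 1, 'Pump noise'), (11, 1, ''), (12, 1, ''),
            (20, 2, 'Forums restored'), (21, 2, ''),
            (30, 99, 'orphan');
    """)
    return db

# SQLite form: a correlated subquery fetches the thread title. The EXISTS
# guard keeps orphaned posts from being set to NULL, and the MIN() test skips
# the first post of each thread, whose subject was set by hand.
# A MySQL multi-table form of the basic update (without the two guards) is:
#   UPDATE posts p JOIN topics t ON p.ID_TOPIC = t.tid
#      SET p.subject = CONCAT('Re: ', t.title);
FIX_SUBJECTS = """
UPDATE posts
   SET subject = 'Re: ' || (SELECT title FROM topics
                             WHERE tid = posts.ID_TOPIC)
 WHERE EXISTS (SELECT 1 FROM topics WHERE tid = posts.ID_TOPIC)
   AND ID_MSG <> (SELECT MIN(p2.ID_MSG) FROM posts AS p2
                   WHERE p2.ID_TOPIC = posts.ID_TOPIC)
"""

def fix_subjects(db):
    """Apply the update in one transaction; return (rows changed, subjects)."""
    with db:
        changed = db.execute(FIX_SUBJECTS).rowcount
    return changed, dict(db.execute("SELECT ID_MSG, subject FROM posts"))

if __name__ == "__main__":
    changed, subjects = fix_subjects(build())
    print(changed, subjects)
```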
#19 |
Responsible for 2%
of all the posts here. Join Date: May 2002
Location: Texas, U.S.A.
Posts: 8,302
Never mind, I figured out the query.
The forums are now fully operational, and all data has been converted to the new software. Pfew! |