Recent Hacking Discussion (continued...)

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

Re: Recent Hacking Discussion (continued...)

PostAuthor: adbasque » Fri Sep 01, 2006 9:39 am

Hello everybody,

First of all, thanks to you all for treating this subject and getting everybody involved. As I posted previously, I had my website hacked a couple of days ago. This is the very first time it has happened to me, and I have had websites for over 13 years now. I must admit I was a bit shocked when I discovered that all my DB was wiped out.

So my question is: if we discuss hacking etc. here on this forum (and first of all, it's sad to use this term "hacking" for these idiots who enjoy destroying, because a real hacker builds, doesn't destroy), and we are given security patches etc., how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways around these security patches?

(I also noticed that any Integramod site I went to visit, including mine, I found very, very slow; they drag.)

I use a 10MB connexion and it is still as if I am using dial-up when I am surfing "Integramod" sites. Is it me or is it a fact? I don't have problems with other sites except Integramod, not even with phpBB boards.

I am rebuilding my new site, downloaded Integramod 140, running phpBB 2.0.17. Is there a way to upgrade to the new versions straight from phpBB 2.0.17 to phpBB 2.0.21?

I always get this message: "Your Daily Database Backup Failed".
How can I fix this please, because it's mainly security updates?

Please help, I don't want to go through this again. It took me almost a year to get my site to finally look like a real website, and this ***** destroyed it in a few minutes or hours.

I know that whoever hacked my site used an SQL injection. How can we protect ourselves against such attacks, please? And finally, I read about "register globals being on or off": where exactly do I need to turn it on and off?
Thank you all for your hard work!!

Re: Recent Hacking Discussion (continued...)

PostAuthor: Dioncecht » Fri Sep 01, 2006 11:15 am

[code]Hello everybody, first of all, thanks to you all for treating this subject and getting everybody involved. As I posted previously, I had my website hacked a couple of days ago. This is the very first time it has happened to me, and I have had websites for over 13 years now. I must admit I was a bit shocked when I discovered that all my DB was wiped out. So my question is: if we discuss hacking etc. here on this forum (and first of all, it's sad to use this term "hacking" for these idiots who enjoy destroying, because a real hacker builds, doesn't destroy), and we are given security patches etc., how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways around these security patches?[/code]

The problem is, you can't really tell if you have a hacker here lurking and analyzing the code or whatever, but the devs always try to create a package without big gaping holes in the first place. Since that's nearly impossible, the only real defense we have is having guys like the devs here who are quick to identify and patch holes. Also, the community here is always trying to help the devs out, so that makes their life a little easier.

[code](I also noticed that any Integramod site I went to visit, including mine, I found very, very slow; they drag.) I use a 10MB connexion and it is still as if I am using dial-up when I am surfing "Integramod" sites. Is it me or is it a fact? I don't have problems with other sites except Integramod, not even with phpBB boards.[/code]

Integramod is big with lots of mods. A lot of times a faster host like mine can take some of the sluggishness out, but the fact still remains, IM is really big with lots of features. As the development goes on, I am sure they are taking load times and number of queries into consideration and looking for ways to reduce them. If you take a vanilla phpBB and mod the hell out of it, you'll get the same effect. As the number of queries increases, so does the load on the processor and as a result, the speed starts to suffer. Problem is, when you start changing code to adjust one thing, it has an effect on many other things, so it's a delicate process tinkering with it.

[code]I am rebuilding my new site, downloaded Integramod 140, running phpBB 2.0.17. Is there a way to upgrade to the new versions straight from phpBB 2.0.17 to phpBB 2.0.21?[/code]

Nope.. .17 -> .19  security patch 1.0.2 -> 1.0.3  -> .20 -> .21 .... in that order

[code]I always get this message: "Your Daily Database Backup Failed". How can I fix this please, because it's mainly security updates?[/code]

One of the updates fixes that.. not sure which one

[code]Please help, I don't want to go through this again. It took me almost a year to get my site to finally look like a real website, and this ***** destroyed it in a few minutes or hours. I know that whoever hacked my site used an SQL injection. How can we protect ourselves against such attacks, please? And finally, I read about "register globals being on or off": where exactly do I need to turn it on and off? Thank you all for your hard work!![/code]

I'll let Michaelo answer that one.. I don't remember.. I think it's a statement in the .htaccess?

Re: Recent Hacking Discussion (continued...)

PostAuthor: evolver » Fri Sep 01, 2006 11:57 am

"adbasque";p="14756" wrote:Please help, I don't want to go through this again. It took me almost a year to get my site to finally look like a real website, and this ***** destroyed it in a few minutes or hours.

The best advice for every system:
ALWAYS TAKE BACKUPS!!!
...and keep them in a safe place (not on the server)

That will always be the most secure way of protecting your work against destruction...

But I know...
People tend to forget about that... especially when nothing bad seems to happen for a long time...
But everybody knows that bad things happen most when it's not expected anymore...

Re: Recent Hacking Discussion (continued...)

PostAuthor: computerz » Fri Sep 01, 2006 1:49 pm

[code]So my question is: if we discuss hacking etc. here on this forum.....we are given security patches etc., how can we make sure that the hackers are not actually members here, so they get the answers too, which means they can find ways around these security patches?[/code]

The patches given here are merely input filters, in this case very good ones. So there's nothing they can do about it unless they manage to rewrite PHP or find a completely different vulnerability. So I wouldn't worry too much about their seeing the patch.

Re: Recent Hacking Discussion (continued...)

PostAuthor: evolver » Fri Sep 01, 2006 2:36 pm

"adbasque";p="14756" wrote:I know that whoever hacked my site used an SQL injection. How can we protect ourselves against such attacks, please? And finally, I read about "register globals being on or off": where exactly do I need to turn it on and off?
Thank you all for your hard work!!

I have looked at some hackers' scripts...
SQL injection is something they are working on...
Their scripts are already testing this, but it's not fully supported yet.

Yes, they have support for this too
Attacks come from Script-Kiddies who don't know much about coding themselves, they just use prepared scripts and have support for these things as well...

In their scripts I've found lines like these:
[code]Attention! SQL-Manager is NOT ready module! Don't reports bugs.[/code]
[code]But, you can't connect to forum sql-base, because db-software="".$dbms."" is not supported by c99shell. Please, report us for fix.[/code]
[code]If you think, it is mistake, please send us url and dump of $GLOBALS.[/code]

It's very obvious that they are not working alone...

PostAuthor: Michaelo » Fri Sep 01, 2006 4:31 pm

True, and worrying but same as before...
Backup failure... need to know if you are using a Windows or Linux server here, as the backup method may require alterations, but as evolver alludes to in his post, a manual backup from time to time (monthly/weekly) to your local machine is of paramount importance...

The current automatic backup is intended for normal restoration and simple breakdowns and not for restoration after hacking... i.e. some hackers are quite capable of removing your automatic backup files, so a local copy is needed...

Mike

Re: Recent Hacking Discussion (continued...)

PostAuthor: adbasque » Fri Sep 01, 2006 5:12 pm

[quote="evolver"]I have looked at some hackers' scripts...
SQL injection is something they are working on...
Their scripts are already testing this, but it's not fully supported yet.

Yes, they have support for this too
Attacks come from Script-Kiddies who don't know much about coding themselves, they just use prepared scripts and have support for these things as well...[/quote]

I totally agree with you, a real hacker will not spend his/her time hacking into people's websites. Real hackers create, help people, and most of the time they help people protect their organisations and so on.

These idiots, they get ready-made scripts and some instructions, but the truth is, whichever technique they use, they haven't got a clue what's happening after they launch the script. They simply start the script with the set of instructions, and they call themselves hackers. Big "Joke".
Yes, they are destructive, but idiots. If anybody writes a script and hacks people's sites, even though I don't like what he is doing, I will show him some respect, but these guys are parasites.

Anyway, thanks for all your hard work and we will not let them beat us.
I personally think that the Governments worldwide should really crack down on these viruses (I call them viruses personally), and please don't tell me they can't, because I know they, they find excuses, as if it's very costly to track them down. I think it's loads of B***. Go and hack into a bank and you'll see if they don't turn up the next morning.

Anyway, lol, I don't want to turn this into a political debate.
Thanks again guys for all your hard work, help and support.

PostAuthor: Michaelo » Fri Sep 01, 2006 8:54 pm

Sorry tekguru... missed your question... there should be no need to turn off Style Select now... Be safe turn off Registered Global if you can...

PostAuthor: tekguru » Fri Sep 01, 2006 10:47 pm

Hi michaelo, cheers for replying, the Style block has been turned back on for Admins only for testing but even though the hacks are in place correctly I still get a 'Hacking attempt' warning whilst trying to use any style change.

The style change we need working is on the main top menu instigated via QBar entries:

http://www.4winmobile.com/portal.php

Registered Globals has always been turned off on the server.

Any ideas which file I need to start looking at?

Really need help to get this working as otherwise my PDA using users can't use the mobile version of the site to access.

PostAuthor: Michaelo » Sat Sep 02, 2006 5:11 am

Confirm the functions.php edits are as per 2nd post here (second edit in functions.php)...

PostAuthor: sasan » Sat Sep 02, 2006 5:28 am

Hi my friend, I tested your site and I must say your site has a bug!
Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/windows/public_html/includes/functions.php on line 37

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/windows/public_html/includes/functions.php on line 37

If register global is on your site no hacking!! Please fix this bug on your forum, thx, sasan

Re: All discussion re latest hacking of IntegraMod

PostAuthor: dan0042 » Sat Sep 02, 2006 6:20 am

[quote="Michaelo";p="14453"]Patch: To protect from a recent remote hack please add the following patches...

Look here for the latest updates. Note I have added a revision number to this post so keep an eye on it

Note with this fix you do not need register_globals off however setting to OFF is advisable... register_globals will disappear in php6...

functions.php 2 fixes Rev 05a
[code]
Open]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
    {
        (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] ] );
        if($style == 0) { die('Hacking attempt'); exit; }
        if ( $theme = setup_style((int)$style) )
        {
            setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
            return;
        }
    }

    if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
    {
        $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
        if ( $theme = setup_style((int)$style) )
        {
            return;
        }
    }
[/code]

function_portal.php 1 fix Rev 05
[code]
Open]
[/code]

functions_mods_settings 1 fix Rev 05
[code]
Open]
[/code]

If you have been hacked, remove all unknown files, change your passwords for main admin, admins and moderators and upload files again from original source making sure the above fixes are added.

I am aware that people may have the above files with 2.0.21 updates installed so I am not attaching updates as my files probably won't match everyone's...

Mike
Updated]Rev 006[/quote]
[code]
Find]) || (int)isset($HTTP_GET_VARS[STYLE_URL]) )
    {
        (int)$style = urldecode( (isset($HTTP_POST_VARS[STYLE_URL])) ? $HTTP_POST_VARS[STYLE_URL] : (int)$HTTP_GET_VARS[STYLE_URL] );
        if($style == 0 || $style > 49) { die('Hacking attempt'); exit; }
        if ( $theme = setup_style($style) )
        {
            setcookie($board_config['cookie_name'] . '_style', $style, time() + 31536000, $board_config['cookie_path'], $board_config['cookie_domain'], $board_config['cookie_secure']);
            return;
        }
    }

    if ( isset($HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style']) )
    {
        $style = $HTTP_COOKIE_VARS[$board_config['cookie_name'] . '_style'];
        if ( $theme = setup_style($style) )
        {
            return;
        }
    }
[/code]

Don't see that one, it's missing.
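An added example, not part of the original thread and not IntegraMod code, of validating the style parameter strictly. In the quoted code the `(int)` in `(int)$style = urldecode(...)` applies to the value of the assignment expression and leaves `$style` a string, so the value that is range-checked is not necessarily the value later passed to `setup_style()` and `setcookie()`. The helper names, the constant (mirroring the `$style > 49` bound above) and the sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not IntegraMod code. parse_style_id() and
// cast_only_style_id() are hypothetical helpers; STYLE_ID_MAX mirrors the
// "$style > 49" bound in the quoted Rev 006 check.
const STYLE_ID_MAX = 49;

// Cast-only handling: (int) keeps leading digits and silently drops the rest,
// and turns any non-empty array into 1, so malformed input can pass the range
// check while the original $raw value is still what other code sees.
function cast_only_style_id($raw)
{
    $id = (int) $raw;
    return ($id >= 1 && $id <= STYLE_ID_MAX) ? $id : null;
}

// Strict handling: only a one- or two-digit decimal string is accepted. The
// returned int, never $raw, is what goes to the style lookup and to setcookie().
function parse_style_id($raw)
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,2}\z/', $raw) !== 1) {
        return null;
    }
    $id = (int) $raw;
    return ($id >= 1 && $id <= STYLE_ID_MAX) ? $id : null;
}

// Constructed sample inputs, as they could arrive in a request or a cookie.
$samples = array('7', '49', '50', '0', '', '7abc', ' 7', '-3', '7.0', array('7'));

foreach ($samples as $raw) {
    $cast   = cast_only_style_id($raw);
    $strict = parse_style_id($raw);
    printf(
        "%-8s cast-only: %-7s strict: %s\n",
        json_encode($raw),
        $cast === null ? 'reject' : (string) $cast,
        $strict === null ? 'reject' : (string) $strict
    );
}
```

The same parsed integer should be used for the cookie branch as well, since the cookie value is as untrusted as the GET or POST value.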

PostAuthor: Drop-Forged » Sat Sep 02, 2006 7:01 am

"sasan";p="14807" wrote:Hi my friend, I tested your site and I must say your site has a bug!
Warning: main(./includes/functions_categories_hierarchy.): failed to open stream: No such file or directory in /home/windows/public_html/includes/functions.php on line 37

Warning: main(): Failed opening './includes/functions_categories_hierarchy.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/windows/public_html/includes/functions.php on line 37

If register global is on your site no hacking!! Please fix this bug on your forum, thx, sasan



If that is copied correctly it looks like you are missing $phpEx on that line.

Open includes/functions.php,

find:

[code]includes/functions_categories_hierarchy[/code]

Replace the entire line that it is in with:
[code]include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx );[/code]

That should resolve that issue.

Note: To be clear, replace the entire line of code with the one I gave you, in the end those 4 lines should look like:
[code]  //-- mod ][/code]

Re: Recent Hacking Discussion (continued...)

PostAuthor: Michaelo » Sat Sep 02, 2006 7:07 am

I have updated the security fixes and removed the php_root_path test as the standard IN_PHPBB should be enough to block hackers... I would prefer to initialise all variables used in a file rather than disallowing access based on an external definition; however, the simple solution is easier and removes problems that affected others while at the same time blocking the hackers...

It still remains bad programming practice to have uninitialised variables in a file but we have no option.

See post for details...

Mike
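The two defences compared in the post above, as an added example that is not part of the original thread or of IntegraMod: a guard on a constant set by the entry script versus initialising every variable a file uses. The function, its parameters and the request values are constructed, and register_globals is emulated with `extract()`.

```php
<?php
// Added illustration, not IntegraMod or phpBB code. resolve_include() and the
// request array are constructed. register_globals (removed in PHP 5.4) is
// emulated with extract(); where the setting still exists it is disabled with
// "register_globals = Off" in php.ini or "php_flag register_globals off" in
// .htaccess under mod_php.

// Returns the path an include file would load, or null if it refuses to run.
function resolve_include(array $request, $register_globals, $via_entry_script, $use_guard, $initialise)
{
    if ($register_globals) {
        // Request keys become variables; EXTR_SKIP protects this function's own parameters.
        extract($request, EXTR_SKIP);
    }
    if ($via_entry_script) {
        // Normal page load: the entry script defines IN_PHPBB and sets these.
        $phpbb_root_path = './';
        $phpEx = 'php';
    }

    // Approach 1, the IN_PHPBB test: refuse a direct request to the file.
    // A constant cannot be supplied through a request parameter.
    if ($use_guard && !$via_entry_script) {
        return null; // real code: die('Hacking attempt');
    }

    // Approach 2: give every variable a known value before it is used.
    if ($initialise) {
        $phpbb_root_path = './';
        $phpEx = 'php';
    }

    $root = isset($phpbb_root_path) ? $phpbb_root_path : '';
    $ext  = isset($phpEx) ? $phpEx : '';
    return $root . './includes/functions_categories_hierarchy.' . $ext;
}

// Constructed request that tries to set the two variables from outside.
$request = array('phpbb_root_path' => '/constructed/untrusted/', 'phpEx' => 'txt');

$cases = array(
    // label => array(via_entry_script, use_guard, initialise)
    'direct, no guard, uninitialised' => array(false, false, false),
    'direct, IN_PHPBB guard'          => array(false, true,  false),
    'direct, variables initialised'   => array(false, false, true),
    'normal page load, guard'         => array(true,  true,  false),
);

foreach (array(true, false) as $rg) {
    foreach ($cases as $label => $c) {
        $path = resolve_include($request, $rg, $c[0], $c[1], $c[2]);
        printf("register_globals=%-3s  %-32s => %s\n",
            $rg ? 'on' : 'off', $label, $path === null ? 'refused' : $path);
    }
}
```

Only the first case with register_globals on yields a path built from request data; either defence alone removes it, which is why the guard is sufficient even though initialising variables is the cleaner practice.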

PostAuthor: Michaelo » Sat Sep 02, 2006 7:13 am

Just a note re syntax...

If you see code like Find:
includes/functions_categories_hierarchy...
This indicates only partial text in find, that is, the line to find starts with includes/functions_categories_hierarchy but is longer.

dan0042
I will redo this post to clarify what I intended but basically the code at the bottom goes between the
// BEGIN Style Select MOD

(REPLACE this with code)

// END Style Select MOD

comments, i.e. replace this (all code between these comments) with the code at the bottom...

Mike
Last edited by Michaelo on Sat Sep 02, 2006 11:25 pm, edited 1 time in total.
