Hack attempt on the forum http://www.indianwebmaster.org

Discussion in 'Security' started by invincible.vib, Nov 3, 2006.

  1. #1
    invincible.vib, Nov 3, 2006
  2. Finale

    #2
    Reinstall your forum software?
    Finale, Nov 3, 2006
  3. invincible.vib

    #3
    Well, I fixed that problem... reinstalling is the extreme case!!!
    I just removed instances of "mustim" from the DB and now the forum comes up fine :)
    Seems he signed up and exploited some of the vBulletin code. I checked the vbforum site and they seem to say it's a server problem on most issues rather than accept that there can be security holes in PHP-based code.
    I think any mods or plugins need an update!

    I've also found this info in the DB regarding the user mustim (maybe the username "hacked"):
    IP ADDRESS: 88.229.10.160

    So finally I got my forum up and running :)
    (But I still don't know how it was hacked, so I need to put some time into resolving that security loophole!)
    invincible.vib, Nov 3, 2006
  4. roy77

    #4
    Glad to see that you solved the problem; check your forum security so it won't happen next time :)
    roy77, Jan 6, 2007
  5. thuonghieu

    #5
    I can still access your site. Maybe your PC is infected with malware. Check it.
    thuonghieu, Jan 6, 2007
  6. hans

    #6
    If you know the user account through which changes were made, then search your entire access_log files from the past MANY months back and extract any access to that account using

    zgrep "mustim" access_log.gz > mustim_access.txt

    Replace "mustim" by a precise word that always occurs in the URL string for all logins, and replace the precise access_log file name.

    Then find the first visits of the user "mustim":
    where did he first visit your site?
    referral (exact Google search string! if he used G before hitting your site)
    then walk through his path of site visits:
    where (what precise folder) did he place his files?

    His files may have file names equal to common files existing on your site. I found on my site after a hacker intrusion a year ago files such as index.php, but that file contained hacker script and NOTHING like a common index file!! I also found other common file names such as php-info.php and other similar common files that usually always reside on a server, hence files that never arouse any suspicion, unless you open them and see that the script content is totally different from what it normally would be.

    Finding the exact entry and weak security hole may be a matter of dozens of hours of researching all kinds of access_log, messages-log, warn-log and error_log files.

    Good luck
    hans, Jan 22, 2007
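As an added example (not code from this thread, and not the forum's own tooling), here is the walk-through hans describes carried out in Python on a few constructed Apache combined-format log lines instead of with zgrep by hand: pivot from the account name in request URLs (and from the IP recorded against the account in the database, as post #3 found) to the set of source addresses, order their requests, pull the first visit and the first external referer (the search query, if any), list the successful state-changing requests, and flag .php files served from directories that should only hold uploads. A second helper compares a manifest of the live tree with a pristine copy of the forum distribution, which is how a rewritten index.php or a stray phpinfo-style file with an innocuous name is found without opening every file. The log lines, the addresses 203.0.113.7, 198.51.100.9 and 192.0.2.44, the upload directory prefixes and the manifest contents are constructed; the `username=` query parameter as the marker is an assumption about the URL scheme; 88.229.10.160 is the address quoted in post #3.

```python
"""Trace a hijacked forum account through Apache combined-format access logs
and find planted files by diffing the live tree against a pristine copy.
Added example; the log lines and directory names are constructed."""
import hashlib
import os
import re
from collections import namedtuple
from datetime import datetime

# Apache "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

Hit = namedtuple("Hit", "ip ts method path status referer ua")

# Constructed sample log. 88.229.10.160 is the address from post #3; the
# other addresses are documentation ranges and every request is invented.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2006:10:02:11 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
88.229.10.160 - - [02/Nov/2006:21:14:03 +0000] "GET /forum/register.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22powered+by+vbulletin%22" "Mozilla/4.0"
88.229.10.160 - - [02/Nov/2006:21:15:40 +0000] "POST /forum/register.php?do=addmember HTTP/1.1" 302 0 "http://www.indianwebmaster.org/forum/register.php" "Mozilla/4.0"
88.229.10.160 - - [02/Nov/2006:21:16:02 +0000] "GET /forum/member.php?username=mustim HTTP/1.1" 200 4400 "-" "Mozilla/4.0"
88.229.10.160 - - [02/Nov/2006:21:18:55 +0000] "POST /forum/profile.php?do=updateavatar HTTP/1.1" 302 0 "http://www.indianwebmaster.org/forum/profile.php?do=editavatar" "Mozilla/4.0"
88.229.10.160 - - [02/Nov/2006:21:19:30 +0000] "GET /forum/images/index.php HTTP/1.1" 200 1102 "-" "Mozilla/4.0"
198.51.100.9 - - [02/Nov/2006:22:00:00 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Nov/2006:08:30:12 +0000] "GET /forum/member.php?username=mustim HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One log line -> Hit, or None if it is not in combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Hit(m["ip"], ts, m["method"], m["path"], int(m["status"]),
               m["referer"], m["ua"])


def trail(hits, marker, extra_ips=()):
    """All requests, oldest first, from every IP that ever asked for a URL
    containing the marker (account name) or that is listed in extra_ips."""
    ips = {h.ip for h in hits if marker in h.path} | set(extra_ips)
    return sorted((h for h in hits if h.ip in ips), key=lambda h: h.ts)


def first_external_referer(t, own_host):
    """First referer that is not our own site: usually the search query."""
    for h in t:
        if h.referer not in ("", "-") and own_host not in h.referer:
            return h.referer
    return None


def write_targets(t):
    """Successful state-changing requests: endpoints a file could arrive through."""
    return [(h.method, h.path) for h in t
            if h.method in ("POST", "PUT") and h.status < 400]


def scripts_in_upload_dirs(t, prefixes):
    """200 responses for .php files under directories meant for data only
    (images, attachments, avatars): a planted script shows up here."""
    return sorted({h.path for h in t if h.status == 200
                   and h.path.split("?")[0].endswith(".php")
                   and h.path.startswith(tuple(prefixes))})


def summarize(lines, marker, own_host, extra_ips=(), upload_prefixes=()):
    hits = [h for h in map(parse_line, lines) if h is not None]
    t = trail(hits, marker, extra_ips)
    return {
        "ips": sorted({h.ip for h in t}),
        "first_visit": t[0].path if t else None,
        "first_seen": t[0].ts.isoformat() if t else None,
        "search_referer": first_external_referer(t, own_host),
        "write_targets": write_targets(t),
        "planted_scripts": scripts_in_upload_dirs(t, upload_prefixes),
    }


def manifest(root_dir):
    """Relative path -> sha256 of every file under root_dir (live or pristine)."""
    out = {}
    for root, _dirs, files in os.walk(root_dir):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                out[os.path.relpath(os.path.join(root, name), root_dir)] = \
                    hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(live, pristine):
    """Files only in the live tree, and files whose content differs from the
    pristine distribution: a rewritten index.php or a stray phpinfo-style
    file that a directory listing would never flag."""
    added = sorted(p for p in live if p not in pristine)
    modified = sorted(p for p in live if p in pristine and live[p] != pristine[p])
    return added, modified


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(), "mustim", "indianwebmaster.org",
                    ["88.229.10.160"], ["/forum/images/", "/forum/customavatars/"]))
```

Two caveats when running this on real logs: a marker such as `username=mustim` also matches anyone who merely viewed that profile (192.0.2.44 in the sample is pulled into the trail for that reason), so the IP set needs a look before it is treated as the attacker's; and `diff_manifests` will always report config.php, attachments and avatars as added or modified, so those are triaged first and the remaining entries, especially any .php under a data directory, are the ones to open.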