FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Possible exploit- hackers access my ACP [message #158455] Thu, 26 February 2009 05:52
TheBarnes (United Kingdom; Junior Member; Messages: 19; Registered: February 2009)
Hi, I have had a problem where hackers are running a script to access my Admin files, can I e-mail someone my error log please?

Regards
James

Re: Possible exploit- hackers access my ACP [message #158456 is a reply to message #158455] Thu, 26 February 2009 06:29
naudefj (South Africa; Senior Member, Administrator, Core Developer; Messages: 3624; Registered: December 2004)
Hi James,

How do you know they accessed your site via the Admin Control Panel?

My site was also hacked a couple of times, however, it never turned out to be FUDforum's fault.

PS: You are welcome to mail the logs to me.

Best regards.

Frank

Re: Possible exploit- hackers access my ACP [message #158458 is a reply to message #158455] Thu, 26 February 2009 07:03
TheBarnes
Have e-mailed you Frank, many thanks.

Just from viewing the error logs it appears they are running scripts to browse directly to the admin control panel files. I may however be completely incorrect.... I'm on v2.7.7 by the way.

Re: Possible exploit- hackers access my ACP [message #158460 is a reply to message #158458] Thu, 26 February 2009 07:34
naudefj
I'm busy working through your log. For starters:

1) lock your forum's files.

2) block the offending IP addresses from your site (add "Deny from <ip>" in your .htaccess file).

3) Ensure the forum's default ".htaccess" files are all in-place:

data/cache/.htaccess
data/errors/.htaccess
data/files/.htaccess
data/include/.htaccess
data/messages/.htaccess
data/scripts/.htaccess
data/sql/.htaccess
data/src/.htaccess
data/thm/.htaccess
data/tmp/.htaccess

Re: Possible exploit- hackers access my ACP [message #158462 is a reply to message #158455] Thu, 26 February 2009 08:07
TheBarnes
Thanks Frank-

1) I thought they already were locked, hence my concern. I've checked the files on the server and they're now set to 644. (not sure what the data files should be set to though....)

2 + 3) I have no htaccess files!! They must not have been restored last time I had a backup....
Can I get these from somewhere?

[Updated on: Thu, 26 February 2009 08:11]

Re: Possible exploit- hackers access my ACP [message #158463 is a reply to message #158462] Thu, 26 February 2009 08:44
naudefj
1) If your forum is locked your files will be chmod'ed to 0600.

2) Create one in your root htdoc directory (/).

3) You can manually recreate them. They contain a single line:

Deny from all
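
The checks discussed in this thread (the ten default ".htaccess" files, each containing "Deny from all", and locked files at 0600), written out as an added shell example that is not part of the original posts or of FUDforum. The helper names audit_htaccess, loose_modes and demo are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not FUDforum code). Directory names come from the thread.
FUD_DIRS="cache errors files include messages scripts sql src thm tmp"

# audit_htaccess DATA_ROOT (hypothetical helper)
# Prints one line per problem; exit status = number of problems (0 = all in place).
audit_htaccess() {
    problems=0
    for d in $FUD_DIRS; do
        f="$1/$d/.htaccess"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            problems=$((problems + 1))
        elif ! grep -qiE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all[[:space:]]*$' "$f"; then
            echo "NO-DENY  $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# loose_modes DIR (hypothetical helper)
# Lists regular files with any group/other permission bit set, i.e. looser than 0600.
loose_modes() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# demo: audit a constructed tree in which two of the ten files are deliberately wrong.
demo() {
    root=$(mktemp -d) || return 1
    for d in $FUD_DIRS; do
        mkdir -p "$root/data/$d"
        echo "Deny from all" > "$root/data/$d/.htaccess"
    done
    rm "$root/data/sql/.htaccess"                      # file lost, e.g. in a restore
    echo "Deny form all" > "$root/data/tmp/.htaccess"  # typo, not a valid directive
    n=0
    audit_htaccess "$root/data" || n=$?
    rm -rf "$root"
    return "$n"
}

if [ $# -gt 0 ]; then
    audit_htaccess "$1" || echo "$? problem(s) found"
    loose_modes "$1"
else
    demo || echo "demo tree: $? problem(s) found"
fi
```

Run it with the path to the forum's data directory as the only argument. On Apache 2.4 without mod_access_compat the equivalent directive is "Require all denied"; this check only looks for the form given in the thread.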

Re: Possible exploit- hackers access my ACP [message #158465 is a reply to message #158455] Thu, 26 February 2009 09:26
TheBarnes
As usual you've been superb Frank.

I manually had to CHMOD all the files to 600 (they were set as 644 otherwise). I can't set the images and themes files to 600, because otherwise the images don't show up, is that correct?
Should the actual adm directory as well as the files within be set to 600, or does that not matter?

I also assume that when I want to perform admin tasks I'll have to go onto the server and CHMOD all the files back again?

Re: Possible exploit- hackers access my ACP [message #158466 is a reply to message #158465] Thu, 26 February 2009 09:49
naudefj
You can lock/unlock your forum from the Admin Control Panel. See documentation at http://cvs.prohost.org/index.php/Administration#Lock.2FUnlock_Forum.27s_Files

Re: Possible exploit- hackers access my ACP [message #158467 is a reply to message #158455] Thu, 26 February 2009 09:55
TheBarnes
Yes, the only trouble with that is 'locked' sets things to 0644 and 'unlocked' sets things to 0666 Laughing

Re: Possible exploit- hackers access my ACP [message #158468 is a reply to message #158467] Thu, 26 February 2009 11:07
naudefj
Yip, the script will decide between 600 and 644. You can change it if you always prefer 600.

Re: Possible exploit- hackers access my ACP [message #158469 is a reply to message #158455] Thu, 26 February 2009 11:56
TheBarnes
Oh, ok.

So 644 is also locked? That's what they were previously set to when the above 'incidents' happened... Sad