Emuforums.com

Old June 30th, 2009   #1 (permalink)
Emu author
 
@ruantec's Avatar
 
Join Date: Nov 2002
Location: Austria (originally from Dominican Republic)
Posts: 2,314
Ok my forum got hacked lol

it seems like somebody with lots of free time on his hands managed to hack the forums and write some stupid text on it.. i hope admins of the CG can fix that.

Here is the link:
http://aruantec.ngemu.com/forums/

Regards
@ruantec
__________________

Current development tools:

Visual C++.net, Visual C#.net
Visual VB.net, Visual Webdeveloper.net
Bloodshed Dev C++, Borland C++
Visual Basic 6
Old June 30th, 2009   #2 (permalink)
Who, me, childish, NEVER!
 
aceloop's Avatar
 
Join Date: May 2008
Location: Batcave
Posts: 490
what the coño? @ruantec what have you been doing in the undergrounds of the interweb?
Old June 30th, 2009   #3 (permalink)
AEON'S HERITAGE
 
hanibal81's Avatar
 
Join Date: Apr 2006
Location: Tamazgha
Posts: 2,042
Damn ... that's some serious **** out there :/
__________________

The Arabs, Bedouins of the wilderness and herders of she-camels, discovered zero, and it stayed attached and loyal to them until they wished to disown it, and they taunted me with the One and Only
1 = Aothem, 0 = Thaothemth ^_^


| Markunda Princess of Tamazgha(^_^) | Tinariwen | General Emulation | Xtemulation |
Old June 30th, 2009   #4 (permalink)
Resident Baka
 
zidine00's Avatar
 
Join Date: Dec 2008
Location: No where Now here
Posts: 844
ok what he wrote there doesn't make sense to me, can anyone elaborate what it means?
__________________
Quote:
Why do we have a million doomsday devices, and no answering machine?
Old June 30th, 2009   #5 (permalink)
T-5000 Modenator
 
Xtreme2damax's Avatar
 
Join Date: Aug 2005
Location: Here, there, everywhere, even in your couch cushions..
Posts: 3,105
Seems like the permissions issue on the aruantec subdomain finally came back to bite them.

When I was performing some work for @ruantec, I noticed that some/most/all of the files in the forum directory had improper permissions, it seems a hacker exploited this and hacked the forums.

Either that or the hacker got in through another back door. When something like this happens it needs to be figured out exactly what they exploited, fix the issue that was exploited, re-upload all files and a database backup from before it was hacked.

However @ruantec can't re-upload the files unless he has FTP access. In order to fix this he needs FTP access so he can set proper permissions on the files and patch up the holes.

From what I could gather, the aruantec forum was using Mybb 1.4.2. Since then a security audit was done on Mybb 1.4.x and some security issues fixed in the later versions of Mybb 1.4.x.

It could have been either of those things or an unknown backdoor that was exploited by these low life scumbags.
__________________

| Xtemulation Forums | Dolphin SVN Builds |
| XTemulation Wiki | PCSX2 SVN Builds |

If you like Xtemulation, please Digg Us! | Download the free Xtemulation Toolbar!
Old June 30th, 2009   #6 (permalink)
Emu author
 
@ruantec's Avatar
 
Join Date: Nov 2002
Location: Austria (originally from Dominican Republic)
Posts: 2,314
Thanks God we moved the forums thanks to Xtreme2damax

Quote:
Originally Posted by aceloop View Post
what the coño? @ruantec what have you been doing in the undergrounds of the interweb?
YAY the magic word!!! that makes me happy XD
Old June 30th, 2009   #7 (permalink)
T-5000 Modenator
 
Xtreme2damax's Avatar
 
Join Date: Aug 2005
Location: Here, there, everywhere, even in your couch cushions..
Posts: 3,105
Quote:
Originally Posted by @ruantec View Post
Thanks God we moved the forums thanks to Xtreme2damax



YAY the magic word!!! that makes me happy XD
Speaking of that, I'm going to go through and double check everything although I'm fairly certain everything is secure.

Someone from CG might want to remove the affected page in question, find out how it was exploited, patch the issue and upload a backup from before the hack occurred.

I hope these low life scumbag hackers get a taste of their own medicine some day, I hate idiots that get off on ruining others' hard work, hacking and plastering their own crap up. We should start a movement to hack the flocking hackers.

Hopefully they will see this thread upon browsing and take note of the problem, or an administrator can contact one of them.

In fact I will contact one of them right now to take care of this.
Old June 30th, 2009   #8 (permalink)
Emu author
 
@ruantec's Avatar
 
Join Date: Nov 2002
Location: Austria (originally from Dominican Republic)
Posts: 2,314
Quote:
Originally Posted by Xtreme2damax View Post
Speaking of that, I'm going to go through and double check everything although I'm fairly certain everything is secure.

Someone from CG might want to remove the affected page in question, find out how it was exploited, patch the issue and upload a backup from before the hack occurred.

I hope these low life scumbag hackers get a taste of their own medicine some day, I hate idiots that get off on ruining others' hard work, hacking and plastering their own crap up. We should start a movement to hack the flocking hackers.

Hopefully they will see this thread upon browsing and take note of the problem, or an administrator can contact one of them.

In fact I will contact one of them right now to take care of this.
that sounds like a great idea.... anyways i hope this hacker or probably lucky guy doesn't make me mad.. i'll try to keep cool but if he pisses me off am going to hack his ass out of him... anyways CG refused somehow to give me direct access to the site so at least someone got it and that's why am not pissed right now but rather happy somehow
Old June 30th, 2009   #9 (permalink)
Resident Baka
 
zidine00's Avatar
 
Join Date: Dec 2008
Location: No where Now here
Posts: 844
Quote:
Originally Posted by @ruantec View Post
anyways CG refused somehow to give me direct access to the site so at least someone got it and that's why am not pissed right now but rather happy somehow

ahhh i love irony.
Old July 1st, 2009   #10 (permalink)
T-5000 Modenator
 
Xtreme2damax's Avatar
 
Join Date: Aug 2005
Location: Here, there, everywhere, even in your couch cushions..
Posts: 3,105
It seems it was only the index page that was hacked as far as I could see. Other pages such as threads load normally, I was able to check since I had a couple threads bookmarked.
Old July 1st, 2009   #11 (permalink)
Watching you.
 
BigIg's Avatar
 
Join Date: Aug 2006
Location: Watching you.
Posts: 2,222
Quote:
Originally Posted by Xtreme2damax View Post
Someone from CG might want to remove the affected page in question, find out how it was exploited, patch the issue and upload a backup from before the hack occurred.
Has anyone else been able to make up a backup? (I doubt it, since apparently no one had direct access). I doubt CG made proper backups of the secondary sites.
__________________
.esrever ni dootsrednu eb ylno nac efiL
...But must be lived forwards.
Old July 1st, 2009   #12 (permalink)
Administrator
 
Chrono Archangel's Avatar
 
Join Date: Dec 2001
Location: Montreal, Canada
Posts: 7,830
I sent a message to people from CG. Hopefully they can get around to fixing this.
Old July 1st, 2009   #13 (permalink)
T-5000 Modenator
 
Xtreme2damax's Avatar
 
Join Date: Aug 2005
Location: Here, there, everywhere, even in your couch cushions..
Posts: 3,105
I just wanted to issue an update. I was able to log into the ACP; here is what was done:

Once I logged in, I viewed the administrative logs..

1. Hacker was possibly able to delete some language files

2. Hacker was able to gain admin access, once in he/it/she modified the index template to the hacked page.

3. I'm not absolutely sure if any files were affected, it just seems like a lame index page/template hack. On second thought it seems the hacker was able to gain administrative access through some vulnerability, then proceeded to edit the index template for the forum and possibly change some other things in addition to modifying the index template.

4. Hacker is registered under the guise khodam, last user to register was khodam, and khodam was listed in the administrative logs as the one who modified the index template to the hacked page.

Here is what I did:

Banned the khodam account; in the banning options both the hacker's name "khodam", its email address and IP address were banned in the ACP from being allowed to access the forum. I also ensured the account was no longer able to be logged into by changing the email and password.

I then proceeded to restore the index page/template back to what it was originally. Index page is able to be loaded normally, not sure how much else was affected.

The rest can be left up to the CG folks to patch up and fix this issue, I'm not sure if the hacker was able to gain access due to improper permissions on the files or if it was an SQL vulnerability exploit that allowed them to gain access.

In any case after the vulnerability is patched, an upgrade on the Mybb install should be performed to bring it up to the latest version.

Files and directories that are in need of write permissions:



Permissions for other files may need to be tweaked as well. I can provide the IP address of the hacker as well if it is needed. May I also suggest changing the name of the admin directory to something more difficult to guess?
Attached Images
File Type: jpg aruantec.jpg (197.1 KB, 260 views)
Last edited by Xtreme2damax; July 1st, 2009 at 01:32.
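The log correlation described in the post above (the newest registered account appearing in the administrative log as the one who edited the index template), as an added example that is not part of the original thread or of MyBB: it flags admin-log actions by accounts that are not on a known-administrator list or that registered shortly before acting. The record layout, field names, timestamps, the account names other than khodam, and the 72-hour window are constructed assumptions, not MyBB's actual schema.

```python
from datetime import datetime, timedelta

# Constructed sample data, not MyBB's real schema: username -> registration time.
USERS = {
    "forum_owner": datetime(2008, 9, 1, 12, 0),
    "helper_admin": datetime(2008, 11, 3, 9, 30),
    "khodam": datetime(2009, 6, 29, 22, 10),
}
# Constructed admin-log rows: (time, username, module, action, target).
ADMIN_LOG = [
    (datetime(2009, 6, 20, 18, 0), "forum_owner", "config", "edit_setting", "boardclosed"),
    (datetime(2009, 6, 29, 22, 40), "khodam", "style", "edit_template", "index"),
    (datetime(2009, 6, 29, 22, 45), "khodam", "config", "delete_language", "(unknown)"),
    (datetime(2009, 7, 1, 1, 0), "helper_admin", "style", "edit_template", "index"),
]
KNOWN_ADMINS = {"forum_owner", "helper_admin"}  # accounts expected to use the ACP


def suspicious_admin_actions(users, log, known_admins, max_age=timedelta(hours=72)):
    """Return (entry, reasons) pairs for admin actions that deserve review."""
    findings = []
    for entry in sorted(log):
        when, user = entry[0], entry[1]
        reasons = []
        if user not in known_admins:
            reasons.append("not a known administrator")
        registered = users.get(user)
        if registered is None:
            reasons.append("no matching user record")
        elif timedelta(0) <= when - registered <= max_age:
            reasons.append("account registered %s before acting" % (when - registered))
        if reasons:
            findings.append((entry, reasons))
    return findings


def accounts_to_review(findings):
    """Distinct usernames behind the flagged actions."""
    return sorted({entry[1] for entry, _ in findings})


if __name__ == "__main__":
    for entry, reasons in suspicious_admin_actions(USERS, ADMIN_LOG, KNOWN_ADMINS):
        print(entry[0].isoformat(), entry[1], entry[3], entry[4], "->", "; ".join(reasons))
    print("review:", accounts_to_review(suspicious_admin_actions(USERS, ADMIN_LOG, KNOWN_ADMINS)))
```

The later template edit by a known, long-standing administrator (the restore step) is not flagged, so the output isolates the intruder's changes as the ones to revert.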
Old July 1st, 2009   #14 (permalink)
Administrator
 
Chrono Archangel's Avatar
 
Join Date: Dec 2001
Location: Montreal, Canada
Posts: 7,830
gj, x2dm
seems like it was a forum vulnerability. Funny he didn't demote the other admins of the board before making the changes.
Old July 1st, 2009   #15 (permalink)
Behind ur girlfriend :D
 
Squall-Leonhart's Avatar
 
Join Date: Feb 2006
Location: Sydney, Australia
Posts: 18,439
Quote:
MyBB 1.4.7 is a security update to the MyBB 1.4 series. It fixes 1 high risk security vulnerability. We recommend everybody upgrades to this release immediately or patch their boards with the manual patching instructions below.
This vulnerability affects MyBB 1.4.6. MyBB 1.2 is not affected.
Thank you to Jesse Labrocca for alerting us of this vulnerability.
heh
__________________


VBA-M | Xtemu | NGOHQ | Post Impact Productions | TNHW | XBCD 0.2.6 | Satanic666's Emulator Compiles
Don't be a NOOB, READ THE NGEmu/EmuForums Rules of Conduct
Need Help with ePSXe? This is your first stop!.

If you don't post all the required information, you don't get help.
Everytime someone posts a romsite, God kills a beautiful woman.
Old July 1st, 2009   #16 (permalink)
T-5000 Modenator
 
Xtreme2damax's Avatar
 
Join Date: Aug 2005
Location: Here, there, everywhere, even in your couch cushions..
Posts: 3,105
Looks like I'll be upgrading a Mybb forum tonight. :o
Last edited by Xtreme2damax; July 1st, 2009 at 02:14.
Old July 2nd, 2009   #17 (permalink)
Administrator
 
P3R3's Avatar
 
Join Date: Jul 2008
Location: CA
Posts: 66
I have backups of your forums, how much did you lose? Also what day did this happen, I take backups every morning. Give me the day BEFORE all this happened and I will restore it to that time.
Old July 6th, 2009   #18 (permalink)
Emu author
 
@ruantec's Avatar
 
Join Date: Nov 2002
Location: Austria (originally from Dominican Republic)
Posts: 2,314
Quote:
Originally Posted by P3R3 View Post
I have backups of your forums, how much did you lose? Also what day did this happen, I take backups every morning. Give me the day BEFORE all this happened and I will restore it to that time.
well all i need is a full backup of the forums and i will be happy.. after i get the backup you guys can remove the subdomain as i've moved most of my data to another place.

Regards
@ruantec
Old July 6th, 2009   #19 (permalink)
Administrator
 
P3R3's Avatar
 
Join Date: Jul 2008
Location: CA
Posts: 66
Quote:
Originally Posted by @ruantec View Post
well all i need is a full backup of the forums and i will be happy.. after i get the backup you guys can remove the subdomain as i've moved most of my data to another place.

Regards
@ruantec
What day do you need?
Old July 6th, 2009   #20 (permalink)
Emu author
 
@ruantec's Avatar
 
Join Date: Nov 2002
Location: Austria (originally from Dominican Republic)
Posts: 2,314
Quote:
Originally Posted by P3R3 View Post
What day do you need?
well as far as i know the hacker just changed the main file but didn't delete any data and now everything is there so i would say i just need a backup of today
All times are GMT.