  1. #1

    Please Help! They Hacked Me Twice!

    Hi
    I'm running an IB forum and I got hacked twice!!
    They were able to access my MySQL database and drop it, and they put up an index.html file saying that the site is hacked!!

    My forum was running under a Windows 2000 IIS 5.1 server with the Helm control panel when it was first hacked.
    I changed the hosting company immediately and went to a hosting company that provides Windows 2003 IIS 6 with the HostingAccelerator control panel.
    I changed all my passwords and my usernames, and I updated and scanned my PC using Norton AntiVirus 2004. I also installed a firewall.
    But they hacked me again!!!
    I looked at the access log and I found the following:
    2004-05-30 13:40:54 OPTIONS /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - 403 221 263

    2004-05-30 13:41:20 PROPFIND /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - 403 221 332
    2004-05-30 13:41:24 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 403 221 362
    2004-05-30 13:41:25 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 200 175 367

    2004-05-30 13:42:07 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 200 175 348
    Someone is trying to read the conf_global file, which holds the database information.
    In the second day's log file I found:
    2004-05-31 16:28:29 GET /phpmyadmin - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 451
    2004-05-31 16:28:34 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) MySiteURL/index.php?act=Msg&CODE=03&VID=in&MSID=19117 200 8426 1053
    2004-05-31 16:28:47 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+FunWebProducts) MySiteURL/index.php?showforum=15 200 8431 1212
    2004-05-31 16:28:47 GET /phpMyAdmin - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 451
    2004-05-31 16:28:51 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) MySiteURL/index.php?showtopic=2518&st=165 200 8081 1296
    2004-05-31 16:28:53 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) MySiteURL/index.php?showuser=78 200 2592 1305
    2004-05-31 16:28:55 GET /phpMyAdmin/ - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 452
    PLEASE HELP! I can't re-upload my site until I find a way to stop this hacker and prevent him!

    How can he hack me that easily!? Is it because I'm running PHP under Windows?! Or maybe there is a problem with the IB forum?!
    Even if they were able to read conf_global, how were they able to place an index.html file on my server?!

    Please tell me what I should do, I'm going crazy!
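
A triage pass over log lines like the ones posted above, added here as an example (it is not code from the original post, from the hosting company or from the forum software). It parses IIS W3C lines using the field order inferred from the excerpt (an assumption: the excerpt carries no #Fields header), flags WebDAV verbs, direct requests for configuration files that the server actually answered with 200, and probes for admin tools, and counts the distinct User-Agent strings each client IP sent. The sample lines are constructed to match the shape of the posted ones; the 10.0.0.7 visitor is invented as a benign control.

```python
"""Triage IIS 6 W3C access-log lines for WebDAV probing and reads of
sensitive files. Added example; the sample log below is constructed to match
the shape of the lines posted in the thread, and the field order is an
assumption (the posted excerpt has no #Fields header)."""
from collections import defaultdict

# Assumed W3C field order, inferred from the posted lines (12 fields).
FIELDS = ("date", "time", "method", "uri", "query", "ip", "protocol",
          "agent", "referer", "status", "sc_bytes", "cs_bytes")

# Verbs that exist only for WebDAV; a forum never needs to answer them.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                  "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Paths nobody should fetch directly: config includes and admin tools.
SENSITIVE_SUFFIXES = ("conf_global.php", "config.php", ".inc", ".bak", ".sql")
ADMIN_PREFIXES = ("/phpmyadmin", "/mysqladmin", "/admin.php")

# Constructed sample modelled on the thread's excerpt (not the real log file).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
2004-05-30 13:40:54 OPTIONS /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - 403 221 263
2004-05-30 13:41:20 PROPFIND /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - 403 221 332
2004-05-30 13:41:25 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 200 175 367
2004-05-30 13:42:07 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 200 175 348
2004-05-31 16:28:29 GET /phpmyadmin - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 451
2004-05-31 16:28:34 GET /index.php - 10.0.0.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) http://forum.example/index.php?showforum=15 200 8426 1053
"""


def parse_line(line):
    """Split one W3C line into a dict. IIS writes spaces inside a field as '+'.
    Returns None for directive lines ('#...') and lines of unexpected shape."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["agent"] = rec["agent"].replace("+", " ")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the triage tags that apply to one parsed record."""
    tags = []
    uri = rec["uri"].lower()
    if rec["method"] in WEBDAV_METHODS:
        tags.append("webdav-method")
    if uri.endswith(SENSITIVE_SUFFIXES):
        # 403: the server refused. 200: the request was served, which is
        # exactly what a config file inside the web root makes possible.
        tags.append("sensitive-path-served" if rec["status"] == 200
                    else "sensitive-path-probe")
    if uri.startswith(ADMIN_PREFIXES):
        tags.append("admin-tool-probe")
    return tags


def triage(log_text):
    """Aggregate per client IP: request count, tag counts, distinct agents.
    Several unrelated User-Agent strings from one IP within a minute is the
    signature of a toolkit cycling through client identities, not a browser."""
    buckets = defaultdict(lambda: {"requests": 0, "tags": defaultdict(int),
                                   "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[rec["ip"]]
        b["requests"] += 1
        b["agents"].add(rec["agent"])
        for tag in classify(rec):
            b["tags"][tag] += 1
    return {ip: {"requests": b["requests"], "tags": dict(b["tags"]),
                 "agents": sorted(b["agents"])} for ip, b in buckets.items()}


def suspicious_ips(report, min_agents=3):
    """IPs that triggered any tag or rotated through many User-Agent strings."""
    return sorted(ip for ip, b in report.items()
                  if b["tags"] or len(b["agents"]) >= min_agents)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip in suspicious_ips(report):
        b = report[ip]
        print(f"{ip}: {b['requests']} requests, tags={b['tags']}, "
              f"{len(b['agents'])} distinct user agents")
```

On the constructed sample the one IP comes out with two WebDAV requests, two served reads of conf_global.php and four different User-Agent strings inside two minutes. That rotation is the reason a block on the "Microsoft Data Access Internet Publishing Provider" string alone buys little: the agent header is whatever the client chooses to send. The durable controls are refusing the WebDAV verbs at the server and keeping the configuration file outside the directory the web server serves.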

  2. #2
    Well, you could take a look at the developer's site for your forum software, IB Forum, and see if they have any security issues that have been resolved.

    Of course, before doing this I would take a look at the basics. I really do not mean to insult you with this, but did you change your password for your database and your forum username, and use a different password for your webhosting account?

  3. #3
    I changed every password I have: database, FTP, control panel and even the email password!!
    I searched Google for "microsoft data access internet publishing provider Protocol Discovery", which I found in my access log.
    I found the following:
    www.webmasterworld.com/forum47/1375.htm
    http://www.experts-exchange.com/Web/..._20969775.html
    It seems there is a bug with Windows servers?!

  4. #4
    Greetings:

    1. If a server has been hacked, your best bet is to do a system wipe, re-install what needs to be re-installed, and then restore from a backup made prior to the hack.

    Otherwise, the hacker may have a back door in place that was not caught.


    2. WebDAV has holes; and PHP can have holes too if not coded properly.

    Rory gave good advice about checking with the PHP developers for known vulnerabilities.

    3. Security has to be done in as many practical layers as you can manage throughout each and every day.

    A firewall is but one of those layers; and, as you found out, hackers can get through firewalls just like spies can get past border patrols and checkpoints.

    Thank you.
    ---
    Peter M. Abraham

  5. #5
    2. WebDav has holes; and PHP can have holes too if not coded properly.

    Rory gave good advice about checking with the PHP developers for known vulnerabilities.
    I agree. There are countless exploits for WebDAV, and for PHP on IIS. Check out http://www.securityfocus.org for some of them, and the corresponding patches.

  6. #6
    UMU,


    Are you familiar with the ASP language? Why not use ASP instead of PHP on a Windows machine?

  7. #7
    Install all of the security updates, etc.

  8. #8
    Can I disable any requests that come from "Microsoft Data Access Internet Publishing Provider", and how?!
    What is WebDAV exactly?! And how do they use it to hack me?!
    Would it solve the problem if I moved to a Linux host?!
    If the problem is from PHP, then how were they able to access and upload files to my server?!

  9. #9
    UMU,
    Once they find holes, they can plant backdoors on your machine and access anything they want on your site, including uploading files, creating users, etc. Find out more info on what you can do to prevent such a thing. Why are you using PHP on a Windows machine anyway?

  10. #10
    I am using a shared server, so I don't have control over the machine.
    I am using PHP under Windows because I need to use the .NET technology. Besides, there are no ASP forums that have features like the PHP forums.

  11. #11
    What version of InvisionBoard are you running?
    Hyperconfused (™)

  12. #12
    BTW... what version of IB are you using?

  13. #13
    My advice is to always watch your forum developer's website; a lot of times there are updates released to close any security holes...

    The same thing happened to me with my XMB forum.

  14. #14
    You may want to switch to a Linux system with phpBB2; it seems much more secure. I have 2 sites that get "hack attempts" constantly, one using phpBB2 and the other using PHP-Nuke; so far (with proper updates) these attempts have been unsuccessful.

    I agree with RoryErickson: check with the developers to see if there is a known exploit that may need patching.

    Hope this helps

    Regards,
    Lee
    DSL WebHosting Solutions
    Fast Affordable WebHosting Solutions
    24/7/365 Support

  15. #15
    This may be a stupid question, but....

    2004-05-30 13:42:07 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 200 175 348
    Is your "conf_global.php" in your main directory? If so, then it's not too difficult to figure out how they're "hacking" you. Move your configuration PHP out of the directory that IIS is serving from; surely you can store it separately.
    Myles Loosley-Millman - admin@prioritycolo.com
    Priority Colo Inc. - Affordable Colocation & Dedicated Servers.
    Two Canadian facilities serving Toronto & Markham, Ontario
    http://www.prioritycolo.com

  16. #16
    Originally posted by Loon
    What version of InvisionBoard are you running?
    I'm using version 1.2.
    I checked the access log; the hacker did not attempt to send GET or POST requests to the IB PHP files.
    The hacker was using the OPTIONS, PROPFIND and LOCK HTTP commands. He used a tool called "Microsoft Data Access Internet Publishing Provider".
    So, I was wondering if I could disable any requests made from this tool.

  17. #17
    Originally posted by umu
    I'm using version 1.2.
    I'm not sure if this is the cause of your current problem, but there are exploits for 1.2; you need to update it.
    Hyperconfused (™)
