06-01-2004, 10:48 AM #1, Newbie (Join Date: Apr 2003, Posts: 8)
Please Help! They Hacked Me Twice!
Hi,
I'm running an IB forum and I got hacked twice!!
They were able to access my MySQL database and drop it, and they put up an index.html file saying that the site is hacked!!
My forum was running under a Windows 2000 IIS 5.1 server with Helm control panel when it was first hacked.
I changed the hosting company immediately and went to a hosting company that provides Windows 2003 IIS 6 with HostingAccelerator control panel.
I changed all my passwords and my usernames, and I updated and scanned my PC using Norton AntiVirus 2004. I also installed a firewall.
But they hacked me again!!!
I looked at the access log and I found the following:
2004-05-30 13:40:54 OPTIONS /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - 403 221 263
2004-05-30 13:41:20 PROPFIND /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - 403 221 332
2004-05-30 13:41:24 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 403 221 362
2004-05-30 13:41:25 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 200 175 367
2004-05-30 13:42:07 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 200 175 348
In the second day's log file I found:
004-05-31 16:28:29 GET /phpmyadmin - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 451
2004-05-31 16:28:34 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) MySiteURL/index.php?act=Msg&CODE=03&VID=in&MSID=19117 200 8426 1053
2004-05-31 16:28:47 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+FunWebProducts) MySiteURL/index.php?showforum=15 200 8431 1212
2004-05-31 16:28:47 GET /phpMyAdmin - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 451
2004-05-31 16:28:51 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) MySiteURL/index.php?showtopic=2518&st=165 200 8081 1296
2004-05-31 16:28:53 GET /index.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) MySiteURL/index.php?showuser=78 200 2592 1305
2004-05-31 16:28:55 GET /phpMyAdmin/ - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 404 1795 452
How can he hack me that easily!? Is it because I'm running PHP under Windows?! Or maybe there is a problem with the IB forum?!
Even if they were able to read conf_global, how were they able to place an index.html file on my server?!
Please tell me what I should do, I'm going crazy!

06-01-2004, 11:08 AM #2, Junior Guru (Join Date: Aug 2003, Location: Richmond, BC, Posts: 196)
Well, you could take a look at the developer's site of your forum software, IB Forum, and see if they have any security issues that have been resolved.
Of course, before doing this I would take a look at the basics. I really do not mean to insult you with this, but did you change your password for your database and forum username, and use a different password for your web hosting account?

06-01-2004, 11:25 AM #3, Newbie (Join Date: Apr 2003, Posts: 8)
I changed every password I have. Database, FTP, control panel and even the email password!!
I searched Google for "microsoft data access internet publishing provider Protocol Discovery", which I found in my access log.
I found the following:
www.webmasterworld.com/forum47/1375.htm
http://www.experts-exchange.com/Web/..._20969775.html
It seems there is a bug with Windows servers?!

06-01-2004, 11:44 AM #4, Web Hosting Master (Join Date: Dec 2001, Posts: 5,221)
Greetings:
1. If a server has been hacked, your best bet is to do a system wipe, re-install what needs to be re-installed, and then restore from a backup made prior to a hack.
Otherwise, the hacker may have a back door in place that was not caught.
2. WebDav has holes; and PHP can have holes too if not coded properly.
Rory gave good advice about checking with the PHP developers for known vulnerabilities.
3. Security has to be done in as many practical layers as you can manage throughout each and every day.
A firewall is but one of those layers; and, as you found out, hackers can get through firewalls just like spies can get past border patrols and checkpoints.
Thank you.

06-01-2004, 12:29 PM #5, Web Hosting Master (Join Date: Dec 2003, Location: Fairfax, Virginia, Posts: 6,834)
2. WebDav has holes; and PHP can have holes too if not coded properly.
Rory gave good advice about checking with the PHP developers for known vulnerabilities.

06-01-2004, 12:42 PM #6, Junior Guru Wannabe (Join Date: May 2004, Location: Texas, Posts: 53)
UMU,
Are you familiar with the .ASP language? Why not use .asp instead of php on a windows machine?

06-01-2004, 12:42 PM #7, Web Hosting Master (Join Date: Aug 2003, Posts: 2,733)
Install all of the security updates, etc.

06-01-2004, 01:06 PM #8, Newbie (Join Date: Apr 2003, Posts: 8)
Can I disable any requests that come from "Microsoft Data Access Internet Publishing Provider", and how?!
What is WebDav exactly?! And how do they use it to hack me?!
Would it solve the problem if I moved to a Linux host?!
If the problem is from PHP, then how were they able to access and upload files to my server?!

06-01-2004, 01:09 PM #9, Junior Guru Wannabe (Join Date: May 2004, Location: Texas, Posts: 53)
UMU,
Once they find holes... they can plant backdoors on your machine and access anything they want on your site, including uploading files, creating users, etc... Find out more info on what you can do to prevent such a thing. Why are you using PHP on a Windows machine anyway?

06-01-2004, 01:31 PM #10, Newbie (Join Date: Apr 2003, Posts: 8)
I am using a shared server so I don't have control over the machine.
I am using PHP under Windows because I need to use the .NET technology. Besides, there are no ASP forums that have features like the PHP forums.

06-01-2004, 01:36 PM #11, Retired Moderator (Join Date: Apr 2003, Location: London, UK, Posts: 4,721)
What version of InvisionBoard are you running?
Hyperconfused (™)

06-01-2004, 01:38 PM #12, Junior Guru Wannabe (Join Date: May 2004, Location: Texas, Posts: 53)
BTW... what version of IB are you using?

06-01-2004, 01:40 PM #13, New Member (Join Date: Nov 2003, Location: Youngstown, OH, Posts: 4)
My advice is to always watch your forum developer's website - a lot of the time updates are released to close security holes...
The same thing happened to me with my XMB forum.

06-01-2004, 01:45 PM #14, WHT Addict (Join Date: Apr 2004, Location: Texas, Posts: 163)
You may want to switch to a Linux system with phpBB2; it seems much more secure. I have 2 sites that get "hack attempts" constantly, one using phpBB2 and the other using PHP-Nuke; so far (with proper updates) these attempts were unsuccessful.
I agree with RoryErickson: check with the developers to see if there is a known exploit that may need patching.
Hope this helps.
Regards,
Lee

06-01-2004, 01:58 PM #15, Web Hosting Master (Join Date: Dec 2001, Location: Toronto, Ontario, Canada, Posts: 6,896)
This may be a stupid question, but....
2004-05-30 13:42:07 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - 200 175 348
Myles Loosley-Millman - admin@prioritycolo.com
Priority Colo Inc. - Affordable Colocation & Dedicated Servers.
Two Canadian facilities serving Toronto & Markham, Ontario
http://www.prioritycolo.com

06-01-2004, 02:06 PM #16, Newbie (Join Date: Apr 2003, Posts: 8)
Originally posted by Loon
What version of InvisionBoard are you running?
I checked the access log; the hacker did not attempt to send GET or POST requests to the IB PHP files.
The hacker was using OPTIONS, PROPFIND and LOCK HTTP commands. He used a tool called "Microsoft Data Access Internet Publishing Provider".
So, I was wondering if I could disable any requests made from this tool.
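One way to pick this activity out of an IIS access log, as an added example that is not from the thread or any poster: a small Python checker that flags WebDAV methods, the "Microsoft Data Access Internet Publishing Provider" user agent, and the tell-tale sequence in the first log excerpt where /conf_global.php is refused with a 403 and then served with a 200 one second later. The W3C field order is an assumption about the poster's log format; the sample lines are copied from the log quoted in post #1.

```python
from collections import defaultdict

# Field order assumed for the poster's IIS W3C extended log lines (an assumption, not stated in the thread):
# date time cs-method cs-uri-stem cs-uri-query c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes
FIELDS = ["date", "time", "method", "path", "query", "client",
          "version", "agent", "referer", "status", "bytes_sent", "bytes_recv"]
# Methods a browser or forum user never sends; seeing them means a WebDAV client is probing
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK",
                  "PUT", "MOVE", "COPY", "DELETE"}
DAV_AGENT = "Microsoft Data Access Internet Publishing Provider"
SENSITIVE = {"/conf_global.php"}   # config files that must never come back with a 2xx

# Sample lines copied from the access log quoted in the thread (IIS writes spaces in the agent as '+')
SAMPLE_LOG = """\
2004-05-30 13:40:54 OPTIONS /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - 403 221 263
2004-05-30 13:41:20 PROPFIND /conf_global.php - 193.188.97.152 HTTP/1.1 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - 403 221 332
2004-05-30 13:41:24 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 403 221 362
2004-05-30 13:41:25 GET /conf_global.php - 193.188.97.152 HTTP/1.1 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) - 200 175 367
""".splitlines()

def parse_line(line):
    # Split one W3C line into a dict; skip '#' directive lines and lines with the wrong field count
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["agent"] = rec["agent"].replace("+", " ")
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines):
    # Returns {client_ip: set of finding tags}; callers can alert on any non-empty set
    findings = defaultdict(set)
    last_status = {}   # (client, path) -> status of that client's previous request for the path
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["client"], rec["path"], rec["status"]
        if rec["method"] in WEBDAV_METHODS:
            findings[ip].add("webdav:" + rec["method"])
        if rec["agent"].startswith(DAV_AGENT):
            findings[ip].add("agent:MDAIPP")
        if path.lower() in SENSITIVE and 200 <= status < 300:
            findings[ip].add("served:" + path)
            if last_status.get((ip, path)) == 403:   # refused, then served one request later
                findings[ip].add("denied-then-served:" + path)
        last_status[(ip, path)] = status
    return dict(findings)
```

On IIS 6 the WebDAV handler is a Web Service Extension that ships set to Prohibited, so on a shared server the host is the one who can confirm in IIS Manager that it is still off.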

06-01-2004, 02:49 PM #17, Retired Moderator (Join Date: Apr 2003, Location: London, UK, Posts: 4,721)
Originally posted by umu
I'm using version 1.2.
Hyperconfused (™)