Hacked Ii

[I, Brian]

Hi -

Last night my site was hacked - all that appears to have happened is that the YaBB SE index file was replaced.

I didn't think to download raw logs at the time - just the forum db. But this morning, 9 hours later, I have downloaded a raw .gz log file of 303kb.

I don't know whether the log file will cover the period in question - the attack was around 22:40 GMT on the 14th June, and the log file was downloaded at 08:10 GMT.

But I have it if anyone wants to check to make sure it wasn't a vulnerability in YaBB SE. So...who wants the log file?

E-mail me and I'll send you it.

Brian

[David]

As always, [email protected].  Hopefully you can send me just the time around the hack and not the whole log.

[[Unknown]]

Please send a copy ot me as well - [email protected].

-[Unknown]

[Mach8]

Can you please send me a copy of the log as well - something similar happened on my website and I'd like to cross-reference, see if the same thing happened on both sets of logs.

(when I can read my logs that is, my host has been hacked )

[Mach8]

I just found the logs I downloaded from yesterday, and as I guessed - there's no information from what I can see that would point to the attack. I'll still email you the logs though.

I took a look at I, Brian's file and it seems to be the same way as well.

[phark]

Well, its not just YaBB SE that is being hacked...

http://www.umu.man.ac.uk/muisoc/phpBB2/index.php

EDIT:  fady911x is a busy person

[David]

https://www.europe.f-secure.com/v-descs/naco_f.shtml+fady911x&hl=en&ie=UTF-8
http://vx.netlux.org/~melhacker/+fady911x&hl=en&ie=UTF-8

[I, Brian]

Yes, he's easy to track on Google.

However, I'd like to post the reply from VenturesOnline about the incident, because there's a possible suggestion of accessing the site through YaBB SE (I run no other scripts on my account - just normal .html files constructed through php includes):

Since this is a shared server allowing, anyone to write to a directory is a big mistake and will likely be exploited. If you have world readable configuration files it is also possible this is how this user got in.

If you have a world writeable directory as listed above, it would be wise to remove

I don't actually understand the application of the terms "world readable configuration files" or "world writeable directory".

I wondered if someone could comment:

[andrea]

Since this is a shared server allowing, anyone to write to a directory is a big mistake and will likely be exploited. If you have world readable configuration files it is also possible this is how this user got in.

If you have a world writeable directory as listed above, it would be wise to remove

I don't actually understand the application of the terms "world readable configuration files" or "world writeable directory".

I wondered if someone could comment:

http://www.yabbse.org/community/index.php?board=135;action=display;threadid=15904

[Aeon]

from his name "Fady" I can tell he is an Arabic ! also all the sites he hacked are for Arabic ...

well well ... we have some good hackers in our land

[I, Brian]

Thanks for that Andrea - much appreciated.

As for Fady - yes, he lives in Egypt. Nothing great about being a hacker though.