Author Topic: We are under attack! help  (Read 3684 times)
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

We are under attack! help
« on: May 03, 2003, 03:07:59 AM »

Someone today has deleted our database. We got news from our installer (Nonya) and he told us it was because our database was merged with our old database, which was a proboard database. (We have identified and recorded the intruder's info etc. and reported it.)

We are slowly recovering from that, and now we have another problem: there is an intruder that can see our staff board (which is invisible to regular users) and he is deleting our threads.

here is the link to the forum:

http://learningtheinternet.net (click on forum)

What can we do? I I.P. banned the intruder but he has an anonymous proxy.

Help!

Eyelfixit
« Last Edit: May 08, 2003, 12:20:07 AM by Eyelfixit » Logged
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


Re:We are under attack! help
« Reply #1 on: May 03, 2003, 03:12:25 AM »

Have every administrator change their password.  If possible, change your MySQL and FTP passwords.

Delete any administrators you didn't make administrators.

-[Unknown]
Logged
Nonya
Beta Tester
Sr. Member
****
Posts: 375


YaBBse Developer Wannabe!

Re:We are under attack! help
« Reply #2 on: May 03, 2003, 03:35:27 AM »

I've fixed it for you Eyelfixit
Logged

Nonya
Beta Tester
Sr. Member
****
Posts: 375


YaBBse Developer Wannabe!

Re:We are under attack! help
« Reply #3 on: May 03, 2003, 03:37:00 AM »

BTW the hackers don't use any Admin account; they have the login info to cpanel  :-\
Logged

Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #4 on: May 03, 2003, 03:38:17 AM »

Quote from: Nonya on May 03, 2003, 03:37:00 AM
BTW the hackers don't use any Admin account; they have the login info to cpanel  :-\

I will notify Mike immediately. NONYA, you're a god in my eye, so you so very much friend.
Logged
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #5 on: May 03, 2003, 09:44:54 PM »

Why does the board not work when I change the password?

Why does the logo reside on another server?

I had to change the password back to the old one because the board doesn't work if I don't.

What file do I have to edit to match it to a new password if I wanted to change the account and FTP password?

Help.
Logged
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #6 on: May 03, 2003, 09:46:28 PM »

How do I restore that database?

Do I have to add a user to the database? If so, is the user the same as the FTP and Account Username?

What are the procedures for reconnecting it?
Logged
[Unknown]
Global Moderator
YaBB God
*****
Posts: 7830


Re:We are under attack! help
« Reply #7 on: May 03, 2003, 10:36:53 PM »

Edit Settings.php.

-[Unknown]
Logged
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #8 on: May 04, 2003, 12:07:46 AM »

Thank you, y'all saved my butt on this one. Nonya, a special mention for you my friend:

Without you we would still be up SH** creek without a paddle.

Thank you for all of your help, we appreciate it.

L-T-I Admins
Logged
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #9 on: May 05, 2003, 05:54:55 AM »

Well, we still have problems. I thought that it might help if I showed you the error I'm getting:

2: mysql_fetch_array(): supplied argument is not a valid MySQL result resource
(/home/learning/public_html/Sources/Blocks.php ln 216)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Here are the posts that the hacker has left behind (perhaps it can give you an idea of how he's accessing the admin-only files):



CourtneyDS 05-02-2003 10:57 PM
Newbie

Registered: May 2003
Location:
Posts: 10
Unreal
I can not believe "eyelfixit" banned me off the LTI forum ... I am not the hâcker ... Matrix / David Lindon.. it is NOT :



quote:
--------------------------------------------------------------------------------
Corrupted mysql database I'd say. It seems it removes all messages after 5 minutes or something.
--------------------------------------------------------------------------------



^^ You're kind of correct with that statement ... In all actuality.. "Vader" deleted posts and threads without even being on that forum ... Obviously.. as soon as someone posts.. you either have the Config or the database that stores that data ... <<>> Simply alter the files ... Hence : Root access ... Once a person gets one (1) the rest are simple ... Servers are not as secure as you might think ...

I can post the commands on how this is done but it is considered Crâcking ...

eyelfixit.. lighten up a bit.. I am not the hâcker / crâcker ... My god.. you really know how to make friends that can do what happened to you ... <<>> Personally speaking.. Vader backed up the config and database of every post he deleted ...

Believe it or not eyelfixit.. there are people out here that are a lot smarter than you are.. even though you have "Almost God" under your name ...

Sincerely
CourtneyDS



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CourtneyDS
Newbie

Registered: May 2003
Location:
Posts: 10
offtopic
Hi David Lindon.. prior to getting started here.. I have looked around your board and find it quite interesting ... There are a few topics that I feel I can assist and or add some positive input ...
/offtopic

Eyelfixit.. I have been reading a lot of your posts on the LTI forum and I find you almost as hysterical as the Iraqi information minister.. ( Remember him on TV.. lol ) ...

Who taught you people @ LTI PHP MySQL ? Why do you insist on telling people "Everything is OK" and It's fixed and or patched ?

^^ I believe it was less than 4 minutes after you made that statement that some of that board's posts mysteriously vanished ... <<>> How can that be ? ...

What did you type.. let me see if I can Quote you Eyelfixit :



quote:
--------------------------------------------------------------------------------
We have Identified, I.P.'s and Block's from the offending Proxie.

We alerted his I.S.P. and yes, the F.B.I. Cyber Crime Division.

Also, Pipson is not a hacker, he simply gained access to our database and corrupted it. No big deal and the hole has been patched up.
--------------------------------------------------------------------------------



^^ Now if I am banned.. how did I get the ^^ above ^^ Quote ?

Secondly.. it's spelt "Proxy" not Proxie

Thirdly.. You alerted his ISP and the FBI ? .. <<>> LMAO.. do you have any idea of the nonsense you're trying to push off on people with "Cyber Crimes" ... LOL ...

To top it all off Mr. abundance of information "eyelfixit from BC".. you're banning Internet protocol numbers galore in attempts to stop this ... <<>> Have you not a clue that this is not executed by being on any forum ... <<>> It is executed from outside the forum while you're banning every IP# in sight.. lol

Who is Pipson ? and what happened to that nice big thread on your board named "Pipson" ? ... OMG my ribs hurt from laughing so hard at the foolishness ...

Sincerely
CourtneyDS



Report this post to a moderator | IP: Logged

05-04-2003 10:13 PM


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CourtneyDS
Newbie

Registered: May 2003
Location:
Posts: 10

quote:
--------------------------------------------------------------------------------
Your quote is bogus and you're a fool. Simply copy and paste.
--------------------------------------------------------------------------------



^^ lol.. Vader took screen shots galore.. oh how we laugh ... First you stated it was a corrupted database.. <<>> as your members read that stuff ... Then.. you come up with some other nonsense for what happened as people read that too and now everything is bogus.. lol

If only you listened and not drove yourself into a name calling "hacker / Cracker" panic.. I would have told your elite portal installer how to block such attacks ... <<>> But no.. you start with the names as you're still doing while posts are still mysteriously vanishing ...

We have helped numerous people concerning this "Flaw" ... First the database is backed up.. then the vanishing posts.. then block the "Flaw" and then re-instate the original posts ... <<>> I do not see that happening on your forum.. you must be new at this stuff Iraqi information minister with that typically large male ego you have Eyelfixit ... Interesting name "Eyelfixit".. well then fix it ...:

Sincerely
CourtneyDS

Edit = Sorry David.. did not mean to disrespect your forum ...


Last edited by CourtneyDS on 05-04-2003 at 10:34 PM

Report this post to a moderator | IP: Logged

05-04-2003 10:32 PM

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
CourtneyDS
Newbie

Registered: May 2003
Location:
Posts: 10
Yes David.. I'd say this is just about over ...

EyeLid.. Oooops.. Eyelfixit.. lol had abundance of confidence that ALL is well.. <<>> again.. lol ...

Excuse me Eyelfixit.. Were you not to have a **STAFF MEETING **
or that thank you post for unbanning virturoso.. (or whatever his name is ) ... Didn't I tell you banning blocks of IP's would ban all sorts of people.. people that haven't even been to your forum ...
The funny thing is.. I am still not banned as you ban the heck out of every other IP.. lmao ...

What happened to the ** Staff MEETING ** post ?
What happened to the virturoso thank you post ?
What happened to all your other posts that you cut and pasted off the OLD Learning the internet forum ?

While we're on the subject.. how on god's green earth did all those Admin / Mod (sticky posts) from the OLD Learning the internet forum simply vanish ? ...

Sooooooo.. everything is all "patched up" now right ? ... lmao

Sincerely laughing her butt off
CourtneyDS

Ps : Oh.. those authorities are banging down our doors ... LMAO
Go back to bed kid and try another day  

Court



Report this post to a moderator | IP: Logged

05-05-2003 02:15 AM
Logged
Gobalopper
Mod Team
YaBB God
*****
Posts: 993


Cookie Monster

WWW
Re:We are under attack! help
« Reply #10 on: May 05, 2003, 06:08:00 AM »

Have you changed your admin and cpanel passwords yet?

And where is Blocks.php coming from? That file isn't included in the default install.

Or does that come from PfaBB?
« Last Edit: May 05, 2003, 06:08:49 AM by Gobalopper » Logged
Michele
Beta Tester
YaBB God
*****
Posts: 584


I can't wait for YaBB SE 2!

Mad+Moya WWW
Re:We are under attack! help
« Reply #11 on: May 05, 2003, 07:36:05 PM »

One problem is allowing embedded Flash files in the forums. Go into Installed Mods and remove the checkmark from "Embed Flash?". That will change all flash into links that open in a new window.

Second, change the passwords of all the Admins and GMs immediately - allowing flash has compromised them all. Change them yourself if you don't think your admins and GMs will actually do it themselves. Change your database password and CPanel password too if you can.

View your Member List by MemberGroup and double check the Position of everyone... make sure no one has admin/gm status that shouldn't. Check who else is "online" when the deletes happen - it could be your hacker logged on with a GM's name and password.

Check the raw access logs provided by your host. Scan them for "removeth" - when you find the IP that deleted the threads, add it to your ban list.

Right now, someone named Administrätor is on your site - are they real?

Gobalopper: Yes, Blocks.php is coming from PfaBB. :)

Good luck, Michele
Logged

formerly Mad Moya
PfaBB - http://pfabb.lunabyte.com
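
The access-log check described in the reply above, as an added example that is not part of the original thread or of YaBB SE: it scans log lines for the "removeth" substring and groups the matching requests by client IP. It assumes the host provides Apache combined-format logs; the sample lines, IP addresses and URLs are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)
NEEDLE = "removeth"  # substring named in the reply above

# Constructed sample log: documentation-range IPs, made-up URLs and query strings.
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2003:22:10:01 -0700] "GET /forum/index.php?board=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [04/May/2003:22:14:30 -0700] "GET /forum/index.php?action=removethread;threadid=41 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [04/May/2003:22:14:52 -0700] "GET /forum/index.php?action=removethread;threadid=42 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [04/May/2003:23:01:09 -0700] "GET /forum/index.php?action=RemoveThread;threadid=57 HTTP/1.1" 403 301 "http://example.invalid/page.html" "Mozilla/4.0"
truncated line from a rotated log
"""


def find_deletions(lines, needle=NEEDLE):
    """Map each client IP to its requests whose URL contains `needle` (case-insensitive)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed or truncated entry: skip rather than crash
        if needle in m["url"].lower():
            hits[m["ip"]].append(
                (m["time"], int(m["status"]), m["url"], m["referer"] or "-"))
    return dict(hits)


def summarize(hits):
    """Return (ip, request_count, first_seen, last_seen), busiest IP first."""
    rows = [(ip, len(r), r[0][0], r[-1][0]) for ip, r in hits.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    found = find_deletions(SAMPLE_LOG.splitlines())
    for ip, count, first, last in summarize(found):
        statuses = sorted({status for _, status, _, _ in found[ip]})
        print(f"{ip}  requests={count}  first={first}  last={last}  status={statuses}")
```

The status codes separate deletions the server accepted from ones it refused, and the timestamps can be lined up against the forum's "who is online" list for the same minutes.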
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #12 on: May 08, 2003, 12:19:38 AM »

Quote from: Gobalopper on May 05, 2003, 06:08:00 AM
Have you changed your admin and cpanel passwords yet?

And where is Blocks.php coming from? That file isn't included in the default install.

Or does that come from PfaBB?

Yes, all passwords were changed.

Blocks came from pfabb
Logged
Eyelfixit
Noobie
*
Posts: 13


I'm a llama!

Re:We are under attack! help
« Reply #13 on: May 08, 2003, 12:27:24 AM »

Quote from: Michele on May 05, 2003, 07:36:05 PM
One problem is allowing embedded Flash files in the forums. Go into Installed Mods and remove the checkmark from "Embed Flash?". That will change all flash into links that open in a new window.

Second, change the passwords of all the Admins and GMs immediately - allowing flash has compromised them all. Change them yourself if you don't think your admins and GMs will actually do it themselves. Change your database password and CPanel password too if you can.

View your Member List by MemberGroup and double check the Position of everyone... make sure no one has admin/gm status that shouldn't. Check who else is "online" when the deletes happen - it could be your hacker logged on with a GM's name and password.

Check the raw access logs provided by your host. Scan them for "removeth" - when you find the IP that deleted the threads, add it to your ban list.

Right now, someone named Administrätor is on your site - are they real?

Gobalopper: Yes, Blocks.php is coming from PfaBB. :)

Good luck, Michele

So you think that this is due to Flash?

Are you sure?

Here is the method they used:

$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n";
$ipaddr = inet_aton($host);
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Now, '$host' must be dead : )\n";

So I think.

Please advise for this is still happening, we have been down for almost a week now.
Logged
Gobalopper
Mod Team
YaBB God
*****
Posts: 993


Cookie Monster

WWW
Re:We are under attack! help
« Reply #14 on: May 08, 2003, 12:57:31 AM »

So these guys have no way to access your cpanel or forum admin pages yet they are still able to delete threads?
Logged