#1
10 May 2012, 09:32
pzet
Join Date: Jul 2007
Forum hacked, version 4.0.6 Patch Level 4

Hello,

Just found this morning that my forum was hacked. All IPs in "who is online" point to one and the same IP address: 194.1.150.194
The last registration attempt comes from this IP. From what I can remember, a few days ago someone with the same email address was trying to register from a Russian IP address.

I am using the advanced IP manager as well as the stop forum spam addon - I banned the initial IP address from registering.

Can anyone help, please?
Thanks
Peter
#2
10 May 2012, 09:53
deadlySniper
Join Date: Dec 2008
Location: New York
Real name: Ryan Carr
I know for one, I would upgrade. Second, have you banned the IP? Also, I usually would ask my host to ban certain countries. I was having issues with Turkish spam, so I had the country blocked.
#3
10 May 2012, 10:03
pzet
Join Date: Jul 2007
I am running the latest available security patch (for version 4.0.6) so from that end it should be fine.

To ban certain countries won't really help. By using the Tor browser a hacker can attack virtually from any country.
#4
10 May 2012, 10:10
deadlySniper
Join Date: Dec 2008
Location: New York
Real name: Ryan Carr
The only thing I can think of is that the version you have is not secure. I know when I was running 3.8.4 with PL, they released 3.8.5, which fixed more security issues that the previous patch level didn't fix. Also, do you allow same IP registrations or duplicate registrations?
#5
10 May 2012, 10:29
pzet
Join Date: Jul 2007
No duplicate registrations allowed.
#6
10 May 2012, 10:32
deadlySniper
Join Date: Dec 2008
Location: New York
Real name: Ryan Carr
My other thought is, did the person actually hack? Like did they get any admin? It could just be the person registering multiple accounts.
#7
10 May 2012, 10:34
pzet
Join Date: Jul 2007
No, that user was blocked - no registration.

There must be another loophole to access the database.
#8
10 May 2012, 12:12
borbole
Join Date: Jan 2010
Originally Posted by pzet:
> I am running the latest available security patch (for version 4.0.6) so from that end it should be fine.
>
> To ban certain countries won't really help. By using the Tor browser a hacker can attack virtually from any country.

No, it is not fine, as there are many security issues found in the later versions that affect your version as well. The best thing would be to upgrade to the latest stable version.

That said, can you ask your host to check their access logs for around the time of the hack and see what happened and how it did happen? That would help in identifying the point of entry and patch it up.
__________________
My mods.
#9
10 May 2012, 12:42
cellarius
Join Date: Aug 2005
Real name: Sven
Originally Posted by pzet:
> Hello,
>
> Just found this morning that my forum was hacked. All IPs in "who is online" point to one and the same IP address: 194.1.150.194

This is an IP address in Great Britain, belonging to Global Gold Network Provider. Any chance you're hosting with them?

Make sure your provider did not make any settings to his proxy, firewall or other network related setup. If IPs are not passed properly, all your users/guests will show as having the IP address of the proxy.
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB chose to go the banana-way yet again.

http://www.roma-antiqua.de

Last edited by cellarius; 10 May 2012 at 12:49.
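
The proxy effect cellarius describes in post #9, as an added example that is not part of the thread or of vBulletin's code: behind a reverse proxy, the logged client address should come from `X-Forwarded-For` only when the connecting peer is a known proxy, otherwise every visitor appears under the proxy's IP. Treating the address from the thread as the proxy is an assumption; the session records and function names are constructed for illustration.

```python
import ipaddress

# Assumption: the address from the thread is the host's proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("194.1.150.194/32")]

def is_trusted(addr):
    """True if addr parses as an IP and belongs to a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for=""):
    """Return the address the application should record for a request."""
    # The header is believed only when the TCP peer is a known proxy;
    # otherwise any visitor could forge X-Forwarded-For.
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost hops were appended by our own
    # proxies, so the first untrusted hop is the real client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not is_trusted(hop):
            return hop
    return remote_addr  # header missing or unusable: fall back to the peer

def looks_like_proxy_artifact(sessions):
    """One peer address for every session, but several forwarded clients."""
    peers = {s["remote_addr"] for s in sessions}
    clients = {client_ip(s["remote_addr"], s.get("xff", "")) for s in sessions}
    return len(peers) == 1 and len(clients) > 1

# Constructed "who is online" records (documentation-range client addresses).
SESSIONS = [
    {"remote_addr": "194.1.150.194", "xff": "203.0.113.7"},
    {"remote_addr": "194.1.150.194", "xff": "198.51.100.23, 194.1.150.194"},
    {"remote_addr": "194.1.150.194", "xff": "192.0.2.44"},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["remote_addr"], "->", client_ip(s["remote_addr"], s["xff"]))
    print("proxy artifact:", looks_like_proxy_artifact(SESSIONS))
```

If `looks_like_proxy_artifact` returns False because no forwarded addresses are present at all, the proxy is not passing the header and the fix belongs in the host's proxy configuration rather than in the forum.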
#10
10 May 2012, 12:52
pzet
Join Date: Jul 2007
Originally Posted by cellarius:
> This is an IP address in Great Britain, belonging to Global Gold Network Provider. Any chance you're hosting with them?
>
> Make sure your provider did not make any settings to his proxy, firewall or other network related setup. If IPs are not passed properly, all your users/guests will show as having the IP address of the proxy.

Thanks for your reply. Yes, I am hosting my forum with Globalgold.
Just contacted the hoster, they are working on the issue.

Thanks