I was Hacked

This is where you'll find security-related information.
Discuss Integramod/phpbb security issues here.

Moderator: Integra Moderator

PostAuthor: ErikG » Sat Aug 26, 2006 3:22 pm

Could it be that it is simply written "down below"? As they seem to search via Google or some such and look for powered by integramod etc., but here it says powered by kismod.

Could it be so simple?

PostAuthor: Solomon » Sat Aug 26, 2006 3:31 pm

ErikG wrote:
> Could it be that it is simply written "down below"? As they seem to search via Google or some such and look for powered by integramod etc., but here it says powered by kismod.
>
> Could it be so simple?

My latest referrer was http://www.alltheweb.com and the search text was "Powered by KisMod © 2004, 2006 The Integramod Group".

I see the only difference here is 2001, 2006, but mine doesn't say KisMod, it said IntegraMOD, so it was found anyways. They use the search engines to find forums to victimize, but I'm sure they know the main URL here as well. So no, it can't be that simple. I would think they would target this site first, then the rest of the sites. It would sure suck if we couldn't get help here because it was down. *knock-on-wood*

You can block referrers in the ACP, or a better method is to block them in the ".htaccess" file. Information on how can be found here: http://www.javascriptkit.com/howto/htaccess14.shtml

Re: I was Hacked

PostAuthor: evolver » Sat Aug 26, 2006 4:25 pm

Euhm, how many of these hacked sites have a link on integraMOD2.com...
...or maybe even still on integraMOD.com ??

No need for Google to find these...
No need for 'Powered by' keywords to find these...

There are easier ways to find integraMOD sites than just by using Google...
And of course, that could also be a very good reason why integraMOD.com hasn't been hacked yet...

Just don't focus at one direction only...
Think about every possibility, because that's how hackers think as well...
Always remember you're unique, just like everyone else.
We are born naked, wet and hungry. Then things get worse.
Don't take life too seriously, you won't get out alive.

Re: I was Hacked

PostAuthor: joescamera » Sun Aug 27, 2006 12:33 pm

Hello - I was also hacked on the 24th and again the 25th (after I'd successfully got my site back and running by replacing the config.php file).

Unfortunately, when "they" hacked me on the 25th, EVERY file and folder was deleted from my host's server (this was Saturday and have been siteless since).

I received an email from my host this evening after constant chasing, which may or may not help the current issue:


Thank you for contacting us.

Searching your access logs it seems your site was hacked on the 24th
(and again today). I will restore a backup from the night of the 23rd
which should contain everything you are missing. I recommend updating
your phpbb forum to the newest version because it seems that is how they
got in. If you look in your logs folder at the access.log.34.4.gz file
you will see they posted a pomponk.txt file which is actually a php
script used to hack your space. The IP it comes from is 202.138.226.3
which is an Indonesian ip, which has a high rate for these things. I
will let you know as soon as the back is restored.


Obviously I don't want to just start using the software again as is, but am pretty new to "locking down" software etc - can anyone recommend some sensible precautions to make that will enable me to continue using my site for visitors to upload and post, without too much risk to my site / server?

Many thanks.

PostAuthor: Unregistered » Sun Aug 27, 2006 1:02 pm


Re: I was Hacked

PostAuthor: jwernerny » Sun Aug 27, 2006 2:25 pm

I'm pretty sure these hacks are actually cross contaminations from a master server. The quick and simple way to prevent them may be to obfuscate (hide) the forum source directories and use .htaccess to make it look like things are in the expected location.

I'll explain. Let's say I am a hacker and I have compromised a website with the c99 shell script. If I know that IM1.4.0 is normally installed in "forum" and has open directories of "files," etc., and I am on a host that seems to assign user names in a regular fashion, then I can quickly infect other sites by trying to blindly write into the directories.

For instance, let's say on host "ABC_XYZZY_Hosting.com", I have found that users are given IDs in the form of "user0001", "user0002", "user0003", etc.; then I can start randomly trying to write to /home/user0001/forum/files, then /home/user0002/forum/files, etc.

BTW, I got hacked this morning. I found 2 copies of c99 shell, one in files and the other someplace else. I am on WB-Hosting. If you use WB-Hosting, I strongly suggest you check things out and take some steps to make sure the well known directories are not accessible.

- John

PostAuthor: jwernerny » Sun Aug 27, 2006 2:35 pm

PS: Once you are hacked, I would suggest creating a new database user name with a new password.

Cross contaminations from a master server!

PostAuthor: Michaelo » Sun Aug 27, 2006 3:38 pm

Cross contaminations from a master server!

This is definitely happening, I have come across it earlier today... If someone hacks a site they can, by use of the c99 shell script (and other scripts), as explained by jwernerny above, screw up any other phpBB/IntegraMod based site on the same server...

It is up to us to be vigilant, therefore it is necessary to check your site for any file that should not be there. Note some of these files may have a php extension; if in doubt about a file, check your original upload source.

Mike
Kiss Portal Engine phpbbireland (status: Released)
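The check described in the post above (look for files that should not be there and compare against the original upload source), sketched as an added example that is not part of the original thread or of IntegraMOD. The function names `audit_tree` and `build_sample` and all file names in the sample are constructed for illustration; it also flags unexpected files that contain PHP code whatever their extension, since the host's email earlier in the thread describes a .txt file that was really a PHP script.

```python
import hashlib
import tempfile
from pathlib import Path


def _digests(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def audit_tree(clean_root, live_root) -> dict:
    """Compare the live site against a clean copy of the original upload."""
    clean, live = _digests(Path(clean_root)), _digests(Path(live_root))
    unexpected = sorted(set(live) - set(clean))
    return {
        "unexpected": unexpected,
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        # Unexpected files that contain a PHP open tag, whatever the extension says.
        "php_content": [f for f in unexpected
                        if b"<?php" in (Path(live_root) / f).read_bytes().lower()],
    }


def build_sample(base: Path):
    """Constructed sample: a tiny 'original package' and a tampered live copy."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "files").mkdir()
        (root / "index.php").write_text("<?php echo 'forum'; ?>")
        (root / "includes" / "functions.php").write_text("<?php /* original */ ?>")
    (live / "includes" / "functions.php").write_text("<?php /* altered */ ?>")
    (live / "files" / "notes.txt").write_text("<?php /* script disguised as text */ ?>")
    (live / "files" / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed image bytes")
    return clean, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir, live_dir = build_sample(Path(tmp))
        for kind, paths in audit_tree(clean_dir, live_dir).items():
            print(f"{kind}: {paths}")
```

On a real site, config.php and user uploads will legitimately show up as modified or unexpected, so the report is a list to review by hand rather than a verdict.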

Re: I was Hacked

PostAuthor: jwernerny » Sun Aug 27, 2006 4:08 pm

Okay, I have just looked at my raw logs. My hacker definitely came through the functions.php exploit, not cross contamination. Still, I would be wary.

- John

PostAuthor: gcomfx.com » Sun Aug 27, 2006 5:45 pm

My host shut me down.

My integramod forum was spamming.

Includes folder was sending out 4540 emails.

UGH.... I'm trying to get my host to let me put up an announcement page and leave everything else off until a solution is found for all of this.
Paul (gcomfx) - 100mphclub.com originator

PostAuthor: gcomfx.com » Mon Aug 28, 2006 8:53 pm

Okay guys, I basically killed my cpanel account and started all over. I have yet to upload integramod.

However, in my error log, I'm showing a lot of attempts to get to:

community/phphtmllib/tag_utils/divtag_utils.php

and

community/export.php

Could this be the hackers still looking? I've never seen the directory /phphtmllib before.

PostAuthor: InoculateIT » Mon Aug 28, 2006 9:41 pm

InoculateIT wrote:
Did you CHMOD the files?

CHMOD all files 644 except the ones mentioned in the integramod_install_guide_page1.htm

I have never been hacked :)

PostAuthor: Jacky » Tue Aug 29, 2006 12:10 am

So people with files CHMOD to 644 and folders CHMOD to 755 won't get affected by this?

PostAuthor: Michaelo » Tue Aug 29, 2006 4:56 am

Security updates located here
