[RiverSalmon]

Hello

I need your help guys/girls. My forum was hacked yesterday. Nothing out of the ordinary there, Ive seen other IPB boards hacked, but usually its a one time thing. Not in this case. We don't know the guy who is hacking us, never talked to him before, yet he is going personal with us. Changing our signatures, re-directing the main page to a [bleep] one (specially disturbing since ours is a soccer forum and many kids visit it). He signed his hack like this:



and he is using I suppose a proxy, with the IP 68.87.66.101.

We have tried to have a civilized conversation with him, but theres no use. He keeps basically destroying our forum. The main administrator is going to update the forum, but I don't think this type of behavior should go unpunished. What can we do? theres no doubt that two days of lost posts and all kind of inconveniences to our users should receive an explanation.

Regards

Edited by ScHwErV, 02 April 2006 - 07:03 PM.

[Advertisements]

Hey there RiverSalmon.

Yip you right, this issue has come up many times before. The first thing you should do is change your administrators password and if there are more administrators then ask them to change there passwords aswell. When selecting a password try using certain characters (eg. dsfd DGNB #%$ 34324) this is including numbers, special characters, upper and lower case letters and keep the number of characters at a minimun of 6. Many crackers use programs that brute force your account and try and guess your password. Choosing a multi typed character password will be almost unstopable.

Once you have changed your password it is best to check out your "admin logs" and look for an IP that is not firmilliar. You can then do a (WHOIS) this is to check things like what ISP he is using. You can then report his IP to his ISP and notify them that he has been doing melisious things. (eg. hacking you) They can iether take the problem futher and lay criminal charges against the guy, or they will disconnect his internet and try and stop him from using the internet again. (Shame)

If you have lost many posts on your forum, then it is best that you ask your forum provider (eg. Invision) to put back all the old posts. They usually keep backups on there database. You can do this by entering your admin Control Panel and sending a "Support Ticket"

I hope this helped a bit. It is best to keep your passwords safe and change them on a regular basis. If in future you have any suspision of being hacked. The first step is by changing your password to stop futher damage. There is also an option in your admin CP that allows you to close down the site for a number of days or hours. This is also to avoid anymore damage. If you have more questions dont hesistate to ask.

Cool

[Spike]

Hey there RiverSalmon.

Yip you right, this issue has come up many times before. The first thing you should do is change your administrators password and if there are more administrators then ask them to change there passwords aswell. When selecting a password try using certain characters (eg. dsfd DGNB #%$ 34324) this is including numbers, special characters, upper and lower case letters and keep the number of characters at a minimun of 6. Many crackers use programs that brute force your account and try and guess your password. Choosing a multi typed character password will be almost unstopable.

Once you have changed your password it is best to check out your "admin logs" and look for an IP that is not firmilliar. You can then do a (WHOIS) this is to check things like what ISP he is using. You can then report his IP to his ISP and notify them that he has been doing melisious things. (eg. hacking you) They can iether take the problem futher and lay criminal charges against the guy, or they will disconnect his internet and try and stop him from using the internet again. (Shame)

If you have lost many posts on your forum, then it is best that you ask your forum provider (eg. Invision) to put back all the old posts. They usually keep backups on there database. You can do this by entering your admin Control Panel and sending a "Support Ticket"

I hope this helped a bit. It is best to keep your passwords safe and change them on a regular basis. If in future you have any suspision of being hacked. The first step is by changing your password to stop futher damage. There is also an option in your admin CP that allows you to close down the site for a number of days or hours. This is also to avoid anymore damage. If you have more questions dont hesistate to ask.

Cool

[Major Payne]

and he is using I suppose a proxy, with the IP 68.87.66.101.

Had to query just out of curiousity for this.

Here's results:

Initiating server query ...
Looking up the domain name for IP: 68.87.66.101
The domain name for the IP address is: cdn-ce-den-t1-02.cmc.co.denver.comcast.net
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server's default page.
The server returned the following response headers:
HTTP/1.0 400 Bad Request
Proxy-Connection: Close
The server's response did not contain the expected 'Server:' header to identify itself. Therefore, server's identity can not be determined.
Query complete.

Ron

[Thef0rce]

you *must* keep forum software updated. If you subscribe to mailing lists such as bugtraq, you'll know that there's literally tons of exploits for forums every day. If the server is running old software, its just asking for script kiddies to come and mess around. The blessing is that IPB and phpbb both release patches very frequently.

up to date boards prevent people from taking exploit code that other people have written and trying them on your server. This alone helps to weed out the script kiddies who actually don't know how to hack but are running code randomly in hope that it works.

[RiverSalmon]

Thanks spike_hacker_inc, Major Payne and Thef0rce. Ive updated the forum to IPB 2.1.5 and things look fine so far.

spike_hacker_inc:

Ive followed your recommendations. Many thanks. You helped me/our forum a lot.