phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group


Some Questions After My Site Was Hacked
roadhog
Board Member
Joined: 19 Nov 2008
Posts: 95
Location: Central Texas
Posted: Fri Dec 19, 2008 6:03 am
Post subject: Some Questions After My Site Was Hacked

Early Sunday morning, my site was hacked. The index page wouldn't load when I tried to access it, and a check of the database showed that the phpbb_users table contained zero rows, (which explained why the index page wouldn't load, since the anonymous user was even deleted). Anyway, after restoring the contents of that table from a backup, I ran a security check, using "Toolkit", and found nothing wrong.

Everything seems to work correctly, except that when I access the admin panel, (by means of a re-authorization), if I click on the "User list" link, after it loads, another "Authentication Required" window will pop up, and it includes this line:

Quote:
Enter username and password for http://63.147.61.47


Clicking on the "X", or the "Cancel" button, will close the window, and everything seems to work normally after that, except that if I re-enter the admin panel, and click on the "User list" link again, the same thing will happen.

Anyway, suspecting that IP address might be a clue left by the hacker, I tried to check it out, but a reverse DNS lookup either times out, or shows a nonspecific U. S. location, or yields a message that it doesn't exist.

I'm far from an expert on this stuff, so can anyone offer some insight on what's happening here? Where is that window coming from, (where in the files might it be located), and what might it imply, (in terms of spying, or whatever)? What am I overlooking? Is there a way to actually track that IP address down?

I'm wondering if someone got upset after the board's registration procedure wouldn't let his bot register, so he tried something else that didn't work, but it deleted everything in the table - or maybe he did that intentionally, for all I know. I checked with my host, but they assured me that no one else's board on that server was hacked, so it may not have been a random act. Anyone ever hear of this before?

I'm running phpBB2.0.23, but I've probably added between 150 and 200 mods, over the years. Thanks for any insight that anyone might be able to offer.

Wayne

This is the site: http://www.perskyfarms.com/phpBB2/index.php
Sylver Cheetah 53
Board Member
Joined: 17 Dec 2008
Posts: 426
Location: Milky Way
Posted: Fri Dec 19, 2008 10:21 am
Post subject: Re: Some Questions After My Site Was Hacked

Here is what I've found:
IP Address 63.147.61.47
Host 63.147.61.47
Location US US, United States
City Emeryville, CA 94608
Organization Evocative
ISP Qwest Communications
AS Number AS11691
Latitude 3783'42" North
Longitude 12228'97" West
Distance 10410.26 km (6468.63 miles)

OrgName: Qwest Communications Corporation
OrgID: QCC-18
Address: 1801 California Street
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

NetRange: 63.144.0.0 - 63.151.255.255
CIDR: 63.144.0.0/13
NetName: QWEST-INET-8
NetHandle: NET-63-144-0-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: DCA-ANS-01.INET.QWEST.NET
NameServer: SVL-ANS-01.INET.QWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: NOTE: For abuse issues, please email abuse@qwest.net.
RegDate: 2000-03-13
Updated: 2005-11-15

I've used this: http://cqcounter.com/whois/
I think you can send an email to abuse@qwest.net

Jim_UK
Board Member
Joined: 19 Nov 2008
Posts: 551
Location: North West UK
Posted: Fri Dec 19, 2008 12:04 pm
Post subject: Re: Some Questions After My Site Was Hacked

I take it that the IP is not the IP of your site server?
No one whose bot failed to register would go to the trouble of doing anything. Why bother when there are hundreds of thousands of sites that it could register on?
It may not be a hack at all - after all, what has the hacker gained? Have they defaced your site with "U woz hacked by Turkish crew" or anything like that?
Check your site's configuration and see what is in the place of your domain name. My "guess" would be that something has happened to your database (maybe the host had a MySQL server problem).
Have any files been changed or added?
The toolkit looks at database entries only - look manually yourself by ftp. Look for anything that you may not have uploaded yourself. Do not delete anything you do not recognise without downloading it and checking it as some files/directories may be added by the system when the account is created.

Jim
roadhog
Board Member
Joined: 19 Nov 2008
Posts: 95
Location: Central Texas
Posted: Fri Dec 19, 2008 3:20 pm
Post subject: Re: Some Questions After My Site Was Hacked

Thanks gents,

I had found the "Qwest" info, of course, but certainly not the "Evocative" info, so thanks, I'll look into that.

One of the first things I did was to ask a techie at my ISP if he recognized that IP address, and he assured me that it had nothing to do with them. The domain name and everything else in the configuration file appears to be fine. I did go through the directory, before I posted, to check the "date modified" on all the files, and nothing appears to have been changed, (except for the phpbb_user data, of course), other than changes that I made myself, a few weeks ago. I also looked through a few of the files, (such as the index page, usercp_register, etc.), and I was unable to detect anything out of order.

I'm gonna do some more checking. I definitely appreciate the help.

Wayne
roadhog
Board Member
Joined: 19 Nov 2008
Posts: 95
Location: Central Texas
Posted: Fri Dec 19, 2008 4:32 pm
Post subject: Re: Some Questions After My Site Was Hacked

OK, I think I found the problem. I discovered that IP address inside a user's avatar data, which means that it had to be in the backup data that I restored:

Quote:
http://63.147.61.47/10504/10504-020-013t.jpg


Evocative, Inc. appears to be a legitimate service provider, and that is indeed their IP address. This user is a trusted friend, but she hasn't posted in about three months, and I had noticed that her avatar wasn't showing up as far back as maybe a year ago. This "Authentication Required" window, however, didn't show up until Sunday, (after the data were restored). It's possible that her avatar was indeed stored on one of their servers, since they are in the business, and they do indeed list Qwest as a business associate.

I still don't understand the implications of all this, but I note that when I delete the data from the avatar field for that member, the problem disappears.

So now I wonder if the site was actually hacked, or what? My ISP admits that they were having server problems during that time frame, but they insist that after checking everything out, what happened, (the deletion of all the user data), couldn't have occurred because of their server issues. I'm suspicious, of course. Are my suspicions unjustified?

Thanks for all your help.

Wayne
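The window described in this thread is the administrator's own browser asking for credentials for the image host: a remote avatar is an image URL that every visitor's browser fetches, so a host that answers with an HTTP authentication challenge produces exactly that prompt on whichever page renders the avatar. As an added example, not code from the thread or from phpBB2 itself, the script below scans a phpbb_users table for remote avatars hosted outside the board's own domain and flags bare IP addresses, so a prompt like this can be traced to its row. The sample rows, the trusted-host list and the avatar-type value 2 (phpBB2's USER_AVATAR_REMOTE, assumed here) are constructed.

```python
import ipaddress
import sqlite3
from urllib.parse import urlparse

# phpBB2 stores the avatar kind in user_avatar_type; 2 marks a remote URL
# (USER_AVATAR_REMOTE in phpBB2's constants.php, assumed here).
USER_AVATAR_REMOTE = 2

# Hosts the board itself serves content from. Anything else is an external
# fetch made by every visitor's browser when that member's avatar is rendered.
TRUSTED_HOSTS = {"www.perskyfarms.com"}

# Constructed sample of a phpbb_users table; the IP-based URL mirrors the one
# found in the thread, the other rows are made up.
SAMPLE_ROWS = [
    (-1, "Anonymous", 0, ""),
    (2, "wayne", 1, "2_1225000000.jpg"),
    (17, "friend", 2, "http://63.147.61.47/10504/10504-020-013t.jpg"),
    (23, "member2", 2, "http://www.perskyfarms.com/phpBB2/images/avatars/me.gif"),
    (31, "member3", 3, "gallery/cat.gif"),
]


def load_sample_db():
    """Build an in-memory stand-in for the real phpbb_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT,"
                 " user_avatar_type INTEGER, user_avatar TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?,?,?,?)", SAMPLE_ROWS)
    return conn


def is_bare_ip(host):
    """True when the avatar host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_external_avatars(conn, trusted=TRUSTED_HOSTS):
    """Return (username, url, host, bare_ip) for remote avatars on untrusted hosts."""
    findings = []
    cur = conn.execute("SELECT username, user_avatar FROM phpbb_users"
                       " WHERE user_avatar_type = ?", (USER_AVATAR_REMOTE,))
    for username, url in cur:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted:
            findings.append((username, url, host, is_bare_ip(host)))
    return findings


if __name__ == "__main__":
    for username, url, host, bare in find_external_avatars(load_sample_db()):
        print(f"{username}: {url} -> host {host}{' (bare IP address)' if bare else ''}")
```

On a live board, point the query at the real MySQL table instead of the sample database; clearing or rehosting the flagged avatar removes the external fetch, which is what made the prompt disappear in this thread.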
Jim_UK
Board Member
Joined: 19 Nov 2008
Posts: 551
Location: North West UK
Posted: Fri Dec 19, 2008 6:34 pm
Post subject: Re: Some Questions After My Site Was Hacked

roadhog wrote:
I'm suspicious, of course. Are my suspicions unjustified?

Thanks for all your help.

Wayne


Jim_UK wrote:
My "guess" would be that something has happened to your database (maybe host had a mysql server problem)


That was the first thing that crossed my mind, as hackers usually deface or "take over".

Jim
All times are GMT