Tyler Got Hacked!

January 8, 2007 Posted by Tyler Cruz

Where to start?

This all happened two days ago while I was away from my computer. I was eating a melted bologna and cheese sandwich with a glass of cold milk, listening to the radio and reading a poker magazine when I heard the AIM “BA-BING” message sound from my computer. Obviously I didn’t go and check who it was, since it’s not exactly a rarity for me to receive IMs and e-mails.

I took my time, doing errands around my apartment, and went back to my computer a couple of hours later.

At first, I didn’t notice anything. I usually have a ton of windows open, so I didn’t see the message from my friend and moderator of PokerForums.org, which said “so I assume you know about the hacker”. Hmmm. Hacker? Say what now, sir? I didn’t reply just then, and went on to check the status of my sites as I always do throughout the day. It’s my routine.

When I got to PokerForums.org, the first thing I noticed during the milliseconds the site loaded was that I was logged out. The second thing I noticed was that the forum was replaced with a message along the lines of “PokerForums has been hacked. Please do not be mad. E-mail me at *email* to contact me.”

Uh-oh.

I didn’t get mad or upset. I don’t think I even furrowed an eyebrow; I have a pretty good poker face, but I have an even better demeanor. I also try not to get upset over things that I shouldn’t be. However, I was most definitely concerned and eager to solve this issue.

I also wasn’t terribly worried, as I was pretty sure that the compromise was limited to PokerForums.org. I was also pretty confident that it had been obtained through a vBulletin exploit, most likely one found after v3.6.1, which is what I was running. I was beginning to wish I had upgraded to 3.6.4.

Lastly, I felt that the hacker was a reasonable person to deal with; why else would he leave his e-mail? If he really wanted to do damage, he’d remain as hidden as possible, trying to dig further and further in. Or he’d erase everything, or something. I used to be a script kiddie/hacker way back in the day, in my mid-teens. I enjoyed the culture, but enjoyed the challenge and the learning process even more. I actually obtained the highest levels on such (lame) online hacking challenges as Arcanum, CyberArmy, and SlyFx (however, that was nearly a decade ago and the Internet has changed a lot, and whatever I knew then, I’ve forgotten now). Therefore, I understood that many hackers today still go by the old hacker’s code (no pun intended), which is really to hack for the challenge of it and not to inflict any real harm. Usually such a hacker will hack a site, put up a splash page or message, then explain to the owner how they got in and how to secure it.

Basically, if you’re going to get hacked, you want to get hacked by this type of hacker. In a way, and this is how they view it as well, they’re helping you out before a more malicious hacker gets in and does some real damage.

So, while I felt that he may be one of these ‘robin hood hackers’, I was also annoyed that he had essentially shut down my site.

The first thing I did was contact the head of the server administration company I hired. I prepaid them up front for a year’s worth of service a couple of months ago, and I’ve been absolutely loving them.

Me> Hey you there?
Him> Hi.
Me> I just got hacked.
Him> Okay, hang on, I’m getting my head of security in here.

Within 15-20 seconds of contacting them, I was already talking to their head of security guy. Nice.

He went in and tried to solve the issue. Apparently my forum username’s e-mail and password had been changed. He believed that the server wasn’t compromised beyond the forum:

“well so far it looks like the server wasn’t in any way compromised, no commands were executed, so my best guess is an SQL injection vulnerability in the vbulletin forum or another script”

While he was working away on the problem, I sent an e-mail to the hacker, giving my MSN and AIM and asking him to contact me back.

After about half an hour or so, the site was basically restored back to normal. The security guy went into the database and changed my e-mail to his, requested the password through the site’s password request feature, then changed the password and got the forum back up again.

However, obviously we weren’t safe just yet. It was more of a race with the hacker; we didn’t want him to come back, see the forum restored, and get angrier. So after I fixed some image and style changes he had made (basically changing the forum status icons to ‘hacked’ images, etc.), I went and upgraded the forum to 3.6.4, the latest vBulletin version.

However, I checked the change logs for those versions, and didn’t see any security fixes other than a pretty small XSS issue. So I was still a bit apprehensive about the security of the site.

The next day, the hacker added me to MSN and we spoke.

I believe he was Russian, judging by his speech. And I found out that he was indeed a ‘robin hood hacker’, as I had suspected. Lucky for me. The biggest surprise, and scare, to me was when I found out that the compromise wasn’t limited to just the forum after all. He actually had server/database access!

I trudged through his broken English and found out step by step how he gained such access:

1. I run a few plug-ins on the site, one of them being a chatroom. This was how he got in. Apparently the install files were still on the server, active and accessible. He simply went to the install URL of the chatroom script and hit the “continue” button. From there, the script automatically detects and fills out the site’s database information, including the database name, username, and password.

2. He then went into the database and changed the e-mail on my account, which obviously had administrator access. He then submitted a password request through the forum and changed the password (he couldn’t do this directly via MySQL, as the password is encrypted).

3. By now he had database access and forum access. He then changed the forum’s settings to allow PHP files to be added as attachments, and uploaded a malicious confige.php attachment by posting it on the forum.

4. He then ran this file. It could have been really bad, wiping out the site completely or planting trojans around the server; fortunately for me, it was actually a script that searched the server for more exploits, probably trying to obtain root.

And there you have it.

Now, I’m normally pretty good at being secure and aware of security. When I had installed the chatroom plugin, its installation instructions never stated (I double-checked this yesterday) that certain installation files should be removed after installing. I followed their instructions to a T, but since they didn’t tell me to delete the install files, I had assumed that they’d be inaccessible or something. Really though, I kind of just forgot about them.

I’ve since upgraded the chatroom from 4.7.2 to 4.7.7, and fortunately the new instructions clearly state to remove the installation files afterwards. The installation script even shows a warning in red text if they are still there after it’s installed. Good.
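A post-install self-check for the two mistakes that steps 1 and 3 above relied on, added here as an example and not code from vBulletin, the chatroom script, or this post: it walks your own web root for leftover installer files and directories, and flags any attachment extension a PHP-backed server would execute. The installer name pattern, the executable-extension set, and the sample allowed-extension list are assumptions.

```python
import os
import re
import sys
from pathlib import Path

# Names that setup scripts commonly leave behind (assumed pattern; extend it for your own add-ons).
# Matches e.g. "install", "install.php", "install_chat.php", "setup.php", "upgrade.php".
INSTALLER_NAME = re.compile(r"^(install|setup|upgrade)([_-]\w+)?(\.php)?$", re.IGNORECASE)

# Extensions a PHP-backed web server would execute if served from the attachment directory (assumed set).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}


def find_leftover_installers(webroot):
    """Return web-relative paths of installer files or directories still present under webroot."""
    root = Path(webroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if INSTALLER_NAME.match(name):
                rel = (Path(dirpath) / name).relative_to(root)
                hits.append(str(rel).replace(os.sep, "/"))
    return sorted(hits)


def risky_attachment_extensions(allowed):
    """Return the configured attachment extensions that the web server could execute."""
    normalized = (ext.lower().lstrip(".") for ext in allowed)
    return sorted(ext for ext in normalized if ext in EXECUTABLE_EXTENSIONS)


def audit(webroot, allowed_attachment_extensions):
    """Run both checks; empty lists mean the web root and attachment policy pass."""
    return {
        "installers": find_leftover_installers(webroot),
        "risky_extensions": risky_attachment_extensions(allowed_attachment_extensions),
    }


if __name__ == "__main__":
    # Usage: python check_install.py /path/to/webroot  (attachment list below is a sample, not a real config)
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".", ["jpg", "png", "txt", "zip"])
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it from a cron job or deploy hook so a forgotten installer fails the check before anyone else finds it.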

Lesson to be learned here?

I believe there are two lessons here:

1. There are still hackers out there, so be aware and pay attention to security. I believe there used to be a lot more hackers in the late ’90s than there are today, partly because of tougher laws, but also because technology has advanced and programming practices, etc., have become a lot more secure. But don’t let that give you a false sense of security; there are still hackers out there, as I know all too well now!

2. Don’t take security for granted. That’s what I did with the chatroom script. I had assumed, since I followed the installation instructions perfectly, that I had done everything I could and should have. I shouldn’t have taken security for granted, and should have checked whether the installation files were still accessible to others.

Be safe out there folks :P

Good luck and good earnings!

Posted: January 8th, 2007 under My Websites  

20 Responses to “Tyler Got Hacked!”

  1. Lewis says:

    You should change your MySQL access hosts to just localhost. That way only the server will be able to connect to the MySQL database. So he wouldn’t have been able to do anything with your MySQL details even after exploiting the chat room :P

  2. tylercruz says:

    You know, you’re right. I believe I had changed it to “ALL” when I was doing some remote work between servers or something. I’ll go change that now.

  3. tylercruz says:

    Actually, I remember why I can’t now. I have MySQL on one server and Apache on another. In Webmin I can only specify one IP/hostname at a time; when I actually need two…

  4. zigire says:

    At least now you’ll always remember to delete install files after use! ;)

    Good post.

  5. Nice post Tyler, glad to see you got hacked without suffering any major losses.

    It look like you’re taking everyone’s advice and getting back to discussing your web sites!

  6. […] PokerForums.org hacked A large poker site was hacked on Jan.6/2007, find out how it was done, and how to avoid this happening to you. TylerCruz.com: An Internet Entrepreneur’s Journey Tyler Got Hacked! Geoserv. […]

  7. Eli Burford says:

    Is every user on Digg so extremely harsh? You should check out some of the comments on your Digg post..

  8. rayden says:

    Ah so you played Cyberarmy? ;) I was there too, around 2002. Just thought you might enjoy the games at the url below:

    http://www.rankk.org/

  9. tylercruz says:

    Eli – Yeah, well that’s Digg for you. All that matters is how many people ended up Digging it. Obviously the ‘haters’ are gonna comment more than the non.

    rayden – That was a long time ago :) I was on Lt.Kernal forever (level 6).. like 8 months or something.. couldn’t find a .su proxy, then I believe they changed it to allow .ru then I made it to Kernel if I remember correctly… Cyberarmy was fun.. real sense of community.

  10. John D says:

    good to see site related blogs again :)

  11. Idris says:

    Seems a few others have been attacked as well (at the moment JohnChow.com is down (screenshot: http://img393.imageshack.us/img393/236/jchackedep3.jpg), as it appears the server his blog is hosted on has been hit).

    I guess it should serve as a reminder for people to back up their sites and ensure that they have plans in place to restore damaged sites (it can be a pain to get into the habit of such backups, but scripts are exploited every day and there are a whole host of hackers, good or bad, ready to use them to deface and damage vulnerable sites).

  12. Jane says:

    That’s strange. I was linked to John Chow’s site about 2 or 3 hours ago and to my dismay, it didn’t show up. What showed up instead was a black screen with Death riding on a horse. Apparently, the hacker was Turkish and sent a nasty anti-bush message that I don’t care to repeat. Anyone else see this?

  13. maps says:

    be lucky u got hit by a dumbass, real hackers know how websites make money and that’s what a real hacker’s after. $$$

    And u wouldn’t have ever known unless you checked every piece of your code

  14. maps says:

    and why could i write a post on u blog just now when i signed up? that’s weird

  15. Tyler says:

    Crazy!

    Odd little streak of hacking eh?

    Stephen told me that it was Joomla that got exploited on their server and that is how they got access to his and John’s site.

    Nice to see though that you found out how he did it and he wasn’t malicious about it.

  16. dr00t says:

    I’m a bit puzzled about how the “Head of Security” at your hosting company claimed the server was not compromised, but you went on to say that it was in fact actually compromised.

    I would call the guy back and tell him how he was wrong. Maybe he isn’t such a good head of security after all?

    What company do you use to manage your servers?

  17. tylercruz says:

    dr00t – That’s a good comment.

    The hacker told me that he had removed all traces of his path of destruction inside, except for the malicious script he left there.

    I could be wrong, but I don’t think that there was any real way of detecting his presence as a result…

    But I could very well be wrong…

  18. […] Tyler Cruz The strongest post with 60 backlinks is Tyler Got Hacked! […]

  19. John Merle says:

    great post. 271 diggs, wow, i dugg 1 more.
