Where to start?
This all happened two days ago while I was away from my computer. I was eating a melted bologna and cheese sandwhich with a glass of cold milk, listening to the radio and reading a poker magazine when I heard the AIM “BA-BING” message sound from my computer. Obviously I didn’t go and check who it was since it’s not exactly a rarity for me to receive IM’s and e-mails.
I took my time, doing errands around my apartment, and went back to my computer a couple of hours later.
At first, I didn’t notice anything. I usually have a ton of windows open, so I didn’t see the message from my friend and moderator of PokerForums.org, which said “so I assume you know about the hacker”. Hmmm. Hacker? Say what now, sir? I didn’t reply just then, and went on to check the status of my sites as I always do throughout the day. It’s my routine.
When I got to PokerForums.org, the first thing I noticed during the milliseconds the site loaded was that I was logged out. The second thing I noticed was that the forum was replaced with a message along the lines of “PokerForums has been hacked. Please do not be mad. E-mail me at *email* to contact me.”
I didn’t get mad or upset. I don’t think I even furrowed an eyebrow; I have a pretty good poker face, but I have an even better demeanor. I also try not to get upset over things that I shouldn’t be. However, I was most definitely concerned and eager to solve this issue.
I also wasn’t terribly worried as I was pretty sure that the compromised site was limited to PokerForums.org. I also was pretty confident that the compromise was obtained through a vBulletin exploit; most likely being one that was found post v3.6.1 which is what I was running. I was beginning to wish I had upgraded to 3.6.4.
Lastly, I felt that the hacker was a reasonable person to deal with; why else would he leave his e-mail? If he really wanted to do damage, he’d remain as hidden as possible, trying to deep further and further in. Or he’d erase everything, or something. I used to be a script kiddy/hacker way back in the day, in my mid-teens. I enjoyed the culture, but enjoyed the challenge and the learning process even more. I actually obtained the highest levels on such (lame) online hacking challenges such as Arcanum, CyberArmy, and SlyFx (However, that was nearly a decade ago and the Internet has changed a lot, and whatever I knew then, I forget now). Therefore, I understood that many hackers today still do go by the old hackers code (no pun intended), which is really to hack for the challenge of it and not to really inflict any harm. Usually such a hacker will hack a site, put up a splash page or message, then explain to the owner how they got in and how to secure it.
Basically, if you’re going to get hacked, you want to get hacked by this type of hacker. In a way, and this is how they view it as well, they’re helping you out before a more malicious hacker gets in and does some real damage.
So, while I felt that he may be one of these ‘robin hood hackers’, I was also annoyed that he had essentially shut down my site.
The first thing I did was contact the head of the server administration company I hired. I prepaid them up front for a year’s worth a couple months ago, and I’ve been absolutely loving them.
Me> Hey you there?
Me> I just got hacked.
Him> Okay, hang on, I’m getting my head of security in here.
Within 15-20 seconds of contacting them, I was already talking to their head of security guy. Nice.
He went in and tried to solve the issue. Apparantly my forum username’s e-mail and password were changed. He believed that the server wasn’t compromised beyond the forum:
“well so far it looks like the server wasnt in any way compromised, no commands were executed, so my best guess is an SQL injection vulnerability in the vbulletin forum or another script”
While he was working away on the problem, I sent an e-mail to the hacker, giving my MSN and AIM and asking him to contact me back.
After about half an hour or so, the site was basically restored back to normal. The security guy went into the database and changed my e-mail to his, requested the password through the site’s password request feature, then changed the password and got the forum back up again.
However, obviously we weren’t safe just yet. It was more a race with the hacker; we didn’t want him to come back and see the forum restored as it may just make him angrier. So after I fixed some image and style changes he made (basically changing the forum status icons to ‘hacked’ images, etc.) I went and upgraded the forum to 3.6.4, the latest vBulletin version.
However, I checked the change logs for the versions, and didn’t see any security upgrades other than a pretty small XSS issue. So I was still a bit apprehensive as to the security of the site.
The next day, the hacker added me to MSN and we spoke.
I believe he was Russian, judging by his speech. And I found out that he was indeed a ‘robin hood hacker’, as I had suspected. Lucky for me. The biggest surprise, and scare, to me was when I found out that the compromise wasn’t limited to just the forum after all. He actually had server/database access!
I trudged through his broken English and found out step by step how he gained such access:
1. I run a few plug-ins on the site, one of them being a chatroom. This was how he got in. Apparantly the install files were still on the server and active and accessible. He simply went to the install URL of the chatroom script and hit the “continue” button. From there, the script automatically detects and fills out the site’s database information including the database name, username, and password.
2. He then went into the database and changed the e-mail on my account, which obviously had administrator access. He then requested a password request from the forum, and then changed the password (he couldn’t do this via MySQL as it is encrypted).
3. Already now he has database access and forum access. He then changed the forum’s settings to allow PHP files to be added as attachments, and uploaded a malicious confige.php attachment by posting it on the forum.
4. He then ran this file which, fortunately for me, could have been really bad and wiped out the site completely or plant some trojans around the server. Actually, it was a script which searched for more exploits throughout the server, probably trying to obtain root.
And there you have it.
Now, I’m normally pretty good at being secure and aware to security. When I had isntalled the chatroom plugin, it had never stated (I double checked this yesterday) in the installation instructions to remove certain installation files after installing. I followed their instructions to the tee, but since they didn’t tell me to delete the install files, I had assumed that they’d be inaccessible or something. Really though, I kind of just forgot about them.
I’ve since upgraded the chatroom from 4.7.2 to 4.7.7, and fortunately the new instructions clearly state to remove the installation files afterwards. The installation script even prompts red text if they are still there after it’s installed. Good.
Lesson to be learned here?
I believe there are two lessons here:
1. There are still hackers out there, so be aware and pay attention to security. I believe there used to be a lot more hackers in the late 90′s than there are today, partly because of tougher laws, but also because technology has advanced and programming practices, etc. have become a lot more secure. But don’t let that give you a false sense of security; there are still hackers out there, as I know all too well now!
2. Don’t take security for granted. That’s what I did with the chatroom script. I had assumed, since I followed the installation instructions perfectly, that I had done everything I could and should have. I shouldn’t have taken the security for granted, and checked if the installation files were still accessible by others.
Be safe out there folks
Good luck and good earnings!