i donno how this happened guyz... but my TP has been hacked... :-\
its v0.86 and has been patched with the shoutbox patch.
but hey... i havent enabled guest shouting... still i wonder how it happened.
the hacker posted a shout as shown in the screenshots... with the following url
http://dogu_bey89.sitemynet.com/turkishackers.htm
bloc, mods... how to see if there are any changes that the hacker made to my site... i dont see any other visible defacements or changes that the hacker made...
check out the screenshots
It seems that someone found the way to change the username, as a member. Since that redirect link just shows up there and doesn't do anything, it should be safe. Although it's an annoying shout of course.
I am testing out something now that will stop that from happening.
BobbyKashyap did the redirection work? I believe not, it's just displayed.
Bloc I believe that by putting a link to member name that made the shout (as in TP 0.9.x) will show the member's name and ID.
In TP 0.8.6 there is no such link. With a ready string copied, someone can change the displayed name in one screen, then try the hack in Shoutbox! in another (the changed name will be displayed and will remain) then back to the profile screen and change again display name.
thx for the reply Bloc and agridoc.
yep.. i have manually removed the shout for now.
the shout and even the member name came up as
Quote
location="http://dogu_bey89.sitemynet.com/turkishackers.htm"
so, the redirection didnt go.
i havent gone through logs (if any) and the actual server files...
right now.. im at my day job...
so i'll update you guys, laters... if any other stupid things these hackers did...
:laugh: :laugh: never knew my site is sooo famous, to get hacked :laugh: :laugh:
and i saw a similar posting here..
http://www.tinyportal.net/smf/index.php?topic=6216.0
just cant wait for TP 0.9 to be released.. to knock these hackers :knuppel2:
Looks like we all got hit today. I got it too. Didn't do anything though.
Quote
http://dogu_bey89.sitemynet.com/turkishackers.htm
I was also "hacked" today. They managed to leave a guest shout (even though guest shouts are disabled) with the string >> location="http://etc.etc.somewhere" << It's happened once before but this time the portal page was redirected by the string. I can't work out how they did it though. >:(
I've turned off the shoutbox block until Bloc works something out. No biggie, shoutboxes are a bit redundant on a forum anyway :D Filtering for "location=" might be a start.
I moved the shoutbox off the main part of my site so its only in the arcade
those bastards are still trying 2 hack... two times after the 1st one this morning.
any solution?
Bloc/mods... is 0.9 test version open for us?
Got the same in the shoutbox at smfarcade.net and we are using tp 9.1. Nothing seems to be out of place tho...
hmmm i disabled shoutbox for now
I will send out updated v0.8.6 files today. Just needs to verify and check first.
Bloc.. no worries bro.. take your time. We can still disable the shoutbox.
I too was visited today. They were unable to accomplish anything though.
I went ahead and blocked their IP's in .htaccess and haven't seen them since.
here are several of the IP blocks I've denied in .htaccess.. Seems to be mostly from cybercafe's.
palorber... Bloc has released a patch for this. update your site and its spam free now.
Ok the same guy got us but he actually succeeded. It redirects everything from forum to website to that site. How do I remove it?
alright nvm i applied the patch and it works fine now.
So it only redirects and they can't get our passwords or anything right?
yep.. according to gurus here and Bloc and from what i saw on my site, its basically a type of spam. NOT hacking.
we got it all wrong, when we posted these threads and used the title hacked instead of spammed :-D
true lol. its in fact spamming. :)
I noticed your site was hacked. http://dogubey.by.ru/
what's the reason. I hope not smf bug
Not SMF, and not a real hack either.
It's a redirect post in the shoutbox.
Download the update pack for TP from the download section, and replace the old files with the ones from the package. That will take care of everything and the page should come back to normal.
This same thing happened to me and it didn't do anything to my smf site but it allowed them to gain access somehow to my files and they put in some nasty bugs on the server and caused my email to send out over 2000 emails an hour. It screwed up the server enough that the company called me and had to move every customer off that server to fix it...
This doesn't seem like Shoutbox hack but rather a server hack.
Is there any evidence that the hackers went in through the Shoutbox?
My server company only said that they gained access through an outdated script. SMF and TP are the only 2 scripts that I run....when it all happened I had similar stuff in my shout box...
Sounds more like your host didn't really know what happened, and had to blame someone
sad to hear your issue. I wish not to get the same thing.
but now i meet some issue with shoutbox, spammer almost put 20 spam link on it. HORROR.
ps: I deleted the spam all. 5 times per one day.. @@#@$#)*#*$#
ΨPorkΨ you say that your forum and database were intact.
The recipients of the mails were members or other e-mails? You surely can't say about other but you would have some messages from members if the database was used.
and caused my email to send out over 2000 emails an hour
I have similar problem months or two ago, they hack my site via coppermine gallery with some weird script/picture, I and my host realize that something is wrong after I send approx 350 000 spam mail :o in few days. Ichbin help me in this situation, upgrade my gallery and I just delete all mails from my mail account.
my site also hacked :( by turkish hackers
I could really use .0.9.5 right about now. I was hacked twice today. One signature was from some God Father hacker and the second was from hackers.org. It appears to be a server hack, not the hack via the shoutbox. Any suggestions to prevent this from happening?
See attached signature from last hacker.
If it was through the server not even TP V.095 would have helped you, and keep your index.php file tight on the permission, i would have mailed my host and really asked about their security >:(
Quote from: Mrs G6 on September 06, 2006, 11:05:09 PM
If it was through the server not even TP V.095 would have helped you, and keep your index.php file tight on the permission, i would have mailed my host and really asked about their security >:(
What do you recommend as far as protecting index.php file?
:( This is a recurring event; it would seem to be affecting quite a few. I too was hacked by turkish hackers a few weeks back. I don't run a shoutbox so I know it wasn't that
Just when I thought all was lost..I did a bit of investing through Cpanel.
I went in to the index.php ( as well as all the other pages) and they only messed with index.php. ( this is where hacked by blah blah...)
I went to a test site I have for trying new mods, scripts, etc.
copied the whole index.php and pasted it on to the hacked and voila! all was fixed.
while in Cpanel I noticed that I had left my permissions at 777 on settings.php ( as well as a few others that I can't recall darn it!), don't know if that had anything to do with it, but I haven't had problems since...
I have been getting A LOT of those hacker types trying to register on my site lately.....you can tell by the email they use.....*@gawab.com or *@gawab.ru
most use those but some dont.....
they dont ever actually confirm their email to register and they apparently cant hack the shoutbox anymore due to security fixes....
so I have just been deleting these accounts when I see them.
Quote from: Mrs G6 on September 06, 2006, 11:05:09 PM
If it was through the server not even TP V.095 would have helped you, and keep your index.php file tight on the permission, i would have mailed my host and really asked about their security >:(
That's exactly what anyone should do is contact their host.
Quote from: IchBin™ on September 07, 2006, 02:56:29 AM
That's exactly what anyone should do is contact their host.
My host was clueless.
Do a whois lookup on the website. You'll get all the owners private information and everything you need to sue em or get their website...well you know.
Quote from: RoarinRow on September 07, 2006, 03:15:08 AM
My host was clueless.
Do you run just SMF+TP? Any other scripts..?
Quote from: Bloc on September 07, 2006, 06:43:00 AM
Do you run just SMF+TP? Any other scripts..?
Just SMF + TP, but I also have Coppermine Photo Gallery and FlashChat.
What should my index.php be chmod'd to?
I think you should probably be safe with 755, which makes it only writable by the owner.
I've chmodded my index.php to 444 (only readable) as I do for settings.php
I've read somewhere else that sometimes hackers execute a php script in directories where you keep your image files; this can be prevented by placing an .htaccess file in these directories
This was posted by bandit-x on the xoops forum :
for my uploads directory i got something like:
Order Deny,Allow
Deny from all
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>
only the .gif .jpg .jpeg and .png image files are web accessible in that directory. the rest of the files in that directory get a 404
Just asking because I read others also experienced hacks and it seemed to come from among others Coppermine. You have the latest version of it?
Quote from: Bloc on September 07, 2006, 10:00:04 PM
Just asking because I read others also experienced hacks and it seemed to come from among others Coppermine. You have the latest version of it?
Yes, I upgraded Coppermine about two weeks ago to the latest. I got hacked again, 3rd time in 2 days. My server error log has some errors about Coppermine. I think I will delete my Coppermine directory just in case.
Somehow they also deleted all the php files in the root of the forum directory, all put their index.php file.
the 1.4.8 had some security holes that are fixed now, the latest version is now 1.4.9 and came out just a few days ago.
Thanks for that info. I haven't even checked my Coppermine lately! :)
I have never had coppermine installed..and still got hacked.. :-\
Quote from: Maya on September 08, 2006, 04:13:46 PM
I have never had coppermine installed..and still got hacked.. :-\
What is your site Maya and how did they hack it?
Sorry it took so long to get back and reply...my best friend ( of 20 years) just got married this weekend, and what can I say.. :-X ;D
My site is just a pet project my husband and I have been working on..
took a break for a bit( kids and summer, etc ::) ), and are now in the process of 'overhauling' it with a new focus.... not big at all...
How did they hack it...I would like to know...The only thing I can think of, was like i said in a prior post, my chmod settings were at 777 and might have allowed access, but have since been changed (obviously) , nor have there been any problems since....
Ah ok Maya, thanks for your reply, because of this 777 they could easily exchange your index file for theirs.
Success with overhauling your site :)
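
The two server-side points raised in this thread, files left at 777 and scripts placed in image upload directories, can both be checked from a shell on the host. The script below is an added example, not part of the original thread or of SMF/TinyPortal; the function names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the demo tree are hypothetical/constructed.

# Files that group or others may write to (mode 777, 666, 775, ...).
writable_by_others() {
    find "$1" -type f \( -perm -0002 -o -perm -0020 \) -print | sort
}

# Files in an upload directory that are not .gif/.jpg/.jpeg/.png (the set the
# FilesMatch rule quoted in the thread allows); .htaccess itself is skipped.
non_image_files() {
    find "$1" -type f ! -name '.htaccess' ! \( -iname '*.gif' \
        -o -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \) -print | sort
}

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Make a file read-only for everyone (444, as one poster used for index.php)
# and print the resulting mode.
lock_down() {
    chmod 444 "$1" && file_mode "$1"
}

# Build a throwaway tree and run the checks on it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads"
    : > "$root/index.php";    chmod 777 "$root/index.php"
    : > "$root/settings.php"; chmod 644 "$root/settings.php"
    : > "$root/uploads/photo.png"; : > "$root/uploads/x.php"
    chmod 644 "$root"/uploads/*
    echo "Writable by group/others:";   writable_by_others "$root"
    echo "Non-image files in uploads:"; non_image_files "$root/uploads"
    echo "index.php after lock_down: $(lock_down "$root/index.php")"
    rm -rf "$root"
}

demo
```

On a real site, point `writable_by_others` at the forum root and `non_image_files` at each upload or avatar directory, and review anything either one prints.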