Site Hacked - Is there a hole ?

[Touti]

Hi Forum,

My site was hacked last night.

SMF 1.1.11
TP 1.0 Beta 4

The hacker managed to upload a compressed script using TP.  He put a file called dbc.php.pjpg in the tp-images/File folder and then used it to replace my index.php file.

My access log for that period

This what I get in my browser when I navigate to myserver/tp-images/dbc.php.pjpg





It looks like a nice little hacking interface.   But how did he get to upload a file ?  I checked the IP Address and it's not a registered member of my forum, is there a security hole somewhere in there ?

[Touti]

Ok, just after posting the above I decided to try all the links that the hacker used which I see in my access log.


This is what he used
http:// web site address /FCKeditor/editor/filemanager/browser/default/browser.html?connector=connectors/php/connector.php

That shows the content of the tp-images/File folder and with a file upload box at the bottom. 

[Touti]

I hate replying to myself 

Is FCK Editor part of SMF or does it come with TP ?

[Lesmond]

It's more than likely that your, computer has been compromised by a virus/malware.
There are a number of different malicious tools that steal password details for mailboxes, FTP, etc and use these to spam or make changes to a website.

Therefor I would..
* perform a full virus and spyware scan on your own computer
* change all passwords associated with your hosting account and ftp accounts.
* check with your hosting company.

Is FCK Editor part of SMF or does it come with TP ?

It comes with tp, but is made by a different company.

[Touti]

Lesmond,

Of course I will do as you suggest and scan my computer and change my passwords but the hacker never logged in.  The link I posted above allows anyone to upload files to any TP installation.  I understand that FCK is made by someone else but I think it should be modified to include a check to make sure it can only be used by a logged in forum member.

I'm a bit confused with the new support site and tinyportal.net closed.  Has Bloc only closed the web site or has he also stopped development on TP ?  If I feel there's a security hole should I report it in the TP Mod forum on SMF's web site ?

[Lesmond]

No, TinyPortal is not being discontinued.  It will continue to be coded by Bloc and edited to work with newer versions of SMF and supported by him over on the SMF Mod site.  However, we don't expect that he will be as active on the support side as he has been in the past.  This is why the TinyPortal Team have taken the step to setup this site for support of the best Portal available for SMF at this location.  Our primary focus for support will be for the latest TinyPortal though very limited support for previous versions, at least for awhile, will be available here.

ZarPrime

[Touti]

Thanks Lesmond,  and thansk to you all for starting a new support site.