Thanks, info passed on to owner. Hopefully he will find something.
He's operating off a stolen dial-up address outside the United States huh? DHs like that piss me off.
Quote:
Originally posted here by RoadClosed
He's operating off a stolen dial-up address outside the United States huh? DHs like that piss me off.
If he's smart he'll have a few more stacked somewhere. Pretty easy to come by these days, unfortunately.
Morgue: Is the site hosted? Do they also maintain the database?
If that's the case odds are only your site got hosed.
Do they also make backups or do you have to take care of that yourself?
Did you change anything to the source of phpBB?
If you didn't change anything you could download the same version from a trusted source and diff it. Anything he changed (backdoors i.e.) will pop up. But then again, he probably only added himself as an admin to your site so he can change things at will.
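The comparison SirDice suggests above, sketched as an added example that is not part of the original thread: it hashes every file in a pristine copy of the release and in the installed tree, then lists what was modified, added or removed. The directory layout, file names and contents are constructed sample data, and `config.php` is ignored on the assumption that the site's own settings file legitimately differs.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each relative path to a SHA-256 digest (for a symlink, its target)."""
    root, out = Path(root), {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            out[rel] = "symlink -> " + os.readlink(p)
        elif p.is_file():
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def compare_trees(trusted, installed, ignore=()):
    """Diff installed against trusted; `ignore` lists paths expected to differ."""
    good, live = tree_hashes(trusted), tree_hashes(installed)
    names = (good.keys() | live.keys()) - set(ignore)
    return {
        "modified": sorted(f for f in names if f in good and f in live and good[f] != live[f]),
        "added": sorted(f for f in names if f not in good),
        "removed": sorted(f for f in names if f not in live),
    }

def build_demo(base):
    """Constructed sample data: a pristine tree and a tampered copy of it."""
    files = {"index.php": "<?php // index\n", "login.php": "<?php // login\n",
             "config.php": "<?php // empty\n", "includes/db.php": "<?php // db\n"}
    for name in ("trusted", "installed"):
        for rel, body in files.items():
            path = Path(base, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    live = Path(base, "installed")
    (live / "login.php").write_text("<?php // login, edited\n")    # changed file
    (live / "config.php").write_text("<?php // site settings\n")   # expected change
    (live / "images").mkdir()
    (live / "images" / "x.php").write_text("<?php // extra\n")     # file not in release
    (live / "includes" / "db.php").unlink()                        # missing file
    return Path(base, "trusted"), live

def run_demo(ignore=("config.php",)):
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_demo(base), ignore=ignore)

if __name__ == "__main__":
    print(run_demo())
```

A clean result covers files only; an attacker who merely added an admin account, as the post also suggests, leaves a trace in the database rather than in the source tree.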
Quote:
Originally posted here by SirDice
If he's smart he'll have a few more stacked somewhere. Pretty easy to come by these days, unfortunately.
Morgue: Is the site hosted? Do they also maintain the database?
If that's the case odds are only your site got hosed.
Do they also make backups or do you have to take care of that yourself?
Did you change anything to the source of phpBB?
If you didn't change anything you could download the same version from a trusted source and diff it. Anything he changed (backdoors i.e.) will pop up. But then again, he probably only added himself as an admin to your site so he can change things at will.
The site is hosted by fluxservices.com, as I understand it they had backed it up three days after it was hacked!!! I don't think the owner made a backup :(
Everything was up to date, we had 0.012 installed, except the last patch which came out on 28th Feb, just a few days before we were hacked, only one person had admin, and the source code was default. Maybe he simply guessed the pw, I remember the site owner saying to me, that we had SIX MILLION hits in one month, yet we only have 120-140 registered users, maybe it was a pw scanner running?
Quote:
Originally posted here by [ACE]MORGUE
I remember the site owner saying to me, that we had SIX MILLION hits in one month, yet we only have 120-140 registered users, maybe it was a pw scanner running?
Yes. That's definitely possible. It may take a while but eventually...
But all those attempts should have been logged somewhere.
Probably too late now.... but somebody should have noticed that...
Quote:
but somebody should have noticed that...
...and here lies the problem with trusting others with your property... They just don't care about it like you do....
Assuming it had been noticed, what steps could have been taken to stop such an attack?
Firewall rules would have been a good start - block the offending IP entirely. IDS would have been useful too. Maybe even packet dump all activity from the IP and allow it to break your BBS and then see how he is getting in. It really depends upon your strategy and intent.
Firewall rules would be a good start to block. In the meantime I would send the logs I already got to the ISP of the offending IP. If that ISP is any good they would take that "stolen dial-up" off the net. If you keep this up he (marx) will quickly run out of options. That ISP may even help you to find out who is using that "stolen dial-up".
There's also an 'unethical' way to track the culprit. If he (marx) can hijack that PC, chances are you can do it too. Install some monitoring software on it and wait until he tries again. That will bring you one step closer to him. At least it'll give you an idea where he's coming from. Beat him at his own game. But as I said it's rather unethical and probably illegal.