Service restored

[miskie]

once his site is hacked -- its PhpBB-- its coming.. they can't blame me for doing out of vengance.

I've seen so many phpBB sites wiped out from hacker's attentions (although mostly last year),

certainly if I was to have a forum it wouldn't be that brand.

 

I note the site is called Vote For The Worst - they'll be able to vote for themselves soon enough I imagine.

 

 

the only reason its survived so far is because of the blankets of server security Ive thrown on top of it.. One of my sets of hack-protection rules has pages of exploits to check for specifically on phpBB -- when I first got him as a client I advised against it, but since his buddy had a skin good to go, he refused. I have stopped many attacks on that forum each day, one day, someone spent about 4 hours banging it at about 3 hits persecond from a series of rotating IPs -- it was a sight to behold.

 

but his forum, and the server, stood tall. All I had was reams of log data from it.

 

since he as already angried the blood of the hacker natives, they will learn soon that most of those layers of security have vanished. Im sure in a few days, the site will redirtect to a web-page somewhere in russia or china once it gets tagged. But, Im IP banned -- so, its not going to be me in those logs, thats for sure.

[Lucandrake]

Well just laugh at him when karma bites him in the ass.

[miskie]

Well just laugh at him when karma bites him in the ass.

 

 

Im prett sure it will -- It kinda did when he tried to take his data and run, and he lost an entire days worth of posts.

 

Then he and his new admin apparantly couldnt fix it. And they blamed me Or so it seems, since he was all pissed off and wouldnt share why publically.. After I locked the door behind them I fixed the data. took one MySQL command to do it.

 

BTW, this self-corruption is a phpBB trademark - the forum is craptacular.

 

So, in short, within 24 hours, they lost a day worth of posts, had many other posts vanish, or endup posting wrong (wrong thread, wrong user etc) and people locked out of their own accounts who needed manual resetting.

 

Im sure they blame me -- SO, I got myself totally banned -- screamed the truth about their forum in the most obtuse way I could, so when it all starts to come totally unraveled, I can have nothing to do with it.. everyone including the owner should have changed logins and passwords, and most of the clients should have as well.

 

I know when the ship is sinking, and I know when to run.

 

IF the transition went smoothly, I would have said/done none of this.. but as I watched the bricks fall one by one I knew I needed to do something totally erm, UnMiskie...

 

If any of you see any other gems in that forum, dont be afraid to amuse me by posting them

[CJ Jackson]

Even the good guys can get banned from forums.

[miskie]

ehh, maybe so, maybe not..

 

I think that whole episode went wrong -- the server was hacked, And I spent a few days putting it back together. I was tired, waaay tired from salvaging data, reinstalling a server and putting everyones stuff back who was affected. I think both the admin of VFTW and I were busy pushing each others buttons.

 

When he went after me telling me the server hack was my fault, I got angry.. And when I discovered in the logs that the server hack was his fault, I got really, really angry.

 

You see, when I identified the first three affected sites, all of them were getting logged into at the same time, kinda a chicken and egg scenario -- one of them had to be first, so I figured I would find the original leak. after I went back far enough in the logs, I found that what the hacker did was he got into VFTW first, then from there found other weak logins and passwords. He/she then abandoned VFTW and logged into the three affected sites 'cleanly' -- meaning right login, right password, first time. Which, of course, raises no alarms, except that the hacker logged into all three of them at the same time, every time. BUt, a computer isnt going to notice that, it only picks up on mistakes. So, I blew up.

 

I was tired, hungry and feeling sick from the lack of sleep, and I let my emotions get the beter of me.

 

And for that I apologise, And wish them well..

 

There is still the matter of the back door in his site - It's a renamed copy of Php Shell -- its an old old tool that basically allows the user to fire off shell commands from a php interface. the file is in there, but has been renamed to something else -- I dont remember what. This is what the hacker did to his site and the three others affected, the names were something that made the file look like part of the software used. the one giveaway is the date.What I would sugggest to VFTW at this point is deleting all the control files from that site, and replacing them with clean copies. Leave the database intact. that should catch that program., and result in minimal downtime.

 

Ive picked though all remaning hostees and have found no other instances.

[Robert]

As a matter of curiosity, about how many sites are on this server?

[miskie]

As a matter of curiosity, about how many sites are on this server?

 

 

on this particular box, 27 clients and 30 domains.. when you add in subdomains (http://something.domain.com) the hosted sites increases to about 75 or so.