318ti.org forum
#1  1996 328ti  11-17-2012, 10:43 PM
Join Date: Jun 2003
Location: Greenville, SC
Posts: 9,356

Hacked 11/13/2012

The database was hacked on 11/13/2012.
So far the only thing I noticed was that a plugin was installed adding 3 banner ads in the header using their pub id.
And one file was edited.
I haven't noticed anything else odd.
Doubt they were looking to do anything else other than to generate some revenue.

If anyone notices anything odd, please let me know.
__________________
...steven
BMW CCA #146825
1996 BMW 328ti • 2003 MINI Cooper S • 2016 M235i
www.bmwcca.org
#2  cooljess76 (NOBODY F's with the Jesus)  11-18-2012, 02:32 AM
Join Date: Oct 2006
Location: Ventura California
Posts: 7,824

uh oh...
#3  wolferj-RIP  11-18-2012, 03:34 AM
Join Date: Jul 2007
Location: norcal - 94590
Posts: 3,186

That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary.

Should we change our access passwords or something like that as a precaution?
__________________
James 95 active w/leather interior and sport interior conversion, Vaders, full M-Tech exterior conversion. Now m50 swapped* Eibach sway bars, D2 Coilovers, Depo's w/AE's, blacked-out sides and grills, LeatherZ console and door armrests, 1 series starter button mod, and custom finished Style 5's <--- in this color! Named "Roddy": *M50 6 cyl. swap with fan delete, S50 cams and chip, AFE stage 2 intake, M3 clutch and 11.5 lb Fidanza flywheel, 3.15LSD, battery relocated to rear and complete custom exhaust. Sweet! 97 318ti sport, Alaska Blue, Contours, coilovers, Dove Vaders and custom black/grey interior named "Max" 95 318ti Active in Cosmos, S50 swap in progress... named "Pit" SUPPORT 318ti.org! CLICK THE LINK ABOVE! Hosting a forum like this is not free. 318ti.org is one of the best BMW forums on the web because it is member supported, not vendor supported. The cost to become a Supporter is a nominal $10.00... A YEAR! DO IT! NOW!
#4  1996 328ti  11-18-2012, 03:48 AM

Quote (originally posted by wolferj):
That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary.

Should we change our access passwords or something like that as a precaution?

I wouldn't worry about passwords. They are encrypted.
The hacker inserted his own AdSense publisher code for the banner ads.
Even if I'd edit the template, a cron job would change it back every 5 minutes.

I've managed to extract 1 row of a table from a backup earlier in the week.
It's a table that keeps track of plugins. I haven't added anything, so it shouldn't have changed in several months.

The banner hasn't changed yet. There is a dot to the right of the banners to tell me that nothing has changed.

There is just one more thing I need to hunt down.
When I revert a template, it reinserts the hacker's code in the template.
#5  1996 328ti  11-18-2012, 04:04 AM

The site may be down for a little while while php is updated.
Hopefully it doesn't break anything.
#6  bmvw  11-18-2012, 06:19 AM
Join Date: Apr 2006
Location: San Diego
Posts: 231

It is very important to look for the backdoor!

Look through the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile.

Also, htaccess-ban the offending IP ranges.
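The log check bmvw describes, as an added example that is not part of the thread or of vBulletin: parse access-log lines, keep only POST requests to .php paths that are not in an allow-list of the application's own entry points, and restrict them to a window around the modification time of an altered file. The log lines, the allow-list, the client addresses and the file name x7q.php are all constructed for the example; the .htaccess lines assume Apache 2.2-style mod_authz_host syntax.

```python
"""Added example: flag POST requests to PHP files that are not part of the
known application, inside a time window around an altered file's mtime.
Sample log lines and the allow-list are constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2012:02:14:03 +0000] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Nov/2012:02:14:09 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Nov/2012:02:15:41 +0000] "POST /forum/images/misc/x7q.php HTTP/1.1" 200 88 "-" "python-requests/1.0"
198.51.100.23 - - [13/Nov/2012:02:15:50 +0000] "GET /forum/index.php?x=1 HTTP/1.1" 200 5123 "-" "python-requests/1.0"
192.0.2.55 - - [14/Nov/2012:09:00:00 +0000] "POST /forum/images/misc/x7q.php HTTP/1.1" 200 88 "-" "curl/7.2"
broken line that does not parse
"""

# PHP entry points the application legitimately accepts POSTs to (constructed
# allow-list; in practice build it from a clean copy of the software).
KNOWN_PHP = {"/forum/index.php", "/forum/login.php", "/forum/newreply.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_ts(text):
    """Parse a log timestamp such as '13/Nov/2012:02:15:41 +0000' into an aware datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line):
    """Return a dict (ip, ts, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(lines, known_php, altered_mtime, window_hours=2.0):
    """POSTs to .php paths outside the allow-list whose time is within window_hours of altered_mtime.

    altered_mtime is the mtime of an altered file, as a datetime or a log-format string."""
    centre = parse_ts(altered_mtime) if isinstance(altered_mtime, str) else altered_mtime
    window = timedelta(hours=window_hours)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().endswith(".php") or rec["path"] in known_php:
            continue
        if abs(rec["ts"] - centre) <= window:
            hits.append(rec)
    return hits


def source_ips(hits):
    """Distinct client addresses behind the hits, sorted; the input for a block list."""
    return sorted({h["ip"] for h in hits})


def deny_lines(ips):
    """Apache 2.2-style .htaccess lines denying the given addresses (assumes mod_authz_host)."""
    return ["Order allow,deny", "Allow from all"] + ["Deny from %s" % ip for ip in ips]


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG.splitlines(), KNOWN_PHP, "13/Nov/2012:02:16:00 +0000")
    for h in found:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print("\n".join(deny_lines(source_ips(found))))
```

The window matters because a file's mtime is the only pivot you have once the altered file is found; widen it (window_hours) when the retention period is short, as the thread's 24-hour logs are, and treat the allow-list as the thing to get right: a POST to a .php file the application never shipped is the signal.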
#7  1996 328ti  11-18-2012, 12:16 PM

Quote (originally posted by bmvw):
It is very important to look for the backdoor!

Look through the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile.

Also, htaccess-ban the offending IP ranges.

My logs are only for 24 hrs.
#8  bmvw  11-19-2012, 03:01 AM

Monitor your site with changedetection.com. Make a 0-byte PHP file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.
#9  1996 328ti  11-19-2012, 07:20 PM

Quote (originally posted by bmvw):
Monitor your site with changedetection.com. Make a 0-byte PHP file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.

Don't see how that will help.
The hacker may have used the garage to gain access to the database.
It's still troubling that one of the vBulletin files was edited.
#10  bmvw  11-19-2012, 09:05 PM

The hack originally came through SQL injection. The attacker got complete shell control of the account and altered all the PHP files with a script. The revised PHP files deliver ads, enhance the attacker's site's PageRank, etc.

The hacker also leaves a backdoor because the half-life of the hack is not usually that long and he may want to come back. You probably uploaded replacement files by now. The backdoor provides him shell access to your site, without having to look for another SQL injection vulnerability in vBulletin.

By creating a dummy PHP file and monitoring it, you can detect if he tries it again. The first thing he will do is run a script that alters all the PHP scripts on the site with his code.

Most hackers are inept "script kiddies" who Google for sites displaying markers to scripts with known vulnerabilities and run attacks that someone else discovered. They are looking to 1) deface your site for underground fame and glory (pretty rare actually) or, more commonly, 2) subtly undermine your site while leaving main functionality for personal gain. Unlikely he is going after cash or passwords, as there is no advantage to taking them on a non-ecommerce site.

Google automatically monitors sites, and the search results for compromised pages will display the link "this site may harm your computer". A lot of webmasters find out about the hack that way.
#11  1996 328ti  11-19-2012, 10:51 PM

If he had replaced the single banner ad, I never would have noticed until next month.
There don't seem to be any other files that changed.
#12  bmvw  11-20-2012, 03:51 AM

Sounds good. Please let Google know of the attack and give them the AdSense publisher's ID:

http://adsense.google.com/support/bi...uthorized_code
#13  1996 328ti  11-20-2012, 01:06 PM

Quote (originally posted by bmvw):
Sounds good. Please let Google know of the attack and give them the AdSense publisher's ID:

http://adsense.google.com/support/bi...uthorized_code

I already did, but I used the feedback form.
I'll use this one too. Thanks!

I've been going through all my files to see if any have been added or changed on 11/13.
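Going through all the files for anything added or changed on a given day (post #13), and bmvw's idea of a 0-byte canary that any mass rewrite of the PHP files would also touch (posts #8 and #10), both come down to comparing the web root against a known-good baseline. The following is an added example and is not the thread's or vBulletin's own code: it hashes every file under a directory, saves that as a JSON baseline, reports files added, changed or removed against it, and lists files whose mtime falls on a chosen date. The web root it builds, the canary, the marker text and the dropped file name x7q.php are all constructed inside a temporary directory so the example runs offline.

```python
"""Added example: hash baseline of a web root, diff against it, and list files
whose mtime falls on a given day. The sample tree and the simulated tampering
are constructed inside temporary directories."""
import hashlib
import json
import os
import tempfile
from datetime import date, datetime


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (path relative to root, '/' separated) to its SHA-256 and mtime."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": file_sha256(full), "mtime": os.path.getmtime(full)}
    return snap


def save_baseline(snap, path):
    """Write the baseline as JSON. Keep it outside the web root, or an intruder can rewrite it too."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(baseline, current):
    """Files added, changed (hash differs) or removed relative to the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current
                     if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    return {"added": added, "changed": changed, "removed": removed}


def modified_on(snap, day):
    """Paths whose mtime (local time) falls on the given date, e.g. date(2012, 11, 13).
    mtimes can be reset by whoever wrote the file, so this is a hint; the hash diff is authoritative."""
    return sorted(p for p, meta in snap.items()
                  if datetime.fromtimestamp(meta["mtime"]).date() == day)


def _write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(body)


def run_demo():
    """Build a constructed web root, baseline it, simulate the mass rewrite the thread
    describes (every PHP file touched, canary included, plus one dropped file), and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php echo 'forum'; ?>\n")
        _write(root, "includes/config.php", "<?php $dbname = 'forum'; ?>\n")
        _write(root, "canary.php", "")              # the 0-byte file from the thread
        _write(root, "images/logo.gif", "GIF89a")   # constructed non-PHP asset
        baseline_file = os.path.join(store, "baseline.json")   # stored off the web root
        save_baseline(snapshot(root), baseline_file)

        # Constructed tampering: append a marker to every .php file and drop a new file.
        for rel in ("index.php", "includes/config.php", "canary.php"):
            with open(os.path.join(root, rel), "a") as fh:
                fh.write("/* constructed marker */\n")
        _write(root, "images/misc/x7q.php", "<?php /* constructed dropped file */ ?>\n")

        current = snapshot(root)
        report = diff_snapshots(load_baseline(baseline_file), current)
        # Date of the rewrite, read from one altered file, then used to find its siblings.
        day = datetime.fromtimestamp(current["index.php"]["mtime"]).date()
        report["modified_that_day"] = modified_on(current, day)
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Run snapshot() on a clean install and save_baseline() once, then rerun the diff from cron; the canary shows up under "changed" the moment a rewrite script touches it, and the "added" list is where an uploaded backdoor appears. Searching by mtime alone (modified_on) misses files whose timestamps were set back, which is why the hash comparison is the one to trust.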
#14  anthony318ti  11-20-2012, 04:44 PM
Join Date: Dec 2010
Location: Fiji
Posts: 169

Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.
__________________

"If the world turns its back on you, grab it by the hips and pound the crap out of it"
#15  1996 328ti  11-20-2012, 05:27 PM

Quote (originally posted by anthony318ti):
Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.

Admins.
It's just me.
I have one mod that restricts registrations from spammers.
There are attempts every minute of the day. Literally.