Hacking From Www.turkhackgrup.com


Subject: Hacking From Www.turkhackgrup.com
Using version 1.1.10.25

My Icy Phoenix board was hacked this morning from the jerks at turkhackgrup.com. Is there a security problem with this version that allows these pieces of sh** to get in and replace files at will? Is there something I am missing in a configuration somewhere? Any help to eliminate this from happening again would be appreciated. Thanks!

CTracker saw nothing but there was an entry from their web site recorded in the http referrers list.

I was left with a 0 byte file in the root of the forum called zehir4.asp as well as the entire index.php file that was replaced with:

Subject: Re: Hacking From Www.turkhackgrup.com
OMG :shock: ...
I'm sorry :( that this happened

Subject: Re: Hacking From Www.turkhackgrup.com
OMG. I hope you have your backup.

Subject: Re: Hacking From Www.turkhackgrup.com
Did you apply all patches I have posted for that version?

Can you provide me a server log with all your HTTP requests in a time range around the time your site has been hacked please?

Subject: Re: Hacking From Www.turkhackgrup.com
As the first lines of the HTML script show, it appears to have been defaced with Microsoft FrontPage. Ask your hosting provider to disable the FrontPage extensions.

Subject: Re: Hacking From Www.turkhackgrup.com
I had a backup so things are back to normal there.

Frontpage extensions are not installed on my website host...

I'm in CA for a kite party and will send the logs when I get home...

On the patches, I thought I had them all... what's the latest patch for my version?

Thanks everyone..

Subject: Re: Hacking From Www.turkhackgrup.com
babbman wrote:
I had a backup so things are back to normal there.

Frontpage extensions are not installed on my website host...

I'm in CA for a kite party and will send the logs when I get home...

On the patches, I thought I had them all... what's the latest patch for my version?

Thanks everyone..

There should be a patch in the first post of the RC3 release.

I'll wait for the logs.

Enjoy your KITE. :wink:

Subject: Re: Hacking From Www.turkhackgrup.com
Mighty Gorgon wrote:

Enjoy your KITE. :wink:


Thanks... I'll get the patch in..

BTW...

here's the type of kites we party with... :D


YouTube Link

Subject: Re: Hacking From Www.turkhackgrup.com
Here's the referrers log from that point in time


140 www.google.com http://www.google.com/search?hl=en&q=back2thewind 1 20 Feb 2008 14:42 20 Feb 2008 14:42
--> 141 www.turkhackgrup.com http://www.turkhackgrup.com/index.php?PHPSESSID=62... 1 20 Feb 2008 10:05 20 Feb 2008 10:05
142 www.google.com http://www.google.com/search?q=grand+haven+images&... 1 20 Feb 2008 02:38 20 Feb 2008 02:38
143 www.google.com http://www.google.com/search?hl=en&q=Illinois+Kite... 1 20 Feb 2008 02:00 20 Feb 2008 02:00
144 www.google.com http://www.google.com/search?hl=en&q=straight+stit... 1 19 Feb 2008 22:39 19 Feb 2008 22:39



here's the most recent visit from these jerks:

17 www.turkhackgrup.com http://www.turkhackgrup.com/index.php?topic=8467.0 6 20 Feb 2008 11:45 Yesterday at 11:55


The link above takes you to a posting on their forum where I suppose they are bragging about the hack.

I was also informed today that there was a bunch of phishing code dumped into my Icy Phoenix installation. View the screen shot for the folder it was dumped into.

How in the hell did these idiots get into this section of the forum with enough access to put these files on my site?

Anything you can help me with is most appreciated..

Thanks,

C


[Attachment: 20080301-IKECLUB.ORG.jpg]

Subject: Re: Hacking From Www.turkhackgrup.com
I should need the HTTP REQUESTS LOGS, because the REFERRERS LOG doesn't contain any useful information about the hacking technique used.

Do you have HTTP REQUESTS LOGS?
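
An added example, not part of any post in this thread: a small triage script for the kind of HTTP request log asked for above. It keeps only requests near the incident time, flags the ones that stand out on a PHP board, and then lists everything the flagged client addresses did in that window. The Apache combined log format, the sample lines and the IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/NCSA "combined" format is assumed; adjust the pattern for other layouts.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "[^"]*"')
EXPECTED_METHODS = {"GET", "HEAD", "POST"}
FOREIGN_SCRIPTS = (".asp", ".aspx", ".jsp", ".cgi", ".pl")  # not shipped with a PHP board

def triage(lines, incident, hours=6, referrer="turkhackgrup.com"):
    """Map each flagged client IP to every request it made inside the window."""
    lo, hi = incident - timedelta(hours=hours), incident + timedelta(hours=hours)
    by_ip, flagged = defaultdict(list), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not lo <= ts <= hi:
            continue
        reasons = []
        if m["method"].upper() not in EXPECTED_METHODS:
            reasons.append("unusual method")
        if m["path"].split("?", 1)[0].lower().endswith(FOREIGN_SCRIPTS):
            reasons.append("non-PHP script")
        if referrer in m["ref"].lower():
            reasons.append("referrer match")
        if reasons:
            flagged.add(m["ip"])
        by_ip[m["ip"]].append((ts, m["method"], m["path"], int(m["status"]), reasons))
    return {ip: rows for ip, rows in by_ip.items() if ip in flagged}

# Constructed sample lines (documentation IP ranges); not taken from the affected site.
SAMPLE = [
    '198.51.100.7 - - [20/Feb/2008:02:38:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=grand+haven+images" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Feb/2008:10:05:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.turkhackgrup.com/index.php" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Feb/2008:10:06:40 +0000] "POST /search.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Feb/2008:10:09:15 +0000] "GET /zehir4.asp HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2008:09:00:00 +0000] "GET /viewtopic.php?t=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    when = datetime(2008, 2, 20, 10, 5, tzinfo=timezone.utc)
    for ip, rows in triage(SAMPLE, when).items():
        for ts, method, path, status, reasons in rows:
            print(ip, ts.isoformat(), method, path, status, ", ".join(reasons) or "-")
```

Unflagged requests from a flagged address are kept in the output on purpose, since the request that matters is often an ordinary-looking one made between the flagged ones.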

Subject: Re: Hacking From Www.turkhackgrup.com
Mighty Gorgon wrote:
I should need the HTTP REQUESTS LOGS, because the REFERRERS LOG doesn't contain any useful information about the hacking technique used.

Do you have HTTP REQUESTS LOGS?



Unfortunately, it doesn't seem like I can get them from my provider... I can turn logs on but that's pretty useless unless I know when they are going to attempt to get in and screw with me.

Any other suggestions or ideas you can provide?

Here's one other piece of information that concerns me. If I go into CrackerTracker Maintenance and System Check, I am getting a few 'Caution' labels:

PHP Version (Visit Website) 4.3.11 4.4.8 CAUTION
» PHP SAFE MODE OFF ON CAUTION
» PHP GLOBALS OFF OFF SAFE
phpBB Version (Visit Website) 2.0.22 2.0.23 CAUTION
» Visual Confirmation ON ON SAFE
» Account Activation OFF ON CAUTION
CBACK CrackerTracker (Visit Website) 5.0.4 5.0.6 CAUTION

Any of this that could open a hole for these jerks to get into?

Thanks...

Subject: Re: Hacking From Www.turkhackgrup.com
Try to make a backup of db and all files in case MG needs them...

Subject: Re: Hacking From Www.turkhackgrup.com
novice programmer wrote:
Try to make a backup of db and all files in case MG needs them...


I have backups of everything...

Subject: Re: Hacking From Www.turkhackgrup.com
Please upload your site with new release as soon as possible.

