#183777 07/28/2004 5:32 AM
Joined: Jul 2004
Posts: 2
Junior Member
Hi everyone, sorry to have to post this - but I'm hoping someone here will be able to help me out of a slight problem I have.

I run a message board (UBB 6.2) and it's pretty busy - 5000+ members.

Up until now I've suffered just the usual postings here and there from spammers or general trouble makers. But over the past few months it's got a bit more intense than that - I've had a constant problem with one user who keeps coming back time and time again and registering new user names and then posting as many times as they can in as many different topics / forums etc. as possible.

I turned flooding on which helped. I also turned off automatic validation of users and now have to go through the list every few days and this did stop the problem dead for a month or so. However today when I logged on it seems this user has managed to either guess, or as they say 'hack' one of my moderator's passwords and have posted all over the board with their username.

I doubt very much if they have hacked into the board as they say, but I know absolutely nothing about the whys and wherefores and even if it's possible. OK I realise anything is possible - but is it probable?

I figured if they could do it then they would have done it before and would have caused a whole lot more destruction and problems.

I've reported them to the owner of the IP, bellsouth, but haven't heard anything back from them.

Sorry this has gone on so long - I was really hoping for some sort of ideas or guidance as to what I should do, if I should do anything at all, or how to get rid of this pest once and for all.

Many thanks and apologies again

Sally

#183778 07/28/2004 6:21 AM
Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
There have been a good amount of Security upgrades as well as feature additions since 6.2; plus InfoPop is having a price reduction on member area access, I think you should consider upgrading... ChangeLog


UBB.Dev - Putting Dev into UBB.threads
Company: VNC Web Services - UBB.threads Scripts and Scripting, Install and Upgrade Services, Site and Server Maintenance.
Forums: A Gardeners Forum, Scouters World, and UGN Security
UBB.Threads: My UBB Themes, My UBB Scripts
#183779 07/28/2004 6:22 AM
Joined: Mar 2001
Posts: 7,394
LK Offline
Admin / Code Breaker
Change the FTP's password. Ask all your moderators to change their password, in case he has already taken their passwords. Try with your browser to surf to your Members path and load 00000001.cgi, if you don't receive a permission error you should consult with your host in order to fix this.

Note that I found an exploit in UBB's up to 6.2.1.1, which can steal the topic's visitors' passwords. I suggest you upgrade to the latest version for better protection.

Edit: Gizzy's always a minute ahead of me frown frown

#183780 07/28/2004 9:51 AM
Joined: Jan 2000
Posts: 5,833
Likes: 20
UBBDev / UBBWiki Owner
Time Lord
Yes, I is... Lol... Great advice as always LK smile ; and I know the same bug wink ...


#183781 07/28/2004 10:42 AM
Joined: Mar 2000
Posts: 21,079
Likes: 3
I type Like navaho
Cool changelog, I'll add it to our features thread


- Allen wavey
- What Drives You?
#183782 07/28/2004 12:26 PM
Joined: Feb 2003
Posts: 179
Member
I've had similar problems on my site with accounts getting hijacked, passwords being cracked, moderator accounts getting compromised and topics getting deleted, crap being spread across the board and other dirty tricks frown

Here's the things I've either learned the hard way, been able to track down, or done to my board to make it harder for the no-gooders. Each of these things helped in a small way for a small while, but the net effect of all of 'em seems to have made a huge improvement.

- Key Members and Moderators who were active on a competitive site before we launched, and used the same login name and password on our site that were used over there, were the first accounts hijacked. So we changed passwords of course, but the same accounts were compromised again

- Other Accounts were compromised (and often 3 or 4 at a time) where the publicly displayed name was the same as login name. I set up Web Trends to track hits to the login url, and sure enough we were getting slammed with 50-60 login attempts per minute, for short stretches of time at a frequency of 20-30 times a day.

Fixes:
  • I put lots of work into the wordlets used on the registration form to explain to folks the diff between login name and public name, and stress the need for unique login name not used elsewhere.
  • I got help here on ubbdev to apply the standard floodcheck to login, and I set my floodcheck value really high at times of unrest.


- Older Accounts still got hijacked, and one moderator account hit most often. They even got in the control panel under that moderator account and had a real long look around at everything then deleted other moderator accounts.

Fixes:
  • I kicked all my moderators out of the control panel and made it Admin access only with a fix I found here on ubbdev. Plus turned Windows Integrated Authentication on for cp.cgi file (Windows equivalent of .htaccess trick on NIX). This was double effective - many ISPs require users to make certain proxy settings that don't allow them to even get authentication login prompt, and we had to laugh because suspected culprits suddenly began fishing the grapevine to find out what ISPs me and the moderators were on.
  • I ran Windows Baseline Security Analyzer and found an OS level weakness (undocumented M$ hole only disclosed in this dang tool!!). They could have been abusing this to get partial info out of members directory so I shut that backdoor down.
  • I tied my Windows Authentication on cp.cgi to my subnet firewall, and a few failed network logins up in there now results in total shutout from my site for several days + my server/subnet maintenance guy gets a report sent to his cell phone via text message. FWIW This trap was sprung once early on, then they never bothered again.
  • I made another little fix I got help with here on ubbdev for moderators to be able to get into Recent Visitors Admin View for help 'patrolling'
  • It still kept happening way too often. So in desperation, I closed my board and munged all the text files one night to replace login names. And we finally got a short break from the insanity.. about 4 or 5 weeks worth. NOTE - my situation is/was extreme, so I don't recommend this unless absolutely necessary. With us - there's nasty vengeance behind our attacks from 10+ years of dirty laundry and bad attitudes between the moderator account always getting hit (who happens to be one of my sponsors/advertisers as well) and the idiot who runs competitive site.


- It still kept happening including the prime target moderator account, albeit in smaller doses along the lines of stealth deletes. And password spinner attacks on login had died out while excessive hits to the Community Directory kicked in. And another pattern emerged - all the compromised accounts had aol email addresses.

Fixes:
  • We got key members who had another email address to change their profile. And those who didn't, now change their aol password frequently.
  • I got help here on ubbdev to keep junior members out of the member directory to cut down on "trolling" for login names.
  • We got the prime target moderator on a non aol email address and we finally had several months of peace until last weekend.


- So now we got a once-in-blue-moon problem with accounts other than the prime target moderator. And last time the blue moon rose yet another pattern emerged... the last few compromised accounts, along with a couple from early on, were all approved within a 4-5 day timeframe back in March and were dormant - never returned to my site and logged in after registration. Also, we always get 'hit' when my name and the other key members who help patrol are not showing on Recent Visitors list. And lo and behold, hits to Recent Visitors url have spiked while hits to Community Directory are now rare.

So I'm certain now the main cause of my long term problems was that the prime target moderator's aol account was compromised at least twice, his login name and password for my site was retrieved from the "forgot your password" link while they had access to his mailbox, AND worst of all - that moderator was also cc'd on the registration mailbox so they snooped out login names and password from registration confirmation emails in his aol mailbox for a certain time period. smash

Fixes:
  • I'm going in the backdoor and changing passwords on all other dormant accounts approved at the same time period extended to 2-3 weeks before and after. We figure if those accounts haven't been back to my site in 3 or 4 months (not unusual in my community since we're a seasonal sport), when and if they do come back they won't remember their password anyway and just retrieve it.
  • Other active accounts from same time period will get a friendly but non-informative note in near future asking them to change their password.
  • I got help here on UBB to make Recent Visitors require login


Other mildly useful tricks we found for patrolling include IP address lookups and monitoring (the Last Login IP is way different than registration IP and we have patterns with last login IP on hijacked accounts pointing to wireless/cellular service in one particular region).

Plus we were keeping some of our moderators hidden from Recent Visitors so that they couldn't tell when we were lurking. And when an account first gets hijacked, we suspend posting privileges only at first (so they can't tell they've been caught until their next post is denied). Then we sit back and wait for their return in order to get more IP Addresses and/or determine if it's more than one person playing tricks.

Sorry for long post... if it's not obvious, I've been thru he!! I have no doubt I have a personal vendetta behind my trouble who has declared war on my site. The upside being when I get hit it's actually a good thing in a sick twisted way: community loyalty grows, the clans rally and more new registrations pour in, and more and more people come to their own conclusion who's behind it without the need for public accusations.

So here's hoping more good comes of it and hopefully some of this helps you (salblack) to keep that one-step-ahead thing going that's needed in situations like this :rolleyes:
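
The login-URL bursts described in the post above (50-60 attempts per minute) and a flood check applied to login, as an added example that is not code from this thread or from UBB. The login URL, the Common Log Format input and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/cgi-bin/board.cgi?action=login"  # assumed login URL, not UBB's real one
BURST_PER_MINUTE = 50                            # the post reports 50-60 attempts per minute
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*" \d{3}')

def login_attempts(lines):
    """Yield (timestamp, client_ip) for each POST to the login URL."""
    for line in lines:
        m = CLF.match(line)
        if m and m.group(3).startswith(LOGIN_PATH):
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1)

def burst_minutes(lines, threshold=BURST_PER_MINUTE):
    """Map each minute with >= threshold login attempts to its per-IP counts."""
    per_minute = defaultdict(Counter)
    for ts, ip in login_attempts(lines):
        per_minute[ts.replace(second=0)][ip] += 1
    return {m: c for m, c in per_minute.items() if sum(c.values()) >= threshold}

class LoginFloodCheck:
    """Sliding-window flood check keyed by client IP, applied to login attempts."""
    def __init__(self, max_attempts=5, window=timedelta(minutes=1)):
        self.max_attempts, self.window = max_attempts, window
        self.seen = defaultdict(deque)   # ip -> timestamps of allowed attempts

    def allow(self, ip, now):
        q = self.seen[ip]
        while q and now - q[0] >= self.window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

def sample_log():
    """Constructed sample: 55 login POSTs in one minute from one address, plus normal traffic."""
    lines = ['203.0.113.7 - - [28/Jul/2004:05:10:%02d +0000] "POST %s HTTP/1.0" 200 512'
             % (i, LOGIN_PATH) for i in range(55)]
    lines.append('198.51.100.4 - - [28/Jul/2004:05:11:03 +0000] "POST %s HTTP/1.0" 200 512' % LOGIN_PATH)
    lines.append('198.51.100.4 - - [28/Jul/2004:05:11:09 +0000] "GET /cgi-bin/board.cgi HTTP/1.0" 200 9000')
    return lines

if __name__ == "__main__":
    for minute, by_ip in sorted(burst_minutes(sample_log()).items()):
        print(minute.isoformat(), sum(by_ip.values()), by_ip.most_common(3))
```

Keying the flood check by target login name as well as by client IP also covers bursts that are spread across many source addresses.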

#183783 07/29/2004 8:31 AM
Joined: Jul 2004
Posts: 2
Junior Member
Junior Member
Offline
Joined: Jul 2004
Posts: 2
Thank you everyone for replying - I've got a friend who is far more clued up on scripts and permissions than I am to take a look, using your suggestions. So thank you for them.

And Rox - I really hope your troubles are sorted very soon, thank you for taking the time to post your experiences on here - it certainly makes my little troll look very tame indeed (thankfully!).

Fingers crossed for you that they'll eventually find somewhere else to go and play.

Cheers, Sal


The UBB.Developers Network (UBB.Dev/Threads.Dev) is ©2000-2024 VNC Web Services

 