User uploaded attachment and got in Admin CP. I have some questions
#1
I can see the logged Admin activity of the hacker while they were in the system. I managed to login and ban them right in the middle of them clicking delete on user accounts.

Anyway, in the logs you can clearly see a "shell" of some kind was uploaded as an attachment. I'd like to know where this went and how I can make sure to get rid of it.

Next, I'd like to know how to completely eliminate the uploading of attachments. I run a forum that in no way, ever, is going to have a need for users or myself to upload attachments. I realize it won't be a 100% fix to a future attack but I just have no reason to even keep attachments as an option.

I'm pretty good with going in and finding/modifying code so please let me know what to remove, etc...

Also, is there a way to track who was behind the hack? I'm told by some that they might have needed to buy space on the same server as me? How can I look further into this and what are the steps to take if I would like to trace this hack attempt back to the source? I'd like to be able to trace steps and figure out what exact method was used, so that something can be done to make sure it won't repeat.
#2
They wouldn't have been able to execute the shell. The browser would simply force them to download it instead, as a security measure.

Attachments can be disabled on a per usergroup basis. You can disable it via editing the usergroups.

You should review your server access logs and match who accessed /admin/ (or whatever you renamed your ACP directory to).

I advise you read this for more information and guidance: http://mattrogowski.co.uk/post/2009/06/2...hen-hacked
No longer involved in the MyBB project.
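One way to carry out the access-log review suggested above, as an added example that is not code from this thread or from MyBB: it parses combined-format web server log lines (constructed here for the example), summarises which client addresses reached the ACP directory, and lists the POST requests those same clients made elsewhere, so an earlier attachment upload can be lined up against the later ACP session. The /admin/ directory name and the sample request paths are assumptions.

```python
import re
from collections import defaultdict

# Sample lines in Apache/nginx "combined" log format, constructed for this
# example (not real traffic). Addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2009:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2009:10:02:40 +0000] "POST /newreply.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2009:10:05:02 +0000] "GET /admin/index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2009:10:05:30 +0000] "POST /admin/index.php?module=user-users HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2009:10:06:11 +0000] "GET /admin/index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2009:10:07:00 +0000] "GET /forumdisplay.php?fid=2 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path and status code of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Returns a dict of the named fields, or None for lines that do not match.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def admin_access_summary(log_text, admin_dir="/admin/"):
    """Per client IP that requested anything under admin_dir: number of such
    requests, first/last timestamp, and the distinct ACP scripts hit
    (query strings stripped). Clients that never touched admin_dir are omitted."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(admin_dir):
            continue
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
        entry["paths"].add(rec["path"].split("?")[0])
    return dict(summary)

def non_admin_posts(log_text, suspect_ips, admin_dir="/admin/"):
    """For IPs already flagged by admin_access_summary, return the (ip, path)
    pairs of POST requests they made outside the ACP, e.g. a reply that
    carried an attachment, so the upload can be tied to the ACP session."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in suspect_ips and rec["method"] == "POST" \
                and not rec["path"].startswith(admin_dir):
            hits.add((rec["ip"], rec["path"].split("?")[0]))
    return hits
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; the ACP session that matters is the one whose first timestamp falls after an upload POST from the same address.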
#3
I will check out that link. Thanks.

Regarding the issue though... I may have been misinformed elsewhere. My impression was that the shell being present WAS their way into the Admin CP.

If that's not the case, then what was the Shell's purpose? And what is likely the way they physically got into the Admin CP as an Administrator?

Seemed like they created a new account, then somehow either turned it into some kind of Mod or something, and then added themselves to the Administrator usergroup. Does this sound like a specific type of attack that there's a known way to fight? I know for a fact this user is a person who "trolls" my kinds of forums and is NOT just random. He is probably not the best hacker, and whatever his method was, I'm thinking is probably the only method he knows. Thoughts?
