This is quite worrying, I've had an individual, who has gained access to the super moderators accounts, the DB is held outside of the HTML area, and we bounce all ports bar the 80,21,23.

so I'm thinking that they must have got the db somehow??? and decrypted it, he seem to have a problem decrypting password with numbers in them, so have advised all moderators to change their password.

Has anyone any ideas how they have managed to do this.

I've currently got a dialogue running with the indiviual in question (imation) and have his source IP's as he seem to know how to spoof his IP after he found out I had his source one, and has said he gonna let me know how he did it, but....

He' has openly appologised for any disruption he's cause and assured us that he hasn't used or changed any info he's found, which is a good thing....

Thanks in Advance

At first he just registered as a normal user, started sl*gging everyone off, so we deleted his account and banned his IP.

He then spoofed his IP and re-registered and started sl*gging again, again we deleted his account and banned that IP, and went to GoStats (hit/stats counter) and got his source IP and set a mail to his ISP(s).

He then somehow got and logged in as myself and deleted my account, which I restored the DB to the night befores backup

Changed my password to something else (all letters) and he logged in again as myself and posted abusive content, another email was sent to his ISP's and a post was put on my site informing that if he persisted I'd inform internic.

Changed my password again (leters and numbers, which he must have a prob with), he logged in as someone else and posted an apologie and that when I opened a dialogue with him/her to find out how he did it, also advised all members to change their passwords.

It's abit worrying isn't it, we did everything bar bounce his IP at the firewall(s), but chance are he/she'd have spoofed their way around it.

I'm using 7.01, I agree with the brute force thing, most probably Lopthcrack or something similar.

also our firewall are set to reject ping requests, and buonce any port bar 80,21,23, it'll be interesting to find out how they're doing it...

we use Go.stats as it's a totally seperate site, which logs IP's/Country/Browser, etc, plus our hardware and software firewall logs

Access, and it's outside of the webroot area...

-boRgThe problem being if it is the admin account that the person is trying to guess if the account is suspended after 3 attempts the admin can't login to re-activate their own account. But I shall look into other solutions. [/QUOTE wrote: Maybe not a suspension but an hour time out??

Maybe not a suspension but an hour time out??

the sollution could be a newly generated long password after first three attempts. It will be mailed to the admin who obviously only has access to his mail account.

Only problem is not all folks have the email function enabled.

Another fix could be a simple database table with yes/no since the hacker probably wasn't able to download the database. Yes for suspended (lockdown of admin acount after three false logins). Then u could simply change yes to no it in the database and quickly change your password.

Sounds like the dail-back on a RAS server, sounds good the adding the IP to a banned list after three attempts, and to add maybe send out an alert to a certain group, like in mine,

We have the admin group, but I did'nt want to risk having more than one user with admin rights, so I created a super moderator group, they can do everything in every forum, bar administer the back end settings, so if someone does hack their password, the most they can do is deleted/edit some posts and delted the SM account (which is no biggy).

The three main owners all know the admin password and if they want to make changes we consult each other first.

This is turning into quite a good brain storming session... :)

I'm using 7.01, I agree with the brute force thing, most probably Lopthcrack or something similar.

QUOTE]

 Lopthcrack remotely ??

He02 wrote:   Lopthcrack remotely ??

or something similar like xscan

Perhaps i am verry lucky person, because not victom of hacking.
Is it always needed to login with the security code or is there a possibilty that users don't have to add the code when loggin in?

this is getting annoying now, I've even stopped the virtual share and point the forum at the db by the pyhsical path, changed my password to something REALLY obscure and he's still getting in..????,

had a look at 7.5 on my local dev site, and what changes nee to be made to 7.1's db to import it into 7.5???

These are the changes I've done:

Disabled all local accounts on the server (bar mine) and changed my password.

Bounce all ports bar 80,21,23

stopped the virtual dir with the db's in and use the physical path

updated to WWG 7.5 beta1

changed the admin password and mine.

removed or changed any passwords in other db's

used gostats, ZA pro and linksys to log attacks,

updated server so it is up-to-date (critical updates, etc)

ran IIS lockdown tool

disabled the use of flash file

AND they're still getting in..???, anyone got any ideas?

ftp's restricted access and people can only upload to certain areas, the DB's outside of the FTP and html areas, and c$ is unshared, it's most likely packet sniffing software now you come to mention it

Since I am one of the other founders/admins of DT I think I should be part of this convo too, so here I am.

Dont know how they've done it, but it seems that Imation has upgraded his account to be in the Admin group...

Also I think that the main admin password has been changed yet again...

Im really starting to get annoyed with this guy

it looks like I've abaited the stem for now, by doing something I  didn't want to do, but they've force my hand...

I've banned an IP range from the forum, and if neccessary from the whole site.

I've got one static that he uses and the other address is dynamic so that why the range was blocked, thanks for all your input, I keep you posted about the out come.

BTW we do own our server which does come in handy for dev work, and stuff

He's still getting in...

Still as annoying as ever and ge still wont tell us how he's doing it...

You said it's your own server right -- it's local and you have total access to it?  If you already don't have it turned on, go into your extended logging options and turn on URI Stem, URI Query and Cookie.

Change the passwords on the account he's using.  When he strikes again, note down the IP and start scanning your logfiles going backwards to find out what he's doing.  The page and querystring are important.

If you haven't already done so, you should see if you can get them over to Borg.  Out of anyone he'd be the best to figure out if it's a web based attack via the forum.

With an application like TextPad you can "bookmark" all lines when you do a find.  You can then copy all bookmarked lines and save in a new file (or delete all nonbookmarked lines) and that will make your logfile smaller.  You could even remove requests for plain 'ol images.  What's left should be a small zip file.

Some other questions...

Have you disabled or changed all the other accounts which could change admin passwords?  It might have been possible he had compromised some other account and used that account to make changes.  Maybe you could look up other accounts that had the same IP?

Have you scanned your own personal computers for malicious programs?  If one of you had a key logger application on your machines, than no matter what you do, he'll have your password.

l15aRd wrote: we know how he's getting in, but a certificate option is Too exspensive for the size of the site.

If you know how he's getting in, have you sent that information to borg?  There must be some fix which can be made.

he's using a packet sniffer and retrieving info from the intercepted packets so it's not a problem with the forum software and generally not a problem (as such) with the security on the server as he can only alter the forum with the passwords he gets, we have blocked a range of addresses that the individual used most frequently, and we have reported him to easynet and blueyonder, who have assured us that they sort it, but he must have access to another computer that uses BT internet, so we have the address of that and if the individual keep gaining access we'll report the ip he's using to them....

unbeknown to the individual we have friends who does that sort of thing of fun as well, he obviously has a very blinkered view on the WWW

That explains it. Thanks for taking the time to explain how we was getting in.

I'm glad you were able to figure out how we was getting access.  Hopefully he'll be taken care of and won't hassle you guys anymore.

As you have your own server you can install certificate server, the only problem is that, as it is not a trusted source to your clients they will get a security warning till they add it to their trusted pool. As you said a "normal" certificate is out of your budget I don't think there is any cheaper solution for windows.

They've finally told us how they were getting in, which has been plugged, and lets just say it wasn't with the server or the software.

Someone gave me an idea as well, if a user doesn't login to the forums for say a month, would there be anyway that the next time they login it expires their password and they have to change it, abit like the password expirey policies on NT based O/s's???

How about it just logs the times and dates and sends out a digest post once a week?