
IP Chat Install files provided hacker access to IPB


dNetAus


This actually happened a few weeks back and only just noticed this 'feedback forum' here... so apologies for the tardy feedback!

IPS Technical Support installed IP chat for us on our main forums back in April.

On July 5th at around 5am AusEST our forums just 'disappeared'.

Thankfully we have wonderful hosting support (a small Aus company who have looked after us pretty well pro bono for 13 years) and they were able to fully restore from backup files taken nightly at 3am - so not too much permanent damage done.

My understanding is that basically the hacking was made possible by the chat installation files not being deleted after the chat was installed.

Am thinking it would be good to include this step as standard for IPS TechSupport?

Will paste the relevant section of the report from our host here FYI (most of which I don't understand, but am hoping it might be helpful to someone? :blush:)

..., here is a breakdown of what’s happened to forum.xxx.com.au & forum.xxx.org.au, which have a common file root and were hacked this morning around 3:40am and were totally purged by the hackers from Kosovo / Albania in Eastern Europe about 2 hours later.

Initially the hackers were referred to the site from Google, indicating they were searching specifically for the chat software, which is the first entry in the attached log extract. This was around 3:40am today. Once they had found the chat application they went looking for installation files and found them after a couple of attempts. Next they re-installed the chat program, giving them admin privileges and control of the chat application, shortly after that we can see files were uploaded into the images folder [httpdocs/chat/images/] and a file called kuzina.php was accessed which is most likely the file manager / toolkit script. All of this happened in the first 5 minutes. Later on that morning another file called proshell2.php was loaded and used for a while and then around 5:40am they started deleting files and the entire site was gone in a few seconds.

Hope this is helpful

Warmest

Leanne

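The sequence the host describes (a search-engine referral for the chat software, probes for installer paths, a re-install, then a script executed from the images folder) is the kind of pattern an access-log triage can flag. The following Python script is an added example, not code from the thread, from IPS or from the host: the log lines in it are constructed in Apache combined format with invented IPs, timestamps and paths, and the path fragments it treats as installer or static directories are assumptions rather than IPB's real layout.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format) modelled on the
# sequence in the host's report: a Google referral for the chat software,
# probing for installer paths, a re-install, then a PHP file served from
# images/. IPs, timestamps and the install path are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2011:03:40:12 +1000] "GET /chat/ HTTP/1.1" 200 5120 "http://www.google.com/search?q=ip+chat+software" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2011:03:40:31 +1000] "GET /chat/setup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2011:03:40:45 +1000] "GET /chat/install/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2011:03:41:02 +1000] "GET /chat/install/index.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2011:03:42:10 +1000] "POST /chat/install/index.php?step=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2011:03:44:55 +1000] "GET /chat/images/kuzina.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2011:03:45:00 +1000] "GET /index.php?showtopic=12 HTTP/1.1" 200 15000 "http://forum.example.com/" "Mozilla/5.0"
198.51.100.9 - - [05/Jul/2011:03:45:03 +1000] "GET /chat/images/logo.png HTTP/1.1" 200 2048 "http://forum.example.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed path fragments: where installer/upgrader scripts tend to live, and
# directories that should only ever serve static content.
INSTALLER_DIRS = ("/install", "/setup", "/upgrade")
STATIC_DIRS = ("/images/", "/uploads/", "/cache/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons (possibly none) this request looks like installer abuse."""
    reasons = []
    path = urlparse(entry["path"]).path.lower()  # strip the query string
    if any(d in path for d in INSTALLER_DIRS):
        reasons.append("installer_path")
    if path.endswith(".php") and any(s in path for s in STATIC_DIRS):
        reasons.append("script_in_static_dir")
    ref = urlparse(entry["referer"])
    if "google." in ref.netloc:
        # Record the search terms: they show what the visitor was looking for
        query = parse_qs(ref.query).get("q", [""])[0]
        if query:
            reasons.append("search_referral:" + query)
    return reasons


def triage(log_text):
    """Group flagged requests by client IP so the analyst sees each actor's sequence."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings[entry["ip"]].append(
                (entry["ts"], entry["method"], entry["path"], entry["status"], reasons)
            )
    return dict(findings)


if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        print(ip)
        for ts, method, path, status, reasons in events:
            print(f"  {ts} {method} {path} {status} -> {', '.join(reasons)}")
```

Run against a real log, the grouping by IP is what turns eight scattered lines into the five-minute story the host reconstructed; the ordinary visitor (198.51.100.9) produces no findings because a PNG under images/ is expected, while a .php there is not.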

The only time I have seen a /chat folder is very old leftover files from many moons ago. If you are using our chat application and our current versions, you can safely delete any /chat folder and all its contents.

Actually, our chat application won't even run if you have another /chat folder in your forum structure. I would suggest that you have your host provide the access logs they used to determine these findings and submit a ticket, and we can look to be safe though.

Thank you


Yes, this does not sound to me like an exploit within our chat installation process on the surface. The URL/path structure is not what we utilize, which is odd. I would recommend submitting a ticket with the relevant access logs so we can look for you to be certain.


For what it's worth, I had another non-IPB site hacked a few months ago and they had a very similar file structure setup. The server forum here is an incredible resource on how to prevent this from occurring again. Another thing which is completely awesome to catch bad files was maldet (google it). It's irreplaceable in terms of cleanup missions.

FWIW I caught my hacker using a few fingerprints that he left behind. Turns out he was a 17 year old kid who, unfortunately for him, lived a few towns away from me. Completely bad luck on his part; he found us by doing simple script kiddie drive-by vuln scans. To say that I didn't take mercy on him is an understatement: his high school was notified (their IP was in my logs, once I knew what to look for), I called his dad on the phone, alerted his parents' employers that malicious activity could have come from their locations, I freaking did everything.


And yet to actually install (reinstall/run upgrader) they would have HAD to have entered a valid existing admin username and password as the first step before anything would happen.

So this attack cannot be done without brute forcing the pass or already having it (which would mean they can access the main admin panel already)?


Running the upgrader would not harm a site (unless you had a pending upgrade available sitting there and it affected mods or skins or something, but it wouldn't actually hurt the data).

Re-running the installer would require:

1) The person to know the SQL credentials on the server

2) The "unlocked installer" lock file not to be present (it is written automatically by the installer)

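Two of the checks raised in this thread (delete any leftover /chat or installer folder, and make sure the installer's lock file is in place so it cannot be re-run) can be turned into a routine audit of the web root. The following Python script is an added example and not IPS code; the installer directory names, the lock-file name `install.lock` and the static-directory names are assumptions, since the thread does not give IPB's real names, and the sample web root it builds in a temporary directory is constructed to mirror the paths in the host's report.

```python
import os
import tempfile

# Assumed names: the thread does not give IPB's real installer-directory or
# lock-file names, so these are placeholders for the example.
INSTALLER_DIR_NAMES = {"install", "setup", "upgrade"}
LOCK_FILE = "install.lock"
# Directories that should only ever hold static content, never executable scripts
STATIC_DIR_NAMES = {"images", "uploads", "cache"}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5"}


def audit_webroot(root):
    """Walk a web root and return sorted (severity, relative_path, reason) findings.

    - an installer directory with no lock file is 'high' (it can be re-run)
    - an installer directory that is locked is 'info' (still best deleted)
    - a script inside a static-content directory is 'high' (likely a web shell)
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        for d in dirnames:
            if d.lower() in INSTALLER_DIR_NAMES:
                locked = os.path.exists(os.path.join(dirpath, d, LOCK_FILE))
                findings.append((
                    "info" if locked else "high",
                    os.path.normpath(os.path.join(rel, d)),
                    "installer directory present" + ("" if locked else ", no lock file"),
                ))
        if any(p.lower() in STATIC_DIR_NAMES for p in parts):
            for f in filenames:
                if os.path.splitext(f)[1].lower() in SCRIPT_EXTENSIONS:
                    findings.append((
                        "high",
                        os.path.normpath(os.path.join(rel, f)),
                        "script in static-content directory",
                    ))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root in a temp dir mirroring the thread's paths."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": "<?php // forum front controller\n",
        "chat/install/index.php": "<?php // leftover installer, no lock file\n",
        "chat/images/logo.png": "PNG",
        "chat/images/kuzina.php": "<?php // script dropped into images/ (constructed)\n",
        "admin/install/index.php": "<?php // installer that was locked after use\n",
        "admin/install/" + LOCK_FILE: "",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for sev, path, reason in audit_webroot(build_sample_webroot()):
        print(f"[{sev}] {path}: {reason}")
```

Point `audit_webroot` at the real document root (after adjusting the assumed names to the installer your version actually ships) and schedule it alongside the nightly backup; the unlocked installer directory and the .php under images/ are exactly the two conditions the host's report describes.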

Archived

This topic is now archived and is closed to further replies.
