Thread: Major Additions - VB image Hosting
Post #561, 02-26-2007, 10:07 AM
oatsy
Join Date: Aug 2005
Posts: 17
Thanked: 0 time(s)
Thanked 0 time(s) in 0 posts

Had a 3.6.4 forum hacked (as in Turkish hackers, not as in a deliberate VB mod) a couple of days ago with a hack called cmdhack, and there are some signs that it came in through a previous version of Image Hosting - version 1.3.1. I was looking here to see what the most current version is. I see 1.3.1 is outdated, but I'm not sure if the recent updates change anything about security (if indeed Image Hosting was the way they got in).

The reason I think Image Hosting may have been the route in is because 3 new files appeared in the 'imagehosting' directory at about the time the site was hacked. There should only be image files and an index.html (with nothing in it) in there, but we had a new index file plus 2 php files. Couldn't open any of them by ftp for editing - access denied. We were able to delete the folder and replace it with a backup, and the forums are up and running again now once we fixed the problem in the db - see below.

I'm still puzzled about how those files got there though. The Image Hosting feature is set to a) only accept jpg, gif, png, and bmp files. I've tried txt files etc and it won't accept them. b) only trusted members of the forum are enabled on the Image Hosting system - general public don't have permissions. All forums have HTML disabled.

I've disabled the Image Hosting hack from all users for now. I'd appreciate any thoughts on how this might have happened. Can a script be disguised as an image file? Could one of the trusted members have innocently uploaded what he thought was a clean image file but was actually the hacker's script?

I'd like to keep Image Hosting on the site because it's a terrific hack.

What happens with this cmdhack is that as soon as the forums try to load you get redirected straight to a page on the hackers site ('Turkish Hackers blah blah' rubbish).

If you do get caught with it, it's easy to get rid of as long as you have access to phpmyadmin:

Long story short ... the hack changed a couple of fields in the top level publicly accessible forum (the Category, in other words). The Title field text was replaced with a refresh command and the description field had the URL details to the hacker's page. As soon as the forums load, the refresh/redirect command kicks you to the hacker's URL after a second or two.

No new pages were added to the site - the 'You've been hacked' page was on the hacker's remote site. Easy enough to fix by going into phpmyadmin, listing the 'forum' table and looking for the forum that has the wrong info in it. Replace the hacker's text with the correct text and off you go. You can't edit it in the admin cp because as soon as you try to list the forums in Forum Manager the redirect kicks in again.

Thanks
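The post above describes two indicators worth checking for routinely: files in the 'imagehosting' directory that are not actually images (or that are not the empty index.html placeholder), and a refresh/redirect planted in the title or description columns of the vBulletin 'forum' table. The following Python script is an added example written for this page, not code from the original post or from the Image Hosting mod. It audits an upload directory by comparing each file's extension against its leading signature bytes and scanning for a PHP open tag, and it checks forum rows for meta-refresh or script-driven redirects. The magic-byte table, the regular expressions, the sample files and the sample rows are all constructed here for illustration; in real use the rows would be read from the live database.

```python
import os
import re
import tempfile

# Leading signature bytes for the image types the post says the mod accepts
# (jpg, gif, png, bmp). Constructed table for this example.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}

# A PHP open tag has no business in an image file or an empty placeholder page.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Redirect indicators for forum title/description fields: a meta refresh
# (what the post describes) or a script-driven location change.
REDIRECT_PATTERN = re.compile(
    r"http-equiv\s*=\s*[\"']?refresh|window\.location|document\.location|<script",
    re.IGNORECASE,
)


def audit_upload_dir(path, allowed=("index.html",)):
    """Return a list of (filename, reason) findings for an image upload directory.

    Only the first 64 KiB of each file is read; that is enough for the
    signature check and for a PHP tag placed near the start of the file.
    """
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(full, "rb") as fh:
            head = fh.read(64 * 1024)
        if PHP_TAG.search(head):
            findings.append((name, "contains PHP open tag"))
            continue
        if ext in IMAGE_MAGIC:
            if not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((name, "extension does not match file signature"))
        elif name not in allowed:
            findings.append((name, "unexpected file type in image directory"))
        elif head.strip():
            findings.append((name, "placeholder index.html is not empty"))
    return findings


def audit_forum_rows(rows):
    """rows: iterable of (forumid, title, description), as read from the
    vBulletin 'forum' table. Returns (forumid, field) pairs that contain a
    redirect indicator."""
    hits = []
    for forumid, title, description in rows:
        for field, value in (("title", title), ("description", description)):
            if value and REDIRECT_PATTERN.search(value):
                hits.append((forumid, field))
    return hits


def build_demo_dir():
    """Create a temporary directory of constructed sample files (not real
    uploads) so the directory audit can be run offline."""
    d = tempfile.mkdtemp()
    samples = {
        "good.gif": b"GIF89a" + b"\x00" * 20,
        "good.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
        "index.html": b"",                          # empty placeholder, as expected
        "hidden.jpg": b"GIF89a<?php echo 1; ?>",    # image name, PHP inside
        "mystery.jpg": b"not really an image at all",
        "notes.txt": b"plain text that should not be here",
        "unexpected.php": b"<?php echo 'x'; ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


# Constructed sample rows: row 2 mimics a title replaced with a refresh tag.
# The URL is a placeholder, not the address from the post.
SAMPLE_ROWS = [
    (1, "General Discussion", "Talk about anything"),
    (2, '<meta http-equiv="refresh" content="1;url=http://example.invalid/">',
     "http://example.invalid/"),
]

if __name__ == "__main__":
    for name, reason in audit_upload_dir(build_demo_dir()):
        print(f"{name}: {reason}")
    for forumid, field in audit_forum_rows(SAMPLE_ROWS):
        print(f"forum {forumid}: redirect in {field}")
```

The directory check deliberately flags a PHP tag before looking at the signature, because a file can carry a valid image header and still contain executable code further in; the forum check runs on rows pulled straight from the database, which sidesteps the problem the post mentions of the admin cp redirecting before the Forum Manager can be listed.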