Check closer to home, and be prepared, as is regrettable in such cases, to find someone you know has screwed you.
DerekH
mod_security is what I probably need to install.
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
The manual describes exactly what they're doing, and that's the code that stops it.
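As an added example (not from the post or the mod_security project), the three SecFilter patterns above re-implemented as Python regexes and run over a few constructed request strings, which shows both what such "very crude" filters catch and the false positives they cause on ordinary English text. It assumes the patterns are applied case-insensitively to the already URL-decoded query string or POST body.

```python
import re

# The three patterns from the post, translated from POSIX syntax
# ([[:space:]] -> \s) for Python's re module. Case-insensitive matching is an
# assumption about how such a filter is intended to be applied.
CRUDE_SQLI_FILTERS = {
    "delete-from": re.compile(r"delete\s+from", re.IGNORECASE),
    "insert-into": re.compile(r"insert\s+into", re.IGNORECASE),
    "select-from": re.compile(r"select.+from", re.IGNORECASE),
}


def matching_filters(request_text: str) -> list[str]:
    """Return the names of the filters that would block this request text."""
    return [name for name, rx in CRUDE_SQLI_FILTERS.items() if rx.search(request_text)]


# Constructed sample requests (not real traffic): decoded query strings and
# POST bodies as a bulletin board would see them.
SAMPLE_REQUESTS = {
    "normal profile search": "username=jesse&action=search",
    "plain login": "username=admin&password=hunter2",
    # A SQL fragment in a parameter: the filter fires, as intended.
    "sql in parameter": "id=1; select username from users",
    # Ordinary forum text: "Select a recipe from the menu" also matches
    # "select.+from", so a legitimate post is blocked (false positive).
    "forum post about cooking": "message=Select a recipe from the menu",
    # "delete it from" does NOT match "delete\s+from", because the pattern
    # requires "from" to follow "delete" with only whitespace in between.
    "forum post about lists": "message=delete it from your list",
}


def classify(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each sample label to the list of filters that fire on it."""
    return {label: matching_filters(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, fired in classify(SAMPLE_REQUESTS).items():
        verdict = "BLOCKED by " + ", ".join(fired) if fired else "allowed"
        print(f"{label:28s} -> {verdict}")
```

The cooking example is the practical cost of these rules: any user text that happens to contain "select ... from" is rejected, so a board with real discussion traffic will need narrower patterns or per-parameter rules.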
First, file a complaint with the IC3: [ic3.gov...]
Second, call your local FBI office: [fbi.gov...]
No matter how painful it may be, I recommend doing __nothing__ until you receive instructions from the FBI. Except check your stickymail, I've sent you some additional info. :)
A couple of points from a human nature perspective: since you did call the FBI, I'm assuming you're completely sure it's not an inside job. Another point is that it seems you run many, many bulletin board services.
We all know that the internet society is full of anti-social people who get punched in the nose a lot in real life.
So....
There's just one person doing all this, and it's not just a random attack. They're out to get you for some imagined offense.
Sorry, good friend, you may have to shut down for a couple of years, just until the MORON finds someone else to pick on.
phpBB 2.0.11 contains fixes for at least three things that can lead to the kind of things you and your associates have been subjected to:
- Fixed unsetting global vars
- Fixed XSS vulnerability in username handling
- Fixed not confirmed sql injection in username handling
Does vBulletin have those bugs?
- Unsetting global vars
- XSS vulnerability in username handling
- Not confirmed sql injection in username handling
The major board getting hacked is vBulletin, and the hackers have been much better at hacking the vBulletin boards than phpBB. I've got three different message board sites. They're mostly attacking the most popular one, the vBulletin one that's been around since 1997.
A Mac-using friend of mine told me today that she's had problems because her computer was "acting as a server" and that people could access her hard drive or something.
Then she must explicitly have switched something on. A Mac OS X system straight out of the box has no - absolutely no - services/daemons that are exploitable from the outside switched on by default. However, it's very easy to switch something on in an insecure way.
Now, you are just stating that she's had problems. But what kind of problems? More facts, please, otherwise your statement is of no value at all.
[edited by: BjarneDM at 11:10 am (utc) on Dec. 6, 2004]
As far as I can see his problems are not at all with his iMac but with his Web Hosting Company that seems to have gotten themselves hacked and a root kit installed.
His web host simply isn't up-to-date on security patches. They are apparently using:
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_fastcgi/2.2.10
1) Apache is at 1.3.33
2) OpenSSL is at 0.9.7e
3) mod_ssl is at 2.8.22
4) mod_fastcgi is at 2.4.0
vBulletin is at 3.0.3 - Jesse_Smith's board is using 3.01
[vbulletin.com...]
I'd switch web hosting firm very fast if I discovered that they didn't keep up with their security patches. As to which security issues have been patched, you'll have to do your own research.
As to me posting about phpBB that was an error on my side - I had somehow gotten it into my head that the boards were served using phpBB.
I've been taking a further look at the problems Jesse_Smith has.
I've looked into this specific situation as well and would add that the sites are all virtually hosted on the same box with a single IP address. So the hacker would have been able to gain access to all the sites after a single successful attack that compromised the box. Plus, the hacker might have realized the widespread damage they could do to Jesse_Smith by doing a reverse IP whois on any of the domains. :(
You need to switch hosts or at least have your host wipe your current server and start new.
(well, as far as I can tell - I don't know a whole lot about this stuff)
If your hacker had done the same a while ago, you could have inadvertently backed up the php file - so each time you replaced the hacked files you also replaced his file.
Probably not the same problem though, but I'll PM you some specific details all the same.
Scott
And if the central administrative server of your web hosting firm has been root kitted, you are out of luck no matter what you do to your own machine: your password has to be stored there somewhere, and they have to have root access to all of their accounts in order to administer them.
1) Apache is at 1.3.33
2) OpenSSL is at 0.9.7e
3) mod_ssl is at 2.8.22
4) mod_fastcgi is at 2.4.0
Check them now. I know Apache is now 2.0.46. Though with the server restored two days ago, they already changed the index page! It probably won't be long before I find out if they got root access again and can still delete stuff.