  e107 Coders.org :: Forums :: E107 Plugins :: Q & A
 
E107.org blocked
GunMuse
Mon Mar 15 2004, 10:42PM

Registered Member #400
Joined: Thu Jun 26 2003, 12:25AM
Location:
Posts: 69
I hated to do it. But Steve just has some pissant messing with him. His code was not being hacked. Someone set up a loop on the search box and drilled requests over and over again, sending the server to over a 400 load before it choked. For anyone who knows servers, that is a hell of a load. So whoever is pissed off at Steve has access to very large pipes.

We pulled an IP address from this morning's attack and are doing our best to track it down.

For now Steve is going to have to put some "safety" measures on for throttling on his site. Once we do that and implement them on all of our other sites as well, we will unlock the e107.org site again.

I don't know exactly when it happened this weekend, as I teach a weekend class to law enforcement two weekends a month. So I am on it and most likely I will have it traced back to who did it and be setting up our future traps for suckers. I have two FBI agents who are wanting to try some tracking software out; we are going to let them install it this week.

For you would-be hackers or future wannabes, just remember someone is always smarter than you. And the federal jail doesn't have free internet or cable like they say on TV.
streaky
Mon Mar 15 2004, 10:56PM
Registered Member #1776
Joined: Sat Jan 31 2004, 03:26PM
Location: Lincoln, UK
Posts: 533
Dude, just sort 'em out the proper way. I can point you in the direction of some proper forensic software if you like... :P
JuhaH
Tue Mar 16 2004, 09:18PM
Registered Member #925
Joined: Sun Sep 28 2003, 09:41AM
Location:
Posts: 18
How do you protect a site from such attacks? Prevent anonymous users from using features which perform complex SQL queries? Is the flood database table itself too slow to protect a site against a flood? Am I right that there isn't any mechanism to temporarily block a certain IP?
streaky
Tue Mar 16 2004, 09:53PM
Registered Member #1776
Joined: Sat Jan 31 2004, 03:26PM
Location: Lincoln, UK
Posts: 533
No, what happens (or has been happening; this time is different, I believe) is that the security feature of e107 to prevent floods jumps into action (rightly, because somebody is flooding the site). However, it takes the site offline, creating a sort of DoS attack that is created mainly by the flood protection itself, or at least that's the way it comes across to me... :)
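The point raised in the posts above (a flood against the search box, and flood protection that answers by taking the whole site offline) is the difference between a global lock and a per-client throttle. The following is an added example, not e107's own flood code: a sliding-window limiter keyed on the client address, with a temporary block for the offending client only, so the rest of the site's visitors are unaffected. The class and function names, the limits, and the traffic (RFC 5737 documentation addresses) are all constructed for the demonstration.

```python
"""Per-client throttle for an expensive endpoint such as a site search.

Added example, not e107 code. One flooding client is slowed and then
temporarily blocked while every other client keeps working, instead of a
site-wide flood lock that takes the whole site offline.
"""
from collections import defaultdict, deque


class SearchThrottle:
    def __init__(self, max_requests=10, window_seconds=60, block_seconds=300):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block_for = block_seconds
        self._hits = defaultdict(deque)   # ip -> timestamps of recent requests
        self._blocked_until = {}          # ip -> time at which the block expires

    def check(self, ip, now):
        """Return (allowed, reason). Only the offending client is affected."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, "temporarily blocked"
            # Block expired: forget it and start the client with a clean window.
            del self._blocked_until[ip]
            self._hits[ip].clear()
        hits = self._hits[ip]
        # Drop timestamps that have fallen out of the sliding window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            self._blocked_until[ip] = now + self.block_for
            return False, "rate limit exceeded; temporary block applied"
        hits.append(now)
        return True, "ok"

    def blocked_clients(self, now):
        """Addresses whose block is still in force at time `now`."""
        return sorted(ip for ip, t in self._blocked_until.items() if now < t)


def simulate(throttle, requests):
    """Feed a sequence of (time, ip) requests; return allowed/denied counts per ip."""
    outcome = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for t, ip in requests:
        ok, _ = throttle.check(ip, t)
        outcome[ip]["allowed" if ok else "denied"] += 1
    return dict(outcome)


# Constructed traffic: one client hits search 100 times in 10 seconds, while a
# normal visitor searches once every 20 seconds over the same period.
FLOOD = [(i * 0.1, "203.0.113.7") for i in range(100)]
NORMAL = [(float(t), "198.51.100.20") for t in (0, 20, 40, 60, 80, 100)]
TRAFFIC = sorted(FLOOD + NORMAL)


def demo():
    """Run the constructed traffic; return per-client counts and who is blocked at t=100."""
    throttle = SearchThrottle(max_requests=10, window_seconds=60, block_seconds=300)
    counts = simulate(throttle, TRAFFIC)
    return counts, throttle.blocked_clients(now=100.0)


if __name__ == "__main__":
    counts, blocked = demo()
    for ip, c in counts.items():
        print(f"{ip}: {c['allowed']} allowed, {c['denied']} denied")
    print("blocked at t=100:", blocked)
```

In the constructed run the flooder gets 10 requests through, is blocked on the 11th and denied for the rest, while the normal visitor's six searches all succeed; nothing about the site as a whole changes state. The same structure answers the question about temporary IP blocks: the block lives in the limiter with an expiry, not in a permanent deny list.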
streaky
Tue Mar 16 2004, 10:05PM
Registered Member #1776
Joined: Sat Jan 31 2004, 03:26PM
Location: Lincoln, UK
Posts: 533
How to prevent it? Don't annoy people that are likely to respond in this way and you should be fine. However, some people are always going to try to take your site down if they have an axe to grind, whether it's through the site or other ways in. Disabling anon posting systems will make it take about 3 minutes longer, that's all; about the time it takes to sign up at your site.

Apparently there will be new security features in the next version, which (I'm told, hehe) should help. At the end of the day a good host and not annoying people should be enough to protect you.
kursplat
Tue Mar 16 2004, 10:06PM
Registered Member #357
Joined: Sun Jun 15 2003, 03:32AM
Location:
Posts: 42
So, this confirms that the problem is as sanctify/archon reported? e107 isn't being "hacked". The attacker isn't exploiting a security hole in e107 (like SQL injection). But he is exploiting the fact that he can flood the e107 site with requests that tax the server (effectively creating a DoS attack). According to Archon's site (and discussion threads on e107.org, or was it here?), his script helps sites combat this type of attack.

Everything I've seen points to "sanctify" being the jerk launching the attacks. And at this point, I think he passed "proving his point" and is now just a bully who needs to get a life.

While this is not a security flaw in e107 that would allow someone to change the site or gain access to the site's data, it is a vulnerability in the code that can be used for DoS attacks on that site.

Ironically, according to a post on Archon's site, fixing this vulnerability was the whole point of contacting jalist, and the initial DoS attack was proof of the vulnerability. Unfortunately, he has now gone way past "good intentions."

In the end, we all win - a more secure/robust e107, and the attacker behind bars "getting it from his new boyfriend."
Zaphod
Tue Mar 16 2004, 10:38PM
Registered Member #820
Joined: Wed Sep 10 2003, 10:33PM
Location: Sydney, Australia
Posts: 487
You and I both know realistically this guy or group won't be caught and they won't end up behind bars. In all likelihood they are not even in the same country, and not even under a jurisdiction that will enable them to be prosecuted for what they have done.

You just have to get on with the job. I have had my sites and old sites hacked numerous times, shit happens basically.

Zaphod
streaky
Tue Mar 16 2004, 11:16PM
Registered Member #1776
Joined: Sat Jan 31 2004, 03:26PM
Location: Lincoln, UK
Posts: 533
Exactly, but when it's sustained like this, there is always bad data coming in, and if you have access to the routers it's simple to find their _real_ IPs, even if they think they are protected.
DangerousBeans
Wed Mar 17 2004, 12:16AM

Registered Member #1497
Joined: Fri Jan 02 2004, 07:36PM
Location: Island of Jersey, United Kingdom
Posts: 6
Well, it's these guys below doing root hacks. My server got hit on Monday 23.30-ish (GMT): removed any index.html and template header/footer files and CSS files (replaced with the same hack page contents). Some Spanish crap about bringing down the Dominican Republic's government? Rofl, whatever, I'm in the UK.

I did some checks and honed in on this bunch of rabble. I believe these 'kids' have got hold of a few old hat hacks from dodgy hacking sites and are getting some results, unfortunately.

Bizarrely they haven't covered their tracks rather well, and I've traced the user's IP to New York and have details of their ISP. I've contacted (on behalf of other e107 users) my local police and a specific American FBI department on this subject.
The basic lack of covering their tracks confirmed my theory on kiddy hackers. They will learn, but it will take a while for justice to take its course.

If your site's hacked with a black background with a rather badly positioned (and crap looking) image at top, with a bit of dribble about the overthrow of governments, and you're stuck fixing your site, I will help; it doesn't take long when you know which files to overwrite.

(a slice of one of the official reports sent out after I'd fixed the mess)

"Please List the easiest way and most convenient time to contact you:
mobile phone or email +44xxxxxxxxx / graeme.moignard@xxxxxx

Information about Individual that victimized you. Web Site: [link]
Name: xxxxxxx
Gender: xxxxxxxx
Phone #: xxxxxx
Current Email: [email]
Street Address:xxxxxxx
Suite/Apt/Mail Stop:
City:
County: State: NY Zip:
Country: USA

Contact between you and the Person/company that victimized you. Type of Contact: Web Page
Date of Contact: 03/14/2004

Contact Information:
root hack replaced any index.html files found - specifically attacking the
E107 [link] free web CMS system.
They seem to have found a vulnerability in way the scripts work using
javascript.

The hacked pages were black background, with bad sized graphic/ distorted,
the text was in Spanish, I used an online translator and apparently it was
going on about throwing out the government in the Dominican Republic and
mentioned Hipolito (I dunno who that is sorry!)
The hack occurred on the 14th March 2004 at 23.54pm (GMT time)

Easiest way to deal with the problem was delete any html and javascript
files created at that time and reinstall a few header and footer html
pages the hack also replaced.

Why, if the hackers' website is based in New York (I did a WHOIS on the domain),
they are hacking E107 users' sites with cheap html pages in Spanish, I can't
imagine.

Considering I'm actually in the UK, with a UK hosting company, they had a
go at my website (www.jerseygaming.com) - I just can't see the point."


I'm just a bit worried HOW they actually did it... I'm a programmer but not into this getting behind the security stuff ;)
streaky
Wed Mar 17 2004, 12:46AM
Registered Member #1776
Joined: Sat Jan 31 2004, 03:26PM
Location: Lincoln, UK
Posts: 533
LOL, sounds like you had a fun time... :P

Of course you know that deleting stuff is the wrong way to go about it... But of course it's a balance between that and needing your site up as always....

Hope you catch the little freaks...
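DangerousBeans cleaned up by deleting the html and javascript files created at the time of the defacement and reinstalling the template pages, and streaky's reply notes that deleting is the wrong way to go about it. The usual middle ground is a baseline-and-compare integrity check: hash the web root while it is known-good, diff against it after the incident, and copy the changed and added files out to a quarantine directory (keeping their timestamps) before restoring, so the evidence survives the cleanup. The following is an added example and not code from the thread or from e107; the file names, contents and the "defacement" are all constructed inside a temporary directory.

```python
"""Baseline-and-compare integrity check for a web root.

Added example, not from the thread or from e107. A SHA-256 manifest is taken
while the site is known-good; after an incident the live tree is compared to
it, and every modified or added file is copied to a quarantine directory
(preserving mtime) for later examination instead of being deleted.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, current):
    """Classify paths as modified (hash differs), added, or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def quarantine(root, rel_paths, quarantine_dir):
    """Copy suspect files out of the web root with metadata intact; originals are left alone."""
    root, qdir = Path(root), Path(quarantine_dir)
    preserved = []
    for rel in rel_paths:
        dst = qdir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, dst)  # copy2 keeps the modification time
        preserved.append(rel)
    return preserved


def demo():
    """Constructed scenario: good site, baseline taken, then a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "themes").mkdir(parents=True)
        (site / "index.html").write_text("<html>welcome</html>")
        (site / "themes" / "header.html").write_text("<div>header</div>")
        (site / "themes" / "style.css").write_text("body { }")
        baseline = build_manifest(site)

        # Constructed defacement: two files overwritten, one dropped in, one untouched.
        (site / "index.html").write_text("<html><body>defaced placeholder</body></html>")
        (site / "themes" / "header.html").write_text("<div>defaced placeholder</div>")
        (site / "themes" / "dropped.js").write_text("/* constructed dropped file */")

        diff = compare(baseline, build_manifest(site))
        preserved = quarantine(site, diff["modified"] + diff["added"], Path(tmp) / "quarantine")
        # The quarantine copies carry the same mtime as the originals.
        mtimes_match = all(
            (Path(tmp) / "quarantine" / rel).stat().st_mtime == (site / rel).stat().st_mtime
            for rel in preserved
        )
        return {"diff": diff, "preserved": preserved, "mtimes_match": mtimes_match}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        print(f"{kind}: {paths}")
    print("quarantined:", result["preserved"])
```

Run it and the report lists index.html and themes/header.html as modified and themes/dropped.js as added, with all three copied to the quarantine directory; the untouched stylesheet does not appear. The baseline manifest is only trustworthy if it was taken before the incident and stored somewhere the web server cannot write to.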