Thanks to some BP Onliners' messages, I was able to make sure I backed up our site’s database just in case.
Apparently, our sister site Hangad's discussion board has been hacked. From the look of it, one of two things happened: either it’s an HTML/CSS hack, or an administrative (or super moderator) account was compromised. I would have to go with the former based on the source code I saw.
Fortunately, it’s limited to the discussion board… because if the hosting/server account was compromised, then it would mean that the whole site would be in trouble.
Checking the source, everything else was intact, no themes were altered. So this strongly suggests that code has been injected (and not that the board was compromised), which is a common method for these types of hacks.[1]
Here’s the offending injected code:
```html
<span class="forumlink"> <a href="viewforum.php?f=48&sid=a57b4b316b6581a48011c0ecf9388692" class="forumlink">:: Hacked By Yusuf KARA :: -= Yusuf Ownz Your Security ! ! !=--</a><br />
</span> <span class="genmed"><body topmargin="0"><tr bgcolor="#F3F3F3">
<td valign=top align=right><font size="2">Pesan :<b> </b></font></td>
<td colspan="2"><font size="2">
</DIV><DIV align=left><BR><DIV id=Layer1 style="BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; Z-INDEX: 1; LEFT: 0px; BORDER-LEFT: #000000 1px; WIDTH: 1250px; BORDER-BOTTOM: #000000 1px; POSITION: absolute; TOP: 0px; HEIGHT: 30000px; BACKGROUND-COLOR: #000000; layer-background-color: #000000">
</font>
<center><span style="font-weight: 400">
<img border="0" src="http://polat.sitemynet.com/owned.jpg" width="755" height="530"></font></span>
<script language="JavaScript">
<!--
var left="[";
var right="]";
var msg=" - - :: Hacked By Yusuf KARA :: -= Yusuf Ownz Your Security ! ! !=-- - - ";
var speed=200;
function scroll_title() {
document.title=left+msg+right;
msg=msg.substring(1,msg.length)+msg.charAt(0);
setTimeout("scroll_title()",speed);
}
scroll_title();
// End -->
</script>
<BGSOUND src="http://www.sempatim.com/yusuf.mp3"
loop=infinite>
</body>
</html>
```
Now you’d see that it’s kind of masquerading as a forum link. And when you navigate to the said link you’ll see this page.[2] Which means that the rest of the board is working fine.
Truth be told, both guestbooks in nargalzius.com and bukaspalad.com can easily be hacked with simple HTML/CSS tricks if I only enable HTML tag support… which I obviously don’t… anymore at least.[3]
It is to be noted that while boards aren’t rock solid, pulling something like this also takes some creative thinking. Boards are aware of HTML/CSS/JavaScript exploitability, which is the reason why boards have the option to turn off HTML/scripting support, and are updated all the time with security patches. So normally, the code you see above can’t just be simply “posted.” To achieve such malice, you need to know the board engine you’re working on. In this case it’s phpBB, which is a very popular board, so it’s not surprising that there are hacks similar to this hanging about. Knowing the engine you’re working with can do a lot of things… take the whole MySpace hack for instance.
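An added example (not code from the original post or from phpBB): a small Python audit that a board admin could run over stored forum names to flag markup like the injected block above, together with the escaping a template should apply to such plain-text fields. The tag policy, function names and row data are assumptions made for this illustration.

```python
import html
import re
from html.parser import HTMLParser

ACTIVE = {"script", "bgsound", "iframe", "object", "embed"}  # run code or autoload media
PAGE = {"html", "body"}  # belong to the board template, never to a field
OVERLAY = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
REMOTE = re.compile(r"(https?:)?//", re.I)

class FieldAuditor(HTMLParser):  # collects reasons not to echo a field as raw HTML
    def __init__(self):
        super().__init__()
        self.findings, self.open_tags = set(), []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        self.open_tags.append(tag)
        if tag in ACTIVE:
            self.findings.add("active-tag:" + tag)
        if tag in PAGE:
            self.findings.add("page-tag:" + tag)
        if OVERLAY.search(attrs.get("style", "")):
            self.findings.add("overlay-style:" + tag)
        if REMOTE.match(attrs.get("src", "")):
            self.findings.add("remote-src:" + tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            self.open_tags.remove(tag)
        else:  # closes an element the field never opened: breaks out of the layout
            self.findings.add("stray-close:" + tag)

def audit(value):
    parser = FieldAuditor()
    parser.feed(value)
    parser.close()
    return sorted(parser.findings)

def render(value):
    return html.escape(value, quote=True)  # what a plain-text field should be emitted as

# Constructed rows (forum_id -> forum name); row 48 is modelled on the injected block.
ROWS = {
    48: ':: Hacked :: <body topmargin="0"></DIV><DIV id=Layer1 style="POSITION: absolute; HEIGHT: 30000px">'
        '<img src="http://example.invalid/o.jpg"><script>var s=1;</script><BGSOUND src="http://example.invalid/a.mp3"></html>',
    12: "Choir announcements &amp; schedules",
}

print({forum_id: audit(name) or "clean" for forum_id, name in ROWS.items()})
```

A field that comes back with findings is worth comparing against a backup, and passing every such field through `render()` at output time makes the same markup display as inert text.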
I guess what it boils down to today is that it’s simply an unfortunate event. I’m sure the webmaster has secured the board (and site) as much as he/she can, and any security hole was in the software itself and not configuration (if it was a configuration error, then at least I’m sure he/she’d learn from this experience). Only advice I guess is to update their phpBB script and hope that the security hole has been patched in the newer version.
We’re lucky that BP uses a different board… so it would take a different approach to crack it. I just hope that the hackers don’t take notice and focus their energies on it. But just in case, I’m backing the site up 🙂 Maybe I should check for updated versions of our board too while I’m at it.
Notes
| ⇡1 | Remember the news about the guy who hacked MySpace? Probably done the same way. |
|---|---|
| ⇡2 | the link by the way is: http://hangad.org/discussions/viewforum.php?f=48&sid=9b6545a56c94b40336bc37bff1e1a92e |
| ⇡3 | YES, it’s because I’ve been victim of such attacks in the past |
