Great site hacked - help!

Discussion in 'Hardware' started by Learning As I Go, Dec 18, 2004.

  1. Learning As I Go

    Learning As I Go Sergeant

    I belong to another forum called, "Responsible Single Fathers". When I logged on this morning, I saw the site had been hacked. It has been taken over by MorphueS and he posted a threat on the Forum. Essentially, he is going to delete the site. All contacts to the owner and moderator have been removed. My question is this: If/when the owner is able to work out the problem, is there someone/something that I can suggest to the owner to prevent this from happening again? The problem is there is such a lack of support for single fathers as it is, and I think the owner runs this forum "out of pocket". If he can't get a viable solution, I'm afraid the site will be shut down permanently. Please help support the "supporters".

    Thanks,

    LAIGo
     
  2. airwolf9090

    airwolf9090 Corporal

    Hey, what's the site address?
     
  3. Learning As I Go

    Learning As I Go Sergeant

  4. airwolf9090

    airwolf9090 Corporal

    I can't believe someone would do this. Why would someone do this? Whoever did this needs to go to jail. How can I be of help to you all nice people?
     
  5. Farbib

    Farbib Corporal

    Who got hacked?

    Is it some guy who hosts it himself? (which it sounds like) Or maybe the owner of this domain uses a small hosting company? If the latter, I'd call them and see if they have a backup copy of the website files.

    Sounds like AirWolf is ready to go to war for ya too :)
     
  6. Learning As I Go

    Learning As I Go Sergeant

    I believe it is something he does on his own. According to the front page and the "former" Announcements thread, he changed the site through lack of funding.

    Thanks Airwolf - I'm coming to your site now. :)
     
  7. Learning As I Go

    Learning As I Go Sergeant

    Okay - maybe that's not your site after all :) .

    Farbib - I can't get in contact with the owner, all references seem to have been removed. :rolleyes:
     
  8. Farbib

    Farbib Corporal

    Responsible Single Fathers
    Vince Regan, President
    541 Knapp NE, Grand Rapids, MI 49505
    Phone: (616) 447-0798
    Fax: (877) 291-9130
    E-mail: office@singlefather.org
     
  9. Learning As I Go

    Learning As I Go Sergeant

    You rock - I'm logging off and calling him now!
     
  10. Learning As I Go

    Learning As I Go Sergeant

    Alright, I called and left a message and I await an e-mail. In the meantime, if anyone has any suggestions as to what he can do to protect himself, I will pass them along. Also, this is a subject I feel VERY strongly about, so if anyone can suggest what I can do from my computer - I would appreciate it. :)

    LAIGo
     
  11. airwolf9090

    airwolf9090 Corporal

    I wonder if we could track his e-mail. I wonder what he has in mind for it, and why he said he would tell how to fix it. I think he is looking for money or something and then try and destroy the site.

    Yeah, sorry, that's not my site, it's a friend's, lol. That's just one of many. I own 2, one for Knight Rider and one for Viper. If you would like to join my site I will give you the address. By the way, I see you live in Athens, GA. I live south of you down in middle GA near Robins Air Force Base.
     
  12. Learning As I Go

    Learning As I Go Sergeant

    I am so ignorant about computers it isn't funny. I don't know how to even begin to track his e-mail.

    I agree, even if this jerk fixes what he did, he will probably leave a "backdoor" for later, or as you said delete it on a whim.

    I'm not sure how to adjust my UserCP, but I think I remember seeing an option to allow members to PM me. If so, I am going to add you. We can exchange e-mail addresses and discuss this further without blogging this forum. :)

    LAIGo
     
  13. Farbib

    Farbib Corporal

    I would allow for some negotiation, and find out who he is that way.

    Maybe a phone conversation, keep him on long enough to get a trace.

    If it's about money, then I would "agree" to the terms and somehow trace where the payment occurs. Write a bad check, for example.

    Or if the person lives nearby (bet this person knows the webmaster) arrange to meet him.

    And then get the authorities to scout it out...Bad Boyz What Ya Gonna Do? You're under arrest...

    That would be sweet for Vince I bet.
     
  14. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Tracking the email address of the hacker will only get you to the servers of Mail.ru, as he/she is using the Russian equivalent of Hotmail.

    If he is using the Hosting company that has an Ad on this front page Bizhand.Com he could chat to them as to backups of the site and if they have one from before the hacker appeared.

    Sadly, phpBB being open source, it is liable to be hacked more easily than the likes of vBulletin. Also, staying up to date with the phpBB software is needed to get any security updates etc etc (software now at version 2.0.11).

    Also, as with other popular software, users create hacks/tweaks for the forums; this site has some security hacks/tweaks http://www.phpbbhacks.com/category/10 he may wish to look into, plus he may want to start searching for how to secure a phpBB site and keep regular backups of the forum database himself.

    I hope this gets sorted soon, and don't give the cyber-terrorist any money. Sadly, if you have to start afresh with a new forum, so be it; the same members will still come and keep on posting. Just save as many of the important posts as you feel you need, as you can always post them on a new forum.
     
  15. Farbib

    Farbib Corporal

    Halo, 1) How did you figure the above out about the email address? 2) Hypothetically speaking, if it was a local cracker, and through social engineering Vince was able to arrange a meeting with the local cracker (say to pay money), do you think the local authorities would get involved? This hypothetical is unlikely, but I am just curious if you knew the answer. Thanks.
     
  16. Learning As I Go

    Learning As I Go Sergeant

    Thanks Halo.

    I just noticed someone posted on their forum today. She is seeking advice for a soon to be father (her boyfriend). I really want to respond, but since the hacker is in control, I'm not sure if logging in will give him additional access to me. It would be great if we could go on "business as usual", but I know nothing of the inner workings of websites.

    LAIGo
     
  17. Farbib

    Farbib Corporal

    Maybe Halo's busy creating an account, and trying to get more information :D
     
  18. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member


    No1. I have a @mail.ru account and one of the other options is for @bk.ru. At http://mail.ru/ in the blue box to the top left side, just click the arrow next to @mail.ru and some other mail extensions will appear, and his is listed.

    No2. If he/she is local or in USA and would meet to exchange what could be called a ransom or extortion then the local police most likely would get involved BUT you would need to talk to them first.
    ( I'm not up on US law but they are getting harder on what could be called a cyber crime )
     
  19. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member


    Sadly, now he has control he could look at all members' accounts, so he will have access to your user CP, which will have your email address etc etc. So logging in shouldn't give him any more info other than your IP address, if phpBB supports logging IPs.

    I don't think helping her is going to give him any more information than he already has. It just looks like he's a scammer who looks for vulnerable web forums to hold to ransom.
     
  20. Omegamerc

    Omegamerc MajorGeek

    Here's the million dollar question: wth does someone with poor English grammar, and using a .ru email, want with a website for ~50ppl?

    :confused:
     
  21. Learning As I Go

    Learning As I Go Sergeant

    Alright, I'm going to give it a shot.

    I usually keep my e-mail address private. Unfortunately, like here - I allowed the administration access to my e-mail address, so he does have it. Also, I believe ZA firewall will keep him out????????? I have already had 2 "high" rating attempts blocked. I haven't got a clue where they came from........... x50c62926.albnxx9.adsl.dhcp.tele.dk

    Back to back attempts.

    Going to the other forum, check back later.

    Thanks again everybody,

    LAIGo
     
  22. Learning As I Go

    Learning As I Go Sergeant

    Good question Omegamerc,

    I know use of profanity is not allowed, but................I think this guy is just an asshole.

    LAIGo
     
  23. Farbib

    Farbib Corporal

    1) Still trying to figure how you figured it was a .ru address to begin with? Laigo did not mention it. You did something. What?

    2) I did a whois and it looked like November 23rd was the last domain registration change. Wasn't there recently that thing where companies like Network Solutions or GoDaddy could not transfer domain control without 5 days notice? I don't know why Vince was not contacted by Network Solutions, unless he made a mistake.
     
  24. Farbib

    Farbib Corporal

    Forget that 2nd question Halo. Half watching the football. Still would like answer to the 1st question.
     
  25. airwolf9090

    airwolf9090 Corporal


    I have an answer for number one. Look here, go look for yourself :p ;)
     
  26. Learning As I Go

    Learning As I Go Sergeant

    Good news everyone!!!!!!!!!!!!!!!!

    I just went back to respond to a post from someone, and while I was there I noticed the profanity had been removed. Not only that, but after I finished and (since I was logged in) I decided to investigate some member profiles. Anyway, after I finished - I went back to the forum to find a note to the site administrator. It said what the flaw was - how to fix it, and whoever sent it fixed the site. Bless them. I sent them a PM, but if anyone from here was responsible.......................................THANK YOU SO MUCH.

    If indeed someone from here did it, you should be very proud. I was truly moved. Especially since I was there when it happened.

    Thanks for the support everyone :) :) :)

    LAIGo
     
  27. Farbib

    Farbib Corporal

    Help! Am I missing something that obvious? I still do not know how it was figured that the cracker was using an account that was the Russian equivalent of Hotmail. I went to the website. I re-read this thread. What am I missing? :rolleyes:

    LAIGO glad it worked out for ya!
     
  28. Learning As I Go

    Learning As I Go Sergeant

    Farbib-

    Well since the site has been partially restored (the first two sections are now missing - including the note from the mystery stranger to the site administrator), you won't be able to read the original hacker post. Essentially, he made the threat and then offered an e-mail address that had .ru at the end. Apparently, Halo recognized this because he has the same service. Also, he was able to find that person listed.



    LAIGo :)
     
  29. goldfish

    goldfish Lt. Sushi.DC

    I strongly suspect that he cracked the database. If it's a standard LAMP setup or uses MySQL or SQL Server, the owner/host needs to make sure that the database cannot be accessed from the outside!! This is easily done using a firewall/stack filter. This would allow the forum to run fine, but it will prevent anyone from gaining access to the database illegitimately. Make sure the user for accessing the database has a 16 character password (it is written in the script so you wouldn't need to remember it) and make sure the config.php file is forbidden for anonymous access (but open for script access).

    And also make sure phpBB is always up to date, as with any software. I know of a guestbook program that would let you gain access simply by escaping a string in the password field and injecting some SQL (i.e. "' OR 1=1", so it added "OR 1=1" to the check of whether the password is correct, so the result is always true and so you gain entry). An update fixed this.

    The same for any hacks that have been installed.

    I don't know how secure this site was to start with, but even with all those measures it is possible to negate them using other software running on the host machine, but it takes much less time!
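    The guestbook flaw goldfish describes is a textbook SQL injection: the password field is pasted into the query text, so a quote ends the string literal and the rest of the input becomes part of the WHERE clause. The following is an added example, not code from this thread or from phpBB, using Python's built-in sqlite3 with an in-memory table and a constructed user row (the stored "hash" is a stand-in, not a real phpBB hash). It runs the thread's `' OR 1=1` idea (written as `' OR '1'='1` so the resulting SQL stays valid) against the string-built query and then against the parameterized query that defeats it.

```python
import sqlite3

# Constructed sample data: one forum account. The password column holds a
# stand-in value, not a real phpBB password hash (assumption for the example).
SAMPLE_USERS = [("vince", "hash-of-correct-password")]


def make_db():
    """Build an in-memory table populated with the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern from the guestbook: user input is formatted straight
    into the SQL text, so a quote in the password field closes the string
    literal and the rest of the input is executed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Fixed pattern: placeholders. The driver passes the values separately
    from the SQL text, so a quote in the input is just a character in the
    compared string and can never change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# The thread's "' OR 1=1" idea: with the vulnerable query this yields
#   ... AND password = '' OR '1'='1'
# and since AND binds tighter than OR, the OR '1'='1' makes it always true.
INJECTION = "' OR '1'='1"


def demo():
    """Run both login functions against the injection and normal inputs."""
    conn = make_db()
    return {
        "vulnerable_with_injection": login_vulnerable(conn, "vince", INJECTION),
        "vulnerable_with_wrong_password": login_vulnerable(conn, "vince", "wrong"),
        "safe_with_injection": login_safe(conn, "vince", INJECTION),
        "safe_with_correct_password": login_safe(conn, "vince", "hash-of-correct-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The vulnerable function returns True for the injected password even though no such password exists; the parameterized version returns False for it and only True for the genuine value. That is why the update goldfish mentions fixed the guestbook: the fix is in how the query is built, not in filtering particular characters, and the same reasoning is behind keeping phpBB current, since its security releases close exactly this class of hole in its own SQL.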
     
  30. TheDoug

    TheDoug MajorGeek

    The hack most probably did wipe the DB, seeing as what's restored is obviously an old backup. What the site owner needs to do immediately is go download and install phpBB 2.0.11, which addresses several security issues. At 2.0.4 he is woefully out-of-date and subject to the attack he just experienced.
     
  31. Learning As I Go

    Learning As I Go Sergeant

    Thanks guys,

    If I get in contact with him, I will direct his attention to this thread. I am hesitant about posting it on their forum, because it might draw unwanted attention.

    You guys have been great,

    Thanks again for helping. :)

    LAIGo
     
  32. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Glad you have your forum back now LAIGo :)

    As me, Goldy and TheDoug have said, it's well worth the owner of the site updating phpBB to the latest version and looking into other ways of securing his site.

    @ Farbib ... the hacker posted his/her full email address, which, like LAIGo said, I remembered as I have an account at the same service.
     
  33. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    As I still remember this thread... a bit of updated info for the webmaster of that site and any of the members, as I know it uses phpBB and an old version.

    Net-Worm.Perl.Santy.a threatens Internet forums
    http://www.kaspersky.com/news?id=156681162


    just thought you may want heads up ;)
     
  34. Learning As I Go

    Learning As I Go Sergeant

    Thanks Halo,

    Just a footnote to the original story.

    I finally got a hold of the owner and sent an e-mail sending him to this thread.
    I haven't heard back from him, but he is very busy - so hopefully he sees this and takes everyone's advice. I will take this info and post it on their forum, so maybe he'll see it. Things have been busy there, a lot of people going through custody battles, visitation problems, etc. Everything is pretty much back to normal; we only lost a few of the more recent posts. But all involved came back and re-posted, so nothing was really lost. :)

    Thanks for the interest, we appreciate you guys looking out for us.

    LAIGo
     
  35. darkshark

    darkshark Private E-2

    Yes, I want to thank everyone here for giving help with coming to a solution for that site. I am a member of the community at that site, and found my way here through Learning As I Go, mostly because of what happened. This looks like a great community, and I look forward to becoming more acquainted with everyone possibly.

    I will offer the little bit of help that I can, and will be more than happy to ask for help! :p
     
