
Hacked: Admin intrusion by E-Mail: hackzorz@***

phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
edited December 2013 in Feedback

Hi all,

Today my Admin user was captured by a hack(er) who changed the password and left his e-mail in the admin user's account:
E-Mail was hackzorz@***.com

I'm not sure where the weakness lies (Password was strong).
Running Vanilla under 2.0.18.9.

It seems no damage has been done yet.

Please report and check if you have something similar, so we can find the problem. Steps to help me report the issue are welcome, as are any ideas regarding this. The system is vulnerable somewhere.

Thank you,
phreak

  • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
  • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla

Comments

  • peregrine MVP
    edited December 2013

    Look in your access logs and see how many times the person hit your site. Did they attempt to crack your password by brute force? Admin user password? Weak?

    send him an e-mail - maybe he'll tell you how he got in.

    The one thing you don't know: perhaps your site was hacked and the admin password was retrieved prior to the upgrade to 2.0.18.9, which closed security holes, but the password was still the same as when you had 2.0.18.8.

    So it might be worth changing admin passwords AFTER you make security upgrades.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Do you use the same login credentials elsewhere? Server access logs can be difficult to gauge if the attacker is using multiple machines, so you would have to look at which visitors were trying to log into your admin account.

  • peregrine MVP
    edited December 2013

    What could be handy is a setting that only allows admin login from specified IP addresses tied to each admin. Plugin? :) Pledge? :) I'd consider doing it.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @peregrine One issue with that is people who log in from different IP addresses, have dynamic IP addresses, or travel often. There was this one month one time where my ISP was changing my IP address at least twice a week, if not daily, and I sometimes get a new IP address if my modem reboots.

    Another solution might be a persistent cookie that identifies the computer (or device) as one authorized to log in as an admin. Piwik has a similar cookie option to opt-out of traffic stats, so when I'm traveling and logging in from various different IP addresses I don't affect traffic reports.

  • peregrine MVP
    edited December 2013

    @openletter said:
    peregrine One issue with that is people who log in from different IP addresses, have dynamic IP addresses, or travel often. There was this one month one time where my ISP was changing my IP address at least twice a week, if not daily, and I sometimes get a new IP address if my modem reboots.

    Another solution might be a persistent cookie that identifies the computer (or device) as one authorized to log in as an admin. Piwik has a similar cookie option to opt-out of traffic stats, so when I'm traveling and logging in from various different IP addresses I don't affect traffic reports.

    True. My thought was a series of CIDR blocks, and you could ssh to a file if you needed to update them when traveling or in an emergency.

    Edited: and perhaps a logger for sign-ins by Admins, and perhaps an additional question or captcha when signing in as an admin.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
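The per-admin CIDR allowlist and the admin sign-in logger that peregrine sketches above, written out as an added example. This is not Vanilla code or a Vanilla plugin; it is a generic Python sketch in which the allowlist dictionary, the admin names and the IP ranges (all from documentation address space) are constructed for illustration, and the "allowlist file you update over ssh" is modelled as an in-memory dictionary.

```python
"""Admin sign-in gate: per-admin CIDR allowlist plus a sign-in log.

Added example, not Vanilla Forums code. The allowlist layout, the admin
names and the log record format are assumptions made for this sketch.
"""
import ipaddress
import logging
from datetime import datetime, timezone

# Constructed allowlist: one entry per admin, each a list of CIDR blocks.
# In the thread's proposal this would be a file editable over ssh, so that
# a travelling admin can add a block in an emergency.
ADMIN_ALLOWLIST = {
    "phreak": ["203.0.113.0/24", "2001:db8:1::/48"],   # documentation ranges
    "peregrine": ["198.51.100.7/32"],                  # single static address
}

# Every attempt (success or failure) is appended here so a review like
# "how many times did the person hit your site" is possible later.
SIGNIN_LOG = []
log = logging.getLogger("admin_signin")


def parse_allowlist(entries):
    """Turn CIDR strings into network objects; a bad entry fails loudly
    at load time rather than silently allowing nothing."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_allowed(admin, client_ip, allowlist=ADMIN_ALLOWLIST):
    """True if client_ip falls inside any CIDR block granted to this admin.
    An admin with no entry gets no allowance (fail closed); an unparsable
    address is also refused."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # `addr in net` is False for an IPv4/IPv6 version mismatch, no crash.
    return any(addr in net for net in parse_allowlist(allowlist.get(admin, [])))


def admin_signin(admin, client_ip, password_ok, allowlist=ADMIN_ALLOWLIST):
    """Decide an admin sign-in and record the attempt.

    The IP check runs first, so a guess from outside the allowlist is
    rejected before the password is even considered. client_ip must be
    the real peer address (or a proxy header you trust), otherwise the
    allowlist is trivially bypassed.
    Returns (allowed, reason).
    """
    if not ip_allowed(admin, client_ip, allowlist):
        reason = "ip_not_allowlisted"
    elif not password_ok:
        reason = "bad_password"
    else:
        reason = "ok"
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "admin": admin,
        "ip": client_ip,
        "reason": reason,
    }
    SIGNIN_LOG.append(record)
    (log.info if reason == "ok" else log.warning)("admin signin %s", record)
    return reason == "ok", reason
```

A run over the constructed allowlist: phreak from 203.0.113.45 passes, from 203.0.114.1 is refused, and a correct password from a non-allowlisted address is still refused and logged with the reason `ip_not_allowlisted`.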

  • @peregrine I would not know the best method to use from a development perspective, but my preference for a solution would be to identify my browser/device rather than my location.

  • @openletter said:
    peregrine I would not know the best method to use from a development perspective, but my preference for a solution would be to identify my browser/device rather than my location.

    Then what happens when your browser goes bad or you lose your device and need to log in from a different device or browser? Each has its downsides.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @peregrine said:
    Then what happens when your browser goes bad or you lose your device and need to log in from a different device or browser? Each has its downsides.

    I might add the additional issue of what happens if the admin clears their cookies.

    Yes, it may depend on the situation of the admin. For example, I could use one of my cloud servers as a proxy to have a static IP address, but not as many have such options or know how to use them.

    One solution to the specific issue you mention would be to create a unique and essentially unguessable web address that would release the cookie requirement when accessed. Then it would be up to the admin to find a secure and reliable place to store that address, which may be easier for most admins than using a static IP proxy.

    Also, perhaps create an expiration for the cookie, ideally the duration would be set by the admin. Some admins log in frequently to their dashboard, so maybe only a 12 hour or 72 hour cookie is fine, while others might prefer weeks or even months, but the expiration could renew with each access of the dashboard.
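The device-cookie design discussed from openletter's first suggestion through this last post, as an added example: a signed cookie that marks a browser as allowed to sign in as a given admin, an admin-chosen lifetime that renews on each dashboard access, and a single-use, unguessable recovery link that issues a fresh cookie after a cleared cookie store or a lost device. This is not Vanilla code; the cookie layout, the `SECRET` value, the recovery URL and the in-memory token store are all assumptions made for this sketch.

```python
"""Admin device cookie with sliding expiry, plus a single-use recovery link.

Added example, not Vanilla Forums code. The cookie format, SECRET, the
recovery URL and the in-memory token store are constructed for the sketch.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-server-secret-load-from-config"  # constructed value

# sha256(recovery token) -> admin. Only the hash is stored, so reading the
# store does not reveal a usable link. Constructed in-memory stand-in for a DB.
RECOVERY_TOKENS = {}


def _encode(body):
    """body dict -> 'base64(json).hmac' so the cookie can't be forged or edited."""
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def issue_cookie(admin, lifetime_seconds, now=None):
    """Mint a cookie binding this browser to `admin`; the admin picks the
    lifetime (12 h, 72 h, weeks) and it is carried inside the cookie."""
    now = time.time() if now is None else now
    return _encode({"admin": admin, "device": secrets.token_hex(8),
                    "lifetime": lifetime_seconds, "exp": now + lifetime_seconds})


def verify_cookie(cookie, admin, now=None):
    """Return the cookie body if the signature is valid, it is not expired
    and it is bound to `admin`; otherwise None. Malformed input is None too."""
    now = time.time() if now is None else now
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if body.get("admin") != admin or body.get("exp", 0) <= now:
        return None
    return body


def renew_cookie(cookie, admin, now=None):
    """Sliding expiration: each dashboard access pushes `exp` out by the
    admin's chosen lifetime. Returns the re-signed cookie, or None."""
    now = time.time() if now is None else now
    body = verify_cookie(cookie, admin, now)
    if body is None:
        return None
    body["exp"] = now + body["lifetime"]
    return _encode(body)


def make_recovery_link(admin, base_url="https://forum.example/admin/recover/"):
    """An essentially unguessable address (256 random bits) the admin stores
    somewhere safe; visiting it releases the cookie requirement once."""
    token = secrets.token_urlsafe(32)
    RECOVERY_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = admin
    return base_url + token


def redeem_recovery(token, lifetime_seconds, now=None):
    """Single use: the stored hash is removed on redemption, so a link that
    leaks later is already dead. Returns a fresh cookie or None."""
    admin = RECOVERY_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if admin is None:
        return None
    return issue_cookie(admin, lifetime_seconds, now)
```

When the value is set as an HTTP cookie it should carry `HttpOnly`, `Secure` and `SameSite` so script and plain-HTTP requests cannot read or replay it; the signature protects integrity, not confidentiality, which is why the body holds nothing secret. The sliding renewal means a frequently used dashboard never expires its cookie, while a device that is put away for longer than the chosen lifetime drops out on its own.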
