I received a PM from one of the global moderators at 5:45 PM today.
Quote from: V M on February 28, 2015, 05:45:36 PM
Hi Susan
Who is this? Just joined today and claiming to be an Admin? https://www.susans.org/forums/index.php?action=profile;u=40672
I checked the forums and the person was indeed flagged as a senior admin. After demoting and banning the account, I switched the forum to maintenance mode and then shut down the web server totally, until I could do a complete audit of the system to see what had occurred and to ensure that it could not happen again.
Here's what happened.
The hacker first accessed the server from the IP 178.150.145.4 at 4:45:48 PM CST today. The IP resolves to 4.145.150.178.triolan.net.
Triolan.net is a Ukrainian ISP. As an additional verification, all accesses to the server were made in Russian.
The hacker first accessed phpMyAdmin, which is a control panel that allows you to manage databases. Using an unknown exploit, he gained access to the system.
Once in, the hacker browsed the database system to verify the layout, then took a closer look at a WordPress installation.
He installed two backdoors, one as an index.php in a directory called shop, and two others in various directories on the site, both named lal.php. He then used his primary backdoor to install a redirector for an online pharmacy.
Once he was finished, he created an account on the forums and stupidly proceeded to make it an admin account, which was spotted right away by V M, a forum moderator, who contacted me.
I was notified of the intrusion. The first thing I did after shutting down the web server was to check for recent accesses from that IP, which showed requests to phpMyAdmin, which only I should be accessing. So I password-protected the directory containing phpMyAdmin.
I then checked for operating system updates, but found that we are current with all upgrades and security updates. So this is likely a 0-day exploit, against which there are limited defenses. The directory password protection will make it impossible for him to get to the phpMyAdmin software to exploit it in the future.
I then checked the web server logs and copied all accesses from the hacker's IP. Then I compiled a list of all file modifications that occurred from the time of the hacker's first access. Using both of these, I carefully checked every file access made by the hacker. These files were either restored to original unmodified versions or removed from the system totally.
I have manually reviewed every single access of the server by this person, and at no point did he download any databases; so your user information is secure. That being said, I have instructed the staff to change their passwords, as a standard security precaution. There is absolutely no financial information stored on the server, and even if there had been, the hacker did not attempt to find any, much less to download it.
He made changes to a newforums database, which I simply deleted as it is not used anyway, and to one record controlling how many links are permissible in comments in the wp_options database of the WordPress installation.
I have removed the backdoors and all modified files.
We are secure once again, and I apologize that this occurred. We have not had a successful hacker penetration against the site since 2003-2005. That is an exceptional security record.
If you have any concerns the safest course of action is to preemptively change your password and account information anywhere that shares the same information as here.
You did a great job notifying me so quickly today V M! Everyone give her a round of applause!
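The cross-check the post describes, pulling the attacker's requests out of the web server log and listing every file modified since the first access, as an added example that is not the admin's own tooling. The log lines, timestamps and file paths are constructed for illustration, and the attacker's IP is replaced with a documentation-range address.

```python
import re
from datetime import datetime
# Constructed Apache combined-log lines (not the real server logs); the
# documentation-range address 198.51.100.7 stands in for the attacker's IP.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Feb/2015:16:40:02 -0600] "GET /forums/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2015:16:45:48 -0600] "GET /phpmyadmin/index.php HTTP/1.1" 200 3080 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2015:16:52:10 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2015:17:03:33 -0600] "GET /shop/index.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Feb/2015:17:10:00 -0600] "GET /forums/index.php?action=profile;u=40672 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""
# Constructed (path, mtime) pairs; on a real host these come from the filesystem
# (e.g. `find /var/www -newermt '<first access>'`), not from a hard-coded list.
SAMPLE_MODS = [
    ("/var/www/html/forums/Settings.php", "2015-02-20T09:00:00-06:00"),
    ("/var/www/html/shop/index.php", "2015-02-28T16:58:41-06:00"),
    ("/var/www/html/wp-content/uploads/lal.php", "2015-02-28T17:01:05-06:00"),
    ("/var/www/html/wp-content/themes/lal.php", "2015-02-28T17:02:19-06:00"),
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for every parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def requests_from_ip(text, ip):
    """Every request made by `ip`, in log order, as (timestamp, method, path, status)."""
    return [r[1:] for r in parse_log(text) if r[0] == ip]

def first_access(text, ip):
    """Timestamp of the earliest request from `ip`, or None if it never appears."""
    reqs = requests_from_ip(text, ip)
    return min(r[0] for r in reqs) if reqs else None

def files_modified_since(mods, since):
    """Paths whose mtime is at or after the tz-aware datetime `since`."""
    return sorted(p for p, t in mods if datetime.fromisoformat(t) >= since)

def triage(text, ip, mods):
    """Cross-check the attacker's requests against every file changed since first access."""
    start = first_access(text, ip)
    if start is None:
        return None
    return {"first_access": start.isoformat(),
            "paths_requested": [r[2] for r in requests_from_ip(text, ip)],
            "files_to_review": files_modified_since(mods, start)}
```

Every path in `files_to_review` is then compared against a known-good copy and restored or removed, which is the step the post describes doing by hand.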