| | #1 |
| Super Moderator Join Date: Oct 2004 Location: Somewhere
Posts: 250
UserID: 301 | Despite Ben's valiant efforts thus far at removing malicious code some spam bot has been inserting into WWc's forums, it seems like the problem continues to return. Sadly, WWc has been hacked again (same doiop.com link inserted). Not sure if anyone knows how the bot is managing to insert something into the scripts. That said, until that board is patched and security tightened, I do not presently recommend using that site unless you have Ad-Block up and running, verifying that no weird links or scripts are being loaded while browsing that board.
__________________ :: Leave NO one dry! :: iSoaker.com :: |
| | |
| | #2 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Hmm...we could: 1) Just update the forums frequently. 2) Research how the attacks are being made. 3) Experiment ourselves - suspend logins, etc. to see if that's how the crackers are entering. But all of those sound tedious. NoScript doesn't show any scripts on the site...I'm not sure how AdBlock Plus handles scripts though, since it's in the background much more than NoScript is. Both Firefox extensions do block spammy scripts and ads, though.
__________________ Forum Rules |
| | |
| | #3 |
| Super Moderator Join Date: Oct 2004 Location: Somewhere
Posts: 250
UserID: 301 | Looks like DX's account on WWc has been compromised. Either that or DX is now calling himself an Egyptian hacker on WWc. O_o Granted, might have been done through a funky SQL injection and not actually by accessing DX's account, but it's hard to tell.
|
| | |
| | #4 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Look at DX's profile. It says he was last active yesterday at 11:29 PM (EDT), the exact same time he made that post. Somebody definitely got his account.
|
| | |
| | #5 |
| Founder Join Date: Mar 2003 Location: Maryland
Posts: 5,974
UserID: 1 | I assume that this guy injected a new password into the database. The passwords are encrypted, so he couldn't have figured out the password easily. I've shut the board down at least semi-permanently. I would make an SQL backup, but only the root admin (DX) can do that. I might inject a new password myself to do that... By the way, the IP address of the offender was 41.235.177.119. I checked here and he didn't register. He had to register at WWC to do the attack however, as I suspected. His username was frankneshtayen.
__________________ email: ben at sscentral dot org / Forum rules Read this page before emailing me. Do not send me a PM or email with a water gun question if someone else could answer the question. Post at the forums. You will get a response from me along with others' views or ideas. Do not send me a PM or email about reading a certain post unless it's been a few days since you've posted. I try to read every post. |
| | |
| | #6 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Wow...his IP address really does point to Egypt. You may as well ban any new members with Egypt IPs until we get the matter resolved. Since WWc is so inactive, I doubt we'll get any legit new users until then. Also, frankneshtayen obviously didn't do the earlier hacks. He just joined, plus his message was neither malicious nor opportunistic.
|
| | |
| | #7 |
| Senior Member Join Date: Mar 2006 Location: Ontario, Canada (GTA)
Posts: 287
UserID: 569 | The forums are down again. I'm guessing this is due to the recent discovery, right? Off topic: Is Extrawater vulnerable to SQL, or is it the old isoaker forum and WWC?
__________________ ~CROC~(c 'rock)n. -The master of ideas, and the occasional mod (Works with mr. dude) Mods: 3xA combat - CPS Turbine - Super Flash Flood - (working on CPH) |
| | |
| | #8 |
| Founder Join Date: Mar 2003 Location: Maryland
Posts: 5,974
UserID: 1 | SQL is a database language. If your website does not use SQL, there is no reason to be alarmed. At first I thought the old iSoaker.com forum was prone to SQL injection attacks, but after trying to set my post count to one more to see if I knew how to, I found out that they later updated it to fix the problem. You can break the query on Ikonboard, but you can't put any new query in. WWC is prone to them in a few spots and I could fix them, but I don't have FTP access. Until then, I will keep the board offline. I might reopen it but with no registrations, but it's not being used by anyone except for hackers, so I thought it would be best to shut it down.
Last edited by Ben : 03-16-2008 at 03:20 PM. |
| | |
| | #9 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Extrawater itself isn't vulnerable. IPB 1.3, which InvisionFree runs, does use databases, but it likely isn't vulnerable. I'm fairly sure IPS must have plugged in the holes by the time they were done with v1.
|
| | |
| | #10 |
| Senior Member Join Date: Mar 2006 Location: Ontario, Canada (GTA)
Posts: 287
UserID: 569 | What I meant was: Is the forum vulnerable to an SQL injection like at WWC?
|
| | |
| | #11 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Your forums are hosted by InvisionFree, which uses IPB 1.3. As I said, I don't know for sure, but I'm guessing there aren't any big holes where they forgot to filter out malicious code from input. If you want a solid answer, then no, your forums aren't vulnerable.
|
| | |
| | #12 |
| Founder Join Date: Mar 2003 Location: Maryland
Posts: 5,974
UserID: 1 | Here's another weird twist: someone tried to recover my password. I'd post the IP address, but the person was using a proxy and it wouldn't help. I'm trying to log into the admin CP, but it appears they did something to change my password now. I will have to use the security flaws in IPB to continue now. If anyone (Adrian) has access, please check this out. Edit: Okay, I've reset my password and I'm back now. I do not know what else happened at WWC while I was gone. I've disabled registration now as another precaution.
Last edited by Ben : 03-16-2008 at 06:05 PM. |
| | |
| | #13 |
| Administrator Join Date: Apr 2006 Location: Virginia
Posts: 3,246
UserID: 576 | Check poly's profile...I can't get the IP address (or anything else, for that matter) unless it's from a post. Funny...3 registrations in as many days for a very inactive site.
|
| | |
| | #14 |
| Founder Join Date: Mar 2003 Location: Maryland
Posts: 5,974
UserID: 1 | I already did. He seems legit. At this point, there's nothing else we can do to prevent hack attacks. You can only log in if you're an administrator. You can register, but I have to check it over. Hopefully this will deter the hack attacks. The entire thing is weird. I'm wondering if WWC was posted on some hacker board and they wanted to deface it or something. Luckily we had some protections in place at that time.
|
| | |
| | #15 |
| Senior Member Join Date: Mar 2006 Location: Ontario, Canada (GTA)
Posts: 287
UserID: 569 | I found an SQL injection prevention thing. If you understand it, it might help the forums at WWC http://www.tizag.com/mysqlTutorial/m...-injection.php
|
| | |
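The input-filtering problem this thread keeps returning to (a profile-style UPDATE that changes more than it should, and the prevention tutorial linked in post #15), shown as an added example that is not part of the original thread or of any forum software named in it. It uses Python with an in-memory SQLite database as a stand-in for a board's database; the `members` table, the function names and the sample values are all constructed for illustration.

```python
import sqlite3

# Constructed input: a profile value carrying a quote followed by extra SQL.
CRAFTED = "Nowhere', posts = posts + 1 --"

def make_db():
    # Constructed sample data; `members` is a hypothetical table, not a real forum schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, "
                 "location TEXT, posts INTEGER)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)",
                     [(1, "alice", "Maryland", 40), (2, "bob", "Virginia", 0)])
    return conn

def set_location_vulnerable(conn, member_id, location):
    # Vulnerable: the user's text is pasted into the statement, so a quote in
    # `location` ends the string literal and the rest is parsed as SQL.
    conn.execute(f"UPDATE members SET location = '{location}' "
                 f"WHERE id = {int(member_id)}")

def set_location_safe(conn, member_id, location):
    # Hardened: placeholders pass the value separately from the statement,
    # so it can only ever be stored as data.
    conn.execute("UPDATE members SET location = ? WHERE id = ?",
                 (location, int(member_id)))

def rows(conn):
    return conn.execute(
        "SELECT id, location, posts FROM members ORDER BY id").fetchall()

def run(setter, location):
    # Apply one profile update for member 2 on a fresh database.
    conn = make_db()
    try:
        setter(conn, 2, location)
    except sqlite3.OperationalError:
        # A stray quote "breaks the query": useful as a symptom to look for
        # in error logs, and a sign the statement is built by concatenation.
        return "broken query"
    return rows(conn)

if __name__ == "__main__":
    for setter in (set_location_vulnerable, set_location_safe):
        for value in (CRAFTED, "St. John's"):
            print(setter.__name__, repr(value), "->", run(setter, value))
```

In the concatenated version the crafted value comments out the `WHERE` clause, so every member's row is rewritten; the placeholder version stores the same text unchanged in one row.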