[NOTICE] How to secure your site against recent attacks

Started by jblazeofek, May 11, 2009, 08:05:23 AM


JBlaze

SMF 1.0.17 / 1.1.9 / 2.0 RC1-1 Patch is out! Click here to download.

Considering the recent mass attack on SMF forums over the past week, and seeing as I, myself, have helped many users to get their sites back, I am posting this so you can prevent being attacked.

Following these simple instructions will make your forum invulnerable to the recent attack via uploadable avatars.



[EDIT]
Here are a few other things that you may find interesting. These were submitted by other members.


http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480
http://www.simplemachines.org/community/index.php?topic=307717.msg2053661#msg2053661
http://www.simplemachines.org/community/index.php?topic=307717.msg2046772#msg2046772
http://www.simplemachines.org/community/index.php?topic=307717.msg2060807#msg2060807




1) Disable attachment & avatar uploads
This includes uploads from URLs as well.
Disable them from:
Admin -> Attachments and avatars -> Avatar Settings

  • Uncheck "Download avatar at given URL"
  • Uncheck all: "Membergroups allowed to upload an avatar to the server"

Admin -> Attachments and avatars -> Attachment settings

  • Attachments mode: Disable attachments




2) Ask your host if their servers/software are up to date

  • Most hacks are effective when the host has outdated software, such as old versions of PHP, Apache and MySQL.
  • Don't be scared to ask your host if their side of security is up to date. It is their responsibility to help protect you as well.
  • Check your host's versions of MySQL, PHP, Apache, etc. Make a file called phpinfo.php with the following content:

    <?php
    // Prints the PHP version, loaded modules, and server software (Apache, MySQL client, etc.)
    // Remove this file once you have read the output; it shows the same details to anyone who requests it.
    phpinfo();
    ?>

Place that file into your web root directory and run it by navigating to it directly.
Ex. http://www.mysite.com/phpinfo.php




3) Update SMF to the latest version
This is a big issue, as previous versions of SMF have well-known security issues and leave you vulnerable. It is important to upgrade when newer versions are out.





4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer mod.

  • This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
  • Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF mod.

  • This mod provides better captcha verification.
  • It will stop MOST spam and hackers from registering.




5) Don't Ignore Your Members or Forum
Most owners/admins think that their forums will run themselves. Hacks and spam do the most damage when an admin/owner/moderator fails to do their job. Keep a constant eye on your forum at all times.




Following these simple steps will secure your forum. Should you have any questions, or feel that I have left something out, do not hesitate to ask them here. But please, do not PM me with questions :)

Regards, JBlaze
Jason Clemons
Former Team Member 2009 - 2012
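The post above disables avatar and attachment uploads outright because of the avatar-based attack. For admins who cannot turn uploads off, the following is an added example of what a hardened avatar upload handler checks before a file is accepted. It is not SMF code and not from the post, and it does not describe how the 2009 attack worked; it shows the generic controls for an image upload endpoint: size and header checks before decoding, an extension allow-list matched against the real content, re-encoding through GD so only pixel data is stored, and a server-chosen file name. The field name `avatar`, the function names, the 128x128 / 64 KiB limits, the member id `42` and the directory `/var/www/avatars` are all assumptions for illustration; the code is written for PHP 7+ with the GD extension.

```php
<?php
// Added example, not SMF code. Assumes PHP 7+ with GD, that the upload arrives as
// $_FILES['avatar'], and that $avatarDir is outside the web root or is served with
// script execution disabled (that web-server configuration is outside this snippet).

// Permitted extensions and the image type getimagesize() must report for each.
const AVATAR_TYPES = [
    'png'  => IMAGETYPE_PNG,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'gif'  => IMAGETYPE_GIF,
];

/**
 * Check an uploaded file before anything decodes it. Returns [true, info] or [false, reason].
 * Size and header checks run first so a hostile file cannot exhaust memory during decoding.
 */
function validate_avatar(string $tmpPath, string $clientName, int $maxBytes = 65536, int $maxDim = 128): array
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return [false, 'file is empty or larger than ' . $maxBytes . ' bytes'];
    }

    // The client-supplied name is used only for the allow-list; it is never written to disk.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(AVATAR_TYPES[$ext])) {
        return [false, 'extension not allowed: ' . $ext];
    }

    // getimagesize() parses the actual file header, independent of the name or the browser's MIME type.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return [false, 'content is not a recognised image'];
    }
    [$width, $height, $type] = $info;
    if ($type !== AVATAR_TYPES[$ext]) {
        return [false, 'extension does not match image content'];
    }
    if ($width < 1 || $height < 1 || $width > $maxDim || $height > $maxDim) {
        return [false, "dimensions {$width}x{$height} exceed {$maxDim}x{$maxDim}"];
    }
    return [true, ['width' => $width, 'height' => $height, 'type' => $type]];
}

/**
 * Re-encode through GD and store under a server-chosen name. Only pixel data survives
 * re-encoding, so comments, EXIF/XMP blocks and bytes appended after the image are dropped.
 */
function store_avatar(string $tmpPath, int $memberId, string $avatarDir): string
{
    $image = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($image === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Fixed extension and a name derived from the member id, never from the upload.
    $dest = rtrim($avatarDir, '/') . '/avatar_' . $memberId . '.png';
    $written = imagepng($image, $dest);
    imagedestroy($image);
    if (!$written) {
        throw new RuntimeException('could not write ' . $dest);
    }
    chmod($dest, 0644);
    return $dest;
}

/** Glue for a hypothetical upload handler; $file is one entry of $_FILES. */
function handle_avatar_upload(array $file, int $memberId, string $avatarDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . ($file['error'] ?? 'unknown');
    }
    // is_uploaded_file() rejects a path that this request's upload did not create.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'rejected: not an uploaded file';
    }
    [$ok, $detail] = validate_avatar($file['tmp_name'], $file['name']);
    if (!$ok) {
        return 'rejected: ' . $detail;
    }
    return 'stored as ' . store_avatar($file['tmp_name'], $memberId, $avatarDir);
}

// Usage from the hypothetical avatar form; 42 stands for the logged-in member's id.
echo handle_avatar_upload($_FILES['avatar'] ?? [], 42, '/var/www/avatars');
```

The re-encoding step is the part that matters most: an extension or header check alone still lets through a file that is a valid image at the front and something else at the back, while a freshly written PNG contains only what GD decoded. Storing avatars where the web server will not execute scripts is the other half and has to be done in the server configuration, not in PHP.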

chrishicks

Nice write-up. I have been using Stop Spammer for a while now and added the Anti-Spam Verification Questions mod (http://custom.simplemachines.org/mods/index.php?mod=1516 ) a few months back. Would you say ReCaptcha would be a better measure in comparison to the ASVQ mod, as I can't add ReCaptcha without manual edits?

JBlaze

Quote from: chrishicks on May 11, 2009, 08:39:04 AM
Nice write-up. I have been using Stop Spammer for a while now and added the Anti-Spam Verification Questions mod (http://custom.simplemachines.org/mods/index.php?mod=1516 ) a few months back. Would you say ReCaptcha would be a better measure in comparison to the ASVQ mod, as I can't add ReCaptcha without manual edits?

Thanks :)

ASVQ is nice, but doesn't stop manual spam registrations. Stop Spammer does.

reCAPTCHA is nice because spambots have a harder time with it.
Jason Clemons
Former Team Member 2009 - 2012

Edvard

Thanks JBlaze. I had big problems with my forum but think everything is back to normal now. I just added those two packages and I hope the spam viruses will keep out.

DirtRider

Very good thanks for taking the time to post this  :D
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

Granular

Great info, thanks.

Just wondered if you need to revoke these permissions for ALL membergroups, if any additional groups (over and above Regular Members) need to be administered by me?  Didn't realise there was a spate of attacks so glad I checked in!

Cheers

G

JBlaze

Quote from: Granular on May 11, 2009, 09:54:03 AM
Great info, thanks.

Just wondered if you need to revoke these permissions for ALL membergroups, if any additional groups (over and above Regular Members) need to be administered by me?  Didn't realise there was a spate of attacks so glad I checked in!

Cheers

G

Well, I believe it would be safe to allow attachments/avatars for select membergroups, except regular/registered users group (aka Default Membergroup), but to err on the side of caution, I would disable them outright and just link to attachments/avatars remotely.
Jason Clemons
Former Team Member 2009 - 2012


busterone

Good post. I have always been wary of allowing avatar and attachment uploads by members because of this. I was not certain that an exploit was there, but always wondered and went to the cautious side of things. I am certainly glad I did. It seems this guy (or group) has wreaked much havoc.

I can't help but wonder how many more, maybe hundreds, that have not posted or searched here for answers.

JBlaze

Quote from: busterone on May 11, 2009, 11:24:53 AM
Good post. I have always been wary of allowing avatar and attachment uploads by members because of this. I was not certain that an exploit was there, but always wondered and went to the cautious side of things. I am certainly glad I did. It seems this guy (or group) has wreaked much havoc.

I can't help but wonder how many more, maybe hundreds, that have not posted or searched here for answers.

Hopefully, by following what I posted, anyone who reads this will not be affected by this attack.
Jason Clemons
Former Team Member 2009 - 2012

Relyana

Please make this topic sticky (at least for a few days). It will save up tears and nerves breaking.  :)

confusion

I highly recommend using the suhosin module with PHP.  It appears to have prevented this attack on all of my forums (though I'm not certain how it helped).

nina-nina

I have not opened my forum yet.  It is the first time for me with forums. Actually, I was just today setting permissions etc.  I am a little confused with "uploadable" avatars, "remote avatars", "attachment" spammers, etc.

So, I would really appreciate it if you clarify where and what in the Admin panel I have to check/uncheck in order to make the forum safer.

Are you recommending not to allow members to have avatars and not to post attachments?

JBlaze

Quote from: confusion on May 11, 2009, 07:19:45 PM
I highly recommend using the suhosin module with PHP.  It appears to have prevented this attack on all of my forums (though I'm not certain how it helped).

Could you elaborate on what "suhosin" is? I'm not sure I've heard of it...


Quote from: nina-nina on May 11, 2009, 08:42:59 PM
I have not opened my forum yet.  It is the first time for me with forums. Actually, I was just today setting permissions etc.  I am a little confused with "uploadable" avatars, "remote avatars", "attachment" spammers, etc.

So, I would really appreciate it if you clarify where and what in the Admin panel I have to check/uncheck in order to make the forum safer.

Are you recommending not to allow members to have avatars and not to post attachments?

This can explain better than I can :)
Attachments and Avatars Manager
How do I make the board safer against hacker attacks?
Jason Clemons
Former Team Member 2009 - 2012


Agafonov

Quote from: confusion on May 11, 2009, 07:19:45 PM
I highly recommend using the suhosin module with PHP.  It appears to have prevented this attack on all of my forums (though I'm not certain how it helped).

We were hacked: suhosin & 1.1.8.  :(

Dzonny

Does SMF 1.1.8 have some avatar upload security risk, or are there some known bugs or something about this?

Agafonov

Quote from: Dzonny on May 12, 2009, 09:07:07 AM
Does SMF 1.1.8 have some avatar upload security risk, or are there some known bugs or something about this?


Be sure it does. We are awaiting corresponding patch.
