Comments on: My web site is being hacked, what can I do?

Question: My web site is being hacked, what can I do?

semidivine — Sat, 27 Oct 2007 19:18:05 -0800

What do I do if a web site I maintain has been hacked? I've inherited maintenance of a web site, but I am mostly a front-end person, design and front end coding, so I am completely out of my depth here. Someone is using a user's identity to post hundreds of spam posts on the message board... really disgusting ones. The user has changed her password multiple times so I'm guessing they have another in. When I look at the database since they are both posting often (the real user and the spammers) I can't tell what IP address the spammers are posting from to block it. After that I'm lost... any suggestions?

By: misterbrandt

misterbrandt — Sat, 27 Oct 2007 19:41:20 -0800

What is the software and version of the message board? there have been a couple of security holes in popular forum apps -- since patched, but maybe your install isn't up-to-date?

By: jesirose

jesirose — Sat, 27 Oct 2007 19:45:11 -0800

There are literally thousands of explanations for the problem...without knowing any more it's hard to tell what the problem is.

My first suspicion is the user is really posting the messages and lying about being hacked.

Other than that, it depends on the forum. If it was custom made it probably has some security holes such as only using cookies as a method of determining the user's identity. If it's pre-made, make sure it's up to date.

By: Dillonlikescookies

Dillonlikescookies — Sat, 27 Oct 2007 20:13:50 -0800

install a captcha on post forms, maybe you can hack something together so that only that particular user has to fill it in.. in the mean time, tell the user to run a virus scan and consider suspending their account.

By: mathowie

mathowie — Sat, 27 Oct 2007 20:50:30 -0800

There are a lot of automated forum hacks, esp. for popular packages like phpBB and its variants. Basically someone has programmed a bot to sign up and post garbage spam links to their scams and you need to do something like a captcha to block that automated behavior.

By: sophist

sophist — Sat, 27 Oct 2007 20:55:31 -0800

I'm not sure why you say you can't track the IP of the spammer. It doesn't seem difficult to ask the legitimate poster what their IP is, or tell the user to stop posting for a few days, or to just create a new account and ban the old one.

By: davejay

davejay — Sat, 27 Oct 2007 23:12:16 -0800

Talk with that user, and then disable their account for a few days. If these spamming posts continue (or happen under a different user), then they have another way in; if they don't continue, then set this user up with a brand new account. After that, if the spamming posts return, then it's either the person with the account lying to you, or someone else who has access to their computer (perhaps s/he saves their password to auto-login and a roommate or coworker leverages that.)

If it turns out to be something specific to that person, you can always just cut that person off. If it turns out not to be specific to that person, you can pursue security fixes knowing that you aren't wasting your time going in that direction.

By: AmbroseChapel

AmbroseChapel — Sun, 28 Oct 2007 00:20:49 -0800

One other possibility you might consider is that the user has some kind of keystroke logger or other spyware on their computer.

That would explain why they change their password but the problem continues.

By: Tuwa

Tuwa — Sun, 28 Oct 2007 04:39:21 -0800

If your system allows HTML, Unicode, or spaces in usernames it's possible that those are actually two separate accounts: the original and a spoof account (either by chance or to discredit the original person). Are accounts uniquely identified by number or by text?

I'm not sure how likely this is, really, but it's a possibility.

By: JJ86

JJ86 — Sun, 28 Oct 2007 06:26:53 -0800

If the site uses PHPBB it may be relatively easy to find out the IP address or use a mod to find out the IP. Unfortunately if the user is using a dynamic IP you are SOL unless you want to take the chance and ban a whole block of IPs.

The problem is most likely on the user's end. Someone has access to their email or is using a keylogger on their computer. I'd say ban the user for a month until you get it straightened out.

By: semidivine

semidivine — Sun, 28 Oct 2007 15:33:09 -0800

Wow, thanks for all the replies... to answer a few of the points: the message board is a custom job, built about 7 years ago and then renovated by my developer in 2003; the message board is pretty close-knit, and the poster who's account was hijacked been posting for years so I'm almost 100% sure it's not her posting the spam.

I'm going to email her and suggest she run an anti-spywear program on her computer. But here's the final thing, I disabled the user from posting yesterday and we're still getting posts on her account. At least this might tell me the IP of the spammer! Also, I'm going to install a captcha asap. Thanks all.

By: jesirose

jesirose — Sun, 28 Oct 2007 19:05:51 -0800

If you disabled the user and they can still post, there is a HUGE security flaw there. If they can get around password changes and being disabled, I'm sure it won't take long to get around a Captcha :)

Sorry

By: flabdablet

flabdablet — Mon, 29 Oct 2007 00:54:22 -0800

If you disabled the user and they can still post, it sounds to me like somebody has admin-level access to your message board's underlying database. If you haven't changed your admin password lately, that would be a good start.

By: vitrum

vitrum — Mon, 29 Oct 2007 10:38:00 -0800

Sounds like their is exploitable code on a page somewhere on site... could be anything though... one of the more common issues is SQL injection so that could be a place to start...

By: drstein

drstein — Mon, 29 Oct 2007 11:58:09 -0800

" the message board is a custom job, built about 7 years ago and then renovated by my developer in 2003;"

Start there. Sounds like there are gaping security holes in your software package.