BadMash3 Exploit

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Post Reply
MikeP1974
Registered User
Posts: 1
Joined: Tue Apr 17, 2018 11:59 am

BadMash3 Exploit

Post by MikeP1974 » Tue Apr 17, 2018 12:08 pm

Does anyone know anything about this so called "BadMash3 Exploit"?

I couldn't find anything about it anywhere.

I received an email from someone claiming ot be a website penetration tester.

This person said, I had the "BadMash3 Exploit" and that hackers could use SQL Injection to hack my website data base.

I would have ignored the email but he sent me a copy of my data base. Yikes.

He also wanted a donation to fix it or to tell me how to fix it.
Payment were to be made to a Bit Coin account.

Not sure what to do.

It seemed like a thinly veiled threat that if I didn't pay him, he would release my data.

User avatar
Mick
Support Team Member
Support Team Member
Posts: 19104
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: BadMash3 Exploit

Post by Mick » Tue Apr 17, 2018 1:21 pm

I haven't and I can't find much searching. It sounds like your server not phpBB has been compromised, you need to speak to your host. Make sure you have up to date copies of your files and the database then at least you have back up in case something goes wrong.

If you believe it may have come via phpBB follow this:

If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the ???logs??? directory on the server, in your host???s control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

ragnew
Registered User
Posts: 1
Joined: Tue Apr 17, 2018 10:59 am
Location: Toronto, Canada
Name: Richard Agnew
Contact:

Re: BadMash3 Exploit

Post by ragnew » Tue Apr 17, 2018 1:39 pm

Hey Mike.

Be very careful with these guys.
They are called Bug Poachers.

I wrote an article about them.

See a copy here:

------

Beware of Bug Poachers. There are criminal hackers out there working hard all day long to separate you from your hard earned money.

These hackers are known by several names such as Bug Poachers, Cyber Extortionists, Website Hackers or Grey Hats.

One of the recent hacker scams is that the hacker will hack into your website using SQL injection vulnerabilities. They will make a copy of your database. The hacker will then send you an email telling you that they are a website penetration tester and they are just good guys trying to help you out. They will then either tell you the nature of the problem and ask for a bounty / finder's fee or they will say if you send them money that they will tell you how to secure your website.

In the industry this is known as bug poaching. Bug poaching is a cyber extortion tactic in which a hacker breaks into a corporate network or website and creates an analysis of the network's private information and vulnerabilities.

Here are the problems with what has happened:
- These guys have committed a crime by hacking into your website in the first place and stealing your data. They are criminals trying to extort you.
- Even if you pay them, there is no guarantee that they will not release your data.
- You should never pay off extortionists as they will keep coming back for more.
- You cannot just ignore the problem though. You do actually have a problem that needs to be taken care of. Securing your website against future attacks.

If you receive one of these emails, you should do the following:
- Do not reply back to the hacker under any circumstances. Once he knows you are on the hook, its more likely that something bad will happen.
- Contact your webmaster / website developer or find someone who knows how to fix the security holes on your website. A website security specialist.
- Have a battle plan ready in case the hacker does release your data.

-------

Rich Agnew

User avatar
Mick
Support Team Member
Support Team Member
Posts: 19104
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: BadMash3 Exploit

Post by Mick » Wed Apr 18, 2018 10:39 am

Good info Rich.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

User avatar
AmigoJack
Registered User
Posts: 5177
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: BadMash3 Exploit

Post by AmigoJack » Thu Apr 19, 2018 7:27 am

MikeP1974 wrote:
Tue Apr 17, 2018 12:08 pm
a copy of my data base
A full one? How old is it?
The worst thing about censorship is ███████████

User avatar
John connor
Registered User
Posts: 1525
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: BadMash3 Exploit

Post by John connor » Thu Apr 19, 2018 6:16 pm

If it's a server vulnerability then your host will have to look into it and fix that. Your host should offer you a backup once every 24 hours. If your site is altered in anyway then the backup can be restored, providing that backup doesn't have the altered content. This is why you should make periodic backups yourself. I store mine in an encrypted SFX archive and upload to my personal FTP, Box and burn to DVD every once in a while.

To help mitigate this in the future you can use the following: CloudFlare which will hide your real IP, CIDRAM, which will prevent certain forms of SQL injection, and block cloud-based/host-based connections to your site among other things and Ninjafirewall which offers a free version which I use myself. It has stopped a few hackers already. I wrote about it on my forum and the link is in my Sig. Once again, they offer a free solution. It's the Pro version. The Pro+ version is not free. It would be foolish not to use it for something that's free, especially CIDRAM which you can find at Github. I know the author.

About CloudFlare. The idea behind a reverse proxy is to thwart anyone from seeing your origin IP to mostly block a DDoS attack. Also, without your real IP a hacker can't Nmap your IP and discover the SSH port, etc and try to brute force in. The thing is, you need to first setup CloudFlare and then have your host change IPs, then add the new IP to CloudFlare. If this isn't done correctly websites like Crimeflare or domain history websites can't see your origin IP. Also, you need to use a third-party E-mail service and delete the MX record. The MX record will expose your origin IP if you use your host's E-mail. I use Gmail with the SMTP options in phpBB myself, if your site is rather large you might want to use a paid-for solution from Namecheap which is about $10/year. If you use a shared account your IP may still be hidden, but if you use a VPS you'll need to block all IPs except CloudFlare's since there is a tool and a website that uses this tool to scan the entire IPv4 space in about 45 minutes and that website will resolve your domain and IP and expose it.

Most of all, make sure your host has mod_security on. If your host does not even have that then ditch that host. They should also have Suhosin installed.

Note that I'm not affiliated in anyway with Google, CloudFlare, Ninjafirewall or Namecheap. I just use these services and I'm passing on the Info. I have helped with bug reports for CIDRAM which is an open source project at Github.

User avatar
VeganFanatic
Registered User
Posts: 180
Joined: Mon Sep 08, 2008 8:27 pm
Location: Victoria, BC Canada
Contact:

Re: BadMash3 Exploit

Post by VeganFanatic » Thu Apr 19, 2018 7:07 pm

I suggest using strong 128-bit or better passwords to be sure hacking is fruitless, that applies to the database as well as the administrator accounts etc

this way you are safe from most attempts to copy databases

mysql is only as secure as the server that hosts it

Post Reply

Return to “[3.2.x] Support Forum”

Who is online

Users browsing this forum: larkyv, lopoto and 16 guests