Got hacked through the forum.

John connor
Registered User
Posts: 2490
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Got hacked through the forum.

Post by John connor »

Let me know how you did it. My site is Removed
If it ends in 215, that ain't it. Send me a PM with the IP if you find it.
Last edited by John connor on Wed Jul 27, 2016 11:48 am, edited 1 time in total.

Brf
Support Team Member
Posts: 51980
Joined: Tue May 10, 2005 7:47 pm

Re: Got hacked through the forum.

Post by Brf »

ping systechforum.net -4

Pinging systechforum.net [104.28.23.23] with 32 bytes of data:

Lumpy Burgertushie
Registered User
Posts: 67379
Joined: Mon May 02, 2005 3:11 am

Re: Got hacked through the forum.

Post by Lumpy Burgertushie »

Same IP I got just running it in a "find my IP" type website.


robert


Re: Got hacked through the forum.

Post by John connor »

:lol: That's Cloudflare's IP! Not my real IP!

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:Yeah, it was PHPlist. https://blog.sucuri.net/2013/09/securit ... b-com.html

Could have sworn there was an early hack involving some leaked passwords. Maybe that was just a website/server issue or something. It was like last year when the site was down for like three weeks.

Edit-

Yeah, 2014 https://theadminzone.com/threads/phpbb- ... 392/page-2

Here's the announcement. viewtopic.php?f=14&t=2283426

Was a server attack. It's why I mask my IP with CloudFlare and delete the MX record and use Gmail as the E-mail service. The MX record gives away the real IP. I have yet to find my real IP with a CloudFlare resolver. It does show the old IP though. That's because I wasn't using CF and those CF resolver websites grabbed it in the plain.

The real IP, sometimes referred to as a RIP, is not needed to compromise a server. There are only two things that must be true for a technical breach (i.e. not social engineering):

- Accessibility of a service (HTTP, SMTP, FTP, SSH, ...)
- A vulnerability in that given service

Hiding behind a proxy does not prevent an attack. What a proxy like CloudFlare does give you is the ability to implement additional controls. However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned. That does not require knowledge of the RIP.

Having compromised many a server, I usually don't find the RIP until I get in to the server behind the load balancers and proxies.
Proven Offensive Security Expertise. OSCP - GXPN
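
John connor's remark in the quoted post, that an MX record gives away the real IP, can be checked against your own zone. The following is an added example, not code from the thread: it flags every record in a zone export that publishes an address outside the proxy's ranges, going slightly beyond MX by also reading `ip4:`/`ip6:` terms in an SPF TXT record. The zone, the host names and the proxy range are constructed (documentation address space), and `audit` and `behind_proxy` are hypothetical names.

```python
import ipaddress

# Constructed proxy range (documentation address space, not a real provider list).
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed zone export as (name, type, value) tuples.
ZONE = [
    ("example.test.", "A", "198.51.100.23"),          # proxied web record
    ("www.example.test.", "CNAME", "example.test."),
    ("example.test.", "MX", "10 mail.example.test."),
    ("mail.example.test.", "A", "203.0.113.215"),     # unproxied, same host as origin
    ("ftp.example.test.", "A", "203.0.113.215"),
    ("example.test.", "TXT", "v=spf1 ip4:203.0.113.215 -all"),
]


def behind_proxy(ip):
    """True if the address falls inside one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def audit(zone):
    """Return sorted (name, type, ip) for records that publish a non-proxy address."""
    addresses = {}
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            addresses.setdefault(name, []).append(value)
    findings = set()
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            candidates = [value]
        elif rtype == "MX":
            # "10 mail.example.test." -> follow the exchange host to its addresses
            candidates = addresses.get(value.split()[-1], [])
        elif rtype == "TXT" and value.startswith("v=spf1"):
            candidates = [t.split(":", 1)[1].split("/")[0]
                          for t in value.split() if t.startswith(("ip4:", "ip6:"))]
        else:
            continue
        findings.update((name, rtype, ip) for ip in candidates if not behind_proxy(ip))
    return sorted(findings)


if __name__ == "__main__":
    for name, rtype, ip in audit(ZONE):
        print(f"{name:<20} {rtype:<4} publishes {ip}")
```

An empty result only means the zone no longer publishes the origin address; as the post above argues, the services reachable through the proxy still have to be patched and configured correctly.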


Re: Got hacked through the forum.

Post by John connor »

CloudFlare doesn't have any of those ports open....


Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:CloudFlare doesn't have any of those ports open....

You don't have a website? I'm pretty sure you do, so you have at least a webserver running, which means you at least have HTTP exposed.
Proven Offensive Security Expertise. OSCP - GXPN


Re: Got hacked through the forum.

Post by John connor »

HTTP port 80 goes through CloudFlare.

I did an Nmap on my domain and CloudFlare shows their open ports, but this IP address that CloudFlare (the reverse proxy) uses several websites that fall under 104.28.23.23 which is the IP I have. I'm not understanding how just a port would allow a hack when you also need the real IP address. A port is just a port and means nothing without an IP associated to it. In my case the IP for my website goes to 104.28.23.23 which is CloudFlare. Any open port there would be CloudFlare's and only CloudFlare's. Which means hacking say, SSH or FTP on 104.28.23.23 would be for CloudFlare and not my website's true IP address.


Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:HTTP port 80 goes through CloudFlare.

I did an Nmap on my domain and CloudFlare shows their open ports, but this IP address that CloudFlare (the reverse proxy) uses several websites that fall under 104.28.23.23 which is the IP I have. I'm not understanding how just a port would allow a hack when you also need the real IP address. A port is just a port and means nothing without an IP associated to it. In my case the IP for my website goes to 104.28.23.23 which is CloudFlare. Any open port there would be CloudFlare's and only CloudFlare's. Which means hacking say, SSH or FTP on 104.28.23.23 would be for CloudFlare and not my website's true IP address.

Okay, let's take a step back. Let's establish a few things:

- CloudFlare is a proxy to your website.
- Your real server IP is unknown to the internet at large.
- Your website runs phpBB, PHP, and a webserver at minimum.
- A website visitor (or attacker) does not need to know the real IP address to connect to your website.

Someone need only connect to your website through CloudFlare to initiate attacks. It is not required to know your real IP address.
Proven Offensive Security Expertise. OSCP - GXPN


Re: Got hacked through the forum.

Post by John connor »

Okay, yes, they would have to deal with CloudFlare that has safeguards like a WAF. But it won't be through SSH, FTP, etc. Since the real IP is not known and any port open on my IP that CloudFlare issues would be theirs and only theirs.

So to summarize. An attack would have to be at the application layer and not through SSH, HTTP, FTP, etc.
SQL injection, traversal attacks, etc.

It was just that you said that all you needed was a port and I was saying my real IP is hiding behind CloudFlare. I mentioned above I have yet to find my real IP using everything and anything thought of and read about. I did mention that if my IP shows up ending in 215 that was not it as that was old.


Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:Okay, yes, they would have to deal with CloudFlare that has safeguards like a WAF. But it won't be through SSH, FTP, etc. Since the real IP is not known and any port open on my IP that CloudFlare issues would be theirs and only theirs.

So to summarize. An attack would have to be at the application layer and not through SSH, HTTP, FTP, etc.
SQL injection, traversal attacks, etc.

It was just that you said that all you needed was a port and I was saying my real IP is hiding behind CloudFlare. I mentioned above I have yet to find my real IP using everything and anything thought of and read about. I did mention that if my IP shows up ending in 215 that was not it as that was old.

HTTP, yes.
Proven Offensive Security Expertise. OSCP - GXPN


Re: Got hacked through the forum.

Post by John connor »

Funny that offensive-security.com uses the reverse proxy Sucuri. Looks like they use OVH though.

Question: Are there real jobs for Pen testers? Do they pay well? I have a Pen tester program that I have used to test my own website.


Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:Funny that offensive-security.com uses the reverse proxy Sucuri. Looks like they use OVH though.

K?

John connor wrote:Question: Are there real jobs for Pen testers? Do they pay well? I have a Pen tester program that I have used to test my own website.

You asked if there are real jobs for pen testers, but then state that you used a pen tester program to test your own website. I think you know the answer.

Techie-Micheal wrote:The real IP, sometimes referred to as a RIP, is not needed to compromise a server. There are only two things that must be true for a technical breach (i.e. not social engineering):

- Accessibility of a service (HTTP, SMTP, FTP, SSH, ...)
- A vulnerability in that given service

Hiding behind a proxy does not prevent an attack. What a proxy like CloudFlare does give you is the ability to implement additional controls. However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned. That does not require knowledge of the RIP.

Having compromised many a server, I usually don't find the RIP until I get in to the server behind the load balancers and proxies.

John connor wrote:HTTP port 80 goes through CloudFlare.

Let's go through this one more time. CloudFlare is a proxy. It sends traffic to your server. That traffic is application traffic as well as HTTP, because your webserver, which understands HTTP to process the request, has to provide a response. So, back to what I said:

Techie-Micheal wrote:However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

If you have genuine questions, ask. Rude behavior, however, is not welcome.
Proven Offensive Security Expertise. OSCP - GXPN


Re: Got hacked through the forum.

Post by John connor »

Techie-Micheal wrote: However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

https://www.cloudflare.com/waf/


Where did you get the idea I was being rude?


Re: Got hacked through the forum.

Post by Techie-Micheal »

John connor wrote:
Techie-Micheal wrote: However, if you are running out of date software or misconfigured software, and CloudFlare does not block through a WAF or other firewall, your real server will get owned.

https://www.cloudflare.com/waf/

Yes, I know that CloudFlare has a WAF. But that doesn't mean everything will get caught by the WAF. And bypasses do exist.
Proven Offensive Security Expertise. OSCP - GXPN
