Got hacked from someone in Brazil

Red Squirrel

One of my sites got hacked, it is a VERY old forum software so he must have used an SQL injection exploit to get into the admin interface, at least it's what I suspect. The forum is IPB 1.3. I put a deny from all and left everything as is so I can investigate without people getting rootkitted when they go to my site.

I will delete everything, reupload, restore a backup of the database, and move on.

However, is there something I could do as a payback? Legally? Does Brazil even have any kind of internet laws or are they like China where it's a free for all? I guess without a lawyer and hard proof I'm pretty much out of luck right?

I really need to update that forum... 3rd time this happens. Just don't have time these days.
 
Upon further investigation it's a proxy, so yeah I'm out of luck as far as pay back. Just need to tighten up security and move on I guess.
 
It's a proxy so I doubt it. This is what I hate about internet "law": I'm sure if a big corporation gets hacked, they'd be able to get the FBI involved and whole nine yards, but as an individual... the FBI or other similar agencies would probably laugh at me.
 
And why wouldn't they? As taxpayer I don't want them to waste resources just because you couldn't be bothered to update/secure your site.
 
True but why is it that if a corporation does not bother to update something and gets hacked, they have full legal coverage? It's yet another instance where the government treats the rich better.

To me there should be set rules on this stuff and it should be the same no matter who the source or target is.

These people don't just hack one individual, they usually go around hacking thousands of sites. The law should stop this. I googled "hacked by O" (which is what was on my site) and a lot of sites have been hacked by this same group. A lot of them never got fixed for some reason. People who go to these sites get infected so the damage is spread more than just internet sites. These infected PCs are then sending out mass spam or perhaps part of botnets, who knows what kind of infection they can get.

But yeah, in the end, my fault for not keeping up to date. I will have to make some time to convert over to another forum software. Shows how important it is to stay on top of these things.
 
It's probably all automated if it was some well known SQL injection
 
Pretty sure the government only gets involved if information gets leaked. SS numbers, credit card information, national secrets, etc.
 
The government should always be involved to some extent, provided the company is ethical. Some of the first response steps with any ethical corporation is to report the incident. The extent to which the officials get involved past that is up for discussion though. That's usually up to the CERT.

If no private information was obtained during the attack some corporations may opt to save face and not report they were r--er, taken advantage of. But otherwise they're expected to report the incident.

True but why is it that if a corporation does not bother to update something and gets hacked, they have full legal coverage? It's yet another instance where the government treats the rich better.

It has less to do with the impact to the victim, and more to do with the impact to society. Someone who robs your house doesn't influence the economy as much as someone who robs a bank. That person is therefore a bigger fish. Same reason the cops don't pursue cat burglars as much as someone who murders someone as they rob them.

The government has only a finite amount of resources to spend on policing our society, they have to prioritize appropriately. Quite frankly if a corporation is targeted, there is a better chance the criminal will benefit and continue to attack other high-value targets. Additionally, given what you've described, if they were farming for botnets, more people are likely to visit a large corporation's website (and get infected) than a private individual's site. It's in the government's best interests to prevent attacks on large corporations to protect as many individuals as possible.

Of course I'm a misanthrope who has come to hate the individual expecting society to protect them and giving up all attempts to protect themselves in any manner, so take my opinion with a grain of salt. (From a personal defense as well as cyber defense point of view)

There are, of course, exceptions to the rule. If a crime spree starts in a high-profile neighborhood, you can bet the cops are going to respond faster than if the ghetto is getting robbed. Now that's just politics and power.
 
I think I found how the hacker came through.

There is an exploit in the IPB calendar url handling. It is actually something very stupid that a 3 year old could have figured out. They aren't even checking if the specified view year is valid. So the hacker put a HUGE query at the end of the year which actually displays my password hash right in the calendar. From there the hash was probably reversed using a dictionary and he just logged in and modified the template through the admin cp.

Now I just need to sift through the code to see where this is handled so I can add the appropriate escapes, and pretty much do a full audit of the rest of the code as there is probably lot of crap like this.
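The fix the post is describing, validate the year before it touches SQL and bind it as a parameter, shown here as an added Python/sqlite sketch of the pattern (not IPB's PHP code; the events table and rows are constructed for the example):

```python
import re
import sqlite3

# Constructed sample rows standing in for a forum calendar (not IPB's schema).
SAMPLE_EVENTS = [
    (1, 2009, "Release party"),
    (2, 2010, "Server move"),
    (3, 2010, "Meetup"),
]


def make_db():
    """Build an in-memory calendar table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, year INTEGER, title TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def build_unsafe_sql(raw_year):
    """The flawed pattern: whatever arrives in the URL is pasted into the SQL.

    Anything appended to the year becomes part of the query text, which is
    exactly how a calendar page ends up displaying data from other tables.
    """
    return "SELECT title FROM events WHERE year = " + raw_year


def validate_year(raw_year, lo=1970, hi=2100):
    """Accept only a plain four-digit year inside a sane range."""
    if not re.fullmatch(r"[0-9]{4}", raw_year or ""):
        raise ValueError("year must be exactly four digits")
    year = int(raw_year)
    if not lo <= year <= hi:
        raise ValueError("year out of range")
    return year


def events_for_year(conn, raw_year):
    """Hardened: validate first, then bind the value so it can only be data."""
    year = validate_year(raw_year)
    rows = conn.execute(
        "SELECT title FROM events WHERE year = ? ORDER BY id", (year,)
    )
    return [r[0] for r in rows]
```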
 