Reporting a hacker?


bhxtyrant
6-25-07, 03:27 PM
Hey guys,
Just a question I am unsure about. About 3 days ago our forum hosted here on Powweb was hacked. The IP used was tracked back to a provider called Rogers.com. I contacted them today and they told me they could do nothing without support of the host. So I wanted to ask what has to be done to get this guy taken care of.

IanS
6-25-07, 04:27 PM
Use the support console in OPS rather than e-mail. Include a copy of the reply back from the provider.

YvetteKuhns
6-25-07, 04:30 PM
What forum script were you using that got hacked? Other people using that script may want to check their forums, too.

entrecon
6-25-07, 04:34 PM
Depending on the tracking tools the ISP has, it may be difficult for them to track the hacker down. I also noticed they offer wireless access. So if the person who hacked your site hacked in to rogers.com through a wireless connection, it may not even be one of their customers that hacked you.

leenkz
6-25-07, 06:52 PM
Hi:

I would be interested in knowing what forum script and the version you were using when it got hacked, just for reference.

Could you post that info so all can benefit from your experience?

bhxtyrant
6-25-07, 07:05 PM
Hey guys, thank you all for your replies. OK, I'm gonna try my best to answer all your replies.

@Yvette Kuhns
We are running Invision Power Board 1.3 with all the latest security fixes and bug patches. I know it's old but we don't like the 2.x version.

Also there is no reply by Rogers to send to Powweb as I talked to them via phone, but I did save a log from our forum showing the IP of the hacker and also screen captures of a single obscene post he/she made after doing the damage via the admin account they broke into. So I hope that is significant proof. I will attempt to contact Powweb and hope for the best.

@entrecon
Yes, that's 100% true and I really don't know if it's the hacker's real ISP or not; that's one thing I'm hoping to find out. The fact is we had a recent hack attempt about a month ago which was not successful, but this time they really did some damage. It's becoming a major pain so I want to see if this is indeed a real IP for this person.

@leenkz
OK, well we are running IPB 1.3.1 with all latest updates on a Linux-based server which runs PHP 4.4.7 and MySQL 4.1.22. The user did not get in through making an account or anything but somehow managed to break into one of our Admin accounts. We know they didn't just guess a password as we change our passwords on a regular basis. Other than that I really don't know. We had a similar hack about 4 years ago where the hacker did the same exact thing and we suspect it may even be the same person, as there is this one guy who has held a grudge against us for around 4 years for banning him after he spammed and harassed our members.

Thanks again for your replies.

leenkz
6-25-07, 07:21 PM
Wow:

That is quite interesting, as thru the years I have found Invision to be one of the better forum scripts.

bhxtyrant
6-25-07, 07:54 PM
Yep, that's true, but seeing how IPB 1.3 is so old it's not really supported any more and many have gone to 2.1 versions. But I've been doing some reading and it seems most hacks on 1.3 are done via "SQL Injections", I believe was the term. I don't know much about it but I read where someone else had the same exact issue as us with a hacker using the same forum software. In the end it's just a major pain; luckily I had a pretty recent backup of the database so we only lost about a week or so of posts.

YvetteKuhns
6-25-07, 08:25 PM
I don't have to make the speech about updating your scripts. You have already been hacked twice. You should really use the most recent version of any script. The updates are created to fix the problems with earlier versions.

In your case, you think you know the person. Even if you didn't, you can still give any information to PowWeb, so PowWeb can act on it. Glad you had recent backups.

bhxtyrant
6-25-07, 08:49 PM
Hey YvetteKuhns,
Yep, you can save the speech, but you also have to remember something. IPB 1.3.1 with all the security fixes to this date is up to date. The IPB 2.x series is not really an update but more of a whole new forum software advancing what 1.3 was and adding much more to it. But I guess that's open to individuals' points of view on what counts as an update.

In any case all I can say is I'm glad I got it up and running again and I will be contacting Powweb. I guess nothing is safe when you have an obsessed internet psycho on your tail. But I won't begin to get into that story.

YvetteKuhns
6-26-07, 10:40 AM
"IPB 1.3.1 with all the security fixes to this date is up to date."

You don't have to explain to me. I also suggest Gallery 1 over Gallery 2, if you had to use THAT gallery. I agree that new versions aren't always the best versions. Even the latest versions of scripts can be hacked. If someone wants something bad enough, they do anything to get it.

"I guess nothing is safe when you have an obsessed internet psycho on your tail. But I won't begin to get into that story."

One of my clients has an obsessed fan who turned on him after a while. It is a strange story and the person is still harassing my client. Now he has to install surveillance cameras around his property, since neighbors reported seeing people driving by his place, looking in his windows and trying to look over his tall gate.

I hope you can stop your pest from bothering your forum. Good luck!

Fernard
6-26-07, 12:17 PM
Just a quick comment/suggestion for the OP:

Can you perhaps, via htaccess, put a redirect on the IP address, or even a range of IPs, so he can't even access your site anymore (at least through the channels he went through last time)?

bhxtyrant
6-26-07, 02:28 PM
I wish it were that easy, Fernard. The problem is our pest, like many others, doesn't always use a real IP address but also exploits proxies, so in the end there's no real way to catch him, although I have caught him on his real ISP IP address about 6 times, but that's a rare occurrence.

YvetteKuhns
6-26-07, 04:53 PM
Use this script to detect whether a user is using a proxy server to connect to your website. (http://www.phpbuddy.com/article.php?id=22)

bhxtyrant
6-26-07, 06:19 PM
Thanks man, I will check it out. I've actually been looking at mods for IPB forums that use the same basic idea but the one I saw isn't supported by our version. So still on the hunt for the moment. This looks like it will be handy.

YvetteKuhns
6-26-07, 06:42 PM
person attacks IPB, how to prevent it (http://forums.invisionpower.com/lofiversion/index.php/t158727.html)

Ask Matt for help with IPB (http://blog.mattmecham.com/author/matt-mecham/)

grahamj
6-26-07, 06:48 PM
FYI Rogers is a Canadian ISP. Ask any Canadian about dealing with their support and you'll get an idea of how much they'll care about your claim. Detecting proxies won't help since many companies use them as well. I'm in Ottawa and almost all government workers come through a proxy.

The only solution is just to make sure your scripts are secure. Writing them yourself is the only way to know for sure.

bhxtyrant
6-26-07, 06:59 PM
Hey grahamj,
Yep, I know Rogers is a Canadian company; I tracked it from the IP that was in my forum logs. And you are right, detecting proxies will not help, but since I know this guy's real ISP provider, using a script like the one above can help me see if a proxy IP is really him or not by seeing his original IP. Proxies in general aren't the issue, just this one guy.
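
The kind of check discussed in the posts above, as an added example that is not from any poster and is not the linked phpbuddy script: it records the addresses a proxy claims to forward for and flags any that fall in a known network. It assumes a modern 64-bit PHP (7.4+); the function names are hypothetical and 203.0.113.0/24 is a placeholder for the ISP range taken from the forum logs.

```php
<?php
// Constructed values: 203.0.113.0/24 (documentation range) stands in for the known ISP network.
const WATCHED_CIDR = '203.0.113.0/24';

// True when an IPv4 address falls inside a CIDR block (64-bit PHP assumed).
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $mask = (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return $ipLong !== false && $netLong !== false
        && ($ipLong & $mask) === ($netLong & $mask);
}

// Addresses a proxy claims to be forwarding for. These headers arrive with the
// request and many proxies omit or rewrite them, so they are leads only.
function forwarded_candidates(array $server): array
{
    $found = [];
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        foreach (explode(',', $server[$key] ?? '') as $raw) {
            $ip = trim($raw);
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                $found[] = $ip;
            }
        }
    }
    return array_values(array_unique($found));
}

// Summarise one request for the audit log; nothing here blocks anyone.
function triage_request(array $server): array
{
    $claimed = forwarded_candidates($server);
    $peer = $server['REMOTE_ADDR'] ?? '';
    return [
        'peer'               => $peer,
        'via_proxy'          => isset($server['HTTP_VIA']) || $claimed !== [],
        'peer_in_watched'    => ipv4_in_cidr($peer, WATCHED_CIDR),
        'claimed_in_watched' => array_values(array_filter(
            $claimed, fn($ip) => ipv4_in_cidr($ip, WATCHED_CIDR))),
    ];
}

// Constructed request: the peer is a proxy and the forwarded header names a watched address.
print_r(triage_request(['REMOTE_ADDR' => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.45, 10.0.0.2']));
```

Only `REMOTE_ADDR` is the address the server actually saw; everything in `claimed_in_watched` is worth keeping in the log next to it as supporting evidence for the host, not as proof on its own.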

grahamj
6-26-07, 07:27 PM
Ah ok. Well good luck with it then.

I'm surprised any hacker would have the patience to wait for a Powweb-hosted script to load ;)