Topic: SMF/Joomla site possibly hacked

[rsmini]

Split from Forum got Hacked Need some advice please.

I am thinking along the same lines as my forum has just gone down. Perhaps a fresh install might be a way around it. this is showing at the moment

Warning: main(/content/BusinessHostPlus/b/r/mydomain/web/smf/Settings.php) [function.main]: failed to open stream: No such file or directory in /content/BusinessHostPlus/b/r/mydomain/web/smf/index.php  on line 51

Fatal error: main() [function.require]: Failed opening required '/content/BusinessHostPlus/b/r/mydomain/web/smf/Settings.php' (include_path='.:/usr/local/lib/php') in /content/BusinessHostPlus/b/r/mydomain/web/smf/index.php on line 51

Strangly my joomla site is showing a 403 access denied message. The two are link by a 'bridge' My host is struggling to find the problem.

Would a fresh install of the forum and deleting the bridge be worth doing. If so what would be the best way to do this so I can use the current db. I presume this would install my boards and threads plus members. So members would not really notice the change.

[xenovanis]

Before you do that, check your Settings.php file. It might be corrupted. If it is, make a copy of the file Settings_bak.php and rename that copy Settings.php.

[rsmini]

Will do as soon as I can thank you.. And sorry for hijacking the thread, but I thought it sounded a similar problem. If I have been hacked and they managed to change the theme therefore installing a roque .png image. Would this enable them to get to the joomla site via the bridge we have installed?

[xenovanis]

What versions were you using then?

[rsmini]

The forum is 1.1.11 and joomla is 1.0.x (if I remember right) I am in the process of migrating to joomla 1. 5 then this happens

[rsmini]

Just noticed I dont have a settings.php or settings_bak.php installed. I will just reinstall them and see what happens

Reinstalled via a clean download of 1.1.11 the index page now shows this

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later

[xenovanis]

Was your Jooma site up to date? Are you sure it's SMF they hacked? Make sure no scripts were placed on your server to create an entrance!

The errormessage either means the databaseinformation stored in Settings.php is incorrect or there is a problem with your server.

[rsmini]

Thats where it gets confusing, we have no idea if we have been hacked or not. We are working on moving the joomla site to the latest 1.5 version. The host is also totally confused. We have asked them to restore the site back to 3 days previous to the problem. They are having problems with that as they say a big chunk of the site is missing and something is blocking the site from showing in browsers. The site and forum both stopped working at the same time. As far as I can tell looking at the site through ftp everything is in place

Hopefully we will be back soon as we get a million visits a month. would this be better in a thread of its own?

[xenovanis]

Thats where it gets confusing, we have no idea if we have been hacked or not. We are working on moving the joomla site to the latest 1.5 version. The host is also totally confused. We have asked them to restore the site back to 3 days previous to the problem. They are having problems with that as they say a big chunk of the site is missing and something is blocking the site from showing in browsers. The site and forum both stopped working at the same time. As far as I can tell looking at the site through ftp everything is in place

What bridge were you using? Did you check your database info for SMF?

For the 403 error, check the filepermissions for index.php in your root. It should probably be set to 644.

..would this be better in a thread of its own?

Nah, took care of that  I'm even tempted to move this to the Joomla board, but I'll see where this goes first.

[rsmini]

I don't want to too much today other than check things as I have a guy at the host working today (Sunday) and he is going to have a good look for me and see if he can sort it. Also I will post what I have done recently to the forum to see if anyone has any clues

Thanks for your time with this I do appreciate your help

[xenovanis]

Goodluck, please post back your progress on this 

[rsmini]

I will defo keep you upto date. My host has just replied, bearing in mind they only have skeleton staff on a sunday, that they can't do a full restore today. Monday would be the best time and they can probably restore the whole thing back 3 days previous to the problem.

Would you like me to list the order the problems occured, would that help.

My host along the same lines as myself that I do a fresh install of SMF and point it to the same db. I am going to try that now. I'm struggling to find the bridge. I know it is a joomla-smf bridge. I have found in joomla components a com_smf folder I presume that is it. Might be worth just deleting via ftp. would that be the right thing to do?

[xenovanis]

Do you remember how long you are using this bridge? I've got to tell you that my site was hacked due to an obsolete version of Joomla, which I couldn't update because of the bridge losing functionality then. Maybe that could be your problem as well?

For as far as I remember, all files related to the bridge are in both components and modules folder of Joomla, having the prefix mod_smf_.. or com_smf_...

Now moving this to the Joomla Bridge board. 

[rsmini]

We are getting moved a lot I have been using the bridge for a good 3 years. to be fair we have not made the best use of it so we could manage without.

I will delete the mod_smf and com_smf via ftp.


I am also just extracting a fresh download of smf 1.1.11

[rsmini]

I'm just  working on a holding page but my host has just replied with this

You can upload a page if you like, but I don't think it will work, as you have a script in place that is rewriting your URL's

[xenovanis]

Honestly, I can't help you with that. There must be hundreds of files on your server that *could* have been infected. There were multiple exploits in older modules and components for Joomla. You'll have to compare each and everyone with the default ones or open them to see if they're infected.

If I were you (and believe me, I've been there and I know how hard it is to throw your work away), I'd remove all files from my server and start with clean installs with the most recent versions.

Make a sitebackup first, though, maybe your host is able to determine whcih files are infected.

[rsmini]

I quite agree with that one. I have managed to get a holding page up and running with links to our pages on facebook and our blog. he next step is the forum. I can add extra pages to the blog which may help.

I am working an upgrade on the joomla site. I need to work out how to move the content across. The old joomla version and new one are very different in the back end!!

if anyone is interested the URL is www.britishminiclub.co.uk and the forum is www.britishminiclub.co.uk/smf

Hopefully removing the bridge between the two might help remove the problem. Trouble is I need to get the old site back up running as it has so much on it.

I was thinking of moving to word press as joomla can prove to be a pain in the back side 

[rsmini]

Might be getting somewhere.. then again might not We have a zencart shop installed but has never been set live. The host seems to think the shops .htaccess and .rewrite might be causing problems. Wont find out till monday though

[xenovanis]

Well, as long as you're up and safe. Good luck 

[rsmini]

nope  those files have been checked and changed to be correct and still no luck !!