Been hacked, please help!!!

Started by Prone, November 14, 2004, 02:00:20 PM

Prone

Hey ppl,

I really need your help, someone has hacked into my account somehow (and a few other accounts) and has posted SPAM and PORN with it. How can this be done? The password is secure, must be something different!

Thank you for your help!

P
Webmaster http://www.syndicate-1.com

SyndicateOne - For All your gaming needs

Grudge

What else do you have on your server? Are you running any mods? Are you sure you haven't accidentally given anyone permission to admin that you didn't mean to?

SMF has no known security exploits at all at the moment, it's *very* unlikely that it's the software itself - especially as if anyone were to find an exploit you'd expect them to report it or use it against our main site.

What other scripts do you have on your server? You definitely deleted install.php I assume? You don't have a backup of Settings.php sitting on your server?

Did you enable "encrypt attachment filenames", or otherwise ensure extensions such as php are banned?

Is your server secure? By which I mean it's either dedicated or at the very least shared with a reputable company who would know how to configure it correctly, just in case the server itself wasn't secure.

Are you sure someone hasn't found out your password? Particularly possible if you use the same password for all sites. If they "hacked" other accounts by changing their passwords then they almost certainly got in originally by knowing your password.

Do you *always* log off from everywhere you go? It's essential to log off when leaving a terminal.

Just some ideas. In the meantime obviously ensure you ban their IP address from your forum.
I'm only a half geek really...

[Unknown]

Was your password secure?  Was your email account's password secure?  Do you have an Apache access log for the time of posting?

-[Unknown]

Prone

Hey, here I am again...

Why would any exploit not be used against this main site? Simple: those ppl wanted to hurt me, not you and they know you would find them when I can't :)

The answers: the website and the forum are running on the server, no mods are installed, I'm running SMF RC2 on it (gameradar.de/forum). I did delete the install.php of course, being a user of Yabb and SMF from YaBB SE Gold (CGI based).

Encrypt Attachments is activated, there is only one attachment up at the moment.

The server is hosted at hosteurope which is safe imo.

I changed the passwords now, looking for trouble they may have caused. I use only a few different passwords for different sites. The passwords I use are not easily found out by guessing or brute force, consisting of a combination of a lot of factors (thanks to my Linux teacher in college ;)).

I can't ban the IP b/c it's an AOL IP and many ppl would be banned then...

What backup of the settings.php? There are the two settings.php* files that came with the install...

[Unknown]

Settings_bak.php is a backup of Settings.php without the last change.

Do you have an access log, from Apache, for the time in question?

-[Unknown]
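
The access-log check asked for above, as an added example that is not part of the original thread: it pulls login and post submissions near a given time out of an Apache log and flags clients that posted without logging in during that window. It assumes the Apache "combined" log format and that SMF submits logins and posts as POST requests with `action=login2` and `action=post2`; the sample lines, IPs and times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip, ident, user, [time], "METHOD url proto", status
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: SMF submits logins and new posts as POSTs carrying these action names.
ACTION_RE = re.compile(r'[?;&]action=(login2|post2)\b')

def submissions_near(lines, when, minutes=30):
    """Map client IP -> [(time, action)] for login/post POSTs within +/- minutes of when."""
    window = timedelta(minutes=minutes)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        action = ACTION_RE.search(m["url"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if action and abs(ts - when) <= window:
            hits[m["ip"]].append((ts, action.group(1)))
    return dict(hits)

def posted_without_login(hits):
    """IPs that posted but never logged in inside the window: they arrived with an
    existing session or cookie, so look further back in the log for where it began."""
    return sorted(ip for ip, events in hits.items()
                  if {a for _, a in events} == {"post2"})

# Constructed sample lines (documentation IP ranges, made-up times), not real log data.
SAMPLE = [
    '192.0.2.10 - - [14/Nov/2004:13:40:02 +0100] "POST /forum/index.php?action=login2 HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Nov/2004:13:41:15 +0100] "POST /forum/index.php?action=post2;start=0;board=1 HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    '198.51.100.7 - - [14/Nov/2004:13:55:01 +0100] "GET /forum/index.php?action=post;board=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [14/Nov/2004:13:55:40 +0100] "POST /forum/index.php?action=post2;start=0;board=2 HTTP/1.1" 302 - "-" "Mozilla/4.0"',
    '203.0.113.5 - - [14/Nov/2004:09:00:00 +0100] "POST /forum/index.php?action=post2;board=1 HTTP/1.1" 302 - "-" "Mozilla/4.0"',
]
WHEN = datetime(2004, 11, 14, 14, 0, tzinfo=timezone(timedelta(hours=1)))  # constructed

if __name__ == "__main__":
    hits = submissions_near(SAMPLE, WHEN)
    for ip, events in sorted(hits.items()):
        print(ip, [(t.strftime("%H:%M:%S"), a) for t, a in events])
    print("posted without a login in the window:", posted_without_login(hits))
```

A post with no matching login only means the session started earlier or from a saved cookie; widen `minutes` or search the older log for that client's `login2` request before drawing conclusions.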

Prone

I'm gonna get the access log later.

Can I delete the settings_bak.php?

Grudge

Quote from: Prone on November 15, 2004, 05:06:21 AM
> I'm gonna get the access log later.
>
> Can I delete the settings_bak.php?

settings_bak.php is fine. It was only if you had manually named it something like settings.bak that it would be a problem.