Host Suspended my SMF account because of phishing attack - need advice!

Started by sepulchre, August 05, 2010, 11:57:04 AM


sepulchre

Hi,

I received an email from Google on Monday that a page on my site looked like a phishing site. I was out of the country but managed to look for the page, but found that it didn't actually exist. I got back yesterday to find my host has suspended my account; the reason quoted was that my site had an install of PHPnuke version e107 which was 6 versions out of date and let in a hacker through a security hole. Now I haven't installed php; in fact the only install I've made is SMF. He is also threatening legal action and blaming me for this outdated software, saying it nearly brought down all of his servers.

Can someone tell me if any of this makes sense? Or is the host talking utter rubbish?

Right now I just want access to my forum and SQL database and move to another host.

All help appreciated :)

vbgamer45

Get a copy of your site and database then change hosts. Make sure you are using the latest version of SMF.

sepulchre

My forum was running 2.0rc3 so as up-to-date as it gets unless I missed a major update somewhere??

As my account is suspended I can't get access to my forum files or SQL database :(

This is a bit of a nightmare to be honest!

madman71

I'm sure they'll give you access via FTP or cPanel.

Did you ask them for access? Might want to try that.

sepulchre

yep asked them for cpanel and ftp access, they are saying they don't think they can by law  :o

vbgamer45

Quote from: sepulchre on August 05, 2010, 12:40:09 PM
yep asked them for cpanel and ftp access, they are saying they don't think they can by law  :o
They are crazy then. Leave ASAP and demand a copy of your files. They have no right to hold on to them.

sepulchre

Speaking to them now, all by email as they don't answer their phones.

This was his latest reply:

"your website was hacked, most likely your forum, I can't enable it now, I will enable it at around midnight when less damage can be done, you see it's a phishing site meaning it harvests victims' bank login details. So if I was to unsuspend the person that has hacked it could get access to his files and therefore people's bank account information, hence I'm not supposed to unsuspend. But I will do it so you can get your DB."

I don't see how midnight is any safer??

Anyway, I need a crash course in grabbing everything from my site. I can FTP the files down and use cPanel to make a full SQL backup. Will that be sufficient?

Also am I correct in thinking SMF doesn't actually install php and this is the responsibility of the web host?

flapjack

Quote
"your website was hacked, most likely your forum, I can't enable it now, I will enable it at around midnight when less damage can be done, you see it's a phishing site meaning it harvests victims' bank login details. So if I was to unsuspend the person that has hacked it could get access to his files and therefore people's bank account information, hence I'm not supposed to unsuspend. But I will do it so you can get your DB."
I smell an idiot or complete lack of understanding the principles behind webhosting

~DS~

Quote from: flapjack on August 05, 2010, 12:58:06 PM
Quote
"your website was hacked, most likely your forum, I can't enable it now, I will enable it at around midnight when less damage can be done, you see it's a phishing site meaning it harvests victims' bank login details. So if I was to unsuspend the person that has hacked it could get access to his files and therefore people's bank account information, hence I'm not supposed to unsuspend. But I will do it so you can get your DB."
I smell an idiot or complete lack of understanding the principles behind webhosting
Or overseller?

kateydrop

SMF is written in PHP as in this example:

index.template.php

Get your files, get your database then go to a decent host like mine. Jason is excellent and will help you.

http://www.charlottezweb.com/<sniped off the affiliate link by F.L.A.M.E.R>

tumbleweed

Just grab your database. You will need to wipe everything clean in your webspace. Save nothing from that area. Chances are you were rooted and have a shell script installed; if that was the case, the suckers are all over the place.

sepulchre

well the good news is I have all the site files from my last mod update in March so I will use that with the new host and avoid any hacked files.

What concerns me is how was the site hacked in the first place, the host is saying through a security hole in an old version of phpnuke, but this isn't something I would have installed or know how to use. So am I correct in thinking that php is their responsibility to administer?

Still waiting to get access to the site to grab a copy of the database
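Added example, not part of any post in this thread: one way to check a backup handed over by the host against a known-clean copy (such as the March files mentioned above) before anything from it is reused. It hashes both trees and lists files that were added, changed or removed; the directory layout and file names in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean_root, suspect_root):
    """Return (added, modified, missing) paths in suspect_root versus clean_root."""
    clean, suspect = tree_hashes(clean_root), tree_hashes(suspect_root)
    added = sorted(set(suspect) - set(clean))
    missing = sorted(set(clean) - set(suspect))
    modified = sorted(p for p in set(clean) & set(suspect) if clean[p] != suspect[p])
    return added, modified, missing


def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():  # constructed sample: a clean copy versus a tampered backup
    base = {"index.php": "<?php // forum entry point",
            "Sources/Load.php": "<?php // loader",
            "Themes/default/index.template.php": "<?php // theme"}
    tampered = dict(base)
    tampered["Sources/Load.php"] = "<?php // loader, altered"   # changed file
    tampered["attachments/cache.php"] = "<?php // unexpected"   # not in clean copy
    del tampered["index.php"]                                   # file removed
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        write_tree(clean, base)
        write_tree(suspect, tampered)
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    print(demo())
```

Files that change in normal use (uploaded attachments and avatars, Settings.php, cache files) will also be listed, so the output is a review list rather than a verdict.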

xenovanis

Since your host seems to be lacking proper knowledge about how hacks are done, the security hole might as well have been an issue in the server configuration itself.

Around midnight? Bots don't sleep  :P

sepulchre


xenovanis

Feeling sorry for you. Being hacked is sad, but losing everything because of an ignorant host is even more sad.

Quote from: sepulchre on August 05, 2010, 02:57:41 PM
What concerns me is how was the site hacked in the first place, the host is saying through a security hole in an old version of phpnuke, but this isn't something I would have installed or know how to use. So am I correct in thinking that php is their responsibility to administer?

phpNuke is a Content Management System, actually. It has nothing to do with the PHP configuration on the server. I would like to provide you a link, but McAfee is showing a bad reputation. From what I know, it used to be one of the first easy-to-install CMSes, but it has always been vulnerable to hacking attempts. I believe the project quit a while ago.

Maybe you have tried to install it sometimes, maybe with Fantastico?

tumbleweed

Quote from: sepulchre on August 05, 2010, 02:57:41 PM
well the good news is I have all the site files from my last mod update in March so I will use that with the new host and avoid any hacked files.

What concerns me is how was the site hacked in the first place, the host is saying through a security hole in an old version of phpnuke, but this isn't something I would have installed or know how to use. So am I correct in thinking that php is their responsibility to administer?

Still waiting to get access to the site to grab a copy of the database

If you are worried about being attacked again and you feel it's your host, maybe you should start looking for another one.

sepulchre

Quote from: xenovanis on August 05, 2010, 03:44:10 PM
Feeling sorry for you. Being hacked is sad, but losing everything because of an ignorant host is even more sad.

phpNuke is a Content Management System, actually. It has nothing to do with the PHP configuration on the server. I would like to provide you a link, but McAfee is showing a bad reputation. From what I know, it used to be one of the first easy-to-install CMSes, but it has always been vulnerable to hacking attempts. I believe the project quit a while ago.

Maybe you have tried to install it sometimes, maybe with Fantastico?

Thanks for the info, and yes this does suck big time!

I'm happy to say I had a blank canvas with this host and went straight for SMF and that's all I have ever installed on it, never needed anything else :)

Quote from: tumbleweed on August 05, 2010, 03:44:38 PM

If you are worried about being attacked again and you feel it's your host, maybe you should start looking for another one.

Already on it ;)

sepulchre

My host has sent me a backup of all the files and the sql database.

The sql database is a .gz archive with a single file inside called smf.sql.

- Is that correct, or do I need a separate data and structure file?
- How do I find the name of the database originally?


xenovanis

Quote from: sepulchre on August 05, 2010, 06:20:16 PM
My host has sent me a backup of all the files and the sql database.

The sql database is a .gz archive with a single file inside called smf.sql.

- Is that correct, or do I need a separate data and structure file?

Yes, that is correct. You should be able to import it in a new database.

Quote
- How do I find the name of the database originally?

I'm not sure why you want to know. Check your files for the file Settings.php; the database name should be in there.

If you want to move servers, here's a tutorial:
Restoring a Database
How do I move my SMF forum to a different host?

Good luck ;)
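Added example, not part of any post in this thread: a check that a gzipped dump like the smf.sql archive described above carries both table structure and data in the one file, plus a reader that pulls the database name out of Settings.php text. It assumes the usual `$db_name = '...';` assignment form and a mysqldump-style file with one statement starting per line; the sample dump and settings below are constructed.

```python
import gzip
import os
import re
import tempfile

CREATE_RE = re.compile(r"^CREATE TABLE (?:IF NOT EXISTS )?`?(\w+)`?", re.I)
INSERT_RE = re.compile(r"^INSERT (?:IGNORE )?INTO `?(\w+)`?", re.I)
SETTING_RE = re.compile(r"^\$(db_name|db_prefix|db_server)\s*=\s*(['\"])(.*?)\2\s*;", re.M)


def inspect_dump(gz_path):
    """Report which tables the dump defines and how many INSERT statements each gets."""
    created, inserts = set(), {}
    with gzip.open(gz_path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = CREATE_RE.match(line)
            if m:
                created.add(m.group(1))
            m = INSERT_RE.match(line)
            if m:
                inserts[m.group(1)] = inserts.get(m.group(1), 0) + 1
    return {"tables": sorted(created), "inserts": inserts,
            "data_without_structure": sorted(set(inserts) - created),
            "structure_without_data": sorted(created - set(inserts))}


def read_db_settings(settings_php_text):
    """Return database name, prefix and server; the password is deliberately skipped."""
    return {m.group(1): m.group(3) for m in SETTING_RE.finditer(settings_php_text)}


# Constructed sample inputs, not taken from the thread.
SAMPLE_SQL = ("CREATE TABLE `smf_members` (\n  `id_member` int\n);\n"
              "INSERT INTO `smf_members` VALUES (1);\nINSERT INTO `smf_members` VALUES (2);\n"
              "CREATE TABLE `smf_messages` (\n  `id_msg` int\n);\n"
              "INSERT INTO `smf_topics` VALUES (1);\n")
SAMPLE_SETTINGS = ("<?php\n$db_server = 'localhost';\n$db_name = 'example_smf';\n"
                   "$db_passwd = 'placeholder';\n$db_prefix = 'smf_';\n?>\n")


def demo():  # write the constructed dump to a temporary .gz file and inspect it
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "smf.sql.gz")
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write(SAMPLE_SQL)
        return inspect_dump(path), read_db_settings(SAMPLE_SETTINGS)


if __name__ == "__main__":
    print(demo())
```

A table listed under `data_without_structure` means the dump cannot be imported into an empty database on its own; a table under `structure_without_data` may simply be empty.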