RC4 Hacked

[DirtRider]

Well we got a surprised today when our domain name was suspended due to it being used as a pilfering platform. On investigation it would seem the following folder was created.

abes/internet-banking/absa.accounts/securtiy-upgrade/online.net/online-secure.php"

Unfortunately I was not able to get to it before the host deleted all the files. I am also battling to get it out of the host how they got in and the server logs. If I manage to get more information from them I will post it here. Thought I would just make this thread so if anyone else that would like to check for this file can

[Illori]

do you run any other php apps on your server? you should also check with your host on how secure your server is, it is possible another server got hacked, then got access to your server and then was able to add the files and such to your server.

[DirtRider]

no other php apps at all. As I say the host is not giving out much info. What amazes me is this is a new forum only up a week and I have not even added it to Google or anything. Within a day I had spammers knocking at the door. 

[Illori]

sounds like a host issue and not an issue with smf, or anything that you have done. what host are you using?

[Tyrsson]

Sounds like its most likely they got in via a different account, usually host are not to keen on admitting that.

[LiroyvH]

He is using HostGator. If I recall correctly.
Wouldnt surprise me if their configuration would allow access everywhere on the server with stuff like a phpshell.

Exactly why have they deleted all your files? Impossible for you to find what caused the issue. If this was a RC4 bug, more people should have reported being hacked.

Any mods running? Any portals? Any other PHP scripts?

[DirtRider]

Funny I also got the feeling it was a hosting issue. I will push them for more info tomorrow again.

This is the host first time I have had dealings with them http://www.serv.co.za/main/

[kat]

Looks like it's a bit of this:

http://www.phishtank.com/phish_detail.php?phish_id=1102458

[DirtRider]

He is using HostGator. If I recall correctly.
Wouldnt surprise me if their configuration would allow access everywhere on the server with stuff like a phpshell.

Exactly why have they deleted all your files? Impossible for you to find what caused the issue. If this was a RC4 bug, more people should have reported being hacked.

Any mods running? Any portals? Any other PHP scripts?

Nope not one of my Hostgator sites as you can see in the above post. Basically I am running the same mods I have on most of my other forums.

1.    URL Popup    1.0.1    [ List Files ] [ Delete ]
2.    PortaMx Patch for v0.990    0.1    [ Uninstall ] [ List Files ] [ Delete ]
3.    Hide Edited Line    1.1.0    [ List Files ] [ Delete ]
4.    Hide Membergroup Titles    1.0    [ List Files ] [ Delete ]
5.    Aeva Media    2.10    [ Uninstall ] [ List Files ] [ Delete ]
6.    PortaMx Aeva BUG FIX    0.1    [ Uninstall ] [ List Files ] [ Delete ]
7.    SMFShop    3.1.6.1    [ Uninstall ] [ List Files ] [ Delete ]
8.    RSS Feeder    1.1.5    [ Uninstall ] [ List Files ] [ Delete ]
9.    PortaMx v0.990    0.990    [ Uninstall ] [ List Files ] [ Delete ]
10.    Avatar on Member List    2.0    [ Uninstall ] [ List Files ] [ Delete ]
11.    CATINTHEHAT    1.0    [ Uninstall ] [ List Files ] [ Delete ]
12.    NiceTooltips    1.7    [ Uninstall ] [ List Files ] [ Delete ]
13.    ResizeImagesToFitScreen    0.1.6    [ Uninstall ] [ List Files ] [ Delete ]
14.    Users Online Today    1.5.6    [ Uninstall ] [ List Files ] [ Delete ]
15.    Yet Another Global Announcements Mod    2.7.3    [ List Files ] [ Delete ]
16.    Tidy Child Boards    1.3    [ List Files ] [ Delete ]
17.    Ultimate Profile    0.9.1    [ Uninstall ] [ List Files ] [ Delete ]
18.    Footnotes    1.08    [ Uninstall ] [ List Files ] [ Delete ]
19.    Tapatalk SMF 2.0 RC4 Plugin    1.3.0    [ Uninstall ] [ List Files ] [ Delete ]
20.    Board Viewers Mod    1.2.1.1a    [ Uninstall ] [ List Files ] [ Delete ]

[LiroyvH]

Funny I also got the feeling it was a hosting issue. I will push them for more info tomorrow again.

This is the host first time I have had dealings with them http://www.serv.co.za/main/

Any chance on a phpinfo.php?

[ARG01]

Just an FYI: If your host was at fault by allowing someone to sneak past their server security and hack your site or access your files, you will never get true, unedited copies of logs from them.
They simply will never admit to a hack job being the fault of their security programs or practices or, lack there of. Your best bet would be to find another web host and start over. Sad, but true. 

[DirtRider]

The problem is they did a backup restore of the last good config before I could get to them. Also I am not the account holder of this site so it makes it a bit more difficult for me to get info out of them. I was also very busy today at work so I will see what I can drag up tomorrow and post it here

[DirtRider]

Yeah well they are back again using a proxy by the looks of it, so will they get in again. Also very interesting they created email address to send the mail from as well. Now they could have not got in through the CP as the password was changed and apparently after that more email addresses were created 

[Tyrsson]

Dirtrider, run a full virus scan of your comp. I have seen things similar due to someone being hit with a key logger.

[DirtRider]

Already done that nothing came up

[LiroyvH]

You could check if in phpinfo if they have openbase dir restrictions set. If not, it may very well originate from another account.

[Deaks]

my suggestion is simple but I doubt you will like it DirtRider

[DirtRider]

my suggestion is simple but I doubt you will like it DirtRider

And that would be 

Asked the host for the logs with no luck

[Deaks]

get a new host

[IceXaos]

If you are into dedicated hosting .. Zenex 5ive has done me well and I'm still usin' them.