My website seems to keep getting hacked

Started by blockhead, September 09, 2013, 08:04:00 AM


blockhead

Can anyone advise me on this please.

My website seems to keep getting hacked. I can restore it to an earlier date which puts it right again but then within a couple of days it is hacked again. When I do the restore I have to reinstall the upgrade to 2.0.5.

I was blacklisted and managed to get that removed and thought everything was ok. When I logged on today I got redirected to adultfriendfinder. I have done the restore  and it now says it is clean again but I'm not expecting it to last.

Can anyone advise me of what I can do to prevent the hacks from happening in the first place.

Thank you

margarett

There are no known vulnerabilities in SMF. So you have:
- host issue (host is using outdated patches and you are affected through this --> UNLIKELY)
- weak passwords (yourself or other admin --> PROBABLY THIS) Do you change them after each restore?
- infected computer so run a good anti-virus in it ;)
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

QuoteOver 90% of all computer problems can be traced back to the interface between the keyboard and the chair

blockhead

Thanks for this. I will contact my other admin and tell them to change their passwords.

I run virus scans on my computer constantly, I will get other admins to check theirs too.

I appreciate your quick reply and hopefully will be able to sort it out once and for all.


Kindred

you also do not note what other software you might be running on your site.... or what mods you have installed.

SMF 2.0.5 has no current known vulnerabilities.
So, if you keep getting hacked, it suggests that (in addition to what margarett notes)
a) you have an insecure software script somewhere
b) you are not actually, fully, cleaning your server (hackers often leave back door scripts buried deep in directories)
c) you are running an insecure mod...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

d) You're installing mods and not putting the file permissions back afterwards, leaving you insecure.
Holder of controversial views, all of which my own.


Sir Osis of Liver


Some hacks are embedded in forum files that don't delete and can't be overwritten, so they're still there after reloading forum files.  You have to delete the forum completely (save backups of Settings.php and attachments), and confirm that all directories and files are gone before uploading clean files.

When in Emor, do as the Snamors.
                              - D. Lister

Arantor

QuoteSome hacks are embedded in forum files that don't delete and can't be overwritten

Citation needed.

Sir Osis of Liver


I've seen this twice on forums with base64 hacks.  Server refused to delete a legit font file and all directories above because it "contains a running process".  Could not overwrite file via ftp upload.  All other files/directories were gone.  Both instances were on windows servers.  Had to screw around with file permissions for twenty minutes before file finally deleted.  Didn't save the infected file, it kind of creeped me out.


blockhead

I will gladly remove the forum completely. Is it simple enough to save all of the posts and put them back after reinstalling forum?

margarett

Save your MySQL database and Settings.php.
Also, save your attachments folder, but download it to your computer and have some virus scans in it.

Then load a Large Update and you're as good as new ;)

blockhead

Thanks for the help with this.

I have now got a clean install of a forum.

Is there a particular order I should put the settings, database and attachments back please?

*edit I put the settings and attachments back and the forum seemed to be back. Every time I try to put the database back through phpmyadmin (the way I backed it up) I get an error.

margarett

Yes, you probably get a timeout if importing via phpMyAdmin... Upload the backup file to your webspace and ask your host to import it, or use a tool like "bigdump"
http://www.ozerov.de/bigdump/

blockhead

It wasn't a time out error.

After messing about last night deleting things I had to get the host to reinstall the site as I'd lost the databases.

At the moment I am back to having an infected site.

After taking the site down and installing a clean site what order should I put the settings, attachments and backed up databases back? or does it not matter what order I do it in?

Thanks for the responses I appreciate your help.

margarett

Well, exactly the same as before, sorry to insist...

You know that you are restoring to an "infected" state so I would:
- change all passwords (cPanel, FTP, mysql user, ...)
- Edit Settings.php and set your maintenance mode to "2" (unusable)
- backup the "infected" database and files to your local machine
- check the files with an AV
- Delete all files from the server except "Settings.php" and "attachments" (if your scan for virus was "clean")
- Load a "Large Upgrade" package. Delete all the "upgrade*.php"
- Edit Settings.php and set your maintenance mode to "0".
- Login to your site and change your password. Remove all other administrators until they change their passwords also.

Something like this should do the trick, I think.
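The cleanup list above, together with Kindred's point about back-door scripts buried in directories and Arantor's point about permissions not being restored after mod installs, describes checks that can be scripted. The POSIX shell script below is an added example written for this page; it is not code from the thread or from the SMF project. The web-root layout (attachments/ directly under the root), the obfuscation pattern list, the constructed sample tree and the example.invalid host are all assumptions. Every hit is a lead to review by hand, not a verdict; the comparison against a clean unpack of the same SMF release is the authoritative check. The script only sees the web root, not the cPanel, FTP or MySQL accounts whose passwords the list says to change.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SMF project.
# Checks an SMF web root for the things the replies point at:
#   - PHP files using obfuscation calls typical of injected code
#     (base64_decode/eval/gzinflate/str_rot13), the "base64 hacks"
#   - script files planted under the attachments directory
#   - files and directories left world-writable after a mod install
#   - .htaccess rules that send visitors to another host (the redirect symptom)
#   - anything that differs from a clean unpack of the same release
# Assumptions: the layout (attachments/ under the root) and the pattern list
# are mine. Legitimate code can also use these calls, so hits are leads to
# review by hand; diff_against_clean is the authoritative check.

# PHP files whose contents use common obfuscation calls. One path per line.
scan_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'base64_decode *\(|eval *\(|gzinflate *\(|str_rot13 *\(' {} + 2>/dev/null
    return 0
}

# Script files under attachments/. Nothing SMF writes there should be
# executable PHP, so any such file was put there by someone else.
scan_scripts_in_attachments() {
    find "$1/attachments" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
    return 0
}

# World-writable files and directories (other-write bit set, e.g. mode 777
# left behind after a mod install).
scan_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null
    return 0
}

# .htaccess rules that rewrite or redirect to an absolute URL, i.e. off-site.
scan_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec grep -lE \
        '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[[:space:]].*https?://' {} + 2>/dev/null
    return 0
}

# Files that differ from, or do not exist in, a clean unpack of the same
# release. Settings.php, attachments/ and your own edits are expected to show
# up; everything else is a lead.
diff_against_clean() {
    diff -rq "$1" "$2" 2>/dev/null
    return 0
}

# Constructed sample tree for a stand-alone run: a "clean" unpack next to a
# "live" copy carrying one finding of each kind. These are not real SMF files.
build_sample_tree() {
    base="$1"
    mkdir -p "$base/clean" "$base/live/attachments" "$base/live/Themes/default"
    printf '<?php\necho "hello";\n' > "$base/clean/index.php"
    cp "$base/clean/index.php" "$base/live/index.php"
    # injected tail of the kind seen in a base64 hack (decodes to: echo "hi";)
    printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' >> "$base/live/index.php"
    printf '<?php echo 1;\n' > "$base/live/attachments/post_123.php"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R,L]\n' \
        > "$base/live/Themes/default/.htaccess"
    printf '<?php $db_name = "smf";\n' > "$base/live/Settings.php"
    chmod 666 "$base/live/Settings.php"
}

# Demonstration on the sample tree; point the scan_* functions at your own
# web root (and diff_against_clean at a clean unpack) for a real check.
SAMPLE=$(mktemp -d)
build_sample_tree "$SAMPLE"
echo "== obfuscated PHP";         scan_obfuscated_php "$SAMPLE/live"
echo "== scripts in attachments"; scan_scripts_in_attachments "$SAMPLE/live"
echo "== world-writable";         scan_world_writable "$SAMPLE/live"
echo "== redirecting .htaccess";  scan_htaccess_redirects "$SAMPLE/live"
echo "== differs from clean";     diff_against_clean "$SAMPLE/clean" "$SAMPLE/live"
rm -rf "$SAMPLE"
```

Run it from the shell account on the host, or on a copy of the site pulled down by FTP, and keep the clean package unpacked beside the live tree so diff_against_clean has something to compare against. A reinfection after a clean install with nothing restored, as reported later in this thread, is outside what these checks can see: they cover the files in the web root, not the credentials or the hosting account around it.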

blockhead

Thank you very much for all your help.

I did everything you said and with a little help from my host at the end I now appear to have a fully functioning, virus free forum.

gigashiga

Thank you very much for the help. I am following these steps and will revert back as soon as it is complete.

Quote from: margarett on September 16, 2013, 06:05:46 AM
Well, exactly the same as before, sorry to insist...

You know that you are restoring to an "infected" state so I would:
- change all passwords (cPanel, FTP, mysql user, ...)
above done

Quote from: margarett on September 16, 2013, 06:05:46 AM
- Edit Settings.php and set your maintenance mode to "2" (unusable)
- backup the "infected" database and files to your local machine
infected database? does this mean that the SQL database is also infected? and a virus scanner won't harm it?

Quote from: margarett on September 16, 2013, 06:05:46 AM

- check the files with an AV


FTP files from the server to my computer for scanning .... is it required?
or do I just overwrite the existing files?

Quote from: margarett on September 16, 2013, 06:05:46 AM
- Delete all files from the server except "Settings.php" and "attachments" (if your scan for virus was "clean")
- Load a "Large Upgrade" package. Delete all the "upgrade*.php"

I have done some changes in the code and template which I do not keep track of, any suggestions on this please?

Quote from: margarett on September 16, 2013, 06:05:46 AM
- Edit Settings.php and set your maintenance mode to "0".
- Login to your site and change your password. Remove all other administrators until they change their passwords also.

Something like this should do the trick, I think.

I also have some code being displayed on my websites header

if(empty($eht)) { $eht = " "; echo $eht; } ?>

kindly see other thread where my website link is if you need my website link.
http://www.simplemachines.org/community/index.php?topic=511435.0


Cyberhost

Quote from: gigashiga on September 20, 2013, 05:13:47 AM
Thank you very much for the help. I am following these steps and will revert back as soon as it is complete.

kindly see other thread where my website link is if you need my website link.
http://www.simplemachines.org/community/index.php?topic=511435.0

I checked your site and scanned it with many anti-virus programs, and a few of the anti-virus programs marked it as a malicious site, so there's a high possibility that your files have been affected by a malware program. I'd recommend you delete your forum and reinstall it.

blockhead

I plodded on with this and in the end I got my site nuked. I then did a clean install and restored my databases etc. My site was ok for about a week and then the infection was back.

Earlier today I got the site nuked again. I ran a clean install again. This time I added nothing. No restoring of databases. No modifications. Absolutely nothing.

About an hour later I went to my site and I was redirected to adult friend finder again. My host (Hostmonster) are trying their best to get me to pay for sitelock or go to another company and get them to monitor my site, something else to pay for.

They also advised I try here to see if there is anything I can do to stop the hack happening. I use smf 2.0.5

Does anyone have any ideas as to what is going on, because it is beyond my capabilities.

Thanks for any help you can offer.
