hacked: www.madphilosophers.com / need help

Started by willem-sp, October 04, 2008, 12:49:39 PM


pipedreams

Yes, he must have gotten in through a security vulnerability, so please do upgrade if you can, thanks!!

Pre-hack, I was the only admin, and I had a strong password and had not logged in for some time. Willem was one of two Global Moderators. After the initial hack it looks like someone else attempted to help, and made Willem admin, but that didn't seem to work for some reason. I'm not sure of the full story as I was just informed of the hack today. Anyway there is only supposed to be one admin, the account name was admin and displayed as pam.



Deprecated

Just FYI, since willem had the only admin account, and since it was said that his account had been taken over, I tracked the IP address shown in the smf_members and it originates in Toronto, ON, CA. I don't know if that is willem or the hacker though. It will be easier to tell once the forum is back up and running.

It's amusing that the SMF member accused of this deed is online here right now, probably reading this topic. If that is you, then you can go suck egg. :P :P :P


(I'm posting this right now but I haven't read the two previous posts yet.)

Deprecated

Pam I just checked and he deleted your admin account. I can recreate it shortly.

Do you mind losing your modifications and themes? I have no idea what your site looks like normally, plain jane or every bell and whistle in the book. Do you mind going back to SMF default 1.1.6?

DirtRider

The William account was created a few days back; it is not the original. He created it to try and get money out of the forum members. I would also say go for a fresh 1.1.6 install here.
http://www.triumphtalk.com

"The real question is not whether machines think but whether men do. "

babjusi

Quote from: Deprecated on October 09, 2008, 01:29:09 PM

It's amusing that the SMF member accused of this deed is online here right now, probably reading this topic. If that is you, then you can go suck egg. :P :P :P


I don't think that it is wise to irritate or mock the hacker. It doesn't serve any purpose, on the contrary, it will make things worse. Just a word of advice, hope you didn't mind it :)


pipedreams

I (pam/admin) am based in Toronto, Canada, but Willem is from Belgium. Are you saying the hacker was also from Toronto, Canada?

I do not mind losing any mods or themes. I didn't have too many installed and the main thing is to get the site functional again.

Again, thanks so much for your help :)



Deprecated

Yes, the hacker is in Ontario, or at least the person using the account 'willem' is in Ontario. Small world, eh? It kind of makes you wonder...

Okay on the mods and themes. I'll get on it.

Let's wait until this has a happy ending and then you can send thanks. :)

SlammedDime

Could have just used cPanel to upload and unzip using their file manager...

CarlT100

I am following this with great interest.  Thank you Deprecated for keeping us informed.

Pipedreams, once your forum is up and running, I strongly urge you to get a second admin - just in case this happens again and you are not on line.  You and your second admin need to know how to contact each other by email and telephone.
CarlT100


Deprecated

Ran into a bit of trouble. I tried to use an unzip script and remotely unzip the files but it wasn't working right so I had to create an FTP account for myself, unzipped the files locally, and now I'm uploading them to the site.

One really strange thing: The database had no user. I had to recreate a user/pass and attach it to the database. I don't know how that could disappear, and I don't know how anybody could mess with that without cPanel access. Strange...

BTW I did some backups before starting things. Can't take a chance on losing any data. :)

Oh, also, I've forwarded the suspect's IP address to SlammedDime. If it matches the SMF member accused of the hack then I guess I see an SMF IP ban in his future. He's gettin' a good IP ban at madphilosophers too, you can bet on that! :)

Deprecated

@Slam: Yeah, there's a thousand ways to do it. I rarely use the file manager so I didn't know it had unzip capability. I've got Filezilla running on another box here and I just set it going and forget about it.

@Carl: Good advice! They have over 2,500 members and that is way, way too big to not have multiple admins. Everything depends on one person, and if they go out of town and problems develop, 2,500 people are out of luck.

Upgrade almost done and ready to go back online. I just remembered there are no admins so I guess it might be a good idea to make one. Duh.

DirtRider

Deprecated, the bans on all our IP addresses are still active on the site. Don't forget to sort them out, as he was systematically banning members that posted anything about his hack attack on the forum.

Sorry DirtRider, you are banned from using this forum!  :'(  :D

Deprecated

Yeah that's good to know. In fact I was just setting up to borrow your account since I don't want to try and create one from phpMyAdmin. I'll restore your access as soon as I can create another admin account and demote yours back to ordinary member. (Sorry. ;))

Wow, I never knew where you lived until now. Kewl!!! :)

DirtRider

Quote from: Deprecated on October 09, 2008, 02:50:09 PM
Wow, I never knew where you lived until now. Kewl!!! :)

Who me  :D

You can also delete JustMe and TheThinker; I created these by bouncing off a proxy so I could keep tabs on the progress on the forum  :D

Amacythe

I've been kinda watching this topic waiting to see someone step up with the cPanel information.  pipedreams, I'm glad you finally posted something so this issue could be resolved.

Just so you're aware, the IP addresses for MuratbanK here all point to Istanbul, Turkey, not Canada.  The member has been banned from our forum.

Deprecated

All I can say is the IP address used in the willem account was in Ontario, CA. Perhaps the SMF member did it, perhaps not. Not for me to decide. Or putting it another way: meh :)

Dirt, I've got your account put back. Login and let me know if it works okay.

I've recreated the admin account too. I'm gonna go PM the details to pipedreams. At least I know for sure she's who she says she is! :D

Deprecated

Okay I think this story is winding up folks.

Their forum is back up and running on SMF 1.1.6. I have restored pipedreams' admin account for her. I'm waiting to verify that she has achieved access.

At least until it is certain that the forum is operating normally I have created an admin account for me to use, and if she wishes I may stick around for a while just to make sure things stay okay. I'll discuss that with the owner privately.

One final important thing:

As soon as it is determined that things are running normally, pipedreams you must change your cPanel password. Please use something similar to the present password which is a mixture of garbage letters, numbers and punctuation. Make it at least 8-10 characters long or as long as you like, but choose a strong password. I urge you to do this later today and definitely before the end of the day, at the earliest moment that you feel your forum is secure and operating normally.

Just repeating, you must change your cPanel password before the end of today!

pipedreams

Thanks so much, Deprecated!! I'm logged in and the cpanel pass is changed now. It looks like Mad Philosophers is back at full functionality, and no longer has the security issue that got us into trouble in the first place.

Deprecated

Great! It looks like things are nearly back to normal.

Just for the record I currently have an active admin account at their forum and an active FTP account at her hosting service. I'll discuss any further details with pipedreams privately. Perhaps if I like the forum and she likes me maybe I'll stay on and keep an eye on their security.

Well the story did have a happy ending! Tha, tha, tha, that's all folks!
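
A post-recovery check of the kind this cleanup calls for, as an added example that is not part of the original thread: it lists admin-level accounts the owner has not approved, accounts registered during the incident window, and bans added in that window. The tables, column names, account names, dates and IP addresses are constructed for the example and are not SMF's schema or data from this forum.

```python
import sqlite3

# Constructed sample data in simplified stand-in tables. Table and column names
# are assumptions for this example, not SMF's real schema.
SETUP = """
CREATE TABLE members (name TEXT, is_admin INTEGER, registered TEXT, last_ip TEXT);
CREATE TABLE bans (target TEXT, created TEXT);
INSERT INTO members VALUES
  ('admin',     1, '2006-03-01', '192.0.2.10'),
  ('helper',    1, '2008-10-09', '192.0.2.55'),
  ('member_a',  0, '2007-05-12', '198.51.100.7'),
  ('lookalike', 1, '2008-10-03', '203.0.113.9'),
  ('watcher_1', 0, '2008-10-05', '203.0.113.40');
INSERT INTO bans VALUES
  ('198.51.100.7', '2008-10-04'),
  ('spam.example', '2008-01-15');
"""

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn

def unexpected_admins(conn, approved):
    """Admin-level accounts that the owner has not explicitly approved."""
    rows = conn.execute("SELECT name FROM members WHERE is_admin = 1 ORDER BY name")
    return [name for (name,) in rows if name not in approved]

def registered_between(conn, start, end):
    """Accounts created inside the incident window (ISO dates compare as text)."""
    rows = conn.execute(
        "SELECT name FROM members WHERE registered BETWEEN ? AND ? ORDER BY name",
        (start, end))
    return [name for (name,) in rows]

def bans_to_review(conn, start, end):
    """Bans added inside the window, paired with any member whose IP they block."""
    rows = conn.execute(
        "SELECT b.target, m.name FROM bans b LEFT JOIN members m "
        "ON m.last_ip = b.target WHERE b.created BETWEEN ? AND ? ORDER BY b.target",
        (start, end))
    return rows.fetchall()

if __name__ == "__main__":
    db = load_sample()
    window = ("2008-10-01", "2008-10-09")
    print("admins not approved:", unexpected_admins(db, {"admin"}))
    print("new accounts:", registered_between(db, *window))
    print("bans to review:", bans_to_review(db, *window))
```
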

willem-sp

Could you guys unban me now please ?  :D

I'm now nicknamed Michael Philb or something... The guy was quite cunning.... :P
