Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: Kimmie on November 17, 2013, 01:56:01 PM

Title: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 01:56:01 PM
HELPPPPPPPPPPPPPPPPPPPPPPPPPPP!!!!!!!!!!!!!!
Title: Re: Site is being hacked as we speak
Post by: margarett on November 17, 2013, 01:58:01 PM
Now that is a good support request, isn't it? :P

Honestly, do you think we can do anything to help you with the topic you created?
...
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 17, 2013, 01:59:32 PM
1) How do you know it is being hacked?

2) If it is being hacked, modify Settings.php, where it says $maintenance = 0 and change that to $maintenance = 2; which will lock down the forum, followed by setting all the files' permissions to 000 to prevent them even being read by Apache.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:02:55 PM
Sorry I AM FRANTIC..lol

They took over my admin account, removed my other admins, changed the name I had to "admin" and changed my password

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:04:03 PM
Working the setting file thing  now
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:07:36 PM
AWESOME. I now have a white page that says Maintenance In Progress. Please be patient Estimated Down Time 1-2 Hours


What can I do now?
Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 02:09:48 PM
Maybe you will find something here helpful.

http://wiki.simplemachines.org/smf/Hacking_-_I_think_I_have_been_hacked
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:10:42 PM
ok I will go through that and see if it helps me get this sorted. Thanks.
Title: Re: Site is being hacked as we speak
Post by: Kindred on November 17, 2013, 02:20:30 PM
you got that white screen with text because you put the forum into maintenance mode lockdown.

Did you set the file permissions? 

How do you know you were hacked?

Do you have any server logs (check with your host if you don't know what those are)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:30:50 PM
I thought they said it would change them all to 000 automatically

Because the person told me they were going to do it and that they already had my DB (not sure what they meant). They have taken over my account, changed not only my PW but the name, email, everything.

I can still get into CPanel. Is that where the log is you need?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:31:49 PM
Well that didn't work.. now I have this


http://patriotgames2.info/index.php?action=forum
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:35:27 PM
I will gladly give one of you my info if you can help me get this stopped
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 02:39:36 PM
If that was my site, I'd get onto my host PDQ. I'd also change all of my passwords and restore my latest backup.
Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 02:42:23 PM
I agree with K@.
You do have backups, correct?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:43:04 PM
I already sent them a ticket but they are a few hours ahead of me so I have no idea when they will even get back to me. I changed my cpanel password but if they can do that to the forum main page, doesn't that mean they already have it?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:43:15 PM
Yes I have backups
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:44:00 PM
It has been so long since I have restored one, I don't even know where to start.
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 02:45:56 PM
No point in even thinking about restoring, until you can stop them rehacking you.

Get onto your host, first.

When you get to the point of restoring, you can think about CPanel>Files>Backups and restoring. ;)
Title: Re: Site is being hacked as we speak
Post by: Kindred on November 17, 2013, 02:48:28 PM
Also, your Cpanel password and access should have nothing at all to do with your smf admin access....

unless you used the same username and password for both? (if so, naughty... don't do that)
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 02:48:57 PM

Who is your host?

Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 02:52:16 PM
Quote from: Krash. on November 17, 2013, 02:48:57 PM

Who is your host?



Maybe UNDERHOST.COM
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:52:42 PM
Yeah the passwords were the same on my admin account. To be honest, I didn't know that they could be different. I don't recall it ever asking me to use a different one.

How are they accessing my database if CPanel has nothing to do with it?  (I have no idea how all that works)

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:53:12 PM
Quote from: Krash. on November 17, 2013, 02:48:57 PM

Who is your host?



Underhost
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 02:55:44 PM
Change your host account password.

Change your main FTP password and delete all additional FTP users.

Change your database password.

Use phpmyadmin to access your database and delete all admins (id_group = 1).

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 02:59:13 PM
By host account password, do you mean my password for their website?

CPanel pw has been changed
FTP password has been changed

And I will do the last one now. 


EDIT: I was able to log into cpanel but  phpmyadmin is not wanting to load.  (just to update, still have not heard back from host yet)


EDIT: it finally loaded. Gotta find where to delete the admin accounts
Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 03:01:03 PM
Quote from: Krash. on November 17, 2013, 02:55:44 PM
Change your host account password.

Change your main FTP password and delete all additional FTP users.

Change your database password.

Use phpmyadmin to access your database and delete all admins (id_group = 1).



and never offer to gladly give out your info in a public forum, lol...

Quote from: Kimmie on November 17, 2013, 02:35:27 PM
I will gladly give one of you my info if you can help me get this stopped
Title: Re: Site is being hacked as we speak
Post by: Don Jajo on November 17, 2013, 03:02:24 PM
you must have an account in your host site, change the pwd of that account. That's the host pwd
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:02:27 PM
I would not have given it out here..lol. I would have pmd it ;)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:04:35 PM
Quote from: DON JAJO on November 17, 2013, 03:02:24 PM
you must have an account in your host site, change the pwd of that account. That's the host pwd

My confusion is coming from what you mean by "host site". Are you referring to their website where I log in if I need to submit a ticket etc?
Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 03:05:39 PM
Quote from: Kimmie on November 17, 2013, 03:02:27 PM
I would not have given it out here..lol. I would have pmd it ;)

I figured that and I should have said, never state in a public forum that you are willing to give out your info, via PM or what have you. ;)
Title: Re: Site is being hacked as we speak
Post by: ApplianceJunk on November 17, 2013, 03:06:30 PM
Quote from: Kimmie on November 17, 2013, 03:04:35 PM
Quote from: DON JAJO on November 17, 2013, 03:02:24 PM
you must have an account in your host site, change the pwd of that account. That's the host pwd

My confusion is coming from what you mean by "host site". Are you referring to their website where I log in if I need to submit a ticket etc?

How about you just change all your passwords. :)
Title: Re: Site is being hacked as we speak
Post by: Don Jajo on November 17, 2013, 03:09:16 PM
yea
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:09:45 PM
Seems like a plan, that. :)
Title: Re: Site is being hacked as we speak
Post by: Kindred on November 17, 2013, 03:11:21 PM
well, if they got into your hosting cpanel account, then they have access to all your files and all your databases

However, we need to be certain that we are talking about the same thing here...
When I say Cpanel -- I DO NOT mean the SMF admin screens. I mean your HOSTING LEVEL Control Panel.
SMF has no feature in it to directly access or edit the database....
That being said, if the hacker is half-way decent, once he got into your smf admin account, he could upload his own files which could allow him to do things... 

so, hence Arantor's suggestion to turn off all permissions to all files (chmod 000)

Seriously though... you really should be working with your host on this.



There is no need to DELETE all admins -- just delete their membership in the admin group
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:11:45 PM
"Use phpmyadmin to access your database and delete all admins (id_group = 1)."

There are only 2 1's which means he deleted 2 accounts - including the one I used. One of the 1's on here is my root account. I always used a different one in case things like this happened.

Before I do this, Are you telling me it is ok to delete my root account?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:13:16 PM
"When I say Cpanel -- I DO NOT mean the SMF admin screens. I mean your HOSTING LEVEL Control Panel."

This pw has been changed.

"so, hence Arantor's suggestion to turn off all permissions to all files (chmod 000)"

When I edited settings.php and changed the maintenance to 2, I was under the impression this was done automatically. What is the fastest way to get these all changed manually?
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:14:36 PM
If you delete ALL accounts, they'll be restored, when you restore your backed-up database.

Quickest way to CHMOD would be with an FTP client.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:16:29 PM
Quote from: K@ on November 17, 2013, 03:14:36 PM
If you delete ALL accounts, they'll be restored, when you restore your backed-up database.

Quickest way to CHMOD would be with an FTP client.


Ok I am in there.. do I just highlight everything right click and chmod? or do I have to do everything one by one? OR...lol.. do I just need to change certain files?


THANKS TO ALL OF YOU WHO ARE HELPING!!
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 03:18:17 PM
Quote from: Kimmie on November 17, 2013, 03:11:45 PM
Before I do this, Are you telling me it is ok to delete my root account?


People do it all the time.  When the forum is cleaned up you re-register then use phpmyadmin to change your id_group to '1'.  Or you can change all the id_group=1 to id_group=0. You don't know if the hacker is using your root admin account.



Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:20:00 PM
Quote from: Krash. on November 17, 2013, 03:18:17 PM
Quote from: Kimmie on November 17, 2013, 03:11:45 PM
Before I do this, Are you telling me it is ok to delete my root account?


People do it all the time.  When the forum is cleaned up you re-register then use phpmyadmin to change your id_group to '1'.  Or you can change all the id_group=1 to id_group=0. You don't know if the hacker is using your root admin account.






Thank you for that info!! I also deleted an account that had the ID Group 10. That is what his was showing as.


Update: Still waiting to hear back from my host.
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:22:28 PM
Quote from: Kimmie on November 17, 2013, 03:16:29 PM
do I just highlight everything right click and chmod? or do I have to do everything one by one? OR...lol.. do I just need to change certain files?

CHMOD the parent directory (Usually public_html) and set it to do all subdirectories/files, too.
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 03:23:44 PM

Have you changed the database password?

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:27:27 PM
Quote from: K@ on November 17, 2013, 03:22:28 PM
Quote from: Kimmie on November 17, 2013, 03:16:29 PM
do I just highlight everything right click and chmod? or do I have to do everything one by one? OR...lol.. do I just need to change certain files?

CHMOD the parent directory (Usually public_html) and set it to do all subdirectories/files, too.

Ok I don't see anywhere that I can tell it to do the subdirectories.

(http://i.imgur.com/r9xnVNa.png)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:28:43 PM
Quote from: Krash. on November 17, 2013, 03:23:44 PM

Have you changed the database password?



Isn't that the CPanel password? if so, yes. (too many friggin pw's to keep up with  lol)
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:28:54 PM
Is that Filezilla? IIRC (Which I may not be, coz it's been a while since I used it), it asks you, once you hit "OK".
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:31:02 PM
CuteFTPPro.

And it won't keep the changes. I click apply, then ok. Refresh and check and they are back at 750


The number of folders on that properties page keeps going up.
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 03:32:11 PM

The database password is just for the db.  If your friend had cpanel access or got a look at your Settings.php and has your db credentials, he can access it directly with external script.  Should be able to change it in the MySQL section of your cpanel.

Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:35:20 PM
Quote from: Kimmie on November 17, 2013, 03:31:02 PM
And it won't keep the changes. I click apply, then ok. Refresh and check and they are back at 750

One for your host, then. :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:41:12 PM
Quote from: Krash. on November 17, 2013, 03:32:11 PM

The database password is just for the db.  If your friend had cpanel access or got a look at your Settings.php and has your db credentials, he can access it directly with external script.  Should be able to change it in the MySQL section of your cpanel.




Ok this is done. 
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 03:43:07 PM

When did you last back up your forum files, or install a mod?

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:44:19 PM
Have not installed any mods for quite some time now. Last backup 11/14. Tried to do one last night but could not get one. Guess this is why  lol
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 03:46:33 PM
Three days ain't so bad. :)

If you're lucky, your host might have a more recent one.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 03:48:10 PM
Well most of the time I do one every night. I have been sick for the past 2 days  lol,


At this point is there anything else I need to do, or am I just basically waiting on my host at this point?
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 03:51:33 PM
I would just dump the whole forum, delete everything (and make sure it's gone), then upload the backup.  That should remove any code hacks, unless they were done prior to the backup and not used until today.  You can also do a clean install from the large upgrade package, then reinstall your mods and themes.  Remember to update the db password in Settings.php.

Edit:  Talking about the forum files, not the database.  Let's assume the db is ok for now.

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 04:01:44 PM
Quote from: Krash. on November 17, 2013, 03:51:33 PM

I would just dump the whole forum, delete everything (and make sure it's gone), then upload the backup.  That should remove any code hacks, unless they were done prior to the backup and not used until today.  You can also do a clean install from the large upgrade package, then reinstall your mods and themes.  Remember to update the db password in Settings.php.



Well I tried 3 different times last night to make a backup and each time I couldn't get it past about 8mb so I am hoping that is when they were in the middle of actually hacking in. They didn't start making any changes until about 10 min or so before I posted here. Had the nerve to post on my site and brag they were going to do it.  >:( And again, I apologize again for the way I started out.. I was freaking out.. it's my first hack (and hopefully the last) :/

What I will probably do is step away from my pc.. go make a pot of coffee and calm down for a few minutes. Then if I have not heard back from them by then, I will consider your option. Just a couple more quick questions

1. Dumping the whole forum: You mean delete the DB right? I haven't had to do this before so I want to make sure I get it right
2. I also have a public html backup. Should I delete that as well, and upload the backup?
3. When I get ready to import the backup through CPanel, will it let me upload that large of a file?

Are there any other files outside of the public html folder that they would have changed?

I would much rather prefer to restore vs using the large upgrade as it wipes out all my mods. I will if I have to though.

Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 04:11:05 PM

No, don't delete the database.  If you've changed all your passwords, you should be secure, unless your host has been hacked.  Restore the forum backup, update Settings.php so the forum reconnects to the existing database, and see what you have.  If you have a recent db backup, make sure it's in a safe place.

Title: Re: Site is being hacked as we speak
Post by: Arantor on November 17, 2013, 04:14:31 PM
Because there's no way the miscreants could have left a backdoor or anything in the code, right?

Unless you know for certain that there's no backdoor in the backup, assume it is compromised.
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 04:16:32 PM
Quote from: Krash. on November 17, 2013, 03:51:33 PM
That should remove any code hacks, unless they were done prior to the backup and not used until today.

No harm in trying while waiting for host support to respond.

Title: Re: Site is being hacked as we speak
Post by: Arantor on November 17, 2013, 04:21:58 PM
Believing yourself to be secure when you're wide open is the worst kind of security.

But you clearly got this one covered, don't need my help at all.
Title: Re: Site is being hacked as we speak
Post by: Sir Osis of Liver on November 17, 2013, 04:24:13 PM

<sigh>

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 04:26:26 PM
Quote from: Krash. on November 17, 2013, 04:11:05 PM

No, don't delete the database.  If you've changed all your passwords, you should be secure, unless your host has been hacked.  Restore the forum backup, update Settings.php so the forum reconnects to the existing database, and see what you have.  If you have a recent db backup, make sure it's in a safe place.


Ok sounds good. Only having to upload the backup sounds easy enough. I keep them all on one of my external drives so they should be pretty safe. I will wait an hour or two and see if I hear back from the host before I do anything else.

If I have any other problems or questions I will let you know.

Again, to everyone who helped out, THANKS!  :D
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 04:36:36 PM
Not sure if this will help anyone here, perhaps the developers can use this information. This is who hacked me.

https://www.facebook.com/klachnikove.tn
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 04:37:34 PM
Hmmm... If this had been my forum, I'd not be relying on the current database, myself. Particularly as you said, earlier:

Quote from: Kimmie on November 17, 2013, 02:30:50 PM
the person told me they were going to do it and that they already had my DB (not sure what they meant).

DB=Database. Seems they had it, for a while. They could've put heaven knows what, in there, and put it in place of the current one, perhaps?

He MIGHT not have left anything, there. But, he sure could have. If you want to risk being hacked and having to go through all this, again, risk it.

But, in your place, I have to confess that I wouldn't.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 04:44:17 PM
By the looks of their facebook page and some of their conversations on there, these are professionals. I will probably just wait until I hear back from my host before I proceed. I was able to capture the IP he was using at the time, and even though it is an Egypt IP which is where the site says they are, it could have been masked.

WHY do people do this? I am so frustrated right now.
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 04:50:17 PM
They're dumb enough to think it's cool.

Heaven knows why, though.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 05:00:33 PM
Anyone know what they did to put that video up there? I would like to at least try and get that off while I am waiting on my host
Title: Re: Site is being hacked as we speak
Post by: kat on November 17, 2013, 05:06:35 PM
I'd assume that he's messed around with the root index.php file.

Can't be certain, though.

Looks like he's using http://www.youtube.com/player_api That address might be in that file.

Seems it links to this:

http://www.youtube.com/watch?v=Hk9ovX5t7kI

You COULD try getting hold of YouTube, to report this... ;)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 06:01:57 PM
Just heard back from the host. The latest backup they have is from the 1st (UGHGGGGGG) but I am going to let them do it because they can do this A LOT faster than I can. Will keep you posted.

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 17, 2013, 06:07:13 PM
Quote from: K@ on November 17, 2013, 05:06:35 PM
I'd assume that he's messed around with the root index.php file.

Can't be certain, though.

Looks like he's using http://www.youtube.com/player_api That address might be in that file.

Seems it links to this:

http://www.youtube.com/watch?v=Hk9ovX5t7kI

You COULD try getting hold of YouTube, to report this... ;)


Video has been reported :)  LIKE 10 times now from several of my site members.
Title: Re: Site is being hacked as we speak
Post by: Kindred on November 17, 2013, 08:56:43 PM
Clean files are really the way to go here....
Title: Re: Site is being hacked as we speak
Post by: kat on November 18, 2013, 07:18:30 AM
Quote from: Kimmie on November 17, 2013, 06:07:13 PM
Video has been reported :)  LIKE 10 times now from several of my site members.

I like your style. :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 18, 2013, 10:45:08 AM
Quote from: K@ on November 18, 2013, 07:18:30 AM
Quote from: Kimmie on November 17, 2013, 06:07:13 PM
Video has been reported :)  LIKE 10 times now from several of my site members.

I like your style. :)

8) I am all for putting these people out of business who hack. I know they all cannot be taken down but every little bit helps. So far, that video has been reported 112 times from us, and their facebook page, about 100 times.


Site seems to be ok so far. I have even changed all my passwords again. I plan on doing that once a month. I also sent in a hack report to SMF. I hope they can figure out how it happened in case they need to put out a fix for the vulnerability. I love the SMF software and want to do my part in helping to keep it safe for everyone not just for my site. :)

Again, I want to thank ALL OF YOU who helped me out with this. You guys came to my rescue faster than I could have hoped and I appreciate that more than you know.


Marking as solved. Here's hoping I never have to go through this again, but if I do, I now know how to try and get it stopped fast and I have you all to thank for that!  ;D
Title: Re: Site is being hacked as we speak
Post by: kat on November 18, 2013, 10:49:15 AM
No sweat, mate. Most of us have been there, or thereabouts.

You might want to ask your host about how they got in, because they keep access logs and stuff, which should tell them.

If you have other admins, on your site, you might want to check if they may have leaked stuff.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 18, 2013, 10:52:42 AM
I only have one other admin, and I trust her with my life. We have known each other for about 12 years now.

My host is supposed to get back to me on what they find in terms of how it happened. Hopefully they can provide me with info that I can then, in turn, give back to the smf devs.

Title: Re: Site is being hacked as we speak
Post by: Kindred on November 18, 2013, 11:06:32 AM
remember -- your site is only as secure as the accounts and password you (and other admins) use.

If you use the same username/password combination across multiple sites -- and one of those other sites gets compromised -- then your site is now vulnerable.

You should always use different passwords between sites - and even between services on the same site (mySQL, cpanel, smf, ftp -- these should all be using different passwords)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 18, 2013, 11:09:19 AM
UPDATE TO ME TODAY FROM FACEBOOK::: You reported ‎كـــــــالاشـــــــنيكـــــــوف.TN‎ for harassment.

Status   This page was removed
Details   We reviewed the page you reported for harassment. Since it violated our Community Standards, we removed it. Thanks for your report. We let ‎كـــــــالاشـــــــنيكـــــــوف.TN‎ know that their page has been removed, but not who reported it. Facebook never discloses who submits a report.


Hell hath no fury like a woman scorned!!! (http://patriotgames2.info/Smileys/classic/PCBash.gif)


8) 8) 8) 8)
Title: Re: Site is being hacked as we speak
Post by: kat on November 18, 2013, 11:33:08 AM
Yay! (http://www.katzy.dsl.pipex.com/Smileys/c014.gif)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 18, 2013, 01:37:18 PM
Just got word that "Sinbad's" page has also been removed.


Today is a good day!


(no need to reply, just wanted to update)
Title: Re: Site is being hacked as we speak
Post by: kat on November 18, 2013, 02:38:12 PM
As you say, it's shaping-up to be a good day. After what happened, yesterday, I'd class that as a bit of a WoOt! :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:11:03 AM
I HAVE BEEN HACKED AGAIN BY THE SAME PERSON!!!!!!  They have not yet changed my main page, but I know for a fact it was them. They changed my email to the same one as before and they have changed both my password as well as removed my other admin's permissions in terms of being able to change passwords, but she still shows up as admin


Here is what my email shows as

(http://i299.photobucket.com/albums/mm294/patriotforce/profile2.jpg)

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:22:23 AM
Here is his post and it shows his IP address that he used

(http://i.imgur.com/mCRXSrT.png)


Link to google news about this jerkoff!!

http://news.google.com/newspapers?nid=1291&dat=19860331&id=YQtUAAAAIBAJ&sjid=kowDAAAAIBAJ&pg=4187,11416642
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 12:25:46 AM
Did your host ever come up with any information?

/me wonders if there is something deeper going on... like permissions not properly configured on files.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:36:44 AM
No. And I even talked to them as late as yesterday morning. There is a huge vulnerability somewhere and we gotta find it. I can't keep going through this. I have even changed all my pw's twice since the last time I talked to you folks here
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 12:39:07 AM
Did you put up clean files like we suggested?

Any themes that shouldn't be there?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:49:57 AM
I used a backup from almost 1 month prior to it happening before. All themes are the ones I have had. I threw my site into maintenance mode but CPanel will not let me import the backup. File is too big. I was told to use bigdump but I have never used it before. On this part here.. do I leave this as local host or do I change it to the server ip?

(http://i.imgur.com/z1dGFK7.png)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:57:03 AM
Sources Folder: Ajax.php
PublicHtml Folder: .config.php3


These files are showing as having been updated at 8pm tonight which was right after I was on the site last and is probably when he did it. Can you look at it and see if you see anything suspicious?

Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:57:36 AM
Had to put this one as sep reply
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 01:01:47 AM
Yes, both of those are suspicious files.

That tells me file permissions weren't set up properly allowing for files to be written to your website from somewhere else (ask your host, they should have logs)

But as we warned you, there was no guarantee the backup would be clean. It's entirely possible that the backup was already previously compromised somehow (e.g. bad file permissions)
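
Added example, not part of any post in this thread and not SMF's own tooling: one way to check a live web root (or a backup about to be restored) against a clean copy of the package, flagging files like the two named above. It assumes the clean tree is an extracted official package for the installed version; the function names, the extension list and the sample trees in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumption: extensions this host's web server may execute as PHP.
EXECUTABLE_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large attachments do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # never follow links out of the web root
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def audit(live_root, clean_root, since_epoch=None):
    """Return (findings, missing).

    findings: [(relative_path, [reasons])] for live files that are absent from
    the clean tree or whose content differs from it.
    missing:  clean-package files that no longer exist in the live tree.
    Settings.php and files patched by installed mods will legitimately differ
    and need a manual review rather than automatic deletion.
    """
    live, clean = manifest(live_root), manifest(clean_root)
    findings = []
    for rel, digest in sorted(live.items()):
        reasons = []
        if rel not in clean:
            reasons.append("not-in-clean-package")
        elif clean[rel] != digest:
            reasons.append("content-differs")
        p = Path(rel)
        if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.name.startswith("."):
            reasons.append("hidden-executable")
        # mtime is only an annotation: an intruder can reset it, hashes cannot
        # be faked that way.
        if reasons and since_epoch is not None:
            if os.path.getmtime(Path(live_root) / rel) >= since_epoch:
                reasons.append("recently-modified")
        if reasons:
            findings.append((rel, reasons))
    return findings, sorted(set(clean) - set(live))


def demo():
    """Audit constructed clean/live trees that mirror the thread's situation."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        package = {  # constructed stand-in for an extracted clean package
            "index.php": "<?php // forum entry point\n",
            "Sources/Load.php": "<?php // loader\n",
            "Themes/default/index.template.php": "<?php // theme\n",
        }
        for root in (clean, live):
            for rel, body in package.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        month_ago = time.time() - 30 * 86400
        for p in live.rglob("*"):
            if p.is_file():
                os.utime(p, (month_ago, month_ago))
        # Constructed changes: an altered index.php plus the two file names
        # reported in the thread (contents here are harmless placeholders).
        (live / "index.php").write_text("<?php // altered\n")
        (live / "Sources" / "Ajax.php").write_text("<?php // unknown\n")
        (live / ".config.php3").write_text("<?php // unknown\n")
        return audit(live, clean, since_epoch=time.time() - 86400)


if __name__ == "__main__":
    found, gone = demo()
    for rel, reasons in found:
        print(f"{rel}: {', '.join(reasons)}")
    print("missing from live tree:", gone)
```

Run against a backup before restoring it, the same comparison shows whether the backup already contains files that the clean package does not.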
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 01:14:22 AM
Yes but according to my host the files in the backup they used had not been modified in any way so I chose to leave it like that. Only problem with file permissions as I stated before is I have no control over those. I tried changing them then but the changes would not take.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 01:15:43 AM
If you can list for me what they are supposed to be, I can not only see if they can give me access to change them (every other host I have used I had that permission, with them I don't), but I can also see which ones need to be changed.
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 01:18:30 AM
Why do you not have control! This sounds like a recipe for disaster, and almost certainly contributed to being hacked.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 01:28:09 AM
I had it originally when I first put my site on this host 2 years ago. They since changed that but I plan on making them give those permissions back to me once they finally contact me. They are 5-6 hours ahead of me time wise so it will be a few hours before they even see my ticket.

I am currently trying to upload a backup via cpanel/backups option so hopefully this will work for now
Title: Re: Site is being hacked as we speak
Post by: Colin on November 30, 2013, 02:16:29 AM
Does this email address ring a bell?

[email protected]
Title: Re: Site is being hacked as we speak
Post by: Colin on November 30, 2013, 02:42:22 AM
Here is what he is seeing.

Now you have my attention. Anyone who wants to have a look at this little tool he is using

http://192.241.210.14/ajax.php

He likes to use the password: 484654
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 03:37:58 AM
Quote from: Colin on November 30, 2013, 02:16:29 AM
Does this email address ring a bell?

[email protected]


No I have never seen that one before


This has been sitting here for 2 hours now. Any idea how long this is supposed to take :/  (uploading backup using CPanel/backups/Restore)


(http://img6.imageshack.us/img6/2821/tq2y.png)
Title: Re: Site is being hacked as we speak
Post by: Colin on November 30, 2013, 03:42:20 AM
How big is your backup?
---------------------------

LOL this guy removed the credit for the person who actually built this web shell script. Go figure a hacker that won't credit a fellow hacker.

It looks like it is Web Shell by oRb that he is using.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 03:44:32 AM
gzipped its 84.1MB
Title: Re: Site is being hacked as we speak
Post by: Colin on November 30, 2013, 03:54:41 AM
No that should take only a couple of minutes. Try restarting that and trying it again.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 10:29:43 AM
Ended up falling asleep since it was so late. Let it sit all night and it didn't work. Going to try it again here in just a few minutes. Before I do that, I think I am going to use the large upgrade so I can have all new files but I want to make sure I do this right first. I am following this so I assume it is still accurate and up to date

http://wiki.simplemachines.org/smf/Upgrading#Extract_the_SMF_archive_and_upload_the_files_to_your_website


1. I need to delete publichtml folder.  ----- is there any other files I need to delete? If I have the large upgrade extracted on my pc I can go by that right?

2. Once those are deleted, I highlight all upgrade files and upload. This will put them in their respective places

3. CHmod files (if I can - still have not heard from host). using this to go by
http://wiki.simplemachines.org/smf/Chmod

4. Run upgrade tool (point my browser to it). Once complete tell it to remove those files


Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 10:37:28 AM
If your forum's on SMF v2.0.6, you've no need to do step four.

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Title: Re: Site is being hacked as we speak
Post by: Chalky on November 30, 2013, 10:38:14 AM
Quote from: Kimmie on November 30, 2013, 10:29:43 AM
1. I need to delete publichtml folder.  ----- is there any other files I need to delete? If I have the large upgrade extracted on my pc I can go by that right?

No, don't delete the public_html folder, just what's inside it.  Except Settings.php, Settings_bak.php, attachments folder and avatars folder.  Make sure those four things are backed up to your computer just in case there's an accident (making sure Filezilla is in binary mode, if that's the FTP tool you're using).


Quote
2. Once those are deleted, I highlight all upgrade files and upload. This will put them in their respective places

Everything inside the unzipped Large Upgrade thingy, yes, except the four things mentioned above.

Quote
4. Run upgrade tool (point my browser to it). Once complete tell it to remove those files

No, you're not actually upgrading, just replacing your compromised files with clean ones.  There is no need to copy Upgrade.php file to your server at all.  If you already did, just delete it, you're done  :)

This is the guide you need to be following  http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 10:54:13 AM
ok I will go by that page instead. Thanks :)

ok Here is my plan. Trying to upload backup for now. Not only will this give me the practice I need but it will get my forum back up for the time being. I figure since the host does not let me chmod, I have the time  lol

Then later tonight or first thing tomorrow I am going to wipe out forum files and upload upgrade. It means reinstalling mods, but I want to know that things are safe again and there is no telling where all he has that script.


Then I am going to rip my host a new a hole.

Then I will do a happy dance because hopefully my site will be back  lol

---------------------------------------------------

Backup upload has now been sitting here for about 10 minutes and shows the same as I posted above. I assume this should have already been finished? Going to let my other admin (yes, whom I trust), do it and see if she can get it done.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 11:00:54 AM
Quote from: ChalkCat on November 30, 2013, 10:38:14 AM
Quote from: Kimmie on November 30, 2013, 10:29:43 AM
1. I need to delete publichtml folder.  ----- is there any other files I need to delete? If I have the large upgrade extracted on my pc I can go by that right?

No, don't delete the public_html folder, just what's inside it.  Except Settings.php, Settings_bak.php, attachments folder and avatars folder.  Make sure those four things are backed up to your computer just in case there's an accident (making sure Filezilla is in binary mode, if that's the FTP tool you're using).


Quote
2. Once those are deleted, I highlight all upgrade files and upload. This will put them in their respective places

Everything inside the unzipped Large Upgrade thingy, yes, except the four things mentioned above.

Quote
4. Run upgrade tool (point my browser to it). Once complete tell it to remove those files

No, you're not actually upgrading, just replacing your compromised files with clean ones.  There is no need to copy Upgrade.php file to your server at all.  If you already did, just delete it, you're done  :)

This is the guide you need to be following  http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files

Sorry, did not see this before I made my post. Thanks for all the steps, newbies like me like steps :)

I can write this all down because I know I will need it again. :)

Getting ready to have my friend try and get the backup uploaded. Will keep you posted.
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 11:07:19 AM
I think you're going to have to be incredibly boring and backup everything, every evening, or something, for a while. Then, if that arsehole hacks you, again, you can restore from the previous day.

Your host SHOULD be your best help against this kinda thing, though. Maybe it's time to switch to a good host?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 11:14:33 AM
Well my norm is to back up every night and I almost always do. I have all current backups, however what I am doing now is going back to the 27th which is two days before this dude registered on my site. Not much was posted so it's no big loss. Not like it was last time UGH. I lost 18 days of posts with that one  lol

Friend is in the middle of working on upload. If this does not work, any suggestions on how I can get this done? I can't keep relying on host to do it.. they only backup twice a month it seems. (1st and middle). Using IE also if that helps you any.

Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 11:26:57 AM
The terms "Security" and "IE" don't often get mentioned, in the same phrase, usually. Unless the word "Crap" is there, too. ;)

There are two usual ways to backup/restore the actual files. One is via CPanel>Backups. The other, is just using FTP.

The advantage of FTP, is that it can be done "File-by-file", rather than the CPanel way of doing the whole thing in one hit, with an archive. With FTP, should one file upload timeout, you can just retry that file.

The problem, nowadays, is that most ISPs have really slow upload speeds. My download speed is 10MB/s, although I'm only supposed to get 8. But, my upload speed's often less than a quarter of that.

I wonder if it's worth you asking if they offer R1-soft backups, via CPanel? Mine does that and I have instant backups that are done every day. If my site gets screwed, I can restore one of those backups in seconds. They seem to keep months of them, too, which is brilliant!
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 11:32:06 AM
I know how to upload the forum files but how do I upload the database using FTP?
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 11:56:09 AM
You can't. :(

That's nowhere near as big as all the files, together, are, though. :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 11:59:07 AM
Quote from: K@ on November 30, 2013, 11:56:09 AM
You can't. :(

That's nowhere near as big as all the files, together, are, though. :)

Oh ok, I misunderstood. I was referring to another alternative of getting my DB uploaded and you must have thought I meant forum files.

Just thought about something. Right now I have my forum turned off  (maintenance set to 2). Could this be why I cannot get the backup uploaded? Well, it seems to upload, it just won't restore

Host finally got back to me.. working with them now
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 12:00:04 PM
Maintenance set to 0 is not turned off...
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:02:57 PM
Yeah I meant 2 I edited my post. that turns it off even to me. Could that be it?
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 12:11:16 PM
Nope. That won't affect it, one iota. :)

I can only think of two ways, without employing other software and I doubt those would improve things.

From phpmyadmin, use the "Import" function.

From CPanel>Files>Backups, use the "Restore" function.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 12:23:09 PM
Quote from: K@ on November 30, 2013, 12:11:16 PM
Nope. That won't affect it, one iota. :)

I can only think of two ways, without employing other software and I doubt those would improve things.

From phpmyadmin, use the "Import" function.

From CPanel>Files>Backups, use the "Restore" function.

Import Function: File is too large.. max is 50MB Mine is around 84
Restore option: Have tried about 25 times since last night and it gets to the restoring database, then nothing happens.

I had to do this once before but it was like 3+ years ago. I remember using a program that split the db file into parts and I uploaded those parts then I think I may have used File Manager in CPanel to extract them (not sure). Only problem is, I don't remember the program and I don't remember how/where I uploaded them to. Gonna have to think on this a bit. It may be my only hope at this point.


I reamed my host a good one for taking away my chmod permissions since I think it is probably safe to assume that is how they got in so easily --- so hopefully they will get that straight. I uploaded my backup for them to restore but I cannot keep relying on them to do it for me. I have got to be able to get this done myself. Otherwise I basically have zero control over my own site. :/
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 12:52:02 PM
It might be worth reaming your host about the database, too. Perhaps with the wrong end of a pineapple.

Admittedly, yours is quite big (oo-er, misssiz!). But, what's the point in having a restore function that's useless?

Maybe, if you ream them nicely, they might change that.

A quick "How the Hell am I supposed to restore a database, which I've backed-up, like a good girl should, if I can't restore the damned thing?" might do the trick. ;)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 01:40:12 PM
HAHA funny! :)

Finally heard back from them and they want to use their own backup since it would be faster.. and is fine with me since they have one for that date. Once I can get the site back up, my next step is to make them change my permissions so I can CHMOD again and I can get all that done. Then I am gonna go through changing pw's etc for now. Then I gotta hunker down and figure out a way to be able to upload my own backups because if I can't there is really no point in me even trying to fix all this mess any more. It will all be pretty pointless.

It will be interesting to see what their reason is for me not being able to upload the db. Since neither of us can do it, that tells me its on their end, not mine.


Sad part is, I have had this site for almost 6 years and it would be a shame to let it go with all the time and money I have put into it. That is my last resort though. I know I shouldn't let it stress me out since he isn't really doing any damage to my site.. I just don't know if I can keep doing this every friggin week  lol Now that he knows he can do it to me, he will be back
Title: Re: Site is being hacked as we speak
Post by: Arantor on November 30, 2013, 01:48:49 PM
Perhaps that means it's time to move hosts.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 02:12:57 PM
Quote from: Arantor Beeblebrox the First on November 30, 2013, 01:48:49 PM
Perhaps that means it's time to move hosts.

Perhaps. Other than this crap, I have had good luck with them. Barely any down time.




Just heard back from them.. "restore will be complete within 12 hours"

Yep, sure ok...... because I have all that time to sit here and wait. NOT! lol. I am willing to give them one shot at this to get it all straight. Mainly because I have had to change hosts before and not only is not fun, I will lose money. If they fail, they will lose a customer they have had for 2 years.
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 02:26:09 PM
I'd be curious to know how they respond to the size of your database...
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 03:11:32 PM
Quote from: K@ on November 30, 2013, 02:26:09 PM
I'd be curious to know how they respond to the size of your database...

Not sure what you mean
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 03:29:36 PM
If/when you ask them how you're supposed to be able to restore an 80meg database, if they limit it to 50meg.

I mean, the database is THE thing. Everything else can be rebuilt. That can't.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 03:42:35 PM
K I understand.


Off topic.. I keep getting this on "this" site. Perhaps someone needs to be alerted?

(http://i.imgur.com/wtylAMB.png)
Title: Re: Site is being hacked as we speak
Post by: kat on November 30, 2013, 03:49:32 PM
Yeah, the tech-heads did an upgrade, or something. It's a lot better than it was, but the poor server still stresses out, poor love. ;)

Ta, for passing that on, though. :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 04:55:58 PM
Welcome :)

I found the program I used way back when I did this once before. I had to use this one to split it because the settings I used to do my backup were wrong initially. There are 3 settings you have to make sure are unchecked or bigdump can't be used.  Back when I first started out an old acquaintance was helping me out and told me when I do backups the only thing I was supposed to change was to check the box labeled "Add DROP TABLE" so that is all I have ever done. Not even sure what it does  lol.

Settings that you have to turn off:

Add IF NOT EXISTS
Complete Inserts
Extended Inserts



SQL Dump Splitter is the program I used.
Title: Re: Site is being hacked as we speak
Post by: Bob Perry of Web Presence Consulting on November 30, 2013, 05:50:14 PM
Quote from: Kindred on November 17, 2013, 02:48:28 PM
Also, your Cpanel password and access should have nothing at all to do with your smf admin access....

unless you used the same username and password for both? (if so, naughty... don't do that)

I'd change my FTP and database passwords too...
Title: Re: Site is being hacked as we speak
Post by: Kimmie on November 30, 2013, 06:55:56 PM
Quote from: Bob Perry on November 30, 2013, 05:50:14 PM
Quote from: Kindred on November 17, 2013, 02:48:28 PM
Also, your Cpanel password and access should have nothing at all to do with your smf admin access....

unless you used the same username and password for both? (if so, naughty... don't do that)

I'd change my FTP and database passwords too...

Yes whenever they have to restore my db for me, they always make cpanel and ftp passwords the same but I go back and change one of them


Right now I am having an argument with them. They are refusing to give me back permissions so I can chmod.. and they cannot grasp WHY I need those permissions. GRR!
Title: Re: Site is being hacked as we speak
Post by: busterone on November 30, 2013, 09:25:52 PM
mmm, Any host worth a grain of salt would understand that.  I would be looking for a new host. It already sounds like they have serious security issues in the first place.
Title: Re: Site is being hacked as we speak
Post by: Bob Perry of Web Presence Consulting on November 30, 2013, 09:38:12 PM
Quote from: busterone on November 30, 2013, 09:25:52 PM
mmm, Any host worth a grain of salt would understand that.  I would be looking for a new host. It already sounds like they have serious security issues in the first place.

The host that I use is quite good, started with them many years ago and rarely have difficulties of any kind and their customer support 24/7 has always been excellent when an issue does come up...

https://mya.securepaynet.net/default.aspx?prog_id=domainspricedright
Title: Re: Site is being hacked as we speak
Post by: Chalky on November 30, 2013, 10:00:15 PM
Bob, you do know Domains Priced Right is another operating name of GoDaddy??
Title: Re: Site is being hacked as we speak
Post by: Bob Perry of Web Presence Consulting on November 30, 2013, 10:21:29 PM
Quote from: ChalkCat on November 30, 2013, 10:00:15 PM
Bob, you do know Domains Priced Right is another operating name of GoDaddy??

Makes little difference, I stand by them wholeheartedly, until I encounter issues which warrant otherwise moving, I have no complaints at all... at that url and the ensuing 24/7 help number, you always speak to a live tech one on one...

Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 01, 2013, 08:50:59 AM
I would never use GoDaddy or any  host associated with them.  That pretty much solves that debate ')


It has been 18 hours and they still do not have my site back up. I have decided to try and get this done myself. What I need to know is, those two files I uploaded.. ajax.php and configphp3 -- someone here already confirmed they were suspicious files. Do I need to delete those?
Title: Re: Site is being hacked as we speak
Post by: busterone on December 01, 2013, 09:30:11 AM
Unless they came with a particular mod that I am unaware of, then neither of those 2 files are part of SMF and should be eliminated.
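
As an added example (not part of the post above and not SMF's own tooling), one way to list files that are not part of the clean archive is to hash the live webroot against an extracted copy of the same SMF version. The helper names and the sample trees are constructed for illustration; only Settings.php, Settings_bak.php, attachments, avatars, ajax.php and ipntreas.php are names taken from this thread.

```python
import hashlib
import os
import tempfile

# Site-specific items the thread says to keep when replacing files. They are
# not in the clean archive, so they are reported separately for manual review.
SITE_SPECIFIC = ("Settings.php", "Settings_bak.php", "attachments/", "avatars/")


def _tree_hashes(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[rel] = digest.hexdigest()
    return hashes


def _is_site_specific(rel):
    return any(
        rel == item or (item.endswith("/") and rel.startswith(item))
        for item in SITE_SPECIFIC
    )


def compare_to_clean(webroot, clean_root):
    """Compare the live webroot with an extracted clean archive.

    extra    -- present on the site, absent from the archive (dropped files,
                but also files installed by mods, so review before deleting)
    modified -- present in both, content differs (injected code or mod edits)
    missing  -- in the archive, absent from the site
    """
    live, clean = _tree_hashes(webroot), _tree_hashes(clean_root)
    report = {"extra": [], "modified": [], "missing": [], "site_specific": []}
    for rel in sorted(live):
        if _is_site_specific(rel):
            report["site_specific"].append(rel)
        elif rel not in clean:
            report["extra"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(
        rel for rel in clean if rel not in live and not _is_site_specific(rel)
    )
    return report


def _write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo_compare():
    """Run the comparison on two constructed trees and return the report."""
    clean_files = {
        "index.php": b"<?php // constructed clean index\n",
        "Sources/Subs.php": b"<?php // constructed clean Subs\n",
        "Sources/Load.php": b"<?php // constructed clean Load\n",
    }
    live_files = {
        "index.php": clean_files["index.php"],
        # same file with constructed extra bytes appended
        "Sources/Subs.php": clean_files["Sources/Subs.php"] + b"// appended\n",
        "ajax.php": b"<?php // constructed placeholder for a dropped file\n",
        "ipntreas.php": b"<?php // constructed placeholder for a mod file\n",
        "Settings.php": b"<?php // constructed site settings\n",
        "attachments/1_constructed": b"constructed attachment bytes",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        _write_tree(clean, clean_files)
        _write_tree(live, live_files)
        return compare_to_clean(live, clean)


if __name__ == "__main__":
    for category, paths in demo_compare().items():
        print(f"{category}: {paths}")
```

Files kept across the replacement (Settings.php, attachments, avatars) are outside this comparison, so they still need to be read by hand.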
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 01, 2013, 09:46:52 AM
They finally got my site back up, but now I have FTP issues (well they have been ongoing)  as I posted here http://www.simplemachines.org/community/index.php?topic=515145.0   - since it didn't have anything to do with this issue, I started a new thread.. hope that was ok.


CuteFTP told me it is happening because the host has denied my IP root access.. and the host says they haven't. I also found out that my CHMOD permissions got changed when they had a ddos attack a few months back (they changed everyone's), and that is also the same time I lost FTP access.

Title: Re: Site is being hacked as we speak
Post by: kat on December 01, 2013, 10:35:42 AM
Your host seems to be confused and, as a result, confusing.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 01, 2013, 06:15:42 PM
Quote from: K@ on December 01, 2013, 10:35:42 AM
Your host seems to be confused and, as a result, confusing.

Totally agree with that statement LOL.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 11:35:01 AM
I have been hacked AGAIN!!!! This is the 3rd time since November.

When I got to my site it appears all they have done is changed where the main url routes to. Does anyone know where they would have changed this at?
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 11:36:56 AM
You need to talk to your host ASAP and determine HOW they are getting in.

They probably installed a redirect in the root directory.....  unless they were able to get into your hosting account, in which case they could have changed the DNS entries.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 11:43:42 AM
Oh I have already ripped my host a new a hole.. but since they are 6 hours ahead of me, no idea when they will respond.

This is my root directory do you see anything out of the ordinary?

(http://img703.imageshack.us/img703/2084/8biu.png)
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 11:46:21 AM
your webroot (public_html)

and- with any decent host, 6 hours ahead or not should not matter.
My host is staffed 24 hours a day and answers any support ticket within 5 minutes - without fail.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 11:50:33 AM
Ok sorry  (2 images)  - I looked at the "modified" dates on all these and none of them are last night and is when it happened because my site was fine around 3am this morning.



(http://img843.imageshack.us/img843/1562/mjc3.png)


(http://i.imgur.com/JLXYc9H.png)
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 11:56:35 AM
I don't see anything with that file list... but it could be in a bunch of different places, including index.template.php or a block in your portal, if they got into your admin account.

or the htaccess?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:03:17 PM
Yeah I looked at htaccess and thought it looked really weird and was going to be the next thing I had you look at ;)

(http://i.imgur.com/US9M23s.png)
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 12:05:43 PM
from this, I assume that your site is patriotgames2.info?

if so, I don't see anything wrong with that file
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:06:12 PM
yes - I have it in main mode now, but I can turn that off so you can see what they did
Title: Re: Site is being hacked as we speak
Post by: kat on December 26, 2013, 12:08:18 PM
I wonder...

ipntreas.php makes me think there's a FlashChat installation, on-site.

Just how secure is that thing?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:08:28 PM
ok I turned the site back on... go check it out
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:09:44 PM
Quote from: K@ on December 26, 2013, 12:08:18 PM
I wonder...

ipntreas.php makes me think there's a FlashChat installation, on-site.

Just how secure is that thing?

The date on that file is 5/16/2013. Not sure what it is.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:10:43 PM
Its legit...Its from my treasury mod

(http://img577.imageshack.us/img577/2269/nfen.png)
Title: Re: Site is being hacked as we speak
Post by: kat on December 26, 2013, 12:11:59 PM
Dunno if this is a clue... But, that image is here:

http://img02.arabsh.com/uploads/image/2013/12/26/0c32434b62fb0c.jpg
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 12:18:45 PM
<div class="sp_content_padding">
<a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1"><img src="http://patriotgames2.info/avatars/Various/misc11.gif" alt="kjb0007" width="30" class="sp_float_right" /></a>
<div class="middletext">December 22, 2013, 12:32:44 PM by <a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1" style="color: #99CCFF;">kjb0007</a><br />Views: 44 | Comments: 8</div>
<div class="post"><hr /><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head></div>


that seems to be causing part of your issue.
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 12:23:10 PM
looks like something was added to the end of index.php or index.template.php
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:24:24 PM
Quote from: Illori on December 26, 2013, 12:18:45 PM
<div class="sp_content_padding">
<a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1"><img src="http://patriotgames2.info/avatars/Various/misc11.gif" alt="kjb0007" width="30" class="sp_float_right" /></a>
<div class="middletext">December 22, 2013, 12:32:44 PM by <a href="http://patriotgames2.info/index.php?PHPSESSID=513ae9ad34237af91233a17f9ffd8530&amp;action=profile;u=1" style="color: #99CCFF;">kjb0007</a><br />Views: 44 | Comments: 8</div>
<div class="post"><hr /><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head></div>


that seems to be causing part of your issue.


That is the av I use on the site  (kjb is me)

(http://i.imgur.com/3lWs1vH.png)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:26:34 PM
Quote from: Kindred on December 26, 2013, 12:23:10 PM
looks like something was added to the end of index.php or index.template.php

Index.php from inside root is attached
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 12:29:56 PM
so.. not there...

Rather than throwing out suggestions, one by one, your host really needs to do a SERVER scan for matching strings and recently added files --- as well as look at the server logs from 3AM onward.
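
The scan suggested in the post above can be sketched as follows. This is an added example, not part of the post and not a tool the host or SMF provides. The function names, the suffix list and the sample tree are constructed; the indicator string is the stylesheet host quoted earlier in this thread, and the cutoff stands in for whatever time window the logs point to.

```python
import os
import stat
import tempfile
from datetime import datetime

# Indicator taken from the markup quoted in this thread; add your own strings.
INDICATORS = (b"getpremiumminecraft.com",)
TEXT_SUFFIXES = (".php", ".htm", ".html", ".js", ".css", ".htaccess")
MAX_READ = 5 * 1024 * 1024  # skip very large files instead of reading them whole


def scan_webroot(root, cutoff, indicators=INDICATORS, use_ctime=True):
    """Walk `root` and return (recent, matches).

    recent  -- sorted relative paths changed at or after `cutoff` (epoch seconds)
    matches -- sorted (relative path, indicator) pairs found in text-like files

    mtime can be set to any value by whoever wrote the file, so by default the
    inode change time (st_ctime on Unix) is checked as well.
    """
    recent, matches = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; a real run would log this
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            changed = max(st.st_mtime, st.st_ctime) if use_ctime else st.st_mtime
            if changed >= cutoff:
                recent.append(rel)
            if name.lower().endswith(TEXT_SUFFIXES) and st.st_size <= MAX_READ:
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue
                for indicator in indicators:
                    if indicator in data:
                        matches.append((rel, indicator.decode()))
    return sorted(recent), sorted(matches)


def build_constructed_webroot(root):
    """Constructed tree: two clean files, one dropped file, one injected template."""
    old = datetime(2013, 11, 1, 12, 0).timestamp()
    dropped = datetime(2013, 11, 29, 20, 0).timestamp()
    samples = {
        "index.php": (b"<?php // constructed clean file\n", old),
        "Sources/Load.php": (b"<?php // constructed clean file\n", old),
        "ajax.php": (b"<?php // constructed placeholder for a dropped file\n", dropped),
        # mtime deliberately set back so the file looks untouched
        "Themes/default/index.template.php": (
            b"<link href=http://getpremiumminecraft.com/x.css rel=stylesheet>\n",
            old,
        ),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def demo_scan():
    """Scan the constructed tree twice: by mtime only, then by mtime or ctime."""
    cutoff = datetime(2013, 11, 29, 19, 0).timestamp()
    with tempfile.TemporaryDirectory() as root:
        build_constructed_webroot(root)
        by_mtime = scan_webroot(root, cutoff, use_ctime=False)
        by_ctime = scan_webroot(root, cutoff, use_ctime=True)
    return by_mtime, by_ctime


if __name__ == "__main__":
    (recent, matches), (recent_c, _) = demo_scan()
    print("changed by mtime:", recent)
    print("changed by mtime or ctime:", recent_c)
    print("indicator matches:", matches)
```

The mtime-only pass misses the template whose timestamp was set back; the string match and the ctime pass both still report it. After a restore from backup every ctime is the restore time, so the ctime pass is only useful on a tree that has not been rewritten since the incident.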
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:33:03 PM
Yeah I gave them the time frame it happened in and told them they had 12 hours to figure out what the heck happened and get it resolved or I was looking for a new host.

In the meantime.. I have a publichtml backup from Dec 1st. In layman's terms (hehe), give me the steps I need to do to rectify this on my end. What would "you"do?

Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 12:36:22 PM
if you look at http://patriotgames2.info/index.php?topic=85549.0 the code i posted above is in that topic in the first post it seems
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:42:27 PM
Quote from: Illori on December 26, 2013, 12:36:22 PM
if you look at http://patriotgames2.info/index.php?topic=85549.0 the code i posted above is in that topic in the first post it seems

Should I go into the DB and delete that thread?
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 12:45:53 PM
http://patriotgames2.info/index.php?action=post;msg=256089;topic=85549.0

see if that works to modify the post and remove the call to the css in the head tag
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:48:03 PM
Quote from: Illori on December 26, 2013, 12:45:53 PM
http://patriotgames2.info/index.php?action=post;msg=256089;topic=85549.0

see if that works to modify the post and remove the call to the css in the head tag



I am a semi-noobie.. what does that mean?  :/
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 12:50:24 PM
can you click the link? can you remove the content of the post that includes a <head> tag and the link to the css i quoted before?
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 12:53:07 PM
Quote from: Illori on December 26, 2013, 12:50:24 PM
can you click the link? can you remove the content of the post that includes a <head> tag and the link to the css i quoted before?


When I clicked the link you give me, all I see is that big purple image not the actual post itself so I cannot do any editing on that front.

In the DB when I edit that post, this is what I get. Is there something here I can change?

(http://i.imgur.com/GXgfjRz.png)
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 12:55:16 PM
that is editing the thread, not the message. you need to look for the messages table and look for message with id of 256089 you should see the code

<head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head>

somewhere in the message body, remove that and only that.
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 26, 2013, 01:02:24 PM
however, unless something is VERY wrong, posting html in a post like that should **NOT** have the effect that is having...
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 01:03:50 PM
Quote from: Kindred on December 26, 2013, 01:02:24 PM
however, unless something is VERY wrong, posting html in a post like that should **NOT** have the effect that is having...

well if you go to a page like the help page etc that does not load recent posts [via simple portal?] this page does not show up, so somehow someone got this content into this one post.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 01:16:23 PM
Quote from: Illori on December 26, 2013, 12:55:16 PM
that is editing the thread, not the message. you need to look for the messages table and look for message with id of 256089 you should see the code

<head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css &nbsp;type=text/css rel=stylesheet></head>

somewhere in the message body, remove that and only that.


Sorry had to step away from pc for a minute. Let me do that real quick and see what happens
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 01:22:47 PM
Ok I cleared that out of that post.
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 01:25:12 PM
that seemed to fix it on that thread. maybe simple portal has some cache somewhere?

the forum index has the code

<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=173.0" name="b173">Games - Patriot Force</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=173"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


somewhere.
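
The same markup turned up in a message body and then on the forum index, so rather than chasing it one page at a time, every stored text column can be searched in one pass. The following is an added example, not part of the post above and not SMF code. It assumes the default `smf_` table prefix and the SMF 2.0 column names `id_msg`/`body` and `id_board`/`description`, and it uses an in-memory SQLite database with constructed rows as a stand-in for the forum's MySQL database; the ids 256089, 173 and 293 and the injected string are the ones quoted in this thread.

```python
import re
import sqlite3

# (table, id column, text column): SMF 2.0 names with the default prefix (assumed).
TARGETS = (
    ("smf_messages", "id_msg", "body"),
    ("smf_boards", "id_board", "description"),
)

# Raw tags that can pull in or run remote content. <br /> is left out on
# purpose because stored post bodies contain it legitimately.
RISKY_TAG = re.compile(
    r"<\s*(head|link|script|iframe|style|meta|base|object|embed)\b", re.I
)
# The exact shape seen in this thread: a <head> block wrapping one <link>.
INJECTED_HEAD = re.compile(r"<head>\s*<link\b[^>]*>\s*</head>", re.I)


def find_injected_markup(conn, targets=TARGETS):
    """Return (table, row id, sorted tag names) for rows holding risky raw tags."""
    findings = []
    for table, id_col, text_col in targets:
        # Identifiers come from the constant above, never from user input.
        query = f"SELECT {id_col}, {text_col} FROM {table} ORDER BY {id_col}"
        for row_id, text in conn.execute(query).fetchall():
            tags = sorted({m.group(1).lower() for m in RISKY_TAG.finditer(text or "")})
            if tags:
                findings.append((table, row_id, tags))
    return findings


def remove_injected_head(conn, targets=TARGETS, dry_run=True):
    """Strip only the injected <head><link ...></head> block.

    Returns (table, row id, before, after) for each affected row. With
    dry_run=True nothing is written, so the pairs can be reviewed first.
    """
    changes = []
    for table, id_col, text_col in targets:
        query = f"SELECT {id_col}, {text_col} FROM {table} ORDER BY {id_col}"
        for row_id, text in conn.execute(query).fetchall():
            before = text or ""
            after = INJECTED_HEAD.sub("", before)
            if after != before:
                changes.append((table, row_id, before, after))
                if not dry_run:
                    conn.execute(
                        f"UPDATE {table} SET {text_col} = ? WHERE {id_col} = ?",
                        (after, row_id),
                    )
    if not dry_run:
        conn.commit()
    return changes


def build_constructed_db():
    """In-memory stand-in for the forum database, filled with constructed rows."""
    injected = (
        "<head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css"
        "  type=text/css rel=stylesheet></head>"
    )
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smf_messages (id_msg INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("CREATE TABLE smf_boards (id_board INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany(
        "INSERT INTO smf_messages VALUES (?, ?)",
        [
            (256088, "Welcome to game night!<br />See you Friday."),
            (256089, "New round starts today." + injected),
        ],
    )
    conn.executemany(
        "INSERT INTO smf_boards VALUES (?, ?)",
        [(172, "General chat"), (173, injected), (293, "Arcade scores" + injected)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_constructed_db()
    print("findings:", find_injected_markup(db))
    for table, row_id, _before, after in remove_injected_head(db, dry_run=True):
        print(f"would clean {table} #{row_id} -> {after!r}")
```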
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 01:35:29 PM
Quote from: Illori on December 26, 2013, 01:25:12 PM
that seemed to fix it on that thread. maybe simple portal has some cache somewhere?

the forum index has the code

<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=173.0" name="b173">Games - Patriot Force</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=173"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


somewhere.


Found it and deleted it (Board 173)
Title: Re: Site is being hacked as we speak
Post by: Illori on December 26, 2013, 01:37:25 PM
and

</td>
<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=293.0" name="b293">Games</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=293"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>
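
Added example, not part of any post in this thread: the same injected `<head><link ...>` markup turned up in one message and then in two board descriptions, so one pass over every row is quicker than finding them a page at a time. The sketch assumes rows exported as (table, id, text) from the messages and boards tables; the `smf_` prefix, the host names and the sample rows are constructed.

```python
import re
from urllib.parse import urlparse

# Tags that make a browser fetch a remote resource as soon as the page renders.
TAG_RE = re.compile(r"<\s*(link|script|iframe|object|embed)\b[^>]*>", re.I)
# href/src value: double-quoted, single-quoted, or unquoted (the form seen in the thread).
ATTR_RE = re.compile(r"""\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def external_loads(text, own_hosts):
    """Return (tag, url) pairs for tags that load from a host not in own_hosts."""
    hits = []
    for tag in TAG_RE.finditer(text):
        for m in ATTR_RE.finditer(tag.group(0)):
            url = next(g for g in m.groups() if g is not None)
            # Relative URLs have no hostname and stay on the forum's own host.
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:
                hits.append((tag.group(1).lower(), url))
    return hits


def scan_rows(rows, own_hosts):
    """rows: iterable of (table, row_id, text). Returns findings sorted by table, id."""
    findings = []
    for table, row_id, text in rows:
        for tag, url in external_loads(text or "", own_hosts):
            findings.append((table, row_id, tag, url))
    return sorted(findings)


# Constructed sample data: two injected rows, three clean ones.
SAMPLE_ROWS = [
    ("smf_messages", 101, "Welcome to the board!"),
    ("smf_messages", 102,
     "hi <head><link href=http://injected.example/f/x.css type=text/css rel=stylesheet></head>"),
    ("smf_boards", 7,
     '<p><head><link href="http://injected.example/f/x.css" rel=stylesheet></head></p>'),
    ("smf_boards", 8,
     '<img src="http://forum.example/Themes/default/images/auto-index.png" />'),
    ("smf_messages", 103, "<script src='//forum.example/js/ok.js'></script>"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, {"forum.example"}):
        print(finding)
```

Each finding names the table and row id to edit by hand, so only the injected tag is removed and the rest of the text is left alone.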
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 01:39:45 PM
Quote from: Illori on December 26, 2013, 01:37:25 PM
and

</td>
<td class="info">
<a class="subject" href="http://patriotgames2.info/index.php?board=293.0" name="b293">Games</a>&nbsp;<a href="http://patriotgames2.info/index.php?action=autoindex;sa=board;id=293"><img width="20" height="20" style="vertical-align:middle" src="http://patriotgames2.info/Themes/default/images/auto-index.png" alt="Automatic Index" title="Automatic Index" /></a>

<p><head><link href=http://getpremiumminecraft.com/font/sa3ek/InG.css  type=text/css rel=stylesheet></head></p>


Done
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 01:43:47 PM
Not sure at what point we got it, but that big purple image is gone now - no response from host yet so not sure if they did anything in terms of that.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 02:01:13 PM
Ok I have decided (without them even responding) that I am going to look for a new host after the holidays. What is the best way to ensure all my files are clean before I get them moved?

Title: Re: Site is being hacked as we speak
Post by: Storman™ on December 26, 2013, 02:10:40 PM
As previously advised in this topic:

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 02:12:40 PM
Quote from: Storman™ on December 26, 2013, 02:10:40 PM
As previously advised in this topic:

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files


That's just it. I can't make a backup until I know those files are clean.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 26, 2013, 02:14:10 PM
Quote from: Kimmie on December 26, 2013, 02:12:40 PM
Quote from: Storman™ on December 26, 2013, 02:10:40 PM
As previously advised in this topic:

http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files



That's just it. I can't make a backup until I know those files are clean.


I will have to skip the backup part.. and if something goes wrong, I can use one of my prev backups to do the move.
Title: Re: Site is being hacked as we speak
Post by: Storman™ on December 26, 2013, 04:10:05 PM
Suggest you reread it again properly  ::)

Concentrate on backing up your database. The only files you need to keep are the ones like attachments, any custom themes/graphics. etc. You'll be replacing all your other files from the package.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 07:47:05 AM
I finally got a response from my host and this is what it was. BE HONEST with me here... are they really this stupid or am I?


(http://i.imgur.com/pKaNDQe.png)


I am asking because I need to know how to respond to them. Basically they are "mostly" blaming you all for it and I need to know if I should have your back or not..lol. We pretty much figured out that the first 2 times I was hacked it was because they had the wrong permissions on the folders/files (they still refused to give back to me, the ability to change those settings but I made sure they changed them all for me) - so I am already leery about keeping them as my host.. however, it takes a lot of time and money to move and I also have to consider the fact that I have been with them for 2 years and have never had any real major issues with them until now. I went and looked at when I upgraded to 2.0.6 and it was on October 28th. I started getting hacked 2 weeks later so I have to also wonder if there indeed is a hole in that version somewhere.

Bottom line is, if I have to move, I need to know it is for the right reasons before I go through all this. If it is their fault and something they either refuse to fix, or are too dumb to know how to fix - that would be the right reasons because they are incompetent.
Title: Re: Site is being hacked as we speak
Post by: kat on December 27, 2013, 07:58:07 AM
Basically, if they can explain what they believe this "Hole" is, it'll benefit not just you, but every SMF user on the planet.

But, I have to say, I believe they're talking crap™.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 08:01:01 AM
Quote from: K@ on December 27, 2013, 07:58:07 AM
Basically, if they can explain what they believe this "Hole" is, it'll benefit not just you, but every SMF user on the planet.

But, I have to say, I believe they're talking crap™.

This is what I think too but I want to make sure. This is what I told them

"If that is true, most hosts should be able to tell me where this hole is and how they got in because if I can't tell SMF how it happened, how do you expect them to fix it? SMF does not have control over your server, you do. "
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 27, 2013, 08:02:18 AM
See, here's the deal.

1- There are currently no KNOWN vulnerabilities in SMF (if you were running 2.0.6).
2- Now, we know that you were running a bunch of mods...    Our customization team reviews every mod submitted to this site - but there may have been a vulnerability exposed in one of the mods that we don't know about.

Were you running ANYTHING else on your site, other than SMF?

3- ---  and this is the most important thing ---   The host should have been able to look at the logs (especially since you were able to narrow the time of the attack down to a few hours).  Those logs SHOULD have told them *EXACTLY* what vector the attackers used.  Now...  it might not tell them specifically how they used it... but the host should be able to tell you the time (to the second) and the first URL that the hacker used to gain the first access.


randomly blaming the software by saying "there is a hole in your SMF, somewhere" is either lazy or incompetent.
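
Added example, not from the thread or from SMF: one way to pull the "time (to the second) and the first URL" described above out of a web server access log. It assumes Apache combined log format in chronological order; the log lines and addresses are constructed, and `action=login2` and `action=admin` are SMF's login-submit and admin-panel URLs.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format; only the leading fields are needed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def ts(text):
    """Parse a log timestamp such as '17/Nov/2013:13:41:17 +0000'."""
    return datetime.strptime(text, TS_FMT)


def parse(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = ts(rec["ts"])
    return rec


def first_touch(lines, start, end, sensitive=("action=admin", "action=login2")):
    """For each client that POSTed to a sensitive URL inside [start, end],
    return {ip: (time of its first request in the window, that first URL)}."""
    first_seen, flagged = {}, set()
    for rec in filter(None, map(parse, lines)):
        if not (start <= rec["ts"] <= end):
            continue
        # Lines are chronological, so the first record kept is the earliest.
        first_seen.setdefault(rec["ip"], (rec["ts"], rec["url"]))
        if rec["method"] == "POST" and any(s in rec["url"] for s in sensitive):
            flagged.add(rec["ip"])
    return {ip: first_seen[ip] for ip in flagged}


# Constructed sample log (documentation address ranges, made-up requests).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2013:13:10:02 +0000] "GET /index.php?board=5.0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2013:13:41:17 +0000] "GET /index.php?action=login HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2013:13:41:30 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Nov/2013:13:42:05 +0000] "POST /index.php?action=admin HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    window = (ts("17/Nov/2013:13:00:00 +0000"), ts("17/Nov/2013:14:00:00 +0000"))
    for ip, (when, url) in first_touch(SAMPLE_LOG, *window).items():
        print(ip, when.isoformat(), url)
```

A legitimate admin session is flagged as well, so compare the returned addresses and times against your own logins.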
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 08:08:36 AM
Quote from: Kindred on December 27, 2013, 08:02:18 AM
See, here's the deal.

1- There are currently no KNOWN vulnerabilities in SMF (if you were running 2.0.6).
2- Now, we know that you were running a bunch of mods...    Our customization team reviews every mod submitted to this site - but there may have been a vulnerability exposed in one of the mods that we don't know about.

Were you running ANYTHING else on your site, other than SMF?

3- ---  and this is the most important thing ---   The host should have been able to look at the logs (especially since you were able to narrow the time of the attack down to a few hours).  Those logs SHOULD have told them *EXACTLY* what vector the attackers used.  Now...  it might not tell them specifically how they used it... but the host should be able to tell you the time (to the second) and the first URL that the hacker used to gain the first access.


randomly blaming the software by saying "there is a hole in your SMF, somewhere" is either lazy or incompetent.

As for running anything else on my site, nothing, outside of the mods you mentioned. They are listed below

(http://i.imgur.com/FQOAzLn.png)


Wanna know something scary? This particular tech person is in Canada. Home of "healthcare.gov" - and we all know how that one turned out LMAO
Title: Re: Site is being hacked as we speak
Post by: kat on December 27, 2013, 08:12:18 AM
I believe most of those mods have been around for yonks. I'd be very surprised if any of those are the problem.

Your host needs to either put-up, or shut up, it seems, to me. ;)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 08:16:09 AM
Yeah all those mods I have had installed since 2011 with the exception of the treasury mod. I installed it back in May of this year.
Title: Re: Site is being hacked as we speak
Post by: Illori on December 27, 2013, 08:16:25 AM
it seems to me that whoever hacked your forum either did it via a user account [that had admin access] or from the database, either way could be obtained by uploading files to your server and telling it to give them permissions or execute sql queries. so far you said no files were uploaded, so no real way to know what has happened. your host should be able to research the access logs to determine what is going on.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 08:43:57 AM
Quote from: Illori on December 27, 2013, 08:16:25 AM
it seems to me that whoever hacked your forum either did it via a user account [that had admin access] or from the database, either way could be obtained by uploading files to your server and telling it to give them permissions or execute sql queries. so far you said no files were uploaded, so no real way to know what has happened. your host should be able to research the access logs to determine what is going on.


The first two times my site was hacked (by the same group) they always announced their presence right before they did it so I knew who they were and removed those accounts and banned the info as soon as I had things back up and running. I also checked all accounts that registered right before and after them and as far as I could tell, those were ok. After that I also had around 7-8 people (I assume to be bots) register and post that dumb advertising stuff (cheap meds in Canada, etc) and all those accounts have been removed as well as the IPs banned.

And you know, now that I say that out loud, I remember looking at my htaccess file yesterday and there are no IPs listed there as being banned. And IP Deny Manager is telling me there are no IPs being blocked.

Man, this just keeps getting better..lol  (end sarcasm)
Title: Re: Site is being hacked as we speak
Post by: Illori on December 27, 2013, 08:49:11 AM
then maybe someone hacked your host's control panel... you should change your password and the password for any ftp accounts you may have [or better delete them]
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 09:01:30 AM
Delete those passwords? Or do you mean the FTP account? Not sure what you mean by that.

I have been changing those pw's once a week since the first time I was hacked and I use really long complex pw's (10-15 characters in length, using all sorts of different things). Perhaps I need to up it to 20.

I am paid up with this host through the 18th of Jan and I have already found a few prospective new hosts so for now, I am going to sit tight and see what kind of response I get from them today on this.

Off to work for now. Have a good day guys and thanks again for all the help/feedback. With each and every reply you make, I learn. :)
Title: Re: Site is being hacked as we speak
Post by: Illori on December 27, 2013, 09:05:41 AM
delete the ftp accounts if you don't change the passwords for them.

are you by chance writing down your password as you are changing it too often to remember?
Title: Re: Site is being hacked as we speak
Post by: Storman™ on December 27, 2013, 09:27:07 AM
I don't wish to be funny but we could surmise until the cows come home  ::)

There are a 1001 ways to hack a server if a vulnerability exists somewhere.

If SMF is installed correctly with the correct permissions AND it sits on a server where all the software is up to date AND correctly configured then generally there shouldn't be a problem. On a shared hosting account you only have control over the former so you rely on your host for the rest. Like Illori says, ensure you employ good practice with ALL passwords and ensure the permissions on your files are correct. The rest is down to your host.

Far too many hacks happen because a server is running on older deprecated software or the admins lack the knowledge to configure it correctly. Obviously your host isn't going to admit that to you but sadly it's all too often true.

If you do decide to stay with your host, maybe ask them to migrate you to a different node. It would give you partial peace of mind if a vulnerability exists on the current one. If they won't (or can't) do that then you don't have a competent or viable host.
Title: Re: Site is being hacked as we speak
Post by: Storman™ on December 27, 2013, 09:57:33 AM
Oh, and as another snippet of info for you, your host is running vBulletin 3.7.2 as their forum support software.

That version is from 2008 (yep 2008) and it has known vulnerabilities and exploits. In effect it hasn't been updated since it was built. So they don't even update the software that's running on their own website  ::)

In my mind that's sloppy and sums up their overall outlook.....

You decide....
Title: Re: Site is being hacked as we speak
Post by: Arantor on December 27, 2013, 10:13:12 AM
Yup, the current version of vBulletin 3.x is 3.8.7-pl2 if I'm not mistaken, but they're up to version 5 these days...
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 08:31:39 PM
Now they are blaming ME

"We are not blaiming your SMF software at all? You get us wrong june.. There a hole is in your account since you got hacked several time and restoring your account simply restore it with the hole still in there allowing the same "hacker" to continue."


And I have still not heard one word of HOW the attacks happened.

I have had it with these MORONS! I have found a new host and will be moving there as soon as my time is up on this one (the 18th).
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 27, 2013, 10:34:13 PM
"I'll go ahead and disabled your account, move it into a fresh one and scan it for you this isn't something we usually as we requires our client to maintain own "shared" account usually.""

Do these people not understand the fact that they had to hack them in order to hack me? How do I have any control over that? lol
Title: Re: Site is being hacked as we speak
Post by: kat on December 28, 2013, 05:06:31 AM
Quote from: Kimmie on December 27, 2013, 08:31:39 PM
I have found a new host and will be moving there as soon as my time is up on this one (the 18th)

Good plan. :)
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 28, 2013, 09:29:28 AM
Question: If they put me on a new server, wouldn't that change the nameservers I have tied to my domains?
Title: Re: Site is being hacked as we speak
Post by: Kindred on December 28, 2013, 09:44:59 AM
probably not... they (in theory) would control the actual name servers, so they would point their entries at your new server - allowing you to leave the DNS pointing to their generic name servers

Basically, the DNS normally handles the entry into their enclave and then they can redirect anywhere within the enclave from the entry point.
Title: Re: Site is being hacked as we speak
Post by: Kimmie on December 28, 2013, 09:43:48 PM
Quote from: Kindred on December 28, 2013, 09:44:59 AM
probably not... they (in theory) would control the actual name servers, so they would point their entries at your new server - allowing you to leave the DNS pointing to their generic name servers

Basically, the DNS normally handles the entry into their enclave and then they can redirect anywhere within the enclave from the entry point.


Ok thanks. So is there any way I can verify they actually moved me? They did suspend the site while they did whatever, but I just want to make sure that wasn't for show. I am still planning on moving to a new host on the 18th but that is 21 days away and I want to do whatever I can to make sure nothing else happens between now and then.
Title: Re: Site is being hacked as we speak
Post by: busterone on December 29, 2013, 01:49:11 AM
If you have already secured a new host, I would go ahead and move the site there regardless of how much time you have left at your current host. They sound like they are at best incompetent, at worst, well, I can't say what I would like to say here on a public forum.   :D
Title: Re: Site is being hacked as we speak
Post by: Storman™ on December 29, 2013, 08:16:53 AM
Quote
If you have already secured a new host, I would go ahead and move the site there regardless of how much time you have left at your current host.

+1