My forum has been hacked today. I'm using SMF 1.1.14. The front page (index.php) has been altered.
Here's the link to my forum http://4aeoc.net
Need help on how to overcome this problem in the future. Just upgrade to the latest smf version. How did they manage to exploit/hack the forum?
I have backup of my database. How do I reload it?
I'm afraid to log in using the admin account coz I'm afraid they put a sniffer or trojan horse on the forum to capture my password.
All help is highly appreciated. TQ.
Just found out all username accounts do not exist.
do you have any other php apps on your server?
Restoring a Database (http://wiki.simplemachines.org/smf/Restoring_a_MySQL_Database)
My webhosting server is using cpanel and has the phpmyadmin app.
Is there by any chance a way to recover my forum without loading the backup database?
you can ask your host to restore a backup. also let them know of the issue; sounds like someone else on your server got hacked and it let them get access to your files as well.
I think they only hacked through the forum database or a php exploit using a remote exploit. IMHO, I don't think they hacked through the webhosting server coz they didn't change any password or username of the webhosting server login.
they don't always change passwords
Quote from: futeball - June 25, 2011, 07:46:18 AM
I think they only hacked through the forum database or a php exploit using a remote exploit. IMHO, I don't think they hacked through the webhosting server coz they didn't change any password or username of the webhosting server login.
Most likely they exploited a weakness in your server's software. This allowed them to gain full access to all data on your server.
Talk with your webhost and ask to see the latest access logs.
Is it possible this is a security issue relating to the latest smf 1.1.14 version? Maybe the hackers have found a security vulnerability in smf 1.1.14.
I will try to check the server log if there is any intrusion on the server side. If no intrusion is detected, surely they hacked thru the smf forum using tools like a php exploit or avatar/attachment exploits (I googled it to get info on remote exploits on SMF).
those hacks have been fixed in prior patches. ask your host to look into it first.
Quote from: Illori - June 25, 2011, 08:03:30 AM
those hacks have been fixed in prior patches. ask your host to look into it first.
glad to hear that. will update soon on hosting logs.
thanks for the superfast reply. you guys did a good work here. :)
sad to hear that my webhosting doesn't keep the latest access logs.
just found out that only the username & realname of all user accounts have been changed by the hackers in the database.
the other database is untouched and safe.
Did they hack thru the folder permissions or remotely, directly to the mysql database connection? how do i prevent this exploit? any suggestion to patch it would be appreciated.
sounds like an issue with server security and not really an smf issue
they hacked thru php/sql and got the mysql password. then they entered the mysql server to alter the smf_members database.
i got some raw logs...
115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/default/script.js?fin11 HTTP/1.1" 200 13506 "http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/ClassRedTP1/chrome.js HTTP/1.1" 200 5038 "http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
any comment?
zonehmirrors.net is just a showcase where "hackers" display what they have done.
these accesses are not bad, they are just from the copy hosted over there.
this is not related to the real break-in.
Quote from: lorth - June 28, 2011, 01:22:30 PM
zonehmirrors.net is just a showcase where "hackers" display what they have done.
these accesses are not bad, they are just from the copy hosted over there.
this is not related to the real break-in.
I'll try to dig more on the access log.
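A way to sort the access log along the lines lorth describes, added here as example code that is not part of the thread: it parses Apache combined-format lines (the layout of the lines pasted above), separates hits that carry a Referer from the defacement mirror from everything else, and flags requests for PHP scripts outside the forum's usual entry points. The mirror host list, the third sample line and the list of expected entry points are assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache/cPanel "combined" access log format, the layout of the lines pasted above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Hosts that only mirror defacements; visits arriving from them are sightseers, not the intruder.
MIRROR_HOSTS = {"zonehmirrors.net"}

# Constructed sample: the two lines from the thread plus one made-up request with no referer.
SAMPLE_LOG = [
    '115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/default/script.js?fin11 HTTP/1.1" 200 13506 '
    '"http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"',
    '115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/ClassRedTP1/chrome.js HTTP/1.1" 200 5038 '
    '"http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"',
    '203.0.113.7 - - [24/Jun/2011:03:12:45 +0800] "POST /unknown_tool.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def referer_host(referer):
    """Hostname of the Referer field, lower-cased; empty for '-' or a blank field."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()

def triage(lines, mirror_hosts=MIRROR_HOSTS):
    """Split requests into traffic that arrived via a defacement mirror and everything else."""
    via_mirror, to_review = [], []
    for rec in filter(None, map(parse_line, lines)):
        bucket = via_mirror if referer_host(rec["referer"]) in mirror_hosts else to_review
        bucket.append(rec)
    return via_mirror, to_review

def unexpected_php(records, expected=("/index.php", "/SSI.php")):
    """Requests for PHP files outside the forum's usual entry points (assumed list) deserve a closer look."""
    def script(rec):
        return rec["path"].split("?", 1)[0]
    return [r for r in records if script(r).endswith(".php") and script(r) not in expected]
```

Run `triage(SAMPLE_LOG)` and then `unexpected_php` on the second list; the two mirror hits drop out and only the constructed POST remains for review.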
I set my forum under maintenance mode. When I changed the mysql password and saved it, I can't access my forum anymore.
Here are some screenshots of my forum.
did you change the password in settings.php?
if you changed your database password you must change it in settings.php as well.
Ok, found it. Try to edit it now....
Quote from: Illori - June 28, 2011, 01:45:27 PM
if you changed your database password you must change it in settings.php as well.
Tq Illori. the forum is back on track. although I have to revert back to last month's posts coz I forgot to make a backup of the database recently.
Thanks for the support and help.
Quote from: futeball - June 28, 2011, 01:53:33 PM
Quote from: Illori - June 28, 2011, 01:45:27 PM
if you changed your database password you must change it in settings.php as well.
Tq Illori. the forum is back on track. although I have to revert back to last month's posts coz I forgot to make a backup of the database recently.
Thanks for the support and help.
Glad to hear you got it going again!
I heard that CPanel had a few security issues years ago; I hope they have long since straightened that out.
One thing to check: Look in the root directory of your website for a file called "phpshell.php". It simply acts like a low-power file manager/reader. It gets around the common prohibition of the server coughing up the files in a directory if there is no index file.
Years ago when my host used CPanel, I found phpshell in the root directory of one of my sites. When I navigated directly to it, I found my entire site's files were open to the world, and I could add/change files without having file manager or FTP support. I removed it as soon as I found that. I had a couple of site features being hacked and misused until I found and removed it.
I frequently check my sites for unknown files. It is easy as I have them mirrored on my computer here at home so anything out of place like extra files sticks out. Of course, the files can be altered and it takes a bit more work to make sure they are as you intended.
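A small version of the check capitalw describes (compare the live site against a known-good local mirror), added here as example code that is not part of the thread: it hashes every file in both trees and reports files that exist only on the server, files that vanished, and files whose content changed. Settings.php is skipped because the database password in it legitimately differs between copies; the demo trees, file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large attachments do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file under root (relative path, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p) for p in root.rglob("*") if p.is_file()}

def compare_trees(known_good, deployed, ignore=("Settings.php",)):
    """Diff a clean mirror against the live site; Settings.php legitimately differs (DB password), so it is skipped."""
    good = {k: v for k, v in snapshot(known_good).items() if k not in ignore}
    live = {k: v for k, v in snapshot(deployed).items() if k not in ignore}
    return {
        "extra": sorted(set(live) - set(good)),       # files the mirror never had, e.g. a dropped phpshell.php
        "missing": sorted(set(good) - set(live)),
        "modified": sorted(k for k in good.keys() & live.keys() if good[k] != live[k]),
    }

def build_demo():
    """Constructed sample: a clean mirror and a live copy with index.php altered, one file added, one removed."""
    base = Path(tempfile.mkdtemp())
    mirror, site = base / "mirror", base / "site"
    for root, db_pw in ((mirror, "local-placeholder"), (site, "live-placeholder")):
        (root / "Themes" / "default").mkdir(parents=True)
        (root / "index.php").write_text("<?php // SMF front page\n")
        (root / "Themes" / "default" / "script.js").write_text("// theme script\n")
        (root / "Settings.php").write_text(f"<?php $db_passwd = '{db_pw}';\n")
    (site / "index.php").write_text("<?php // SMF front page\n<!-- defaced -->\n")
    (site / "phpshell.php").write_text("<?php // file the mirror does not know about\n")
    (site / "Themes" / "default" / "script.js").unlink()
    return mirror, site

if __name__ == "__main__":
    mirror, site = build_demo()
    for kind, paths in compare_trees(mirror, site).items():
        print(f"{kind}: {paths}")
```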
thanks for the tips capitalw