My site was hacked twice this day

real1 · March 25, 2010, 12:51:48 PM

Hi i have this website with smf forum:

http://aikidoportugal.net/forum/

Yesterday it got hacked, so i checked all different files in the /forum folder, and updated to 2.0 rc3 version hopping it will be safe for good. So today i get to work, and checked my forum and there it was again. If you check my link you'll see who it is.

What do you advise me, what more can i delete or can i block all ips from that country, if so what is the best way to do it and how? Please.

Is there any security mod, or ban country module or something? Is it possible that he left some files i dont know, and defaced again, because he sent bogus files to my forum root, wich i deleted.

Once again thank you very much for your help.

Kays · March 25, 2010, 01:02:24 PM

Hi, just deleting files won't stop him/her. You need to figure out how access is being gained and to stop that.

Please read and follow all suggestion. Also ensure that any others with admin access do the same.

How do I make my forum safer against hacker attacks?

Jakob Fel · March 25, 2010, 01:10:49 PM

Wow, when I went to your site, it said *****..! Weird.

Kays · March 25, 2010, 01:21:28 PM

It's not a good idea to post that name. They use the Google hits on their name to get an indication of success and for bragging rights.

real1 · March 25, 2010, 01:29:58 PM

Hi, Kays, ill try that later at home. Thanks. If someone has any other ideas, they are welcome. And do delete his name, thats why i didnt posted.

Kays · March 25, 2010, 01:34:42 PM

I removed the name and good luck with this.

Bloodsurfer · March 25, 2010, 02:24:08 PM

FYI: ATM the site is defaced again.

Is this only webhosting or a real server? If it is a server, you should delete and completely reinstall it from scratch, not only delete "bad" files.

Even if it is only a hosted webspace - best is to make a database dump, delete _all_ files, set up a fresh forum with the old database, then change _all_ passwords.

Jakob Fel · March 25, 2010, 03:15:42 PM

Quote from: Kays on March 25, 2010, 01:21:28 PM
It's not a good idea to post that name. They use the Google hits on their name to get an indication of success and for bragging rights.

I have no clue what you mean.

Kays · March 25, 2010, 03:31:24 PM

Hackers rate how successful they are by counting the Google hits on their signature, which they leave on a hacked page. By posting that, you've possibly added another hit to someone's tally.

So it's good practice not to post something like that.

tumbleweed · March 25, 2010, 03:32:22 PM

The op needs to look for some shell (c99.php) scripts in his webspace. If he does not find any it is possible that the server itself has been compromised and contact your host if you are on shared hosting. And really its hard to tell what is going on with the OP maybe he is running outdated programs of another sorts.

What the defacers do is goggle there name and it brings up all the sites they have defaced. Then they head over to there hacking forum and brag to there friends how many sites they have hacked.

Jakob Fel · March 25, 2010, 03:54:04 PM

Oh okay.

tumbleweed · March 25, 2010, 03:57:50 PM

When I get back home. I will post up a cool site that keeps track of defacers like this one.

Frank

Road Rash Jr. · March 30, 2010, 12:53:00 AM

Quote from: tumbleweed on March 25, 2010, 03:57:50 PM
When I get back home. I will post up a cool site that keeps track of defacers like this one.

Frank

Hey Frank did you find that link?

tumbleweed · March 30, 2010, 12:56:04 AM

Here ya go:
http://www.zone-h.org/

Frank

Norv · April 04, 2010, 07:39:49 PM

hello, was this problem solved or do you require more assistance with this?

flapjack · April 04, 2010, 08:57:19 PM

hi OP, can you please let us know what sort of ftp software you are using?

News:

My site was hacked twice this day