SMF/Joomla site possibly hacked

Started by rsmini, July 03, 2010, 04:18:29 PM

Previous topic - Next topic

rsmini

Split from Forum got Hacked Need some advice please.

I am thinking along the same lines as my forum has just gone down. Perhaps a fresh install might be a way around it. this is showing at the moment

QuoteWarning: main(/content/BusinessHostPlus/b/r/mydomain/web/smf/Settings.php) [function.main]: failed to open stream: No such file or directory in /content/BusinessHostPlus/b/r/mydomain/web/smf/index.php  on line 51

Fatal error: main() [function.require]: Failed opening required '/content/BusinessHostPlus/b/r/mydomain/web/smf/Settings.php' (include_path='.:/usr/local/lib/php') in /content/BusinessHostPlus/b/r/mydomain/web/smf/index.php on line 51

Strangly my joomla site is showing a 403 access denied message. The two are link by a 'bridge' My host is struggling to find the problem.

Would a fresh install of the forum and deleting the bridge be worth doing. If so what would be the best way to do this so I can use the current db. I presume this would install my boards and threads plus members. So members would not really notice the change.
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Before you do that, check your Settings.php file. It might be corrupted. If it is, make a copy of the file Settings_bak.php and rename that copy Settings.php.
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

Will do as soon as I can thank you.. And sorry for hijacking the thread, but I thought it sounded a similar problem. If I have been hacked and they managed to change the theme therefore installing a roque .png image. Would this enable them to get to the joomla site via the bridge we have installed?
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

What versions were you using then?
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

The forum is 1.1.11 and joomla is 1.0.x (if I remember right) I am in the process of migrating to joomla 1. 5 then this happens :(
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

rsmini

#5
Just noticed I dont have a settings.php or settings_bak.php installed. I will just reinstall them and see what happens

Reinstalled via a clean download of 1.1.11 the index page now shows this
Quote
Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Was your Jooma site up to date? Are you sure it's SMF they hacked? Make sure no scripts were placed on your server to create an entrance!

The errormessage either means the databaseinformation stored in Settings.php is incorrect or there is a problem with your server.
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

Thats where it gets confusing, we have no idea if we have been hacked or not. We are working on moving the joomla site to the latest 1.5 version. The host is also totally confused. We have asked them to restore the site back to 3 days previous to the problem. They are having problems with that as they say a big chunk of the site is missing and something is blocking the site from showing in browsers. The site and forum both stopped working at the same time. As far as I can tell looking at the site through ftp everything is in place

Hopefully we will be back soon as we get a million visits a month. would this be better in a thread of its own?
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Quote from: rsmini on July 03, 2010, 06:18:52 PM
Thats where it gets confusing, we have no idea if we have been hacked or not. We are working on moving the joomla site to the latest 1.5 version. The host is also totally confused. We have asked them to restore the site back to 3 days previous to the problem. They are having problems with that as they say a big chunk of the site is missing and something is blocking the site from showing in browsers. The site and forum both stopped working at the same time. As far as I can tell looking at the site through ftp everything is in place

What bridge were you using? Did you check your database info for SMF?

For the 403 error, check the filepermissions for index.php in your root. It should probably be set to 644.

Quote from: rsmini on July 03, 2010, 06:18:52 PM
..would this be better in a thread of its own?

Nah, took care of that  ;) I'm even tempted to move this to the Joomla board, but I'll see where this goes first.
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

I don't want to too much today other than check things as I have a guy at the host working today (Sunday) and he is going to have a good look for me and see if he can sort it. Also I will post what I have done recently to the forum to see if anyone has any clues

Thanks for your time with this I do appreciate your help
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Goodluck, please post back your progress on this  :)
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

I will defo keep you upto date. My host has just replied, bearing in mind they only have skeleton staff on a sunday, that they can't do a full restore today. Monday would be the best time and they can probably restore the whole thing back 3 days previous to the problem.

Would you like me to list the order the problems occured, would that help.

My host along the same lines as myself that I do a fresh install of SMF and point it to the same db. I am going to try that now. I'm struggling to find the bridge. I know it is a joomla-smf bridge. I have found in joomla components a com_smf folder I presume that is it. Might be worth just deleting via ftp. would that be the right thing to do?
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Do you remember how long you are using this bridge? I've got to tell you that my site was hacked due to an obsolete version of Joomla, which I couldn't update because of the bridge losing functionality then. Maybe that could be your problem as well?

For as far as I remember, all files related to the bridge are in both components and modules folder of Joomla, having the prefix mod_smf_.. or com_smf_...

Now moving this to the Joomla Bridge board.  ;)
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

#13
We are getting moved a lot :) I have been using the bridge for a good 3 years. to be fair we have not made the best use of it so we could manage without.

I will delete the mod_smf and com_smf via ftp.


I am also just extracting a fresh download of smf 1.1.11
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

rsmini

I'm just  working on a holding page but my host has just replied with this

QuoteYou can upload a page if you like, but I don't think it will work, as you have a script in place that is rewriting your URL's
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Honestly, I can't help you with that. There must be hundreds of files on your server that *could* have been infected. There were multiple exploits in older modules and components for Joomla. You'll have to compare each and everyone with the default ones or open them to see if they're infected.

If I were you (and believe me, I've been there and I know how hard it is to throw your work away), I'd remove all files from my server and start with clean installs with the most recent versions.

Make a sitebackup first, though, maybe your host is able to determine whcih files are infected.
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

I quite agree with that one. I have managed to get a holding page up and running with links to our pages on facebook and our blog. he next step is the forum. I can add extra pages to the blog which may help.

I am working an upgrade on the joomla site. I need to work out how to move the content across. The old joomla version and new one are very different in the back end!!

if anyone is interested the URL is www.britishminiclub.co.uk and the forum is www.britishminiclub.co.uk/smf

Hopefully removing the bridge between the two might help remove the problem. Trouble is I need to get the old site back up running as it has so much on it.

I was thinking of moving to word press as joomla can prove to be a pain in the back side  ::)
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

rsmini

Might be getting somewhere.. then again might not :) We have a zencart shop installed but has never been set live. The host seems to think the shops .htaccess and .rewrite might be causing problems. Wont find out till monday though
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

xenovanis

Well, as long as you're up and safe. Good luck  :)
"Insanity: doing the same thing over and over again and expecting different results."

rsmini

nope  >:( those files have been checked and changed to be correct and still no luck !!
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

Advertisement: