SMF 2.0 RC5 keeps getting SQL hacked by a hacker

Started by Karlanse, March 15, 2011, 06:48:44 PM

Arantor

Not at all, no.

If they have access through your account credentials, they can edit anything in www by pretending to be you.

But they might not be accessing via your account credentials, they might be on the server and executing commands through a different piece of software on a different account - if the file permissions allow them to edit the files.

SlammedDime

Looking through the logs you sent me, I can see what he is doing and it's pretty clear, but I can't access your forum any longer.  It looks like Settings.php is either wiped out or not there or has the wrong information.

Have you noticed any 'Password Reset' emails come to your email box throughout any of this?

On a side note, can you look in your Themes/core/css directory and see if there is a file named cb.php.  If so, please download it, zip it up and send me a link to download it so I can view it, then delete it from the directory.

Karlanse

Quote from: SlammedDime on March 21, 2011, 11:39:04 AM
Looking through the logs you sent me, I can see what he is doing and it's pretty clear, but I can't access your forum any longer.  It looks like Settings.php is either wiped out or not there or has the wrong information.

Have you noticed any 'Password Reset' emails come to your email box throughout any of this?

On a side note, can you look in your Themes/core/css directory and see if there is a file named cb.php.  If so, please download it, zip it up and send me a link to download it so I can view it, then delete it from the directory.

I took the forums down by renaming the directory since there's no reason for it to be up while I'm migrating hosts. I could put it up at any moment's notice if you would like to take a look at it.

No, I have not noticed any password resets. Between the couple of times that he hacked my forums, I've either had my secret question as some random button mash, or have it blank and not set, and it seemed to have made no difference. I just checked my hosting webmail and my own email webaddress and both do not have any password reset emails, although I noticed that every time he hacked me he changed the email address to his.

There is indeed a cb.php file in that directory and it was modified on the day of hacking, sending it to you now.

Thank you sir
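
The check requested above (a PHP file sitting in Themes/core/css, modified on the day of the defacement), generalized to a whole forum tree. This is an added example, not part of the original thread or of SMF; the list of static-asset directory names, the extension list and the function names are assumptions.

```python
import os
import sys
from datetime import datetime

# Assumption: directory names that should normally hold only static assets.
STATIC_DIRS = {"css", "images", "scripts", "fonts", "avatars", "smileys", "attachments"}
# Assumption: extensions the web server may hand to PHP (depends on its config).
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")

def php_files(root):
    """Yield (relative_path, mtime) for every PHP-type file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root), os.path.getmtime(full)

def in_static_dirs(root):
    """PHP files whose path passes through a static-asset directory.

    Placeholder index.php files, where the package ships them, are listed
    too: compare those against a clean copy of the same release.
    """
    hits = []
    for rel, mtime in php_files(root):
        parents = {p.lower() for p in rel.split(os.sep)[:-1]}
        if parents & STATIC_DIRS:
            hits.append((rel, mtime))
    return sorted(hits)

def modified_between(root, start, end):
    """PHP files with mtime in [start, end), given as epoch seconds.

    mtime can be reset by whoever wrote the file, so an empty result
    does not prove the tree is clean.
    """
    return sorted((rel, m) for rel, m in php_files(root) if start <= m < end)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mtime in in_static_dirs(root):
        print(datetime.fromtimestamp(mtime).isoformat(" ", "seconds"), rel)
```

Run it against a downloaded copy of the forum directory; anything it lists should be set aside for review before it is deleted.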

dahuamao

I have a similar problem with him. My forum has been hacked twice. But now I have not found the reason. I need some help.
I am using an FTP account, I did not find cb.php in Themes/core/css directory.
I don't know how to repair it. Who can help us?

Xarcell

Quote from: dahuamao on July 27, 2011, 10:51:16 PM
I have a similar problem with him. My forum has been hacked twice. But now I have not found the reason. I need some help.
I am using an FTP account, I did not find cb.php in Themes/core/css directory.
I don't know how to repair it. Who can help us?

Can we see your site?

dahuamao

I have sent a PM to you.

Quote from: Xarcell on July 27, 2011, 11:00:59 PM
Quote from: dahuamao on July 27, 2011, 10:51:16 PM
I have a similar problem with him. My forum has been hacked twice. But now I have not found the reason. I need some help.
I am using an FTP account, I did not find cb.php in Themes/core/css directory.
I don't know how to repair it. Who can help us?

Can we see your site?

dahuamao

Also, they changed the index.php to their page, like this hxxp:www.zone-h.com/mirror/id/13410497 [nonactive]; Hacked by JH-TEAM

Xarcell

Quote from: dahuamao on July 27, 2011, 11:25:35 PM
Also, they changed the index.php to their page, like this http://www.zone-h.com/mirror/id/13410497; Hacked by JH-TEAM


You will need to open your own topic so that people can help you properly.

If your index.php was changed, they either got your FTP login details from your FTP client or cPanel. They hacked you to get the FTP details before they hacked your site. It will happen again unless you take precautions to protect yourself first. Run a virus/malware remover, and change your FTP password to something more complex before attempting to fix your site.

The change they made is causing the "Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/wwwroot/Settings.php on line 4" error. Not sure which file though. Look at your Settings.php file for anything suspicious.
