
Forum Hacked - Help Needed Please

Started by LLandL, January 28, 2012, 04:23:13 AM


LLandL

Hi,

My forum was hacked yesterday afternoon. Not sure how it was done but the only files I can see that have been edited yesterday are the index.php and Settings.php files.

I'm running the latest version of the SMF software 1.1.16 with Tiny Portal.

Here's the link to my forum...

http://www.lovelockandload.net/forum/index.php

After being hacked all that would display for my site was an image of a woman with a syringe through her tongue and the words SouTHRaNDA wAs HeRE

I've attached the two PHP files if that's any help? I've also re-named them on my server so that the above image doesn't show and I just get an error page instead. Any help would be greatly appreciated.

I have backup files from my server host but wanted to see if there was a way of restoring my forum without losing any posts first. I'm not very tech savvy, so I'm a bit lost when it comes to restoring old files etc.

Thanks

Branko.

Look for backup index.php and Settings.php, same name but with a tilde ~. Remove the "infected" files, then rename the two existing ones (just remove the tilde).

kat

Quote from: LLandL on January 28, 2012, 04:23:13 AM
I have back up files from my server host but wanted to see if there was a way of restoring my forum without losing any posts first.

If they restore a backup of the forum, your posts/members will be OK, because they're stored in the database.

As long as they only restore the files, you'll be A-OK. :)

LLandL

Thanks for the feedback guys. Had some help from a friend and we seem to be back up and running now.

Illori

you should also upgrade your tinyportal install

Quote from: IchBin™ on January 03, 2012, 03:06:12 PM
Quote from: sonnenblende on January 03, 2012, 01:07:33 PM
Hi,

I had the exact same issue with two older SMF sites today.

Best way to fix is:

a) restore index.php and Settings.php from last backup (you should always run backups!)

b) make sure your index.php and Settings.php are NOT world/group writable!

c) make sure your /tp-images folder is NOT world/group writable!

d) remove the directory "File" from /tp-images (that's where they seem to break in)

e) by all means CHANGE your database and administrator passwords (part of the hack is them trying to pull a dump of your members table!)

That should clear it. Most important thing is indeed they must not be able to use php code to overwrite your index.php and Settings.php - depends on your hosts setup if and how they can achieve that.

Regards,
Jerry

I should note that I fixed the security issue with tp-images/ folder back in TP 1 rc1.2. If you are not running TP on or after that version you are vulnerable.
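The five recovery steps quoted above, turned into an audit you can run against the forum tree before and after restoring. This is an added example for this thread, not code from SMF or TinyPortal: it compares the tilde (~) backups of index.php and Settings.php with the live copies, tests those two files and the tp-images folder for group/world write bits, and reports a tp-images/File directory or any PHP file under tp-images. The sample tree built by build_sample_tree() is constructed here to reproduce the symptoms described in the thread; every path in it is an assumption. One caveat on the permission checks: a mode such as 705 is not writable by group or world, but on hosts where PHP runs as the file owner (suPHP, CGI/FastCGI) that does not stop a PHP script from writing into the folder, which is why the PHP-under-tp-images check is there as well.

```python
"""Post-compromise audit of an SMF + TinyPortal tree (added example, not project code)."""
import filecmp
import os
import stat
import tempfile

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH      # group or world write bit
CORE_FILES = ("index.php", "Settings.php")     # the two files the attackers replaced
IMAGE_DIRS = ("tp-images", "tp_images")        # both spellings appear in the thread
PHP_SUFFIXES = (".php", ".php5", ".phtml")


def other_writable(path):
    """True when group or world may write to path (the 'NOT writable' checks)."""
    return bool(os.stat(path).st_mode & OTHER_WRITE)


def audit_forum(root):
    """Return a sorted list of (finding, relative path) tuples for the tree at root."""
    findings = []
    for name in CORE_FILES:
        live = os.path.join(root, name)
        backup = live + "~"
        if os.path.isfile(live) and other_writable(live):
            findings.append(("writable", name))
        if not os.path.isfile(backup):
            findings.append(("no_backup", name))
        elif not os.path.isfile(live) or not filecmp.cmp(live, backup, shallow=False):
            # live copy missing, or its bytes differ from the backup: treat as replaced
            findings.append(("differs_from_backup", name))
    for imgdir in IMAGE_DIRS:
        d = os.path.join(root, imgdir)
        if not os.path.isdir(d):
            continue
        if other_writable(d):
            findings.append(("writable", imgdir))
        if os.path.isdir(os.path.join(d, "File")):
            findings.append(("upload_dir_present", imgdir + "/File"))
        for dirpath, _dirs, files in os.walk(d):
            for f in files:
                if f.lower().endswith(PHP_SUFFIXES):
                    rel = os.path.relpath(os.path.join(dirpath, f), root)
                    findings.append(("php_in_images", rel.replace(os.sep, "/")))
    return sorted(findings)


def build_sample_tree():
    """Construct a small tree that mimics the symptoms in the thread (demo data, assumed)."""
    root = tempfile.mkdtemp(prefix="smf-audit-")

    def write(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    write("index.php~", "<?php // genuine SMF index.php (tilde backup)\n")
    write("index.php", "<?php echo '<img src=\"defaced.jpg\">';\n", 0o666)  # replaced, world-writable
    write("Settings.php~", "<?php $db_passwd = 'old';\n")
    write("Settings.php", "<?php $db_passwd = 'old';\n")                      # untouched
    write("tp-images/File/shell.php", "<?php /* uploaded web shell */\n")     # dropped via the upload dir
    os.chmod(os.path.join(root, "tp-images"), 0o777)                         # world-writable folder
    return root


if __name__ == "__main__":
    for finding, path in audit_forum(build_sample_tree()):
        print(f"{finding:22} {path}")
```

Run it against the real forum root instead of the sample tree by calling audit_forum("/path/to/forum"). A "differs_from_backup" finding for Settings.php is expected after you change the database password, so compare that file by eye rather than trusting the byte comparison alone.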

kat


sawz



stljeeper

Had this same issue today with our site.  The image described by the OP is exactly what we had.  Restored index.php and settings.php, deleted tp_images/File and we're pretty much back up.  Thanks for the great info in this thread.  Changed db and admin passwords.

SMF 2.0.2, TinyPortal (not sure which version; just downloaded it a couple of weeks ago)... this is the second time we've been hacked in about 15 days.

Our tp_images folder permissions were/are set to 705.  Is that correct?  Is there a tool we can use to scan for remnants to try to prevent this from happening again?

IchBin™

Quote from: stljeeper on April 10, 2012, 11:19:49 AM
Our tp_images folder permissions were/are set to 705.  Is that correct?  Is there a tool we can use to scan for remnants to try to prevent this from happening again?

It's not so much the permissions you need to worry about. It's what is allowing someone to write files to that folder in the first place. Do you have an access_log that you can share from the time your site was compromised? I'm not aware of any TP vulnerabilities, but I'd like to check your log to see if there was anything anyway.
IchBin™        TinyPortal

stljeeper

Thanks for the quick response.  Sorry to be dense, but which access_log are you looking for?  I have the apache logs.  I'm not sure which other logs are available.

IchBin™

Apache access_log. Please note the time you think the exploit happened so that it's easier to parse the log to find "when" it may have occurred.

stljeeper

OK.  How would you like me to send the files?  It's about 700K for yesterday and today (the compromise was sometime between ~ 20:00 4/9 and 08:00 4/10 (US Eastern))

IchBin™

zip the file up and attach it here if you'd like. Shouldn't be anything private enough to worry about in an apache log.

stljeeper


IchBin™

Are you using the FCKEditor for another mod? Or do you have a previous older install of TP? FCKeditor back a couple of years ago when it was included in with TP was known to have an exploit that allowed this type of hack. I see the FCKEditor in your access logs, which I'm guessing is the problem.
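The log check IchBin describes, as an added example for this thread rather than anything the participants ran. It parses Apache combined-format lines, keeps those inside a caller-supplied compromise window (here the poster's ~20:00 9 April to 08:00 10 April, US Eastern, which in April is EDT, UTC-4) and tags requests that touch an FCKeditor directory, the tp-images/File upload folder, or a PHP file under tp-images. first_seen() looks outside the window too, because the poster later notes FCKeditor hits going back several days before the defacement. SAMPLE_LOG is constructed for the demo: the client addresses, the /forum/dev/ location and the exact file names are made up, and only the directory names matter to the tagger. Before attaching a log to a public thread, note that query strings in SMF URLs can carry session identifiers, so scan for those first.

```python
"""Triage an Apache access_log for a compromise window (added example, not project code)."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each tag fires when its pattern matches the request path (case-insensitive).
TAGS = (
    ("fckeditor", re.compile(r"/fckeditor/", re.I)),
    ("tp-images/File", re.compile(r"/tp[-_]images/File/", re.I)),
    ("php under tp-images", re.compile(r"/tp[-_]images/.*\.php", re.I)),
)

EDT = timezone(timedelta(hours=-4))   # US Eastern on 9-10 April 2012

# Constructed sample lines (addresses from documentation ranges, paths assumed).
SAMPLE_LOG = """\
198.51.100.23 - - [09/Apr/2012:19:55:02 -0400] "GET /forum/index.php?board=3.0 HTTP/1.1" 200 5321
203.0.113.9 - - [09/Apr/2012:23:41:17 -0400] "GET /forum/dev/FCKeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 200 2150
203.0.113.9 - - [09/Apr/2012:23:41:40 -0400] "POST /forum/dev/FCKeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 200 198
203.0.113.9 - - [09/Apr/2012:23:42:05 -0400] "GET /forum/tp-images/File/x.php HTTP/1.1" 200 77
192.0.2.44 - - [10/Apr/2012:02:10:33 -0400] "GET /forum/index.php?topic=12.0 HTTP/1.1" 200 8890
203.0.113.9 - - [10/Apr/2012:08:30:00 -0400] "GET /forum/tp-images/File/x.php HTTP/1.1" 404 -
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["tags"] = [tag for tag, pat in TAGS if pat.search(rec["path"])]
    return rec


def triage(log_text, start, end):
    """Tagged requests whose timestamp lies in [start, end), oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["tags"]:
            continue
        if start <= rec["time"] < end:
            hits.append(rec)
    hits.sort(key=lambda r: r["time"])
    return hits


def first_seen(log_text, tag):
    """Earliest request carrying tag anywhere in the log, ignoring the window."""
    times = [rec["time"] for rec in map(parse_line, log_text.splitlines())
             if rec and tag in rec["tags"]]
    return min(times) if times else None


def demo_window():
    """The poster's stated window: ~20:00 4/9 to 08:00 4/10, US Eastern."""
    return (datetime(2012, 4, 9, 20, 0, tzinfo=EDT),
            datetime(2012, 4, 10, 8, 0, tzinfo=EDT))


if __name__ == "__main__":
    start, end = demo_window()
    for rec in triage(SAMPLE_LOG, start, end):
        print(rec["time"].isoformat(), rec["ip"], rec["method"], rec["path"], rec["tags"])
    print("first FCKeditor hit:", first_seen(SAMPLE_LOG, "fckeditor"))
```

On a real log, read the file into log_text and widen the window once you have the first flagged address; the same client usually shows up probing for the editor directory well before the request that wrote the file.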

stljeeper

Thank you.  I believe we did have FCKEditor at one point... in an old (offline) backup I see it at \forum\FCKEditor ... but I don't see it in our current installation (we changed hosts).

stljeeper

I see the log entries for */forum/FCKEditor*  that go back for several days even before we had the issue last night.  What's weird is that I don't see the folder on the server now and AFAIK our only other admin didn't delete anything.

stljeeper

I did find it (FCKeditor) in a subfolder (used for dev-type stuff) and deleted it.  Thanks for your help IchBin ... I owe you a beer or 6.  I'd still be interested if there's a way to scan through everything to look for known vulnerabilities.
