After hack - Database Error

Started by aswuser, July 29, 2022, 10:38:14 PM


aswuser

My forum was hacked. I had the host restore a backup from before the hack and now the site shows, but none of my boards are loading. Admin pages seem to be fine.

I'd like some guidance on where to go from here.

I am getting Database Errors:

Unknown column 'b.id_parent' in 'field list'
File: /home/school10/public_html/forumnew/Sources/Subs-BoardIndex.php
Line: 112

Backtrace information


    #0: smf_db_error()
    Called from /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php on line 494
    #1: smf_db_query()
    Called from /home/school10/public_html/forumnew/Sources/Load.php on line 1114
    #2: loadBoard()
    Called from /home/school10/public_html/forumnew/index.php on line 224
    #3: smf_main()
    Called from /home/school10/public_html/forumnew/index.php on line 191

A second error showing in error log:

8: Trying to access array offset on value of type null
File: /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php

Backtrace information



    #0: smf_error_handler()
    Called from /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php on line 590
    #1: smf_db_error()
    Called from /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php on line 494
    #2: smf_db_query()
    Called from /home/school10/public_html/forumnew/Sources/Load.php on line 1114
    #3: loadBoard()
    Called from /home/school10/public_html/forumnew/index.php on line 224
    #4: smf_main()
    Called from /home/school10/public_html/forumnew/index.php on line 191

A third error showing in error log:

Unknown column 'b.id_parent' in 'field list'
File: /home/school10/public_html/forumnew/Sources/Load.php

Backtrace information



    #0: smf_db_error()
    Called from /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php on line 494
    #1: smf_db_query()
    Called from /home/school10/public_html/forumnew/Sources/Load.php on line 1114
    #2: loadBoard()
    Called from /home/school10/public_html/forumnew/index.php on line 224
    #3: smf_main()
    Called from /home/school10/public_html/forumnew/index.php on line 191



I did change all my passwords, ran cpanel Virus Scanner. I checked these files to make sure they were clean.

Any ideas on how to restore my boards?

Doug Heffernan

Quote from: aswuser on July 29, 2022, 10:38:14 PM
My forum was hacked. I had the host restore a backup from before the hack and now the site shows, but none of my boards are loading. Admin pages seem to be fine.

I'd like some guidance on where to go from here.

I am getting Database Errors:

Unknown column 'b.id_parent' in 'field list'
File: /home/school10/public_html/forumnew/Sources/Subs-BoardIndex.php
Line: 112

Can you check the boards table and see if the id_parent field is present? The error indicates that said field is not present in the aforementioned table. Can you check the backup that you restored to make sure that it is whole?

Quote from: aswuser on July 29, 2022, 10:38:14 PM
8: Trying to access array offset on value of type null
File: /home/school10/public_html/forumnew/Sources/Subs-Db-mysql.php

Can you please attach here the Subs-Db-mysql.php file?

Quote from: aswuser on July 29, 2022, 10:38:14 PM
Unknown column 'b.id_parent' in 'field list'
File: /home/school10/public_html/forumnew/Sources/Load.php

This is the same error as mentioned above.

Quote from: aswuser on July 29, 2022, 10:38:14 PM
I did change all my passwords, ran cpanel Virus Scanner. I checked these files to make sure they were clean.

If I were you I would contact the host and ask them to check their logs and see how the hackers got access and what actions were performed.

Next, overwrite all your forum files with those from the large 2.1.2 upgrade package. If you are not already using that version, which is the current version, upgrade your forum to it. A downside of this method, so to speak, is that all your mods and any manual edits that you have done will be uninstalled/undone. But all your files will be cleaned up in the event of any infection/injection.

Another thing to do is a very thorough checkup of your server for anything out of the ordinary, such as files that should not be there. That is to make sure that there are no backdoors left.

What other scripts are you running on the server? What mods do you have installed? What are your PHP and MySQL versions?
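Doug's two checks above, whether the boards table has an id_parent field and whether the restored backup is whole, can be run against the backup dump file itself before restoring it. The script below is an added example written for this thread, not code from SMF or from any poster: it extracts the CREATE TABLE statement for a table from a mysqldump-style file and reports whether a given column is defined. The sample dump it writes is constructed to mirror the situation in this thread (smf_membergroups with id_parent, smf_boards without it) and lists only a handful of columns; it is not the real SMF 2.1 schema.

```shell
#!/bin/sh
# Added example (not from the thread or from SMF): inspect a mysqldump-style
# backup for a table column before restoring it. The sample dump below is
# constructed for illustration and is not the real SMF schema.

# table_stanza DUMP TABLE
# Print the CREATE TABLE statement for TABLE, from its first line to the
# closing ") ENGINE=..." line. Prints nothing if the table is not in the dump.
table_stanza() {
    awk -v t="$2" '
        $0 ~ ("^CREATE TABLE `?" t "`? \\(") { grab = 1 }
        grab { print }
        grab && /^\)/ { exit }
    ' "$1"
}

# dump_has_column DUMP TABLE COLUMN
# Exit 0 if TABLE defines COLUMN, 1 if TABLE is present but lacks the column,
# 2 if the dump has no CREATE TABLE for TABLE at all (a truncated dump).
dump_has_column() {
    stanza=$(table_stanza "$1" "$2")
    [ -n "$stanza" ] || return 2
    printf '%s\n' "$stanza" | grep -q "^[[:space:]]*\`$3\` " || return 1
}

# dump_missing_columns DUMP TABLE COL...
# Print each named column that TABLE lacks; exit 0 only if none are missing.
# (If the table itself is absent, every named column is reported.)
dump_missing_columns() {
    dump=$1 table=$2
    shift 2
    missing=0
    for col in "$@"; do
        if ! dump_has_column "$dump" "$table" "$col"; then
            echo "$col"
            missing=1
        fi
    done
    return $missing
}

# make_sample_dump FILE - write a constructed partial dump in mysqldump layout.
make_sample_dump() {
    cat > "$1" <<'EOF'
-- Constructed sample, NOT the real SMF schema: smf_boards lacks id_parent here
DROP TABLE IF EXISTS `smf_boards`;
CREATE TABLE `smf_boards` (
  `id_board` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `id_cat` tinyint(4) unsigned NOT NULL DEFAULT 0,
  `child_level` tinyint(4) unsigned NOT NULL DEFAULT 0,
  `board_order` smallint(5) NOT NULL DEFAULT 0,
  `name` varchar(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`id_board`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

DROP TABLE IF EXISTS `smf_membergroups`;
CREATE TABLE `smf_membergroups` (
  `id_group` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `group_name` varchar(80) NOT NULL DEFAULT '',
  `id_parent` smallint(5) NOT NULL DEFAULT -2,
  PRIMARY KEY (`id_group`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
EOF
}

demo() {
    f=$(mktemp)
    make_sample_dump "$f"
    for spec in smf_boards:id_parent smf_membergroups:id_parent smf_settings:variable; do
        t=${spec%%:*}; c=${spec#*:}
        rc=0; dump_has_column "$f" "$t" "$c" || rc=$?
        case $rc in
            0) echo "$t.$c: present" ;;
            1) echo "$t.$c: MISSING from table" ;;
            2) echo "$t: table not in dump" ;;
        esac
    done
    rm -f "$f"
}
demo
```

Run it against the host's backup before asking for a restore: a status of 2 (table absent) or 1 (column absent) for smf_boards.id_parent means the dump is already incomplete and restoring it will reproduce the "Unknown column 'b.id_parent'" error. To ask the live database the same question, `SHOW COLUMNS FROM smf_boards LIKE 'id_parent'` in phpMyAdmin or the mysql client returns one row when the column exists.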

aswuser

I searched db and found that id_parent field is present in table smf_membergroups.

But id_parent field is NOT present in table smf_boards.

I have an -old, old- backup which DOES have id_parent field in table smf_boards.

Can I add the id_parent field to my current db?  If so, how to do this?

I did a diff on Subs-Db-mysql.php - the file on the server is the same as my local file from the package. File attached.

I did contact the host to inform them and ask about the access log. They said there was no unusual activity or access that they could find; FTP access only by me.

I also searched for suspicious files and removed any found.

I am using SMF v.2.1.2. I am pretty sure that the SMF files are clean but will reupload from package.

There are 2 Wordpress sites also in same hosting account on different domains. I checked these too. They seem to be fine, are up-to-date, and have security plugins installed.

PHP Version: 7.4.30
MySQL Version: 10.3.28-MariaDB-cll-lve
No mods installed in SMF


Doug Heffernan

Quote from: aswuser on July 30, 2022, 12:11:10 PM
But id_parent field is NOT present in table smf_boards.

The error message you posted told us that, but now it is confirmed.

Quote from: aswuser on July 30, 2022, 12:11:10 PM
I have an -old, old- backup which DOES have id_parent field in table smf_boards.

Personally, I would hold off on restoring a very old backup for a while longer. Doing that will result in the loss of all content acquired from the time it was made until now. From when is your most recent backup?


Quote from: aswuser on July 30, 2022, 12:11:10 PM
Can I add the id_parent field to my current db? If so, how to do this?

I guess it can be re-added, but the thing is, it is related to several other tables as well and it will be complicated.

Quote from: aswuser on July 30, 2022, 12:11:10 PM
I did a diff on Subs-Db-mysql.php - the file on the server is the same as my local file from the package. File attached.

There is nothing wrong with that file as far as I could see.

Quote from: aswuser on July 30, 2022, 12:11:10 PM
I did contact the host to inform them and ask about the access log. They said there was no unusual activity or access that they could find; FTP access only by me.

If no one logged in to your account, it means that it was not breached. But you said that you were hacked. May I ask why you said that? The more details you give us the better.

Quote from: aswuser on July 30, 2022, 12:11:10 PM
I also searched for suspicious files and removed any found.

Did you check the content of those suspicious files?

Something else that I forgot to mention, and that I think will help in strengthening the security, is to change the database user and password. Create a new user with a strong password and give it full permissions/access to the database that you used to install your SMF forum. Then enter the new info into the Settings.php file.

aswuser

Hi Doug,
I just realized you are the one who helped us on the upgrade last year. We were having trouble upgrading from SMF 1.1.x to SMF 2.x. We are still grateful for your help with that.

The hack evidence was that:
Some values in Settings.php were changed, including the setting for the DB password (last two letters removed).

$boardurl was changed (an "s" was added)
$sourcedir url was changed
$packagesdir url was changed
$tasksdir url was changed

Loss of db connection was how we first found out there was a problem.

There were some suspicious files uploaded into the forum root directory. I identified them by looking at the name and at any files that had a recent last-mod date. This was easy to identify as we had just recently installed the 2.1.2 upgrade.

One file uploaded is called "TinyPortal.php"

I think some images were uploaded to the attachments folder. These are .dat files; they appeared at the same time as attack. When I looked at them, they looked like something that no one on our board would post - political profanity.

In the webroot, I found another file named "a2.key". It looks like an SSL cert. It started with
-----BEGIN OPENSSH PRIVATE KEY-----

I asked host about this in particular. All they said was if it looked suspicious to remove it.

I do not access the server by SSH.

My -old, old- db is from 6/22/2022 - not so old but old in terms of forum. We do not want to lose so many posts.

The host says they can restore the db from backup up to 30 days back. I don't know if this means that they have separate backups from each day. I can check. I suppose I could ask to restore a backup from 2 days ago or 7 days ago, something like that.

I would like to see if current db can be repaired.

I am pretty sure the hack was yesterday morning, about 4 am server time as that is when db connection was lost and the time stamp on the suspicious files.

I did change the db password. I didn't change the username - I'll do that too, just in case. I did change the password for the hosting account login, cpanel and ftp accounts. I advised all SMF admins to change password and scan their personal devices for malware.

Thanks for your help. We appreciate it.


Kindred

TinyPortal is a mod, not a hack.

By "s" added, do you mean http got turned to https?

If so, I don't think you were hacked.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Quote from: aswuser on July 30, 2022, 03:26:27 PM
I think some images were uploaded to the attachments folder. These are .dat files

All attachments in 2.1 have .dat endings now...

Chief of Nothing

Quote from: aswuser on July 30, 2022, 03:26:27 PM
In the webroot, I found another file named "a2.key". It looks like an SSL cert. It started with
-----BEGIN OPENSSH PRIVATE KEY-----

That's not an SSL certificate, it's for authenticating SSH, without a password if need be. What the private key was doing in the web root is strange. Is your host A2 Hosting? That's the only reason I can think of for the name of the key.

What permissions do your admins have? Can they access the package manager? If so I wonder if one of them tried to install the TinyPortal mod (possibly a rogue version) as you state you didn't try to install it yet at least one file of that name was present.

I'll echo Doug's call: did you check the contents of the suspicious files? Could you at least make a list of the suspicious filenames and the directories they were in that you could post? Sometimes knowing this can give insights into what actually happened, and your host's advice to just delete them is probably the worst advice ever to give.

By changing your hosting/cPanel/FTP/DB password and just deleting the suspicious files I doubt you have actually closed off the "attack vector" (I say that loosely, we don't know yet if it was an actual attack or something else weird).

I hope you're using SFTP and not plain FTP.
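Doug's advice to overwrite the forum files with the clean 2.1.2 package and Chief of Nothing's request for a list of suspicious filenames and their directories come down to the same operation: comparing the installed tree with a known-clean copy of the same version. The script below is an added example for this thread, not SMF code or any poster's. It reports shipped files that were modified or removed and files the package never shipped, skipping paths that legitimately differ per site (Settings.php, attachments, cache), except that a .php file under attachments/ is always reported. It also does the "recent last-mod date" check aswuser describes with plain find. The two directory trees it builds are a constructed fixture; the TinyPortal.php, a2.key and Load.php contents in it are placeholders, not real samples from the forum.

```shell
#!/bin/sh
# Added example (not from the thread or from SMF): audit an installed forum
# tree against a clean unpacked copy of the same package version. The fixture
# trees built by make_fixture are constructed for illustration.

# site_specific PATH - exit 0 for files that legitimately differ per site and
# need no report. PHP files under attachments/ are never treated as such,
# because an upload directory is a classic place to hide a web shell.
# (SMF writes its own .php files into cache/, so that directory is skipped
# here and needs a manual look.)
site_specific() {
    case $1 in
        attachments/*.php) return 1 ;;
        Settings.php|Settings_bak.php|db_last_error.php) return 0 ;;
        attachments/*|cache/*|avatars/*|custom_avatar/*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_tree CLEAN_DIR INSTALLED_DIR
# One line per finding:
#   MODIFIED <path>  shipped file whose bytes differ from the package copy
#   MISSING  <path>  shipped file absent from the install
#   EXTRA    <path>  file in the install that the package does not ship
audit_tree() {
    clean=$1 inst=$2
    tmp=$(mktemp -d)
    ( cd "$clean" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) > "$tmp/clean.lst"
    ( cd "$inst"  && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) > "$tmp/inst.lst"

    # Every file the package ships: present and byte-identical, or flagged.
    while IFS= read -r f; do
        if [ ! -f "$inst/$f" ]; then
            printf 'MISSING  %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$inst/$f"; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done < "$tmp/clean.lst"

    # comm -13: lines only in the second (installed) list.
    comm -13 "$tmp/clean.lst" "$tmp/inst.lst" | while IFS= read -r f; do
        site_specific "$f" || printf 'EXTRA    %s\n' "$f"
    done
    rm -rf "$tmp"
}

# changed_since REF_FILE DIR - files under DIR modified after REF_FILE, e.g.
# the package's own index.php from the last upgrade (the last-mod-date check).
changed_since() {
    find "$2" -type f -newer "$1" | LC_ALL=C sort
}

# make_fixture BASE - build constructed clean/ and installed/ trees under BASE.
make_fixture() {
    base=$1
    for d in clean installed; do
        mkdir -p "$base/$d/Sources" "$base/$d/Themes/default"
        echo '<?php // smf_main'  > "$base/$d/index.php"
        echo '<?php // loadBoard' > "$base/$d/Sources/Load.php"
        echo '<?php // theme'     > "$base/$d/Themes/default/index.template.php"
    done
    echo '<?php // Subs' > "$base/clean/Sources/Subs.php"              # MISSING from install
    echo '// constructed: injected line' >> "$base/installed/Sources/Load.php"  # MODIFIED
    mkdir -p "$base/installed/attachments" "$base/installed/cache"
    echo '<?php // db creds' > "$base/installed/Settings.php"          # site-specific, skipped
    echo 'image bytes'       > "$base/installed/attachments/123_abc.dat"  # normal 2.1 attachment
    echo '<?php // cache'    > "$base/installed/cache/data_x.php"      # SMF-written, skipped
    # Everything so far is "old"; the suspicious files below get the current time.
    find "$base" -type f -exec touch -t 202207010000 {} +
    echo '<?php // placeholder, not the real TinyPortal mod' > "$base/installed/TinyPortal.php"
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'               > "$base/installed/a2.key"
    echo '<?php // placeholder shell'                        > "$base/installed/attachments/shell.php"
}

demo() {
    base=$(mktemp -d)
    make_fixture "$base"
    echo "== audit against clean package =="
    audit_tree "$base/clean" "$base/installed"
    echo "== files newer than index.php =="
    changed_since "$base/installed/index.php" "$base/installed"
    rm -rf "$base"
}
demo
```

Unpack the package into an empty directory and call audit_tree with that path and the forum root. Keep the printed list and a copy of every EXTRA and MODIFIED file for whoever investigates before any cleanup, since the contents, not the names, show what happened; the fixture's TinyPortal.php is an example of why a name alone proves nothing.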

Kindred

From everything noted so far, it is very much looking like there was no hack at all. It looks like aswuser saw something that they did not understand and made a wrong assumption.

Chief of Nothing

That could very well be the case, Kindred. "I didn't know what that was so I just deleted it without finding out anything about it" has probably caused more problems than genuine hacks, and it hinders investigation. But until we can say for certain it was user error, we should treat it as if a third party, whether external or internal, caused the damage; there are a few things that don't add up if the OP maintains they didn't install any mods etc.

Kindred

Well, aswuser deleted files that were needed, and only got a partial database on restore... without anything else, that's going to break a site.

Honestly,  I think the host is partially to blame as well... I know that my host would never have reacted with the answers or actions that their host did...


aswuser

Since we have resolved the issue, I thought I'd provide an update. Upon discovering the hack, we changed the passwords for SMF admin users, hosting account login, cpanel/ftp, and database.

We were ultimately able to restore the site using a combination of database backup and database repair. The database was indeed corrupted. Once the database was restored, we performed a clean install of all SMF package files. We also removed old files, e.g. old themes etc. We have no mods installed.

Suspicious files were identified as not being part of the 2.18 install package or my theme. I did check the contents of all suspicious files before removing them. As it turns out, only one file was evil: the file named "Tinyportal". And, as I said above, values in Settings.php were changed.

We still don't know how the hack was done. We are much more vigilant and making more frequent database backups.

Thanks for your suggestions and support during this difficult ordeal.
