My website seems to keep getting hacked

Started by blockhead, September 09, 2013, 08:04:00 AM

Kindred

If this happens within an hour or so, then you should not have many server logs to investigate.

Get the server logs from the time that you installed to the time you noticed the hack.

Verify how they are getting in.

There are no KNOWN holes in SMF that would allow this, at this time (assuming you are running 2.0.5)

So
1- someone has discovered a new vector. In which case we need the logs so we can patch it ASAP
2- you are running some other script on your site which has a hole. In which case, the server logs will tell us where it is.
3- you did not fully clean your site and the hackers still have a back door program buried somewhere. In which case, the logs will tell us how they got in.
4- the hackers are getting in through another account on your shared host (in which case, the misconfiguration of security is entirely the host's fault and there is NOTHING we can do to help you except tell you to go to a new host)
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
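
Added example, not part of the thread and not SMF's own code: one way to do the log review described in the post above, narrowing an access log to the window between install and the moment the hack was noticed and listing the requests worth reading by hand. It assumes the host writes Apache/nginx "combined" format and that visitors to a fresh SMF install with no mods only request `index.php`; the sample lines, times and the `suspicious` helper are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: the host writes Apache/nginx "combined" format; adjust LINE otherwise.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: on a fresh SMF install with no mods, visitors only request index.php.
EXPECTED_PHP = {"/index.php"}

def suspicious(lines, start, end):
    """Return (time, ip, method, path, status, reasons) for entries inside
    [start, end] that deserve a manual look."""
    hits = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # not a request line in the assumed format
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        if not start <= when <= end:
            continue  # outside the install-to-hack window
        path = target.split("?", 1)[0]
        reasons = []
        if path.lower().endswith(".php") and path not in EXPECTED_PHP:
            reasons.append("unexpected script")
        if method == "POST":
            reasons.append("POST")  # requests that send data: logins, uploads, edits
        if reasons:
            hits.append((when, ip, method, path, status, ", ".join(reasons)))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [09/Sep/2013:07:05:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2013:07:06:02 +0000] "POST /index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Sep/2013:07:31:40 +0000] "POST /cache/x.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.4 - - [08/Sep/2013:23:00:00 +0000] "GET /old.php HTTP/1.1" 404 0 "-" "-"',
]
START = datetime(2013, 9, 9, 7, 0, tzinfo=timezone.utc)  # constructed: install time
END = datetime(2013, 9, 9, 8, 0, tzinfo=timezone.utc)    # constructed: hack noticed

if __name__ == "__main__":
    for hit in suspicious(SAMPLE, START, END):
        print(*hit)
```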

blockhead

Cheers for the reply, I will investigate, are there any guides that tell me exactly what I am looking for?

I had the host nuke the site so according to them it is just like a brand new site. When they did that I installed an smf forum and then nothing else. I only have the one site on the server with no mods added. I am running 2.0.5.

My plan was to slowly reintroduce everything to see if I could discover if it was a mod causing my original problems or if my database was compromised.

Arantor

I'd check that *your* computer isn't compromised too.
Holder of controversial views, all of which my own.


Illori

or using the same cpanel/ftp username and password over and over again. if they have your ftp info they can do just about anything.

blockhead

I have been, mate, constantly. It's doing my head in.

How do I get the server logs? Is it through my host or my forum?

I want to make sure I am looking in the right place.

Cheers

Illori

you want to be looking at your access logs, there may be a section to access them in your host's control panel. if you don't see the option ask your host. [it may require connecting to ftp with a different username]

blockhead

Got my access log and I can't open it. It is apparently a dos program and both my pcs won't open it. Is there another way?

Illori

it is a .log file but any text editor can open it.

blockhead

for some reason mine is a .com file but I have now found something that opens it. Now I just have to find out what I am looking for.

blockhead

Can anyone advise me on what I am actually looking for in the access log please?

Are there any keywords that will tell me someone has made changes?

Sorry for being a pain but programming isn't my thing (you've probably guessed that).

Kindred

If you can send the log to security at simplemachines.org, our devs will take a look through it.