My Forum is hacked.. Expert's Help needed

[danishj]

Hello,

My Forum is hacked, Someone has add google adscense in index.php page. I removed and he did again with the warning msg that if I will remove his add again he will shutdown my website.. lolz

I don't know how he got access to index.php page? well meanwhile here is a strange issue with the forum it's giving error

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

Please help me step by step for getting out of this strange issue.
forum: www.goodmorningpakistan.com

Thanking you
Danish

[Dem0n]

It seems that your host has either caught this person, and shut down the connection to the database, or your webhost server is/was busy at the time you got that message.

Contact your host.

[rommul]

check if you still have settings.php file and the dimensions is not zero (0)

if so just copy settings_bak .php as settings.php

[danishj]

Friend my webhost server is not busy and i change setting.php. there is some other issue.. what should I do?

[riker]

You could also find his adsense Id and report the hacker!

[JimM]

Contact your host.

The advice given by DemOn is right on target.  Nothing much we can help you with until you can gain access to your database.

[danishj]

Reporting the hacker is the good Idea.. Let me let access to database then I'll get back to you people again.. Thank You

[Adish - (F.L.A.M.E.R)]

Well the Message of sorry you cannot connect to the database means either your information in settings.php is wrong or the host's MySQL has an issue.

Adding of adsense in index.php would be something that might be related to the host. Does your host have a scheme of adding ads on the accounts they give out.. Mostly on free hosting it is.

Checking out with the host is the best thing you can do after all. Best of Luck!.

[LOADING...]

Access settings file via FTP and make sure you have the right data inserted 

[master2oo8]

Maybe the hacker has deleted your database?

[danishj]

Hello, I restored everything from backup. I have solved to database connection problem. New there is some template issue. Please check it out.

http://www.goodmorningpakistan.com/

[JimM]

Have you made any edits to the template lately?  If you used FTP to restore files, you may need to do it again and make sure it is successful.

[Adish - (F.L.A.M.E.R)]

Template Parse Error!
It seems something has gone sour on the forum with the template system. This problem should only be temporary, so please come back later and try again. If you continue to see this message, please contact the administrator.

some template error.... revert to default might help...

[swtdivalove]

If you need to report hacking attempts on your site, to include threats, there is a site for this.

But, you must be warned that they take this very seriously.

Internet Crime Complaint Center

Quoted directly from their site:

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

[master2oo8]

If you need to report hacking attempts on your site, to include threats, there is a site for this.

But, you must be warned that they take this very seriously.

Internet Crime Complaint Center

Quoted directly from their site:

The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).

Will not help, clever hackers use proxies.

Template Parse Error!
It seems something has gone sour on the forum with the template system. This problem should only be temporary, so please come back later and try again. If you continue to see this message, please contact the administrator.

some template error.... revert to default might help...

Can you change Template to standard theme? Install your Theme new or download SMF and replace template files and install your mods new.

[danishj]

Hello,

I'm confused I don't know how to repair it.. anyway Finally I'm going for new installation. Will you guys help me to connect with installation with old database? I have database backups of different dates in ".gz" format

waiting...

[swtdivalove]

Usually it's just some kid with no parents at home...  Real hackers use proxies, but kids at home aren't that smart enough to manage something as sophisticated as a proxy.

Kids lack the cognitive ability to distinguish between right and wrong.  They will hack a forum because it is something they see that they can do.

However, reporting it 'DOES' help.

Personally, I would like to see someone on the team that can hack into SMF to help in making SMF much more secure.  SMF is secure, but there is always room to improve upon it.

[danishj]

My Question is still there.. I have backups of database.. Should I go for new Installation if it is possible to connect it with old database?? one more thing.. my previous SMF was 1.1.4 or old.. Now I'm going to install 1.1.7.
I hope there is no database compatibility issue?

[swtdivalove]

There are some minor changes...  You may want to install 1.1.4 before you upgrade to 1.1.7.  Or at least install 1.1.6 first, then upgrade to 1.1.7.

[taha116]

AWww....i feel extra bad 4 u, why?
1 Cuz im Paki
2 Cuz I hate hackers
3 Cuz the guy who hacked didnt get the wooping someone should give him


I had same troubles with backups and cpanel, that pisses me off i know someone who just used adobe to make a great manual instialtion of SMF video should i ask him to do one for backups?

[greyknight17]

Guys, please don't reply unless it helps the user's problem. The staff at SMF do find security holes and try to get them fixed as soon as possible. Keep in mind that they can't find every single exploit. That's why we advise that all users who believe they are hacked and it may be related to SMF code to file a Security Report.

danishj, just upload a new set of SMF 1.1.4 files to your SMF folder on the server. Then use repair_settings.php and make sure that the database information is correct. Then click on the Recommended values. Save the changes. That should restore your forum back to working order. Delete the repair_settings.php file once you are done.

You may then go to Admin > Packages and you should see a link for an update to 1.1.5. Install that update. Then go back to Packages and install another update for 1.1.6....then 1.1.7.

[danishj]

thank you greyknight17 for your kind advise.

I just copied very old backup of my forum and now its working. now there are 2 issues I'm faceing.

plz help me to solve one then I will ask you the other one.

problem is with topics links. they are not working please check out

www.gmpak.com

lot of thanks

[danishj]

should I do something with repair_setting.php?

[JimM]

Then use repair_settings.php and make sure that the database information is correct. Then click on the Recommended values. Save the changes. That should restore your forum back to working order. Delete the repair_settings.php file once you are done.

I'm sure greyknight17 will be along today but from his instructions, yes you need to run repair_settings.php as your next step.  Congrats on getting your forum back.

[danishj]

yoo I'm done with url setting. Thanks Every one..

Now the final and major issue.

Before the hack attack I was having more than 20 new fake members registration daily and they were doing porn stuff posting in political topic. Now after 20 days I start forum again and in 15 mins there were 4 new member and they posted porn stuff in same board. Now I've enable the member approval option now There are 20 members awaiting approval. they all have ip address from different countries. I'm afraid that if I'm not giving them approval then why are they registering again and again.. It seem like someone is using automatic registration and posting software.. if there is any.

Plz tell me how to get rid out of this problem?

[JimM]

You may then go to Admin > Packages and you should see a link for an update to 1.1.5. Install that update. Then go back to Packages and install another update for 1.1.6....then 1.1.7.

This would be your next step.  Once you get to 1.1.7 there is an outstanding mod that will go along way to getting rid of your spammer problem.  Right now you need to get updated.

Note to admin or mod - this should not be in the 2.0 Support area as the board concerned is 1.1.4.

[taha116]

No problem, use censored words feature and cut out words often used in those type of posts (I should not really say them  )
Even if the put images if the link has those words it wont work. You can use IP Banns on members who are actually doing it and if it continues skip IP Bans cuz it could be jsut one or a couple hackers tricking your server and giving IPs of other people.


Just open the Mod site and search for  "Spam" & "Register" and realted Mods and you will probably get alot of good results