Forum got Hacked Need some advice please.

Started by dragonflyuk, June 16, 2010, 09:25:04 AM

I have been using SMF for a long time now and for some reason over the past week I have been hacked by some Saudi hackers  :o >:(

I would like a little advice please. I am planning on reinstalling my forum from scratch with a fresh install of the SMF forum package. Not saying that it was not up to date anyway, but I am going to start afresh just in case.

I would like to know please how do I backup all of my forums and categories. I am not interested in the plugins or users or posts just the forum categories etc as I do not want to start to build my forum all over again.

Also please. Are there any tips to making the smf forum a lot more secure to stop or prevent hackers from finding and accessing my forum please.

Thanks all in advance.
Kind Regards


I got hacked also on my past forum. Luckily the hacker was nice (if that's even possible)... he gave me a contact email and I emailed him and he gave me a back up of all my files and told me how he was able to intrude my site.

Not sure what your case might be, but the guy told me that if you allow users to change their theme, then they can upload a script into a .PNG image and do something so that they can access admin panel >< IDK, I'm not a hacker, but I just changed settings so that no one could change Theme and he said that would fix it.


What SMF version were you using when you got hacked?
If you used an SMF RC version then it is likely someone exploited one of the many bugs that have yet to be fixed.
For your backup, go to your backup option in cpanel. If you're going to stay on the same server, then just delete or rename your hacked forum folder and then extract a new forum package there and link it back to your existing db using the repair_settings.php file.

@m33rra thanks for this info. I am using only 2 different themes on my forum and I allow my members to choose either of these 2, so I'm wondering if I should only allow one theme? Or did you allow your users to actually upload and/or edit the themes? I'm not sure I understand exactly what you mean, so please elaborate, if you can. :)


I was using the smf version 1.1.11

Thanks for the theme tip.

I am not into emailing hackers and I doubt they would tell me how they got in. I must confess it was good of them to tell you how they managed to hack your forum.

All I want to do is to back up the boards details so I don't need to rebuild them.


dragonflyuk, whatever way the hacker/s found to get into your forum, I highly recommend that you report this to the SMF developers, so that a patch can be released for SMF 1.1.12 - the way things are right now, it's probable that all of us are at risk.


Thanks for your reply.

Sadly I will not know, as all files were overwritten with my backup files and I reinstalled the default sql database previous to the hack.

I still do not know how to back up the board details only so I can reinstall a NEW smf forum on my ROOT directory as it is not in a forum folder and start again without having to rebuild my boards manually.
If anyone knows how to do this and would like to explain I would be most grateful. :)



I was hacked also.  The guy hacked the newest version which I recently installed and I used the back up of my 1.1 .. also hacked it. Yes .. he is using the themes weakness .. I tracked him doing it but didn't know how to stop it.  He also managed to get into the rest of my site .. including my shopping cart which is now deleted due to phishing.  There are files installed in the forum file .. believe it or not, its title is hack ... this is part of the contents of one of the files .. used fflush exit exec pipe signal puts print map_errno_location.  As I was tracking this guy .. I did see a lot of the code come up in the last actions boxes ..

I have my forum off line at the moment and I am going through the whole site for more .php files but I don't want to have to delete my forum and everything else.  Is there a way to get this guy out of my site, restore all my files, clean out my data base and not lose any or very little of the forum contents?  I have very little experience in this and no knowledge of the data base so please explain it as basic as possible.

Original poster .. sorry to hear about your hack.  I hope you are able to salvage your forum content too.  Heck .. I'd hate to lose members PM's, log ins and anything else they need or have.  :(

Thank you. 


I have the forum in maintenance mode and yet this guy is still in there .. this is the message I get from the tracking sections.  This guy is using an IP mirror .. Yendex but he is also known to use RIPE and a few more.  Is there any way to get him out?  I have renamed all his hack files and I do not know how he is getting around the maintenance mode.  He is banned, can not log in, register or post yet he is getting round any blocks I put in the way ... help!!!
Quote
8: Undefined variable: bunch of numbers and letters
File: /home/content/h/a/i/mydatabase/html/moosegal/forum/Themes/Aero79_smf11final/Display.template.php (eval?)
Line: 1


you sure he isn't in your server and cpanel and stuff? Then it wouldn't matter what restrictions you placed on the forum.


Quote from: Groovystar on June 17, 2010, 10:24:28 AM
you sure he isn't in your server and cpanel and stuff? Then it wouldn't matter what restrictions you placed on the forum.

I don't know if they are in the CPanel but I know they are much further up the chain than the forum.  I am in the process of backing up as much content as possible and we are going to have to delete the forum and database.  My computer has been scanned at two online virus scan sites, I ran my own hjt and will have one of the crew from the pitstop take a better look at it and I have scanned my computer with my own antivirus and all four malware programs I have on it.  Unless someone from the pit sees something I missed in the hjt ... I can confidently say my computer is clean.

Now I thought about the log in for my ftp .. but I have access to over 20 sites and moosegal seems to be the only one having trouble.  Moosegal does not share the same data base as the others and only a few sites have the same hosting.  o.O  My guess .. point of entry is from the forum.

I will need to make sure that after we install a new and clean version of SMF this guy won't be able to come in.  If there is a hole, then there must be a patch.

Anyone know of an easier and faster way to copy the content and messages from the forum?


I think you are just doing things without really thinking it over. I am of the same opinion as what Groovystar said. Check your Cpanel and CHANGE all the passwords to your host.
As for SMF getting hacked, the only way that I've read it being done, is if you allow your members to change themes. There is a simple way to fix that and you already know it.


The boards and topics are in your database. The only way to save them is to keep a regular backup of your database.
The boards are in smf_boards, the topics are in smf_topics, and the posts are in smf_messages. Those are also intertwined with smf_members and several other tables (posting member id, etc.).
If you have a backup from before the hack, then all of your boards, topics and posts can be restored.
Instead of rashly overwriting a hacked forum, it may be wise to copy off all the files to a separate location first, so they can be studied, and then fresh files installed.
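
Added example, not part of the original post and not SMF's own tooling: one way to study a copied-off forum tree as suggested above, by comparing it with a freshly extracted package and flagging PHP hidden in image files (the theme/.PNG route mentioned earlier in the thread). The directory layout and file contents in `demo()` are constructed; on a real forum, Settings.php and installed mods will legitimately differ from the stock package.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".gif", ".jpg", ".jpeg"}
PHP_TAG = re.compile(rb"<\?php", re.I)
# Calls worth reading by hand when they show up in a new or changed file.
RISKY = re.compile(rb"\b(eval|base64_decode|gzinflate|exec|system|passthru|shell_exec)\s*\(", re.I)

def manifest(root):
    """Map forward-slash relative path -> file bytes for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def triage(suspect_root, clean_root):
    """Compare a quarantined forum copy with a fresh package; return sorted findings."""
    clean, findings = manifest(clean_root), []
    for rel, data in manifest(suspect_root).items():
        ext = Path(rel).suffix.lower()
        if ext in IMAGE_EXT and PHP_TAG.search(data):
            findings.append((rel, "PHP tag inside image"))
        if ext != ".php" or clean.get(rel) == data:
            continue  # not PHP, or identical to the stock file (stock eval() included)
        status = ("PHP file differs from clean package" if rel in clean
                  else "PHP file not in clean package")
        if RISKY.search(data):
            status += " and calls a risky function"
        findings.append((rel, status))
    return sorted(findings)

def demo():
    """Build two tiny constructed trees (not real SMF files) and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {  # constructed sample content
            "clean/index.php": b"<?php echo 'forum'; ?>",
            "clean/Themes/default/Display.template.php": b"<?php function template_main() {} ?>",
            "bad/index.php": b"<?php echo 'forum'; ?>",
            "bad/Themes/default/Display.template.php": b"<?php eval($injected); ?>",
            "bad/Themes/default/images/logo.png": b"\x89PNG\r\n<?php echo 1; ?>",
            "bad/hack.php": b"<?php echo 'placeholder'; ?>",
        }
        for rel, body in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return triage(Path(tmp, "bad"), Path(tmp, "clean"))
```

A hit is a lead for manual review, not proof of compromise; run it against the copy, never the live web root.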


I'm not sure how you all are mysteriously getting hacked but you should definitely report it to any online SMF developer, thus helping the rest of the users maintain a secure forum. The next release they should have patched this (whatever the problem is).

I haven't had any hacking attempts to my forums or anything related to that. You may be infected with a keylogger or Zeus (botnet) or some type of rootkit. If you've downloaded any software that was suspicious and when you installed you possibly got an error or it just simply didn't install this could be the launch of malicious content on your computer.

These so called "hackers" could easily gain access to your forums by simply looking at all your saved passwords on your browser and all your recent keystrokes and recent web pages. Bot nets usually trigger when you are on a certain website. Let's say they wanted to get into a paypal account, they would make it so when someone loads the PayPal webpage, the botnet or keylogger simply starts gaining data and keystrokes thus getting your account information quickly and easily.