My forum has been hacked

Started by futeball, June 25, 2011, 07:00:05 AM

futeball

My forum has been hacked today. I'm using SMF 1.1.14. The front page (index.php) has been altered.

Here's the link to my forum http://4aeoc.net

Need help on how to overcome this problem in the future. Just upgrade to latest smf version. How did they manage to exploit/hack the forum?

I have backup of my database. How do I reload it?

I'm afraid to login using admin account coz afraid they put sniffer or trojan horse on the forum to capture my password.

All help is highly appreciated. TQ.

futeball

Just found out all username accounts do not exist.

Illori

do you have any other php apps on your server?

Restoring a Database

futeball

My webhosting server using cpanel and have phpmyadmin apps.

Is there by any chance to recover my forum without loading the backup database?

Illori

you can ask your host to restore a backup. also let them know of the issue, sounds like someone else on your server got hacked and it let them get access to your files as well.

futeball

I think they only hacked through the forum database or php exploit using remote exploit. IMHO, I don't think they hacked through the webhosting server coz they didn't change any password or username of the webhosting server login.

Illori

they don't always change passwords

JBlaze

Quote from: futeball - June 25, 2011, 07:46:18 AM
I think they only hacked through the forum database or php exploit using remote exploit. IMHO, I don't think they hacked through the webhosting server coz they didn't change any password or username of the webhosting server login.
Most likely they exploited a weakness in your server's software. This allowed them to gain full access to all data on your server.

Talk with your webhost and ask to see the latest access logs.
Jason Clemons
Former Team Member 2009 - 2012

futeball

Is it possible this is a security issue relating to the latest smf 1.1.14 version? Maybe the hackers have found a security vulnerability in smf 1.1.14.
I will try to check the server log if there is any intrusion on the server side. If no intrusion detected, surely they hacked thru smf forum using tools like php exploit or avatar/attachment exploits (I googled it to get info on remote exploit on SMF).


Illori

those hacks have been fixed in prior patches. ask your host to look into it first.

futeball

Quote from: Illori - June 25, 2011, 08:03:30 AM
those hacks have been fixed in prior patches. ask your host to look into it first.
glad to hear that. will update soon on hosting logs.

thanks for the superfast reply. you guys did a good work here. :)

futeball

sad to hear that my webhosting doesn't keep the latest access log.

just found out that only username & realname of all user accounts have been changed by the hackers in database.
other database is untouched and safe.

Did they hack thru the folder permission or remote directly to mysql database connection? how do i prevent this exploit? any suggestion to patch it would be grateful.


Illori

sounds like an issue with server security and not really an smf issue

futeball

they hacked thru php/sql and got mysql password. then he entered mysql server to alter the smf_members database.

futeball

i got some raw logs...

Quote:
115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/default/script.js?fin11 HTTP/1.1" 200 13506 "http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/ClassRedTP1/chrome.js HTTP/1.1" 200 5038 "http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"

any comment?

lorth

zonehmirrors.net is just a showcase where "hackers" display what they have done.
these accesses are not bad, they are just from the copy hosted over there.
this is not related to the real break-in.
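
The triage described in the post above, as an added example that is not part of the original thread: it parses combined-format access log lines and sets aside static-file fetches referred from another site (such as the mirror copy), leaving the remaining entries for review. The static extension list, the www. host variant and the last three sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Apache "combined" log format, the format of the lines posted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
STATIC_EXT = (".js", ".css", ".png", ".gif", ".jpg", ".ico")  # assumed list
OWN_HOSTS = {"4aeoc.net", "www.4aeoc.net"}  # host from the thread; www. is assumed


def triage(lines):
    """Return (offsite_static, review): static GETs referred from another site
    (a copy hosted elsewhere loading this server's assets), and everything
    else, including lines that do not parse."""
    offsite_static, review = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            review.append({"raw": line})  # never drop unparsed lines silently
            continue
        e = m.groupdict()
        ref_host = urlparse(e["referer"]).hostname or ""  # "-" gives ""
        path = e["path"].split("?", 1)[0].lower()
        is_static = e["method"] == "GET" and path.endswith(STATIC_EXT)
        is_offsite = ref_host != "" and ref_host not in OWN_HOSTS
        (offsite_static if is_static and is_offsite else review).append(e)
    return offsite_static, review


UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"
MIRROR = "http://zonehmirrors.net/defaced/2011/06/24/4aeoc.net/"
# First two entries are the lines from the thread; the last three are constructed.
SAMPLE = [
    f'115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/default/script.js?fin11 HTTP/1.1" 200 13506 "{MIRROR}" "{UA}"',
    f'115.134.92.84 - - [28/Jun/2011:20:35:21 +0800] "GET /Themes/ClassRedTP1/chrome.js HTTP/1.1" 200 5038 "{MIRROR}" "{UA}"',
    '192.0.2.10 - - [24/Jun/2011:03:10:02 +0800] "GET /index.php HTTP/1.1" 200 20480 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [24/Jun/2011:03:12:45 +0800] "POST /index.php?action=login2 HTTP/1.1" 200 5120 "http://4aeoc.net/index.php" "ExampleAgent/1.0"',
    'truncated line',
]

if __name__ == "__main__":
    offsite, review = triage(SAMPLE)
    print(len(offsite), "off-site static fetches;", len(review), "entries left to review")
```
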

futeball

Quote from: lorth - June 28, 2011, 01:22:30 PM
zonehmirrors.net is just a showcase where "hackers" display what they have done.
these accesses are not bad, they are just from the copy hosted over there.
this is not related to the real break-in.
i'll try to dig more on the access log.

I set my forum under maintenance mode. When I changed mysql password and saved it, i can't access my forum anymore.
Here are some screenshots of my forum.

Illori

did you change the password in settings.php?

futeball


Illori

if you changed your database password you must change it in settings.php as well.
