Help an idiot?

Started by Mattioson, May 18, 2013, 12:57:40 PM

Mattioson

Hey guys, I'm pretty rubbish at this SMF stuff, I think I know my stuff then I come across an issue I don't have a clue about and basically I need you actual smart SMF people to help me out,

I'm running a forum which version is 2.0.4 - However, now it's been attacked and I keep getting this link come up when I try and log in to my forum
.wpcentral.com/sites/wpcentral.com/files/postimages/15741/microsoftstoreindiaevilhacked.jpg/index.php?action=login2

As you can see it's basically just rubbish, the actual link of my forum is
.mpmservers.com/KickBackHD

That link works for me but I just can't log in, when I try to I get the first link pop up, I honestly don't know what to do to get rid of this, if any of you can help me I'd be very grateful!

Kindred

you need to work with your host to find and remove all of the infected files.

you can start by deleting and replacing **ALL** forum files and directories (except for settings.php and the avatars and attachments directories) with clean copies
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Mattioson

How does one go about getting those files again?

mashby

Grab the large upgrade package from here.
http://download.simplemachines.org/
Quote: **ALL** forum files and directories (except for settings.php and the avatars and attachments directories)
Always be a little kinder than necessary.
- James M. Barrie

MrPhil

Scan your PC (the one you use to do administrative access to your site) for spyware and viruses. Once clean, change all your passwords (hosting account access, FTP, SMF admin account, etc.). Enable your PC firewall. Erase all files except those listed previously (and Settings_bak.php), and replace them with files from the Large Upgrade package (zip file). Eyeball the Settings.php and Settings_bak.php files (not erased) and compare them against fresh copies from the Install package (zip file) to make sure they haven't been tampered with. Make sure the vanilla forum now works. Re-install your mods one at a time. Do you have any other software installed on your site/account? Make sure it's totally up to date too. Google for reports of security problems on your other software, and remove that software if it's known to be a security problem. If hackers still get in after all this, your host is insecure and you should change to another host.

Add: You haven't done something stupid like set your permissions to 666 or 777, have you? That would let anyone sharing your server overwrite your files, and in some cases may permit someone from the Outside World to do the same.

Mattioson

It's only SMF I have on here. With the index files, do I need to replace them each individually also?

Thanks again for the responses!

And I'm not even sure on the permissions part, I don't think I have lol

MrPhil

The index.* files would have to be replaced (refreshed) along with everything else. It's important to remove ALL files except for the Settings (which contains your configuration) and the user-uploaded avatars and attachment files (which are more or less irreplaceable, at least by you). The two Settings files need to be inspected to see if a hacker messed with them. There should be .htaccess files which minimize the chances of malicious code in the avatars and attachments being run (as well as the hashing of their names, which should keep anyone from even trying to run them).

You need to learn how to find the permissions and ownership of your files. Ask your host if you have no idea how. It will be different between Linux servers and Windows servers.

Mattioson

Hey, now I get this after doing all the files (apart from the ones you told me not to do)

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

Any ideas?
Thanks again for the help!

Colin

Make sure that your mySQL database settings are correct. SMF is unable to connect to your database service.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Sir Osis of Liver


The upgrade package includes a generic Settings.php file.  If you didn't save your Settings.php before uploading the clean files, and overwrote Settings.php, your forum cannot connect to the database because all the db info is in that file.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Colin

Repair settings can help make it a bit easier to change settings for you too.


What is repair_settings.php?

Kindred

Krash,

No... the upgrade package does NOT include settings.php.... that is why we tell people to use that bundle....
Only the full install package includes settings.php


Mattioson,

when you deleted the files and folders, you did NOT delete Settings.php, did you?

Mattioson

That is correct, I only replaced the files you guys suggested, didn't touch any of the 'settings.php' ones or any attachments etc

Kindred

well, it would appear that you did...   since - if you had not touched Settings.php, the db connection would still be there (unless your host is having problems?)


Just to confirm - you are using mySQL as a database?
If so - at this point, use repair_settings.php to re-set your database connection info.

Mattioson

I've done that but when trying to connect to the forum still getting the same issues :(

Kindred

you have done what?

If you use repair_settings.php and it did not give you any connection errors in that, then something is very very very very wrong with your system, since repair_settings.php uses and updates Settings.php

MrPhil

Might the hacker have pointed you to a different database (changed Settings.php), or otherwise done something to mess up your database? Can you go into phpMyAdmin and see that your database still exists (under the right name) and appears to have the normal SMF content? If possible, can you check that the user and password defined for SMF usage is still valid, and matches what Settings.php has? It's possible that you'll have to create a new "user" and password and grant them the correct database privileges, and update Settings.php with this information, but try everything else first. Could your host have done something to stop the hacked forum from accessing the database, and forgotten to restore your access?

Mattioson

I've done it, corrected everything that was incorrect, but it shows me at the top that it's not showing me all options because some options are incorrect,  (I am referring to the repair settings) Not quite sure what else to do! (Got work soon so my next reply might take a while thanks for all your assistance though)

(MrPhil will try your idea out when I get back from work)

Sir Osis of Liver

Quote from: Kindred on May 19, 2013, 08:52:25 AM
Krash,

No... the upgrade package does NOT include settings.php.... that is why we tell people to use that bundle....
Only the full install package includes settings.php

Yes, I've been corrected on that by a senior lurker.  Usually use the upgrade package to clean up my test forums, but recently used the install package and overwrote my Settings.php :P


Sir Osis of Liver


Some hacks will prevent some servers from deleting or overwriting an infected file (I've seen this twice), so unless you check to confirm that all files are gone, the hack will still be there after you reload forum files.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
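
An added example, not code from the thread or from SMF: one way to confirm that the reload actually took, and to check the permissions MrPhil asks about. It compares the live forum tree against an unpacked clean package and reports files that differ, files that are not in the package at all, and world-writable files. The function names and the sample trees built in `demo()` are constructed for illustration; the kept paths are the ones named in the thread.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

KEEP_FILES = {"Settings.php", "Settings_bak.php"}  # kept; inspect by hand
KEEP_DIRS = {"avatars", "attachments"}              # user uploads; kept

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Compare a live forum tree with an unpacked clean package."""
    report = {"modified": [], "extra": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(live_root):
        if dirpath == live_root:  # uploads have no clean counterpart
            dirnames[:] = [d for d in dirnames if d not in KEEP_DIRS]
        for name in filenames:
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, live_root)
            if os.stat(live).st_mode & stat.S_IWOTH:  # e.g. 666 or 777
                report["world_writable"].append(rel)
            if rel in KEEP_FILES:
                continue
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                report["extra"].append(rel)     # survived the delete
            elif sha256(live) != sha256(clean):
                report["modified"].append(rel)  # was not overwritten
    return {key: sorted(paths) for key, paths in report.items()}

def _write(root, rel, data, mode=0o644):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(mode)

def demo():
    """Constructed sample trees; file contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            _write(root, "index.php", b"<?php // clean\n")
        _write(live, "index.php", b"<?php // altered\n")          # differs
        _write(live, "Sources/cache.php", b"<?php // unknown\n")  # not in package
        _write(live, "Settings.php", b"<?php // config\n", 0o666)
        _write(live, "attachments/1_hash", b"upload")             # skipped
        return audit(live, clean)
```

On a real site, point `audit()` at the forum directory and at the unzipped Large Upgrade package; anything under `modified` or `extra` after a reload is a file the server did not actually replace or delete.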
