My forum got hacked!

Started by PokémonS, June 21, 2013, 12:13:30 PM

MrPhil

BEFORE changing passwords (host control panel access, FTP, SMF Admin account, database, etc.) you MUST scan your PC for spyware (especially keystroke loggers and password sniffers). You also should be running a FIREWALL on the PC, so that if spyware is sending your passwords to a hacker, at least you have a chance of learning about it, if not outright blocking it.

Do you have anything besides SMF on this account? Are you keeping it up to date? Are you listening in on its discussion groups to see if exploits are known?

PokémonS

Okay,

The hacker emailed me; he said that he used a symlink to hack our forum, which has base64_decode enabled and mod_security disabled. I have forwarded that email to the host; they said the only solution is to change the chmod (file permission) of SMF's Settings.php and Settings_bak.php to 0400, so the hacker cannot see the db's user and pass (the hacker never edits our files, only the database). Also, I have changed all passwords such as database, admin, cPanel, etc. I have to do it since 3 days ago and it seems our forum is back to normal.

He emailed me again to congratulate us on our revived forum.
And the hacker also said that there is no vulnerability in SMF.

Thx all and sorry if you worried about this problem.
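Let's hold hands, you and I, all the more when times are hard
Let's start from zero, come on, come on, let's hold hands
Let's all hold hands, all the more when times are hard
Let's join our strength, come on, come on, let's hold hands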

Kindred

ummmm.... no.

Your host is full of BS.

If the hacker actually used a symlink hack... that means that your HOST is running an outdated and insecure version of Apache.
The FIX for that is for them to update Apache and cPanel.

http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
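
The two checks this exchange suggests an account owner can run on their own files, as an added example that is not part of any poster's message: confirm Settings.php and Settings_bak.php grant nothing beyond the 0400 the host recommended, and list symlinks in the forum tree that resolve outside it. The directory layout and link names in `demo()` are constructed sample data.

```python
import os
import stat
import tempfile

SETTINGS_FILES = ("Settings.php", "Settings_bak.php")  # the files named in the post

def audit_settings(forum_dir, wanted=0o400):
    """Return {name: mode} for settings files that grant more than `wanted`."""
    loose = {}
    for name in SETTINGS_FILES:
        try:
            st = os.lstat(os.path.join(forum_dir, name))
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        # A settings file that is itself a symlink is flagged as well.
        if stat.S_ISLNK(st.st_mode) or mode & ~wanted:
            loose[name] = mode
    return loose

def escaping_symlinks(root):
    """Return (link, target) for symlinks under root that resolve outside root."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    found.append((path, target))
    return sorted(found)

def demo():
    """Build a constructed tree (hypothetical names) and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        forum = os.path.join(tmp, "public_html", "forum")
        other = os.path.join(tmp, "other_account")
        os.makedirs(forum)
        os.makedirs(other)
        for name, mode in (("Settings.php", 0o644), ("Settings_bak.php", 0o400)):
            path = os.path.join(forum, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(path, mode)
        outside = os.path.join(other, "Settings.php")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(forum, "x.txt"))            # leaves the tree
        os.symlink(os.path.join(forum, "Settings.php"),
                   os.path.join(forum, "inside.lnk"))                # stays inside
        links = [os.path.basename(p) for p, _ in escaping_symlinks(forum)]
        return audit_settings(forum), links
```
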

MrPhil

Quote from: PokémonS on June 28, 2013, 02:42:58 AM
> Also, I have changed all passwords such as database, admin, cPanel, etc. I have to do it since 3 days ago and it seems our forum is back to normal.

One avenue of attack is to plant spyware on the PC you use to administrate your site, and grab your passwords. Be sure to run an antivirus/antispyware utility to make sure you have no password sniffers or keystroke loggers (spyware). If you do, after cleaning them out, change your passwords again.