
Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM


kat

I believe most of those mods have been around for yonks. I'd be very surprised if any of those are the problem.

Your host needs to either put-up, or shut up, it seems, to me. ;)

Kimmie

Yeah all those mods I have had installed since 2011 with the exception of the treasury mod. I installed it back in May of this year.

Illori

It seems to me that whoever hacked your forum either did it via a user account [that had admin access] or from the database; either way could be obtained by uploading files to your server and telling it to give them permissions or execute SQL queries. So far you said no files were uploaded, so no real way to know what has happened. Your host should be able to research the access logs to determine what is going on.

Kimmie

Quote from: Illori on December 27, 2013, 08:16:25 AM
It seems to me that whoever hacked your forum either did it via a user account [that had admin access] or from the database; either way could be obtained by uploading files to your server and telling it to give them permissions or execute SQL queries. So far you said no files were uploaded, so no real way to know what has happened. Your host should be able to research the access logs to determine what is going on.


The first two times my site was hacked (by the same group) they always announced their presence right before they did it so I knew who they were and removed those accounts and banned the info as soon as I had things back up and running. I also checked all accounts that registered right before and after them and as far as I could tell, those were ok. After that I also had around 7-8 people (I assume to be bots) register and post that dumb advertising stuff (cheap meds in Canada, etc.) and all those accounts have been removed as well as the IPs banned.

And you know, now that I say that out loud, I remember looking at my htaccess file yesterday and there are no IPs listed there as being banned. And IP Deny Manager is telling me there are no IPs being blocked.

Man, this just keeps getting better..lol  (end sarcasm)

Illori

Then maybe someone hacked your host's control panel... you should change your password and the password for any FTP accounts you may have [or better delete them].

Kimmie

Delete those passwords? Or do you mean the FTP account? Not sure what you mean by that.

I have been changing those pw's once a week since the first time I was hacked and I use really long complex pw's (10-15 characters in length, using all sorts of different things). Perhaps I need to up it to 20.

I am paid up with this host through the 18th of Jan and I have already found a few prospective new hosts so for now, I am going to sit tight and see what kind of response I get from them today on this.

Off to work for now. Have a good day guys and thanks again for all the help/feedback. With each and every reply you make, I learn. :)

Illori

Delete the FTP accounts if you don't change the passwords for them.

Are you by chance writing down your password as you are changing it too often to remember?

Storman™

I don't wish to be funny but we could surmise until the cows come home  ::)

There are 1001 ways to hack a server if a vulnerability exists somewhere.

If SMF is installed correctly with the correct permissions AND it sits on a server where all the software is up to date AND correctly configured then generally there shouldn't be a problem. On a shared hosting account you only have control over the former so you rely on your host for the rest. Like Illori says, ensure you employ good practice with ALL passwords and ensure the permissions on your files are correct. The rest is down to your host.

Far too many hacks happen because a server is running on older deprecated software or the admins lack the knowledge to configure it correctly. Obviously your host isn't going to admit that to you but sadly it's all too often true.

If you do decide to stay with your host, maybe ask them to migrate you to a different node. It would give you partial peace of mind if a vulnerability exists on the current one. If they won't (or can't) do that then you don't have a competent or viable host.

Storman™

Oh, and as another snippet of info for you, your host is running vBulletin 3.7.2 as their forum support software.

That version is from 2008 (yep 2008) and it has known vulnerabilities and exploits. In effect it hasn't been updated since it was built. So they don't even update the software that's running on their own website  ::)

In my mind that's sloppy and sums up their overall outlook.....

You decide....

Arantor

Yup, the current version of vBulletin 3.x is 3.8.7-pl2 if I'm not mistaken, but they're up to version 5 these days...

Kimmie

Now they are blaming ME

"We are not blaming your SMF software at all? You get us wrong june.. There a hole is in your account since you got hacked several time and restoring your account simply restore it with the hole still in there allowing the same "hacker" to continue."


And I have still not heard one word of HOW the attacks happened.

I have had it with these MORONS! I have found a new host and will be moving there as soon as my time is up on this one (the 18th).

Kimmie

"I'll go ahead and disabled your account, move it into a fresh one and scan it for you this isn't something we usually as we requires our client to maintain own "shared" account usually."

Do these people not understand the fact that they had to hack them in order to hack me? How do I have any control over that? lol

kat

Quote from: Kimmie on December 27, 2013, 08:31:39 PM
I have found a new host and will be moving there as soon as my time is up on this one (the 18th)

Good plan. :)

Kimmie

Question: If they put me on a new server, wouldn't that change the nameservers I have tied to my domains?

Kindred

Probably not... they (in theory) would control the actual name servers, so they would point their entries at your new server - allowing you to leave the DNS pointing to their generic name servers.

Basically, the DNS normally handles the entry into their enclave and then they can redirect anywhere within the enclave from the entry point.

Kimmie

Quote from: Kindred on December 28, 2013, 09:44:59 AM
Probably not... they (in theory) would control the actual name servers, so they would point their entries at your new server - allowing you to leave the DNS pointing to their generic name servers.

Basically, the DNS normally handles the entry into their enclave and then they can redirect anywhere within the enclave from the entry point.


Ok thanks. So is there any way I can verify they actually moved me? They did suspend the site while they did whatever, but I just want to make sure that wasn't for show. I am still planning on moving to a new host on the 18th but that is 21 days away and I want to do whatever I can to make sure nothing else happens between now and then.

busterone

If you have already secured a new host, I would go ahead and move the site there regardless of how much time you have left at your current host. They sound like they are at best incompetent, at worst, well, I can't say what I would like to say here on a public forum.   :D

Storman™

Quote
If you have already secured a new host, I would go ahead and move the site there regardless of how much time you have left at your current host.

+1
