
Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM


Kimmie

Quote from: Krash. on November 17, 2013, 04:11:05 PM

No, don't delete the database.  If you've changed all your passwords, you should be secure, unless your host has been hacked.  Restore the forum backup, update Settings.php so the forum reconnects to the existing database, and see what you have.  If you have a recent db backup, make sure it's in a safe place.


Ok sounds good. Only having to upload the backup sounds easy enough. I keep them all on one of my external drives so they should be pretty safe. I will wait an hour or two and see if I hear back from the host before I do anything else.

If I have any other problems or questions I will let you know.

Again, to everyone who helped out, THANKS!  :D

Kimmie

Not sure if this will help anyone here, perhaps the developers can use this information. This is who hacked me.

https://www.facebook.com/klachnikove.tn

kat

Hmmm... If this had been my forum, I'd not be relying on the current database, myself. Particularly as you said, earlier:

Quote from: Kimmie on November 17, 2013, 02:30:50 PM
the person told me they were going to do it and that they already had my DB (not sure what they meant).

DB=Database. Seems they had it, for a while. They could've put heaven knows what, in there, and put it in place of the current one, perhaps?

He MIGHT not have left anything, there. But, he sure could have. If you want to risk being hacked and having to go through all this, again, risk it.

But, in your place, I have to confess that I wouldn't.

Kimmie

By the looks of their Facebook page and some of their conversations on there, these are professionals. I will probably just wait until I hear back from my host before I proceed. I was able to capture the IP he was using at the time, and even though it is an Egypt IP which is where the site says they are, it could have been masked.

WHY do people do this? I am so frustrated right now.

kat

They're dumb enough to think it's cool.

Heaven knows why, though.

Kimmie

Anyone know what they did to put that video up there? I would like to at least try and get that off while I am waiting on my host

kat

I'd assume that he's messed around with the root index.php file.

Can't be certain, though.

Looks like he's using http://www.youtube.com/player_api That address might be in that file.

Seems it links to this:

http://www.youtube.com/watch?v=Hk9ovX5t7kI

You COULD try getting hold of YouTube, to report this... ;)

Kimmie

Just heard back from the host. The latest backup they have is from the 1st (UGHGGGGGG) but I am going to let them do it because they can do this A LOT faster than I can. Will keep you posted.


Kimmie

Quote from: K@ on November 17, 2013, 05:06:35 PM
I'd assume that he's messed around with the root index.php file.

Can't be certain, though.

Looks like he's using http://www.youtube.com/player_api That address might be in that file.

Seems it links to this:

http://www.youtube.com/watch?v=Hk9ovX5t7kI

You COULD try getting hold of YouTube, to report this... ;)


Video has been reported :)  LIKE 10 times now from several of my site members.

Kindred

Clean files are really the way to go here....
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

kat

Quote from: Kimmie on November 17, 2013, 06:07:13 PM
Video has been reported :)  LIKE 10 times now from several of my site members.

I like your style. :)

Kimmie

Quote from: K@ on November 18, 2013, 07:18:30 AM
Quote from: Kimmie on November 17, 2013, 06:07:13 PM
Video has been reported :)  LIKE 10 times now from several of my site members.

I like your style. :)

8) I am all for putting these people out of business who hack. I know they all cannot be taken down but every little bit helps. So far, that video has been reported 112 times from us, and their Facebook page, about 100 times.


Site seems to be ok so far. I have even changed all my passwords again. I plan on doing that once a month. I also sent in a hack report to SMF. I hope they can figure out how it happened in case they need to put out a fix for the vulnerability. I love the SMF software and want to do my part in helping to keep it safe for everyone not just for my site. :)

Again, I want to thank ALL OF YOU who helped me out with this. You guys came to my rescue faster than I could have hoped and I appreciate that more than you know.


Marking as solved. Here's hoping I never have to go through this again, but if I do, I now know how to try and get it stopped fast and I have you all to thank for that!  ;D

kat

No sweat, mate. Most of us have been there, or thereabouts.

You might want to ask your host about how they got in, because they keep access logs and stuff, which should tell them.

If you have other admins, on your site, you might want to check if they may have leaked stuff.

Kimmie

I only have one other admin, and I trust her with my life. We have known each other for about 12 years now.

My host is supposed to get back to me on what they find in terms of how it happened. Hopefully they can provide me with info that I can then, in turn, give back to the SMF devs.


Kindred

Remember -- your site is only as secure as the accounts and passwords you (and other admins) use.

If you use the same username/password combination across multiple sites -- and one of those other sites gets compromised -- then your site is now vulnerable.

You should always use different passwords between sites - and even between services on the same site (MySQL, cPanel, SMF, FTP -- these should all be using different passwords).

Kimmie

UPDATE TO ME TODAY FROM FACEBOOK::: You reported ‎كـــــــالاشـــــــنيكـــــــوف.TN‎ for harassment.

Status   This page was removed
Details   We reviewed the page you reported for harassment. Since it violated our Community Standards, we removed it. Thanks for your report. We let ‎كـــــــالاشـــــــنيكـــــــوف.TN‎ know that their page has been removed, but not who reported it. Facebook never discloses who submits a report.


Hell hath no fury like a woman scorned!!!


8) 8) 8) 8)


Kimmie

Just got word that "Sinbad's" page has also been removed.


Today is a good day!


(no need to reply, just wanted to update)

kat

As you say, it's shaping-up to be a good day. After what happened, yesterday, I'd class that as a bit of a WoOt! :)

Kimmie

I HAVE BEEN HACKED AGAIN BY THE SAME PERSON!!!!!!  They have not yet changed my main page, but I know for a fact it was them. They changed my email to the same one as before and they have changed both my password as well as removed my other admin's permissions in terms of being able to change passwords, but she still shows up as admin.


Here is what my email shows as



