Site is being hacked as we speak

Started by Kimmie, November 17, 2013, 01:56:01 PM


Kimmie

K I understand.


Off topic.. I keep getting this on "this" site. Perhaps someone needs to be alerted?


kat

Yeah, the tech-heads did an upgrade, or something. It's a lot better than it was, but the poor server still stresses out, poor love. ;)

Ta, for passing that on, though. :)

Kimmie

Welcome :)

I found the program I used way back when I did this once before. I had to use this one to split it because the settings I used to do my backup were wrong initially. There are 3 settings you have to make sure are unchecked or bigdump can't be used. Back when I first started out an old acquaintance was helping me out and told me when I do backups the only thing I was supposed to change was to check the box labeled "Add DROP TABLE", so that is all I have ever done. Not even sure what it does, lol.

Settings that you have to turn off:

Add IF NOT EXISTS
Complete Inserts
Extended Inserts



SQL Dump Splitter is the program I used.
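An added example, not part of the thread or of any of the tools named in it, to show why the export settings above matter to a chunked importer. "Add DROP TABLE" puts a DROP TABLE IF EXISTS before each CREATE TABLE so a restore replaces the live table instead of failing on it or doubling its rows. "Extended inserts" packs every row of a table into one INSERT statement, and a chunked importer like BigDump can only cut a dump at statement boundaries, so a large table becomes a single statement bigger than any chunk it is allowed to read. The dumps below are constructed samples in the shape phpMyAdmin produces with that option off and on; the splitter also honours quotes, so a ';' inside a post body does not end a statement.

```python
"""Added example: statement-boundary splitting of a MySQL dump and why
"Extended inserts" defeats it. Both dumps are constructed samples."""

# Constructed sample: one INSERT per row ("Extended inserts" off).
DUMP_PLAIN = """DROP TABLE IF EXISTS `smf_members`;
CREATE TABLE `smf_members` (`id_member` int NOT NULL, `member_name` varchar(80));
INSERT INTO `smf_members` VALUES (1, 'kimmie');
INSERT INTO `smf_members` VALUES (2, 'kat');
INSERT INTO `smf_members` VALUES (3, 'busterone');
INSERT INTO `smf_members` VALUES (4, 'kindred');
INSERT INTO `smf_members` VALUES (5, 'bob perry');
INSERT INTO `smf_members` VALUES (6, 'chalky');
INSERT INTO `smf_members` VALUES (7, 'semi;colon');
"""

# Constructed sample: the same rows in one statement ("Extended inserts" on).
DUMP_EXTENDED = """DROP TABLE IF EXISTS `smf_members`;
CREATE TABLE `smf_members` (`id_member` int NOT NULL, `member_name` varchar(80));
INSERT INTO `smf_members` VALUES
(1, 'kimmie'),
(2, 'kat'),
(3, 'busterone'),
(4, 'kindred'),
(5, 'bob perry'),
(6, 'chalky'),
(7, 'semi;colon');
"""


def statements(dump):
    """Yield complete SQL statements. A ';' inside a quoted string or a
    backtick-quoted identifier is data, not a statement terminator."""
    buf, in_str, esc = [], None, False
    for ch in dump:
        buf.append(ch)
        if esc:
            esc = False
        elif in_str:
            if ch == "\\":
                esc = True
            elif ch == in_str:
                in_str = None
        elif ch in ("'", '"', "`"):
            in_str = ch
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                yield stmt
            buf = []
    tail = "".join(buf).strip()
    if tail:
        yield tail


def split_dump(dump, max_bytes):
    """Group statements into chunks of at most max_bytes. A statement that
    is itself larger than max_bytes cannot be split any further; it is
    reported separately so the caller knows the chunk limit was broken."""
    chunks, current, oversized, size = [], [], [], 0
    for stmt in statements(dump):
        n = len(stmt.encode()) + 1  # +1 for the newline joining statements
        if n > max_bytes:
            oversized.append(stmt)
        if current and size + n > max_bytes:
            chunks.append("\n".join(current))
            current, size = [], 0
        current.append(stmt)
        size += n
    if current:
        chunks.append("\n".join(current))
    return chunks, oversized


if __name__ == "__main__":
    # Chunk limit: just big enough for the largest statement of the plain dump.
    limit = max(len(s.encode()) + 1 for s in statements(DUMP_PLAIN))
    for name, dump in (("plain", DUMP_PLAIN), ("extended", DUMP_EXTENDED)):
        chunks, oversized = split_dump(dump, limit)
        print(f"{name}: {len(chunks)} chunks, {len(oversized)} unsplittable statement(s)")
```

With the row-per-INSERT dump every statement fits the chunk limit; with the extended dump the one big INSERT cannot be cut at all, which is the failure the thread describes. "Complete inserts" only adds the column list to each INSERT, but it inflates every statement, so turning it off keeps chunks small too.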

Bob Perry of Web Presence Consulting

Quote from: Kindred on November 17, 2013, 02:48:28 PM
Also, your Cpanel password and access should have nothing at all to do with your smf admin access....

unless you used the same username and password for both? (if so, naughty... don't do that)

I'd change my FTP and database passwords too...
Best Regards,
Bob Perry



"The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it." Elbert Hubbard

Kimmie

Quote from: Bob Perry on November 30, 2013, 05:50:14 PM
Quote from: Kindred on November 17, 2013, 02:48:28 PM
Also, your Cpanel password and access should have nothing at all to do with your smf admin access....

unless you used the same username and password for both? (if so, naughty... don't do that)

I'd change my FTP and database passwords too...

Yes, whenever they have to restore my db for me, they always make cpanel and ftp passwords the same, but I go back and change one of them.


Right now I am having an argument with them. They are refusing to give me back permissions so I can chmod, and they cannot grasp WHY I need those permissions. GRR!

busterone

mmm, any host worth a grain of salt would understand that. I would be looking for a new host. It already sounds like they have serious security issues in the first place.

Bob Perry of Web Presence Consulting

Quote from: busterone on November 30, 2013, 09:25:52 PM
mmm, any host worth a grain of salt would understand that. I would be looking for a new host. It already sounds like they have serious security issues in the first place.

The host that I use is quite good, started with them many years ago and rarely have difficulties of any kind and their customer support 24/7 has always been excellent when an issue does come up...

https://mya.securepaynet.net/default.aspx?prog_id=domainspricedright

Chalky

Bob, you do know Domains Priced Right is another operating name of GoDaddy??

Bob Perry of Web Presence Consulting

Quote from: ChalkCat on November 30, 2013, 10:00:15 PM
Bob, you do know Domains Priced Right is another operating name of GoDaddy??

Makes little difference, I stand by them wholeheartedly. Until I encounter issues which warrant moving otherwise, I have no complaints at all... at that url and the ensuing 24/7 help number, you always speak to a live tech one on one...

Kimmie

I would never use GoDaddy or any host associated with them. That pretty much solves that debate :)


It has been 18 hours and they still do not have my site back up. I have decided to try and get this done myself. What I need to know is, those two files I uploaded, ajax.php and configphp3 -- someone here already confirmed they were suspicious files. Do I need to delete those?

busterone

Unless they came with a particular mod that I am unaware of, then neither of those 2 files are part of SMF and should be eliminated.

Kimmie

They finally got my site back up, but now I have FTP issues (well, they have been ongoing) as I posted here http://www.simplemachines.org/community/index.php?topic=515145.0 - since it didn't have anything to do with this issue, I started a new thread.. hope that was ok.


CuteFTP told me it is happening because the host has denied my IP root access, and the host says they haven't. I also found out that my CHMOD permissions got changed when they had a ddos attack a few months back (they changed everyone's), and that is also the same time I lost FTP access.


kat

Your host seems to be confused and, as a result, confusing.

Kimmie

Quote from: K@ on December 01, 2013, 10:35:42 AM
Your host seems to be confused and, as a result, confusing.

Totally agree with that statement LOL.

Kimmie

I have been hacked AGAIN!!!! This is the 3rd time since november.

When I got to my site it appears all they have done is changed where the main url routes to. Does anyone know where they would have changed this at?

Kindred

You need to talk to your host ASAP and determine HOW they are getting in.

They probably installed a redirect in the root directory..... unless they were able to get into your hosting account, in which case they could have changed the DNS entries.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Kimmie

Oh I have already ripped my host a new a hole.. but since they are 6 hours ahead of me, no idea when they will respond.

This is my root directory, do you see anything out of the ordinary?
Kindred

your webroot (public_html)

And, with any decent host, 6 hours ahead or not should not matter.
My host is staffed 24 hours a day and answers any support ticket within 5 minutes - without fail.

Kimmie

Ok, sorry (2 images) - I looked at the "modified" dates on all these and none of them are from last night, which is when it happened, because my site was fine around 3am this morning.
Kindred

I don't see anything with that file list... but it could be in a bunch of different places, including index.template.php or a block in your portal, if they got into your admin account.

or the htaccess?
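An added example, not from the thread and not SMF's own code, for the triage Kindred describes: finding a planted redirect (in .htaccess, index.php or index.template.php) and files that do not belong to the install, such as the ajax.php and configphp3 mentioned earlier. It compares a webroot against a manifest of hashes and greps each file for redirect and loader patterns. It deliberately does not rely on "modified" dates: anyone with write access can set a file's mtime to whatever they like (touch -d), so a clean-looking date list proves nothing. The manifest, the file contents and the example.invalid hostname are all constructed placeholders; in practice the manifest would be built from a fresh download of the same SMF version.

```python
"""Added example: webroot integrity and redirect triage over a constructed
sample tree. Not the forum's code; every file and hash below is made up."""
import hashlib
import os
import re
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: what the clean install should contain (path -> content).
CLEAN_FILES = {
    "index.php": b"<?php /* SMF index.php (placeholder content) */\n",
    ".htaccess": b"RewriteEngine On\n",
    "Themes/default/index.template.php": b"<?php function template_html_above() { }\n",
}
MANIFEST = {path: sha256(content) for path, content in CLEAN_FILES.items()}

# Patterns that indicate a redirect or an encoded loader was planted.
SUSPICIOUS = [
    (re.compile(r"header\s*\(\s*['\"]Location:", re.I), "PHP header() redirect"),
    (re.compile(r"^\s*Redirect(Match|Permanent)?\s", re.I | re.M), "htaccess Redirect"),
    (re.compile(r"RewriteRule\s.*\[[^\]]*R[=,\]]", re.I), "htaccess RewriteRule with [R]"),
    (re.compile(r"<meta[^>]+http-equiv=['\"]refresh", re.I), "meta refresh"),
    (re.compile(r"window\.location\s*=", re.I), "JS location redirect"),
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I), "PHP eval of encoded payload"),
]


def scan(webroot, manifest):
    """Walk webroot; report files missing from or differing from the manifest,
    files not in the manifest at all, and any file matching SUSPICIOUS.
    Returns a sorted list of (relative path, reason)."""
    findings, seen = [], set()
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            seen.add(rel)
            with open(full, "rb") as f:
                data = f.read()
            if rel not in manifest:
                findings.append((rel, "not in clean manifest"))
            elif sha256(data) != manifest[rel]:
                findings.append((rel, "content differs from clean copy"))
            text = data.decode("utf-8", "replace")
            for pattern, reason in SUSPICIOUS:
                if pattern.search(text):
                    findings.append((rel, reason))
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "missing from webroot"))
    return sorted(findings)


def build_sample_tree():
    """Constructed webroot: the clean files plus the tampering described in
    the thread (an htaccess redirect, an edited template, two stray files)."""
    root = tempfile.mkdtemp()
    files = dict(CLEAN_FILES)
    files[".htaccess"] = b"RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=301,L]\n"
    files["Themes/default/index.template.php"] = (
        CLEAN_FILES["Themes/default/index.template.php"]
        + b"<?php header('Location: http://example.invalid/'); ?>\n"
    )
    files["ajax.php"] = b"<?php eval(base64_decode($_POST['c'])); ?>\n"
    files["configphp3"] = b"<?php /* not part of the install */ ?>\n"
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan(build_sample_tree(), MANIFEST):
        print(f"{rel}: {reason}")
```

Run it against a real webroot by pointing scan() at public_html with a manifest built from a clean copy of the same version; the pattern list only catches the obvious redirect and eval loaders, so treat the hash mismatches and unknown files as the authoritative list and the pattern hits as a hint about what was done with them. As Kindred notes, a redirect can also live in the database (a portal block) or in DNS, which a file scan will not see.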
