problem with my site after it was hacked

shamoonluay · August 09, 2023, 04:03:40 AM

hello,

I have a problem with my site after it was hacked according to what i think!
I tried every way to get it back as it is, but without result.
is there anyone to help me please, fortunatly i have the backup of all the tables

thanks

peter_mein · August 09, 2023, 04:22:03 AM

Do you also have a backup of your server?

shamoonluay · August 09, 2023, 05:17:08 AM

yes

shamoonluay · August 09, 2023, 05:20:08 AM

what is the best way to get it back?
i tried to restore the backup from the server, but i have still always many problems with the site!!

Aleksi "Lex" Kilpinen · August 09, 2023, 05:29:34 AM

It could help, greatly, if we knew what made you believe you were hacked in the first place,
and what issues are you still facing after restoring the backup.

Just saying "I was hacked" tells nothing, and "many problems" is even worse.
Please describe your issues.

peter_mein · August 09, 2023, 05:33:59 AM

If you have a backup of the database and the server, you just have to restore it. Delete the database completely, only the content, not the database itself. then delete the content from the server where the forum was installed. Again, delete only the content from the one under direktory. Now play back the database data and then play back the server data. Then it should run again.

shamoonluay · August 09, 2023, 05:49:32 AM

Fatal error: Uncaught Error: Call to undefined function shell_exec() in /customers/4/f/e/baretly.net/httpd.www/Sources/Load.php:377 Stack trace: #0 /customers/4/f/e/baretly.net/httpd.www/index.php(142): reloadSettings() #1 {main} thrown in /customers/4/f/e/baretly.net/httpd.www/Sources/Load.php on line 377

Doug Heffernan · August 09, 2023, 06:38:07 AM

Quote from: shamoonluay on August 09, 2023, 05:49:32 AMFatal error: Uncaught Error: Call to undefined function shell_exec() in /customers/4/f/e/baretly.net/httpd.www/Sources/Load.php:377 Stack trace: #0 /customers/4/f/e/baretly.net/httpd.www/index.php(142): reloadSettings() #1 {main} thrown in /customers/4/f/e/baretly.net/httpd.www/Sources/Load.php on line 377

It looks like the shell_exec() function has been disabled by your host. Can you get to the Admin Panel? If you can go to Server Settings and tick the box that says 'Disable hostname lookups' and save the changes. I remember seen a few posts here about this and doing the above has fixed the problem for them. Hopefully it will help you as well.

I have a couple of questions, what made you think that you were hacked? How did you try to restore the backup? What php version do you have?

For future reference, as mentioned above, when asking for support try to be give out as many details as possible, rather than being vague. i.e. help us to help you.

shamoonluay · August 09, 2023, 03:04:42 PM

thanks for help, but my srver provider can not do this for security reasons!!
is there any other way to fix this problem please?

Kindred · August 09, 2023, 03:08:00 PM

Get a better host?

shamoonluay · August 09, 2023, 03:11:34 PM

it is more than 15 years with the same provideor without any problem..
I do not know what is happen this time

can i begin a new smf forum from scratch and then upload the old database?

Doug Heffernan · August 09, 2023, 03:12:22 PM

Quote from: shamoonluay on August 09, 2023, 03:04:42 PMthanks for help, but my srver provider can not do this for security reasons!!
is there any other way to fix this problem please?

Quote from: Doug Heffernan on August 09, 2023, 06:38:07 AMCan you get to the Admin Panel? If you can go to Server Settings and tick the box that says 'Disable hostname lookups' and save the changes. I remember seen a few posts here about this and doing the above has fixed the problem for them. Hopefully it will help you as well.

This!

Quote from: Kindred on August 09, 2023, 03:08:00 PMGet a better host?

What about these questions?

Quote from: Doug Heffernan on August 09, 2023, 06:38:07 AMI have a couple of questions, what made you think that you were hacked? How did you try to restore the backup? What php version do you have?

shamoonluay · August 09, 2023, 03:16:40 PM

What about these questions?

Quote from: Doug Heffernan on August 09, 2023, 06:38:07 AMI have a couple of questions, what made you think that you were hacked? How did you try to restore the backup? What php version do you have?

[/quote]

because is the first time that happend to my site, backup via the admin panel of the server, PHP 8

SpacePhoenix · August 09, 2023, 03:20:25 PM

You should change your FTP password straight away and make sure the new password is a strong one

shamoonluay · August 09, 2023, 03:23:34 PM

i have already changed my password

Doug Heffernan · August 09, 2023, 03:24:20 PM

Quote from: shamoonluay on August 09, 2023, 03:16:40 PMbecause is the first time that happend to my site

You still haven't told us what type of hack it was. Have you contacted your host and told them about it? If you were really hacked a very thorugh checkup of your server space for any backdoor(s) is in order. It is very important that the point of entry is discovered and dealt with. The same goes for the backdoor(s), otherwise it can/will happen again and again. Also a change of all passwords, as adviced above, is strongly recommended.

That being said, regarding the error have you read my post above?

Quote from: Doug Heffernan on August 09, 2023, 06:38:07 AMCan you get to the Admin Panel? If you can go to Server Settings and tick the box that says 'Disable hostname lookups' and save the changes. I remember seen a few posts here about this and doing the above has fixed the problem for them. Hopefully it will help you as well.

shamoonluay · August 09, 2023, 03:33:16 PM

i can get the admin panel, but i can not disable hostname lookups, it is not available
but if is not hacked why my site down!!!

Doug Heffernan · August 09, 2023, 03:40:14 PM

Quote from: shamoonluay on August 09, 2023, 03:33:16 PMi can get the admin panel, but i can not disable hostname lookups, it is not available

Do you mean that it is not listed? Can you please post a screenshot of that part of your admin panel?

Anyways, you can disable it with a sql query as well.

Run the following at the SQL tab of your phpmyadmin, or whatever tool your host is using to manage the databases.

Code Select

UPDATE smf_settings SET value = 0 WHERE variable = 'disableHostnameLookup';
If you are using another database prefix, use that instead of smf_ in the query above.

Quote from: shamoonluay on August 09, 2023, 03:33:16 PMbut if is not hacked why my site down!!!

It could be many other things, such as an issue with a custom mod or a server error for example. It's hard to say without the details. Hence why you were asked about what type of hack it was, but you didn't, and are still not providing any details.

Tyrsson · August 10, 2023, 12:38:01 AM

Access logs and error logs would be helpful as well as long as they do not disclose any vital information. As mentioned before, attack vector here is VERY important. Can you provide any of the malicious script or an access log entry that leads one to think that you "were actually hacked"?

Please keep in mind. If you are in a VPS or shared hosting environment that the actual attack vector may not lye in your domain, it could possibly be a vector in a domain that is adjacent to yours.

shamoonluay · August 10, 2023, 08:24:31 AM

I am very sorry that i could not explain the problem wel, but after I tried all the methods I did not find any solution to get my forum back, so I decided to start a new one from scratch.
now how can i upload the old tables and overwrite it to the new ones?
i get always a fatal error that this table is already exist!!

News:

problem with my site after it was hacked