I've been Hacked

Started by bynw, February 08, 2025, 10:49:28 AM


bynw


I know it's truly a hack as my site has been defaced. Every topic and every post has been changed sometime overnight.

I have a ticket open with my host about it and waiting to hear from them. What can I do in the meantime to see if I can restore anything at all.

Thanks.

vbgamer45

Change password remove other admins.
Hopefully you have backups or your host has backups.
I would also maybe take your site offline.
Community Suite for SMF - Grow your forum with SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com - Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro


Doug Heffernan

Additionally a thorough checkup of your entire server space, and not only the forum folder, is in order too imo, to make sure that there are no backdoors and such left behind.


bynw

I've done all of those here so far and looks like the defacement was just on the posts and topics. But they hit all of them. 30,000+ posts.

So it sounds like they just hit the database and changed every post and topic but the backups survived. Only lost a day's worth of posts and messages when restoring it.

Changed the database password too now.

Doug Heffernan

Quote from: bynw on February 08, 2025, 12:39:03 PM
Changed the database password too now.

It would be best to change all the passwords. Your cPanel, ftp and forum admin too. i.e. everything.

On a side note, I've coded a mod that helps increase the security of the forum. Should you be interested, you can see it here:

https://www.simplemachines.org/community/index.php?topic=589922

bynw


That did not stop them. They just defaced my site again.

bynw



Looking around here ... trying to find out how they keep getting in. Is there any reason that the Settings.php file would be modified during the course of normal use on the forum? I am showing mine was modified right around the time everything got changed again.

If it should be modified with a timestamp during normal use, how can I prevent it from being accessed? It's set with 644 permissions.


Doug Heffernan

Quote from: bynw on February 08, 2025, 05:04:14 PM
Looking around here ... trying to find out how they keep getting in. Is there any reason that the Settings.php file would be modified during the course of normal use on the forum? I am showing mine was modified right around the time everything got changed again.

If you didn't modify it yourself, and your host didn't either, then chances are that it was modified by the hackers. Ask your host to check the ftp and cPanel logs for around the time that the hack happened to see if there was any unauthorised access.

bynw

That's what I thought. I am checking with my host to see if they see anything.

Could I do an htaccess file and block access to it for everything except the server itself ...
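The question above can be answered with a short Apache rule. This is an added example, not configuration from the thread or from SMF, and it assumes the forum runs under Apache 2.4 with .htaccess overrides enabled for the forum directory; it goes in the forum root next to Settings.php:

```apache
# Added example: refuse every HTTP request for Settings.php at the web-server
# level. The forum itself still reads the file through PHP's include(), which
# this rule does not affect, so the site keeps working.
<Files "Settings.php">
    Require all denied
</Files>
```

The limit of this rule is worth stating plainly: it only stops the web server from serving the file to a browser. Anything that already runs on the server, such as a PHP backdoor dropped among the forum files, an FTP or cPanel file-manager session, or the host's own processes, reads Settings.php exactly as before, and a modified timestamp on the file is consistent with any of those paths. If the timestamps keep changing after this rule is in place, the write is coming from inside the hosting account, not through HTTP.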

bynw


Per my host, they do not see anything in their logs of any access for FTP or accessing the control panel around the time frame of the Settings.php file being modified. So I don't yet know how they are gaining access to it.

In order to change all of the nearly 3000 topics and 30000+ posts to their profanity in a short time, wouldn't that have to be done through the database by running a query on it with those changes? It's the only thing I can think of ....

Illori

Can you ask your host if they allow external access to the MySQL database you are using? If so, that may be one way, if they had the username and password.

bynw

Quote from: Illori on February 08, 2025, 06:48:50 PM
Can you ask your host if they allow external access to the MySQL database you are using? If so, that may be one way, if they had the username and password.

I checked. By default, no, that is not allowed. But phpMyAdmin is available from the host, and the URLs are available in their knowledgebase.

So still able to run queries that way too. Just not as fast as the command line method.

Just trying to find out HOW they are accessing the forum and changing the data.

Sir Osis of Liver

If you have good backups, move to a better host.
When in Emor, do as the Snamors.
                              - D. Lister

bynw

Quote from: Sir Osis of Liver on February 08, 2025, 09:31:14 PM
If you have good backups, move to a better host.


In theory I could do that easily enough. It would be a pain due to DNS propagation and getting a new hosting account setup and running everything that way. But, since I don't know how the defacing is happening ... it may only slow them down from doing it a 3rd time as the IP changes.

They change all the topics and all the posts to their message which is vulgar.
Just as if the user themselves did the edit, none are listed by any strange user names.
The Settings.php file shows a modified timestamp just before the change is made to the forum.
And of course that has the database login information in it.
Now I know that's not accessible outside of my host except via phpmyadmin.
If they have the information from Settings.php then they can use phpmyadmin and make a quick query to edit everything at least in theory.
So unless they are doing something else ... I don't know what ... but they are getting the information.


Sir Osis of Liver

Either your host account is insecure, or there's a backdoor somewhere in your forum files.  If you have a clean database backup, and backup of your /attachments, that's your content.  A clean backup of Settings.php is helpful, but not necessary.  I would delete everything in the forum directory, do a clean 2.1.4 install with new database, import the production db into the new install, see what happens.  If you're hacked again, the problem is probably with your host account, not the forum.
When in Emor, do as the Snamors.
                              - D. Lister
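Two of the replies above, the advice to check the whole server space for backdoors and the advice to compare the hacked install against a clean 2.1.4 copy, amount to one file-level triage. The script below is an added example of that triage, not code from this thread or from SMF. It assumes a POSIX shell with GNU coreutils (sha256sum, find, mktemp) on the host, and it builds its own constructed sample trees: the file names it reports (Settings.php, index.php, attachments/unexpected.php) are placeholders for the demo, not findings from the poster's site.

```shell
#!/bin/sh
# Added example (not from the thread or from SMF): triage a live forum tree
# against a known-clean copy of the same release. Three checks are shown:
#   compare_trees  files new or changed by content hash versus the clean copy
#   recent_files   files modified within the last N days
#   php_in_dir     PHP files inside a directory that should hold only uploads
set -eu

# Print "sha256  ./relative/path" for every regular file under $1, sorted.
# Paths containing spaces would confuse the awk field split in compare_trees;
# forum trees normally have none.
hash_tree() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done )
}

# Compare LIVE ($2) against CLEAN ($1) by content hash rather than timestamp,
# since an mtime can be reset with touch. Prints "NEW <path>" for files that
# do not exist in the clean tree and "MODIFIED <path>" where the hash differs.
compare_trees() {
    tmp=$(mktemp -d)
    hash_tree "$1" > "$tmp/clean"
    hash_tree "$2" > "$tmp/live"
    # First file: remember clean hashes by path. Second file: look each up.
    awk 'NR == FNR       { clean[$2] = $1; next }
         !($2 in clean)  { print "NEW " $2; next }
         clean[$2] != $1 { print "MODIFIED " $2 }' "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
}

# Regular files under $1 modified less than $2 days ago (relative paths).
recent_files() {
    ( cd "$1" && find . -type f -mtime -"$2" -print | LC_ALL=C sort )
}

# PHP files under $1, a directory that is only supposed to contain data.
php_in_dir() {
    ( cd "$1" && find . -type f -iname '*.php' -print | LC_ALL=C sort )
}

# Build a constructed clean tree and a live tree that differs in two ways:
# Settings.php was altered and a PHP file appeared under attachments/.
# Prints the root of the demo directory. (Constructed sample data.)
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/attachments" "$root/live/attachments"
    for d in clean live; do
        printf '<?php $db_passwd = "placeholder";\n' > "$root/$d/Settings.php"
        printf '<?php echo "forum";\n' > "$root/$d/index.php"
        printf 'uploaded data\n' > "$root/$d/attachments/1_sample.dat"
    done
    printf '<?php $db_passwd = "changed";\n' > "$root/live/Settings.php"
    printf '<?php /* file that does not belong here */\n' \
        > "$root/live/attachments/unexpected.php"
    # Give index.php an old mtime so recent_files has something to exclude.
    touch -t 202001010000 "$root/live/index.php"
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed trees.
root=$(demo_setup)
echo "== new or modified versus clean copy =="
compare_trees "$root/clean" "$root/live"
echo "== modified in the last day =="
recent_files "$root/live" 1
echo "== PHP files under attachments =="
php_in_dir "$root/live/attachments"
rm -rf "$root"
```

On a real host, point compare_trees at a freshly unpacked copy of the same SMF release and at the live forum directory; Settings.php and any installed mods will show as MODIFIED legitimately, so the list to read closely is the NEW entries and any MODIFIED core file you did not change yourself. Run recent_files over the whole hosting space, not just the forum folder, since a backdoor can sit anywhere the web user can write.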

Johnny54

Stupid idea.
Is your computer at home not infected with malware? 
So that they get the new passwords etc. from there.

bynw

Quote from: Johnny54 on February 09, 2025, 03:13:58 AM
Stupid idea.
Is your computer at home not infected with malware?
So that they get the new passwords etc. from there.

I thought of that myself as well. Nothing shows on any scans.
And I don't store the database password on my computer.

Illori

If you have a backup of your files on your computer, which you should have, then you do have the database password on your computer.

Sir Osis of Liver

Quote from: bynw on February 08, 2025, 12:39:03 PM
Changed the database password too now.

If you change the db password, you have to change it in Settings.php or the forum cannot connect, so whatever else you've done the new db credentials are exposed to the same hack if it's in your forum files and you haven't deleted the files.


Quote from: Johnny54 on February 09, 2025, 03:13:58 AM
Stupid idea.
Is your computer at home not infected with malware?
So that they get the new passwords etc. from there.

No, it's not a stupid idea, it's the basic advice for when a forum is hacked.  Most forum hacks are the result of direct attacks on the forum install.  There are much more interesting things for malware to grab off a user's local computer than forum credentials (i.e., bank, vendor, social media logins).  If you have anything useful to contribute, please do it courteously.
When in Emor, do as the Snamors.
                              - D. Lister
