
I've been Hacked

Started by bynw, February 08, 2025, 10:49:28 AM


bynw

Quote from: Sir Osis of Liver on February 09, 2025, 03:33:12 PM
Quote from: bynw on February 08, 2025, 12:39:03 PM
Changed the database password too now.

If you change the db password, you have to change it in Settings.php or the forum cannot connect, so whatever else you've done the new db credentials are exposed to the same hack if it's in your forum files and you haven't deleted the files.


Are there any files that would be safe to keep? Avatars/Attachments? or just nuke everything??

Sir Osis of Liver

Attachments are usually a major part of your content, so you'll want to back them up, avatars not so much but you can keep them as well. /attachments contains two files, .htaccess and index.php, and /avatars contains an index.php. I would delete them from backups. They will be replaced when you do a clean install. Make local backups, don't save anything in the server directory.

Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood

bynw

Quote from: Sir Osis of Liver on February 09, 2025, 05:09:31 PM
Attachments are usually a major part of your content, so you'll want to back them up, avatars not so much but you can keep them as well. /attachments contains two files, .htaccess and index.php, and /avatars contains an index.php. I would delete them from backups. They will be replaced when you do a clean install. Make local backups, don't save anything in the server directory.




The Clean Install is using the files from the Large upgrade package, correct?

Illori

Please review the link I provided earlier in this topic, it has that information contained within it.

Sir Osis of Liver

Not on my computer, so this is the short version.  Once you have complete local backups, delete everything in the forum directory, then do a clean install with the 2.1.4 install package and a new database.  When it's up and running, drop all tables from the database and import your production database backup.  If all is well, you can copy /attachments and /avatars to the new install, minus the files I mentioned above, 
Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood

bynw

In the Online Manual it gives this as permissions:

Quote
File and directory permissions control who can see your files and use your directories. They can control whether you will be able to install mods to your forum. On Linux and other Unix-like servers the chmod command is used to designate permissions. On most servers, a setting of 755 for directories and 644 for files will work. If this does not work on your hosting service, you may need 777 or 775 for directories, and 666 or 664 for files. Some hosts do not allow using 777 for directories or 666 for files -- using such high values will cause Internal Server Errors, 500 errors, or other errors. If the permission on your files or directories does not make them writable, the SMF installer will report the problem -- if it can detect it.

The install also said that the main directory was writable but didn't suggest any permissions changes.
Are these the best permissions or should they be stricter??


Sir Osis of Liver

755/644 are fine, go with that.
Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood
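
A pre-restore check for the two points above (the 755/644 baseline, and leaving index.php/.htaccess out of the /attachments and /avatars backups), added here as an example and not part of any post or of SMF itself. The function names and the extra extensions checked (.phtml, .phar) are assumptions; run it against the local backup copy before anything is copied into the clean install.

```shell
#!/bin/sh
# Added example: audit a local backup of the forum tree before restoring it.
# Directory names attachments/ and avatars/ follow the thread; the function
# names and extension list are assumptions, not SMF tooling.

# List entries writable by group or others, i.e. looser than 755/644.
loose_perms() {
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print | sort
}

# List files in the upload directories that a web server could treat as
# code or per-directory config. The clean install supplies its own
# index.php/.htaccess, so nothing listed here should be copied back.
script_like_uploads() {
    for d in attachments avatars; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.phar' -o -iname '.htaccess' \) -print
    done | sort
}

# Reset the tree to the 755 (directories) / 644 (files) baseline.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: sh audit.sh /path/to/local/backup
if [ "$#" -eq 1 ]; then
    echo "Looser than 755/644:";              loose_perms "$1"
    echo "Script-like files in upload dirs:"; script_like_uploads "$1"
fi
```

Anything the second list prints beyond the stock files mentioned in the thread deserves a look before the backup is trusted.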

Dave J

As I was reading this a thought occurred to me.

In your cPanel, or similar, under databases there should be an option for 'Remote MySQL'

Have a look under that and see if there is a % under the heading 'Access List', if there is remove it.

That % means that any IP address can access the database from anywhere.

I've just added that to my list to show you what I mean, it's now gone


bynw

It's a custom panel and does it differently, but I did check and only the webhost is allowed direct access, or of course anyone if they have the username/password through phpMyAdmin that the host has installed.

Doug Heffernan

Quote from: bynw on February 10, 2025, 07:39:30 AM
It's a custom panel and does it differently, but I did check and only the webhost is allowed direct access, or of course anyone if they have the username/password through phpMyAdmin that the host has installed.

Do you mean that phpMyAdmin is directly accessible through the URL, as in yoursite.com/phpmyadmin? If that's the case remove it a.s.a.p. That poses a huge security risk imo.

Sir Osis of Liver

IIRC, some hosts require a second login when you access pma from their control panel, but I don't think you can access it directly.  Of course pma is free software and can be installed as a free standing app, but I wouldn't.
Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood

bynw


I've replaced all the files and created a brand new database
Let it sit all day and it was not attacked
I dropped that database and imported via command line but got an error:

ERROR 1062 (23000) at line 3255915: Duplicate entry 'ip20.171.207.11' for key 'smfrc_log_online.PRIMARY'

And the site is giving an error as well:


An error has occurred
Sorry, this section isn't available at this time.


I tried running the repair_settings.php to see if it would help but it did not resolve the error.

I can drop the table again if needed and see if I can fix that line number given in the error message if that is required.

Doug Heffernan

Quote from: bynw on February 10, 2025, 09:34:28 PM
ERROR 1062 (23000) at line 3255915: Duplicate entry 'ip20.171.207.11' for key 'smfrc_log_online.PRIMARY'

Most likely the smfrc_log_online table already contains a value '20.171.207.11' in the field 'ip'.

Therefore attempts to insert another row containing '20.171.207.11' in the field 'ip' will cause the aforementioned error, since the 'ip' is a unique key where only one occurrence is possible.

Quote from: bynw on February 10, 2025, 09:34:28 PM
And the site is giving an error as well:
An error has occurred
Sorry, this section isn't available at this time.

I tried running the repair_settings.php to see if it would help but it did not resolve the error.

Running the repair_settings.php tool won't work in this case.

Quote from: bynw on February 10, 2025, 09:34:28 PM
I can drop the table again if needed and see if I can fix that line number given in the error message if that is required.

You can't just drop tables from the database, otherwise you will get the tables missing errors. That said, you can truncate said table as it doesn't hold any vital data. Doing that will log off everyone from the online list. But should you decide to drop it instead, you must re-add the table again in the database. Hope it helps.
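
For the import error discussed in this post, two dump-side helpers, added here as an example and not part of any post or of SMF: one reports which table the statement on the failing line belongs to, the other writes the dump without row data for one table while keeping its CREATE TABLE, so the table exists and starts empty. The function names are hypothetical, and it assumes a mysqldump-format file with each INSERT statement on a single line.

```shell
#!/bin/sh
# Added example; assumes mysqldump output (one INSERT statement per line,
# table names quoted in backticks). Function names are hypothetical.

# Print the table named by the statement on line N of the dump, N being
# the "at line N" number from the mysql client error.
table_at_line() {
    awk -v n="$2" 'NR == n { split($0, part, "`"); print part[2]; exit }' "$1"
}

# Write the dump to stdout without row data for TABLE. Every other line,
# including the CREATE TABLE for TABLE, passes through unchanged.
skip_table_rows() {
    awk -v p="INSERT INTO \`$2\` " 'index($0, p) != 1' "$1"
}

# Stand-alone use: sh dumpfilter.sh backup.sql 3255915
# (second argument is the line number reported by the failed import)
if [ "$#" -eq 2 ]; then
    t=$(table_at_line "$1" "$2")
    echo "line $2 targets table: $t" >&2
    skip_table_rows "$1" "$t"
fi
```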

bynw

Quote from: Doug Heffernan on February 11, 2025, 07:49:03 AM
You can't just drop tables from the database, otherwise you will get the tables missing errors. That said, you can truncate said table as it doesn't hold any vital data. Doing that will log off everyone from the online list. But should you decide to drop it instead, you must re-add the table again in the database. Hope it helps.

How do I truncate the table?

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Doug Heffernan

Quote from: bynw on February 11, 2025, 09:04:16 AM
How do I truncate the table?

Besides running the above query, another way to go about this is to select the table in question, and from the drop down list of options all the way to the bottom select the truncate one.

bynw


Thanks @Doug Heffernan I did that with phpmyadmin

The forum is still giving me the error message so it's not displaying anything.
When I tried to log in I got a token error.
Cleared my browser cache and was able to login.

There are 165,781 errors in the error log. Anytime I attempt to do anything in the admin panel I keep getting reprompted for my password.

Under Admin>Maintenance>Forum Maintenance>Integration Hooks there are 2 pages of errors since none of my mods are currently installed since this is a fresh install. When I click on the button to remove the hook, again I'm prompted for my admin password and when I get back to the Integration Hooks page, the hook is still there.

Doug Heffernan

Quote from: bynw on February 11, 2025, 10:32:18 AM
Thanks @Doug Heffernan I did that with phpmyadmin

No problem :)

Quote from: bynw on February 11, 2025, 10:32:18 AM
The forum is still giving me the error message so it's not displaying anything.

Is it the same error you posted previously?

Quote from: bynw on February 10, 2025, 09:34:28 PM
An error has occurred
Sorry, this section isn't available at this time.

Can you please post the url to your forum? If you don't want to post it publicly you can pm it to me.

Quote from: bynw on February 11, 2025, 10:32:18 AM
There are 165,781 errors in the error log. Anytime I attempt to do anything in the admin panel I keep getting reprompted for my password.

Can you post the most recent couple of errors?

Quote from: bynw on February 11, 2025, 10:32:18 AM
Under Admin>Maintenance>Forum Maintenance>Integration Hooks there are 2 pages of errors since none of my mods are currently installed since this is a fresh install. When I click on the button to remove the hook, again I'm prompted for my admin password and when I get back to the Integration Hooks page, the hook is still there.

A screenshot would help as it's hard to give advice without seeing the errors.

Sir Osis of Liver

Hooks are in the database, you're getting errors because hooks are present for uninstalled mods.  You can remove all hooks with repair_settings.
Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood

bynw

I got the hooks taken care of ....


But myself and other users I'm having test the rebuild of the site keep getting Token errors.

I was logged out of my forum. I logged back in. Went to change my Avatar and got the error.



This constantly happens also in the Admin panel as well.

