
I've been Hacked

Started by bynw, February 08, 2025, 10:49:28 AM


bynw

In spite of all these Token Errors since restoring the database, the site has been hacked for a 3rd time.

These are the steps I took when it got hacked over the weekend.
1) I changed my FTP password.
2) I deleted all the SMF files and uploaded new ones.
3) I checked the database for malicious code searching for the usual suspects and found none. I ran it through a virus checker designed to check .sql files and found none.
4) Updated PHP from 8.1 to 8.3.
5) I followed the instructions by Sir Osis of Liver and created a brand new database with an install of SMF and then dropped the tables and imported my own. That's when the Token errors started.

But this morning, the site had been hacked again.




Illori

you changed the database password? you changed your hosts control panel password? if there is any password for phpmyadmin you changed that as well?

bynw

Quote from: Illori on February 12, 2025, 08:34:52 AM
you changed the database password? you changed your hosts control panel password? if there is any password for phpmyadmin you changed that as well?

Yes to all. phpmyadmin uses the database password.


Doug Heffernan

Quote from: bynw on February 12, 2025, 08:05:41 AM
3) I checked the database for malicious code searching for the usual suspects and found none. I ran it through a virus checker designed to check .sql files and found none.

What did you search for? The main place to search for malicious code/files is the server space.

Quote from: bynw on February 12, 2025, 08:37:03 AM
Yes to all. phpmyadmin uses the database password.

If they have left a backdoor behind, it doesn't matter how many times you change your passwords. Hence why priority number one should be searching for backdoors and communicating with the host so they can check the raw access logs on their end, and see how they were able to get in, and patch up the security hole a.s.a.p.

Kindred

at this point there are two choices

1- despite loading clean files, you missed that they left a back door somewhere....
2- your HOST is misconfigured or compromised and the hacker has access to your account because someone ELSE'S account was hacked.


If you can wait until tonight (EDT) and are willing to send me full access credentials, I will take a look and clean your site - that way we will know if it is the host.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

bynw

Quote from: Kindred on February 12, 2025, 08:44:42 AM
at this point there are two choices

1- despite loading clean files, you missed that they left a back door somewhere....
2- your HOST is misconfigured or compromised and the hacker has access to your account because someone ELSE'S account was hacked.


If you can wait until tonight (EDT) and are willing to send me full access credentials, I will take a look and clean your site - that way we will know if it is the host.


I'm not doing anything to the site today. I will wait (see if I'm still awake and up) Thanks Kindred.

bynw

Quote from: Doug Heffernan on February 12, 2025, 08:43:34 AM
Quote from: bynw on February 12, 2025, 08:05:41 AM
3) I checked the database for malicious code searching for the usual suspects and found none. I ran it through a virus checker designed to check .sql files and found none.

What did you search for? The main place to search for malicious code/files is the server space.

Quote from: bynw on February 12, 2025, 08:37:03 AM
Yes to all. phpmyadmin uses the database password.

I searched for strings like:
<iframe
base64_decode
eval()
<script

the usual culprits if the database has malicious code added to it.

If they have left a backdoor behind, it doesn't matter how many times you change your passwords. Hence why priority number one should be searching for backdoors and communicating with the host so they can check the raw access logs on their end, and see how they were able to get in, and patch up the security hole a.s.a.p.

I've had a ticket open with my host since Saturday's original hack. They have reported back that there is no security hole that they are finding. I think they are mistaken.

Illori

then it is time to move to a new host and setup your forum with clean files on the new host with a working database.

Doug Heffernan

Quote from: bynw on February 12, 2025, 08:54:59 AM
I've had a ticket open with my host since Saturday's original hack. They have reported back that there is no security hole that they are finding. I think they are mistaken.

In that case I will echo @Illori's advice as well.

Quote from: Illori on February 12, 2025, 09:06:30 AM
then it is time to move to a new host and setup your forum with clean files on the new host with a working database.

Sir Osis of Liver

When in Emor, do as the Snamors.
                              - D. Lister

bynw


The more I look at things the more I think that is the best course of action. To move to a new host.

KittyGalore

Quote from: bynw on February 12, 2025, 04:20:35 PM
The more I look at things the more I think that is the best course of action. To move to a new host.

Out of curiosity what is your current host if you don't mind me asking.
SMF Curve 2.0x

bynw


Sir Osis of Liver

crocweb.com is inexpensive and has excellent support.  I've moved a couple dozen forums there from other hosts.  icdsoft.com is also highly recommended.

Kindred

so yeah... I took a look at the site. There definitely seemed to be some back doors left around.

I think I got them all -- but there are some non-SMF directories scattered around which I skimmed, and seems to be mostly images... but the hacker COULD have left files named as images that run a payload -- so I recommend downloading a backup of all of the non-SMF stuff and removing it from the site unless you can positively confirm every jpg, png, and html file in there...
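The two checks discussed above, bynw's string search of the .sql dump and Kindred's point that a "jpg" or "html" left behind may really carry a payload, can be done mechanically by comparing the live webroot against a known-clean copy of the same SMF release. The script below is an added example, not code from the thread or from the SMF project; the directory layout, file names, sample contents and indicator patterns it builds are constructed for the demonstration, and the categories it reports are things to inspect by hand, not proof of compromise.

```python
"""
Added example (not from the thread or SMF): hunt for leftover backdoors by
comparing a deployed webroot against a known-clean copy of the same release,
and by scanning a SQL dump for the markers bynw listed. All paths, sample
files and patterns below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Constructs that warrant a manual look in PHP files. Indicators, not proof.
SUSPECT_CODE = re.compile(
    rb"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(|str_rot13\s*\("
)
# Markers bynw searched the database dump for.
SUSPECT_SQL = re.compile(rb"<iframe|base64_decode|eval\s*\(|<script", re.I)
# Extensions that should never contain a PHP open tag.
NON_CODE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".html", ".htm", ".txt", ".ico"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def audit_webroot(deployed, clean):
    """Return (category, relative_path) findings.
    'extra': not in the clean release; 'modified': hash differs from clean;
    'php_in_nonphp': PHP tag inside an image/html/text file;
    'suspect_code': risky construct inside a PHP file."""
    dep, ref = tree_hashes(deployed), tree_hashes(clean)
    findings = []
    for rel, digest in sorted(dep.items()):
        ext = os.path.splitext(rel)[1].lower()
        if rel not in ref:
            findings.append(("extra", rel))
        elif ref[rel] != digest:
            findings.append(("modified", rel))
        with open(os.path.join(deployed, rel), "rb") as fh:
            data = fh.read()
        if ext in NON_CODE_EXT and PHP_TAG.search(data):
            findings.append(("php_in_nonphp", rel))
        if ext in {".php", ".phtml", ".inc"} and SUSPECT_CODE.search(data):
            findings.append(("suspect_code", rel))
    return findings


def audit_sql_dump(path):
    """Return 1-based line numbers of the dump that match SUSPECT_SQL."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            if SUSPECT_SQL.search(line):
                hits.append(lineno)
    return hits


def build_demo():
    """Construct a tiny 'clean release', a tampered live copy and a dump."""
    base = tempfile.mkdtemp()
    clean, deployed = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, deployed):
        os.makedirs(os.path.join(root, "Sources"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php\nrequire 'Sources/Load.php';\n")
        with open(os.path.join(root, "Sources", "Load.php"), "wb") as fh:
            fh.write(b"<?php\nfunction loadBoard() {}\n")
    # Tampering present only in the live copy (constructed, illustrative).
    with open(os.path.join(deployed, "index.php"), "ab") as fh:
        fh.write(b"// one extra line the clean release does not have\n")
    with open(os.path.join(deployed, "logo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff<?php echo 'not really an image'; ?>")
    with open(os.path.join(deployed, "Sources", "cache_helper.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('')); // constructed indicator\n")
    dump = os.path.join(base, "forum.sql")
    with open(dump, "wb") as fh:
        fh.write(b"INSERT INTO smf_messages VALUES (1,'hello');\n"
                 b"INSERT INTO smf_messages VALUES (2,'<script>x()</script>');\n")
    return deployed, clean, dump


if __name__ == "__main__":
    live, ref, dump = build_demo()
    for cat, rel in audit_webroot(live, ref):
        print(f"{cat:14} {rel}")
    print("sql dump suspect lines:", audit_sql_dump(dump))
```

Against a real forum, point `audit_webroot` at the live document root and at a freshly unpacked copy of the same SMF version; anything reported as `extra` or `modified` that is not your own theme, attachment or avatar directory deserves a look before it is copied to a new host, which is exactly the "make sure they are clean first" step the move guide relies on.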

bynw

Thanks @Kindred and everyone else.

I'll check those files when I get off work. Can't do that from work unfortunately.

And I will be changing hosts as well.

bynw


Again I want to thank @Kindred for his invaluable help. But even after changing passwords, turning off SSH access and removing the bad files, the site was compromised again at 4:19am this morning. Yes, I am moving it.

So the question right now is ... what is the best procedure to follow when moving it to another host?

Doug Heffernan

Have a look at this guide:

https://wiki.simplemachines.org/smf/Hosting_-_How_do_I_move_my_SMF_forum_to_a_different_host

Before you move the files and the database, make real sure that they are clean. Otherwise you will be moving the backdoor(s) as well.

Illori

might be best to move the database attachments/avatars and upload fresh files to make sure nothing is left behind.

bynw

In this last breach I had removed all extra files. No images or anything. So they have an exploit of something.
