[TheLastSuperman]

Quote:

Originally Posted by CarolSEL

5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.

When I refer to backups I always say database backup and filesystem backup, one being a copy of your database at the time the backup was made and the other being the actual folders with files.

When you say they restored a web backup do you mean they had a full database(1)
AND filesystem(2) backup and restored both(3)?

1 If the host restored then they know to drop the tables in fact the entire database depending on restore method. The issue here for some site owners who attempt this themselves is the fact they tend to import a backup onto a populated database i.e. overwriting newer data with older data and that can cause issues. The proper way to do it is to drop all tables from the database then import the backup into the now empty database thereby restoring it.

2 If the host restored a filesystem backup, it must be BOTH filesystem AND database because the two must match each other i.e. timeframe, if the database backup was made at 5pm your time then the filesystem backup should be from that same time and by disabling the forum before a backup you ensure no activity is taking place i.e. avatar/image uploads so the two will in fact match what the database knows is within the filesystem.

3 If only one was done, as I said above in note #2 it must be both. Now is there an exception? Yes! The inability to access the admincp could be modification related, if you restored fresh files only and forgot to upload all the missing plugin files then that can cause inability to access, if you feel that is the case locate the missing modification files and upload them (you can still access the database via phpmyadmin so check the product and plugin tables). If you have issues tracking down the files OR truly believe this is the issue then start disabling each plugin one by one using this article until you find the culprit as not all plugins disable when you disable mods via the config file, I've seen some odd situations and scenarios with certain third-party modifications/plugins.

Quote:

Originally Posted by CarolSEL

6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.

Was the version you were running at the time of the hacking in fact 4.2.1? If you were lets say for example running 4.2.0 and then overwrote those files with 4.2.1 files without running the upgrade script then issues can occur and if that is the case simply run the upgrade script to resolve (and on that note, when you uploaded those 4.2.1 files you did delete the /install/ folder before uploading the contents of the .zip correct? See where I'm headed with this ).

Quote:

Originally Posted by CarolSEL

So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?

You need to manually inspect it, there are queries listed in some of the articles and blog entries we linked you to prior in this thread, you can modify those queries i.e. for example you can search in the database for http://adf.ly/VRrrp as mentioned in this post. Edit: Removed some info I was mistaken and needed to clarify.

Your site is more than likely intact, other than one site where they edited the master style I have only seen defacement no thread or post deletions but make sure to check regardless.