vb.org Archive > Community Discussions > Forum and Server Management
#1
10-16-2008, 06:09 PM
Berethorn
Join Date: Jun 2004
Posts: 69
Thanks given: 0
Thanked 0 times in 0 posts
Got hacked. What now?

Hi everyone, haven't been here in a long time,

But last week my site got hacked. Practically every single page displays the typical black bg "you were hacked, haha" message (and nothing else). Restoring the entire file system did nothing, leading me to believe the hack is hidden in the database somewhere.

I'm not sure if I should post the link to my forum so people can see, or not?

Not only has it been a terribly long time since I backed up the database (I've been a bad admin and haven't been active at my forum), but the backup file is so large I don't know if I can restore it with phpMyAdmin.

A much better solution would be fixing the database. Where should I look in the database? Keep in mind that this bit of code or whatever affects every page with the exception of admincp/index.php (it displays the login page, but once you try to login, you get the hacked page again).

Any help is appreciated!!!
#2
10-16-2008, 06:14 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Thanks given: 0
Thanked 0 times in 0 posts

I would look for files in your directories that shouldn't be there. Is there a link to the site that we can see this happening?
#3
10-16-2008, 06:31 PM
Berethorn
Join Date: Jun 2004
Posts: 69
Thanks given: 0
Thanked 0 times in 0 posts

http://www.landofrohan.com/forum/forumdisplay.php

(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)

I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup.
#4
10-16-2008, 06:45 PM
Quarterbore
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Thanks given: 0
Thanked 0 times in 0 posts

I am working on a server side spider to find hacked files and I would really be interested in working with you on this if you are game.

First, go into your server and look for an .htaccess file and make sure they didn't drop something in there. Often that is how they do this and it could be an easy fix to make it stop.

Next, go into your FTP program and look at the date/time that your files were changed. It is possible that they did not change all of your files. The files that were changed should be copied somewhere where they can be looked at later to try to help identify the culprit and perhaps learn how to identify their work in the future.

Then, you should replace all of the files that were modified with safe versions. I hope you have backups as otherwise this can be a painful experience. From there, let's hope that your site works but if not you may need to get more help.

If you find modified files, send me a PM and I will give you some clues on what I could use to bulk my hacker detector script I have started.

--------------- Added 10-16-2008 at 07:51 PM ---------------

I also find it strange when you look at the source for the code I get this:

PHP Code:
<!-- saved from url=(0026)http://woot.king-nerd.com/ --> 
The site itself is just a front...
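Post #4's file-side checks (look at .htaccess first, then at which files changed after the last clean backup, and search them for the remote script reference seen in the page source), as an added example; this is not code from the thread or from vBulletin. The marker list and the sample forum tree are constructed for the demo; on a real server call triage() with the forum root and the mtime of the last known-good backup.

```python
import os, re, tempfile, time

# Markers to flag: the hostname and ads.js path quoted in this thread plus a
# few common injection shapes (constructed list; extend it with what you see).
SUSPICIOUS = re.compile(
    r"king-nerd\.com|index4_files/ads\.js|<script[^>]*src=[\"']?https?://"
    r"|eval\s*\(\s*(base64_decode|gzinflate)|auto_prepend_file",
    re.IGNORECASE,
)

def scan_file(path):
    """(line_no, matched_text) for every marker occurrence in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            hits.extend((n, m.group(0)) for m in SUSPICIOUS.finditer(line))
    return hits

def triage(root, since_ts):
    """Relative path -> hits for every file modified after since_ts (copy those
    aside before overwriting them) and for every .htaccess whatever its mtime."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == ".htaccess" or os.path.getmtime(full) > since_ts:
                report[os.path.relpath(full, root)] = scan_file(full)
    return report

def make_sample(base):
    """Constructed forum tree: two untouched files, two modified last week."""
    old, new = time.time() - 90 * 86400, time.time() - 3 * 86400
    files = {
        "index.php": ("<?php require('./global.php');\n", old),
        ".htaccess": ("php_value auto_prepend_file /tmp/x.php\n", old),
        "showthread.php": ('<script src="http://woot.king-nerd.com/index4_files/ads.js"></script>\n', new),
        "global.php": ("<?php // untouched code, only the mtime changed\n", new),
    }
    for name, (body, ts) in files.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))
    return time.time() - 30 * 86400  # cut-off to pass to triage(): a month ago

def demo():
    """Run triage over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as base:
        return triage(base, make_sample(base))
```

A modified file with an empty hit list is still worth copying aside and diffing against the backup, since the marker list only catches what it already knows about.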
#5
10-16-2008, 07:12 PM
Berethorn
Join Date: Jun 2004
Posts: 69
Thanks given: 0
Thanked 0 times in 0 posts

I know, it's very strange. And it seems like it would be easy to find.

As for .htaccess, I can't find one unfortunately - that would have been too easy.

For your second suggestion, alas, I already overwrote the entire forum directory, so no evidence remains. But since the hack is still there, I don't believe it's actually in the files themselves. I still think it's a database thing.
#6
10-16-2008, 07:20 PM
puertoblack2003
Join Date: Aug 2005
Location: Philadelphia
Posts: 1,073
Thanks given: 0
Thanked 0 times in 0 posts

Quote: Originally Posted by Berethorn
http://www.landofrohan.com/forum/forumdisplay.php

(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)

I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup.
It appears to be a file that you have to check when viewing the source code:

index4_files/ads.js. Find that file; somehow it's using that to deface your page, and in the SQL you would have to go to post or thread to view that code too.
#7
10-16-2008, 07:44 PM
Berethorn
Join Date: Jun 2004
Posts: 69
Thanks given: 0
Thanked 0 times in 0 posts

Hmn. There's no index4_files/ads.js anywhere on my server. Seems that's hosted remotely somewhere else. I'll look in post or thread in the DB though I'm not sure where to look in them.
#8
10-16-2008, 07:48 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Thanks given: 0
Thanked 0 times in 0 posts

After you got hacked, did you restore your database from a backup?

Search and see if you have a plugin you don't recognize.
#9
10-16-2008, 07:54 PM
Berethorn
Join Date: Jun 2004
Posts: 69
Thanks given: 0
Thanked 0 times in 0 posts

I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).

I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.

All the plugins are of my own installation.
#10
10-16-2008, 07:57 PM
Quarterbore
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Thanks given: 0
Thanked 0 times in 0 posts

Quote: Originally Posted by Berethorn
I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).

I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.
A reminder to everyone that this really is easy to prevent!!!

Tutorial: Using the CRON tab to do daily backups and long term MYSQL archives

--------------- Added 10-16-2008 at 09:03 PM ---------------

Did you try disabling the plugin system by editing your config file?

To temporarily disable the plugin system, edit config.php

FIND
PHP Code:
<?php
AFTER ADD
PHP Code:
define('DISABLE_HOOKS', true);
That will at least confirm there is no way it is in the plugin system somehow.

Just remove it when you are done and you will be back to normal.
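The database-side search suggested in posts #6, #8 and #10 (post and thread content, plugins you don't recognise, and the templates the hook system renders on every page), as an added example that is not code from the thread or from vBulletin. It streams a mysqldump line by line, so a fresh dump of the live database, or the old January backup that is too large for phpMyAdmin, can be searched without importing it; the table names are vBulletin 3's, while the marker pattern and the sample dump are constructed.

```python
import re

INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.IGNORECASE)

# vBulletin 3 tables whose rows are executed (plugin) or rendered into every
# page (template, phrase, datastore), so content stored there survives a clean
# re-upload of the PHP files, which is what this thread describes. post and
# thread are included because post #6 points there. Constructed list.
CONTENT_TABLES = {"plugin", "template", "phrase", "datastore", "post", "thread"}

# The remote host and script quoted in the thread, any other external
# <script src> (with the backslash-escaped quotes a dump uses), and
# obfuscated PHP of the kind found in injected plugin code.
MARKER = re.compile(
    r"king-nerd\.com|index4_files/ads\.js|<script[^>]*src=\\?[\"']?https?://"
    r"|eval\s*\(\s*(base64_decode|gzinflate)", re.IGNORECASE)

def scan_dump(lines, marker=MARKER, context=40):
    """Yield (table, line_no, match, snippet) for every marker found inside an
    INSERT into one of the content tables. Works on an open file object."""
    for line_no, line in enumerate(lines, 1):
        m = INSERT_RE.match(line)
        if not m or m.group(1).lower() not in CONTENT_TABLES:
            continue
        for hit in marker.finditer(line):
            lo, hi = max(0, hit.start() - context), hit.end() + context
            yield m.group(1).lower(), line_no, hit.group(0), line[lo:hi]

def scan_dump_file(path, marker=MARKER):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(scan_dump(fh, marker))

# Constructed sample dump: a clean post, a headinclude template row carrying
# the remote script tag, and a global_start plugin running obfuscated PHP.
SAMPLE_DUMP = """-- MySQL dump (constructed sample)
CREATE TABLE `post` (`postid` int(10) unsigned NOT NULL);
INSERT INTO `post` VALUES (1,1,'Welcome','Hi everyone, haven\\'t been here in a long time');
INSERT INTO `template` VALUES (12,1,'headinclude','<script src=\\"http://woot.king-nerd.com/index4_files/ads.js\\"></script>');
INSERT INTO `plugin` VALUES (7,'Ad loader','global_start','eval(base64_decode(\\'QUJD\\'));','vbulletin',1);
INSERT INTO `user` VALUES (1,'Berethorn');
"""

def demo():
    """Scan the constructed dump; returns the list of findings."""
    return list(scan_dump(SAMPLE_DUMP.splitlines()))

if __name__ == "__main__":
    for table, line_no, match, snippet in demo():
        print(f"{table} line {line_no}: {match!r} in ...{snippet}...")
```

The snippet shows the surrounding columns (template title, plugin hook name), which is what you need to find the row in the AdminCP and compare it with the same row in the old backup.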
All times are GMT.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.