Since 2009

[Important] We were hacked!

Discussion started on Main News

NIBOGO

Dear community members,

Today I discovered that our website has been hacked by an unknown hacker. It remains unknown how he had access, and especially if the hole comes from SMF. All passwords were in secure places and the ones from database, FTP and administration were different; even so, the hacker was able to break our security system. An antivirus program was executed on my personal laptop (the only one where I log in) and it threw no errors.

We are checking our logs in order to identify how this was done and what kind of data he got from our database. We strongly recommend that you change your password here and on every website where you were using the same one. We don't know yet if this is related to the hack done over simplemachines.org: http://www.simplemachines.org/community/index.php?topic=508232.0 a few days ago. I also have different passwords there and here, so if my data was pulled from their database it's useless here.

Every single password has been changed with a key that is really secure. I'm also working with our server administrator in order to get more information, and know if the hacker was able to extract our database. Keep in mind we do not store your credit card information nor your PayPal login details, they are not here as we do not process the payments, 2CheckOut does it.

Thank you very much for understanding. And please change your password!

Linkback: https://www.smfpacks.com/b1/we-were-hacked/1824/
#1 - October 31, 2013, 11:19:11 AM

wuka

I hope a few things on "how to find a hole on a hacked server" from this post may help you.

First of all, search for files that were modified in the last 7 days

Code:
find . -type f -name '*.php' -mtime -7

Find PHP files with suspicious code

Code:
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(str_rot13 *(base64_decode *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
find . -type f -name '*.php' -print0 | xargs -0 grep -E -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
find . -type f -name '\.htaccess' -print0 | xargs -0 grep -i http
#2 - November 01, 2013, 05:40:07 AM
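The checks wuka lists above can be combined into one pass that ranks files rather than printing a separate match list per pattern. The script below is an added example, not part of the original post; the function names (`score_file`, `triage`, `htaccess_redirects`) and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rank PHP files by how many of the
# post's indicator patterns they contain and whether they changed recently.
# Function names and the default 7-day window are assumptions for illustration.

# One ERE per line, taken from the grep commands in the post.
PATTERNS='eval *\(
base64_decode *\(
gzinflate *\(
str_rot13 *\(
(fsockopen|pfsockopen|stream_socket_client) *\(
(exec|system|passthru) *\('

# score_file FILE: print how many distinct patterns match the file.
score_file() {
    n=0
    while IFS= read -r pat; do
        if grep -Eiq -- "$pat" "$1"; then n=$((n + 1)); fi
    done <<EOF
$PATTERNS
EOF
    echo "$n"
}

# triage ROOT DAYS: print "SCORE<TAB>recent|old<TAB>PATH", highest score first.
# Paths with spaces are handled; paths containing newlines are not.
triage() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        s=$(score_file "$f")
        [ "$s" -gt 0 ] || continue
        if [ -n "$(find "$f" -mtime "-$2")" ]; then age=recent; else age=old; fi
        printf '%s\t%s\t%s\n' "$s" "$age" "$f"
    done | sort -t "$(printf '\t')" -k1,1nr -k2,2r
}

# htaccess_redirects ROOT: list .htaccess files that mention an http URL.
htaccess_redirects() {
    find "$1" -type f -name '.htaccess' -exec grep -il 'http' {} + || true
}

# Run only when a directory is given: ./triage.sh /path/to/webroot [days]
if [ "$#" -ge 1 ]; then
    triage "$1" "${2:-7}"
    htaccess_redirects "$1"
fi
```

Modification times can be reset with `touch`, so an "old" label does not clear a file, and legitimate code also calls these functions; treat the ranking as a reading order for manual review and compare hits against a clean copy of the same SMF release.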

angeljs

Sorry to hear that. :(  I know exactly how you feel, these people are the scum of the internet.
#3 - November 01, 2013, 05:53:15 AM

Autopilot

It is sad that one of the favorite SMF support sites gets hit. I think it was only a matter of time though considering the number of critical security issues they have had over the past few years.
Anyway best of luck fixing this at your end and please keep us updated with any resolves.
#4 - November 01, 2013, 08:07:01 AM

NIBOGO

Thank you for your replies. I'll dig into this and I'll let you know.
#5 - November 01, 2013, 02:28:21 PM

Autopilot

Thank you for your replies. I'll dig into this and I'll let you know.

Any further updates on this hack?
#6 - November 03, 2013, 02:00:01 PM

NIBOGO

I already checked and files are fine. We are still unsure if there was access to the database. Our logs don't show any access, but we cannot guarantee that 100%.
#7 - November 03, 2013, 02:46:09 PM

Autopilot

Roger that, thanks.
#8 - November 03, 2013, 03:05:10 PM
