SMFPacks

SMFPacks => Main News => Topic started by: NIBOGO on October 31, 2013, 11:19:11 AM

Title: We were hacked!
Post by: NIBOGO on October 31, 2013, 11:19:11 AM
Dear community members,

Today I discovered that our website has been hacked by an unknown hacker. It remains unknown how he got access, and especially whether the hole comes from SMF. All passwords were in secure places and the ones for the database, FTP and administration were different; even so, the hacker was able to break our security system. An antivirus program was run on my personal laptop (the only one where I log in) and it reported no errors.

We are checking our logs in order to identify how this was done and what kind of data he got from our database. We strongly recommend that you change your password here and on every website where you were using the same one. We don't know yet if this is related to the hack done on simplemachines.org a few days ago: http://www.simplemachines.org/community/index.php?topic=508232.0 I also have different passwords there and here, so if my data was pulled from their database it's useless here.

Every single password has been changed to a key that is really secure. I'm also working with our server administrator in order to get more information and find out whether the hacker was able to extract our database. Keep in mind we do not store your credit card information or your PayPal login details; they are not here, as we do not process the payments, 2CheckOut does.

Thank you very much for understanding. And please change your password!
Title: Re: We were hacked!
Post by: wuka on November 01, 2013, 05:40:07 AM
I hope a few things from this post on "how to find a hole on a hacked server" (http://habrahabr.ru/post/188878/) may help you.

First of all, search for files modified in the last 7 days:


# PHP files whose modification time is less than 7 days old
find . -type f -name '*.php' -mtime -7

Find PHP files with suspicious code:

# -print0 / xargs -0 keep file names with spaces or newlines intact
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(str_rot13 *(base64_decode *(" --color
# any of the usual mail/socket/command-execution/decoding calls
find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
# preg_replace with the /e modifier (code execution via the replacement string)
find . -type f -name '*.php' -print0 | xargs -0 grep -Ei "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
# .htaccess files that point at an external URL (injected redirects)
find . -type f -name '.htaccess' -print0 | xargs -0 grep -i http
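The checks from the post above, folded into one sweep that a server admin could run against a web root. This is an added example, not part of the thread; the directory layout, the file names and the obfuscated sample file are constructed for the dry run, and the script assumes a POSIX find and grep.

```shell
#!/bin/sh
# Added example (not from the thread): one sweep of a web root combining
# recently modified *.php, suspicious PHP calls and .htaccess redirects.
# find -exec ... {} + hands paths to grep directly, so spaces are safe.

# The calls the post's one-liners look for, as a single extended regex.
SUSPICIOUS='(eval|base64_decode|gzinflate|str_rot13|mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru) *\('

# scan_webroot DIR [DAYS] -> one line per finding: "<kind><TAB><path>"
#   recent   : *.php modified within DAYS days (default 7)
#   pattern  : *.php containing a call matched by SUSPICIOUS
#   htaccess : .htaccess mentioning an http URL
scan_webroot() {
    root=$1; days=${2:-7}
    find "$root" -type f -name '*.php' -mtime "-$days" |
        while IFS= read -r f; do printf 'recent\t%s\n' "$f"; done
    find "$root" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS" {} + 2>/dev/null |
        while IFS= read -r f; do printf 'pattern\t%s\n' "$f"; done
    find "$root" -type f -name '.htaccess' -exec grep -li 'http' {} + 2>/dev/null |
        while IFS= read -r f; do printf 'htaccess\t%s\n' "$f"; done
}

# make_sample_root -> prints the path of a constructed web root for a dry run:
# an old benign index.php, a fresh obfuscated file in uploads/, a redirecting .htaccess.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    touch -t 201301010000 "$d/index.php"   # dated 2013-01-01: not "recent"
    # constructed sample; the base64 payload only decodes to: echo 'hi';
    printf '<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>\n' > "$d/uploads/a b.php"
    printf 'Redirect 301 / http://example.invalid/\n' > "$d/.htaccess"
    printf '%s\n' "$d"
}

# Dry run on the constructed tree; replace with e.g. scan_webroot /var/www 7
root=$(make_sample_root)
scan_webroot "$root"
rm -rf "$root"
```

On a real server, triage the "recent" hits first and compare any "pattern" hit against a clean copy of the same SMF release before deleting anything.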
Title: Re: We were hacked!
Post by: angeljs on November 01, 2013, 05:53:15 AM
Sorry to hear that. :(  I know exactly how you feel, these people are the scum of the internet.
Title: Re: We were hacked!
Post by: Autopilot on November 01, 2013, 08:07:01 AM
It is sad that one of the favorite SMF support sites gets hit. I think it was only a matter of time though, considering the number of critical security issues they have had over the past few years.
Anyway, best of luck fixing this at your end, and please keep us updated with any resolution.
Title: Re: We were hacked!
Post by: NIBOGO on November 01, 2013, 02:28:21 PM
Thank you for your replies. I'll dig into this and I'll let you know.
Title: Re: We were hacked!
Post by: Autopilot on November 03, 2013, 02:00:01 PM
Quote from: NIBOGO on November 01, 2013, 02:28:21 PM
Thank you for your replies. I'll dig into this and I'll let you know.

Any further updates on this hack?
Title: Re: We were hacked!
Post by: NIBOGO on November 03, 2013, 02:46:09 PM
I already checked and the files are fine. We are still unsure whether there was access to the database. Our logs don't show any access, but we cannot guarantee that 100%.
Title: Re: We were hacked!
Post by: Autopilot on November 03, 2013, 03:05:10 PM
Roger that, thanks.