#1 By: Nox Subject:Well, I just got hacked...  Time: 14.Oct.06 16:38:38
...how the heck do I fix this?

www.thegalacticirregulars.com/...orums/index.php

Never had it happen before. 


#2 By: Nox Subject:Re:Well, I just got hacked...  Time: 14.Oct.06 16:45:49
Hmmm... seems I need to replace my index.php file - hoping that fixes it.  How do I secure my site to keep this from happening?  Sorry a bit of a n00b when it comes to this stuff - I know there are no guarantees from this type of thing, but I'm assuming I goofed somewhere in setting or resetting file permissions. 


#3 By: Nox Subject:Re:Well, I just got hacked...  Time: 14.Oct.06 17:14:15
Ok, dl'd the files from here (I'm out of town this weekend of course...) and replaced the index.php file.  Back to working order.  I must have left the index.php file in 777 mode originally - not very bright of me.  Changed that so hopefully it won't happen again.

Are there any other pointers beyond what is in the install instructions for permission settings? 


#4 By: Nox Subject:Re:Well, I just got hacked...  Time: 14.Oct.06 19:28:52
Damn... had everything going for a while with no problems - reset the permissions (took writing off of most everything) and as I'm going back and forth between my forums I suddenly get hacked AGAIN!  Different outfit this time it looks...

Tried replacing the index.php file again and this time it doesn't seem to work - I get a popup and a redirection script kicks in.  Don't know where to look for it - any ideas?  Also, what am I leaving open that is causing this to be able to happen?  Never ever had this before and suddenly twice in one day.  Is there something else I'm leaving open for this to happen?  Any help would be appreciated guys.


#5 By: Nox Subject:Re:Well, I just got hacked...  Time: 14.Oct.06 21:56:33
Ok, so that time they got my Settings.php file and overwrote it.  I fixed that with the backup file, but I changed all the permissions to 755 for any of the settings files (I had left them at 777).  Of course, now I can't modify settings through the admin functions.  What setting can I put those files at safely so I don't have to worry about them being hacked anymore but can still edit them through admin?  If I give Write permissions to Group but not World does that work?

Also, to be safe I changed both my account and dbase passwords.  Sorry about the string of rambling posts guys.  But any advice you can offer would be awesome.
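
Added example, not part of the original posts: a shell script for the two checks post #5 turns on, listing anything under the forum tree that is still world-writable (777/666) and any file modified since a known-good backup. The forum path and the reference backup file are assumptions supplied as arguments; nothing here is YaBB SE's own tooling.

```shell
#!/bin/sh
# Added example: audit a forum directory after a defacement.
# The forum root and the reference file are assumptions passed on the command line.

# List regular files and directories that any local user can write
# (the "other" write bit is set, as with mode 777 or 666).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List regular files modified more recently than a known-good reference file,
# for example the backup archive the board was restored from.
changed_since() {
    find "$1" -type f -newer "$2" -print | sort
}

# Clear only the world-write bit; owner and group bits are left untouched.
drop_world_write() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Print both reports for one forum tree.
audit() {
    echo "== world-writable paths under $1 =="
    world_writable "$1"
    echo "== files newer than $2 =="
    changed_since "$1" "$2"
}

# Usage: sh audit.sh /path/to/forum /path/to/known-good-backup
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Whether group write alone is enough for the admin panel to save settings depends on which user and group the web server runs PHP as on that host.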


#6 By: Datarunner Subject:Well, I just got hacked...  Time: 15.Oct.06 16:38:02
Hi Nox you are not the only one, I just got hacked this morning.
Therefore I now have set the registration tool that new users have to get checked by the admin first before they can write. Somebody uploaded a file called root.php. Now I wonder, where in the admin panel can I activate the new users' accounts that are in the yabbsm_prereg_member table? Or do I have to use phpmyadmin?

Yep, they also overwrote my Settings file. It took me some time to re-do.
Now I am also wondering what can be done... since Wiziwig took this issue very seriously from the beginning on, maybe he has good advice for us on what we can do, besides disallowing immediate registration and activation of the account.
If something has to be re-programmed;  I am going to be available in a few days anyway.
I am writing tests on Wednesday and Thursday.


bye



#7 By: Nox Subject:Re:Well, I just got hacked...  Time: 15.Oct.06 16:53:15
Yeah, they hit me a third time - this time somebody got in and banned all the admin accounts.  How the hell did they manage that and what else are they going to be able to do?

Going to go into the dbase and get myself unbanned - then I'll change it over so registration has to be approved like you said.  But is that going to stop them?  Also, where did you find that root.php file?  This time they didn't mess with either the index or the Settings file, but there is still a redirection to their site after it tells me I'm banned...

I wish I knew how to plug the hole... what if I temporarily set permissions to 644?


#8 By: Nox Subject:Re:Well, I just got hacked...  Time: 15.Oct.06 17:03:38
By the way Data. I was just poking around the index code and saw this sitting in there but not active on line 410:

//   'register2' => array("$sourcedir/Admin.php", 'registerApplicant'),

Does that have anything to do with having the admins register the applicants? 


#9 By: Nox Subject:Re:Well, I just got hacked...  Time: 16.Oct.06 17:36:23
Well, apparently it's not limited to the beta version as one of my 3.0.0 boards was hacked as well.  I'm not sure how they are getting in but there seems to be a security hole somewhere.  It does appear limited to the forums themselves as they haven't altered anything outside of the forum root folders (yet).  I've already pulled back the permissions on my beta site so it's not accessible by anyone - have to do the same with all of my forum folders I think. 


#10 By: Guardian Subject:Re:Well, I just got hacked...  Time: 21.Oct.06 03:26:08
I got hacked over on NoPC last week. What they did is overlaid one of the files (helpadmin.help_fr_FR) with this cshell99 program that literally gave them the run of the system. Then it looks like they uploaded a file to tmp/, compiled it, and ran it with Apache authority. Screwed up every web site on the server. NoPC was a version 3.0 board too. There was also a shell script uploaded. I have NOT restored NoPC yet, so if anyone wants to look at what was there, I'd be willing to let you.