Hacking - I think I have been hacked

From Online Manual


I think I have been hacked. How do I check?

If any of your PHP files start with anything other than <?php by itself on the first line, or if an expert advises that any of your executable files have been infected with malicious code, you should be very suspicious. If your site is unexpectedly sending users to another website or causing unexpected pop-ups, if users report that your site causes malware warnings, or if any of your files have a more recent modified date than you expect, consult an expert quickly.
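The two file-level warning signs above can be checked from a shell on the server. This is an added example, not part of the SMF manual; it assumes a POSIX shell with find, head and tr, and takes the forum directory as an argument.

```shell
#!/bin/sh
# Added example, not from the SMF manual: two quick checks that implement the
# warning signs described above. Assumes a POSIX shell with find, head and tr.
# A legitimate file that begins with a UTF-8 byte-order mark is also flagged by
# the first check, so inspect flagged files rather than assuming they are clean.

# Print every *.php file under directory $1 whose first line is not exactly "<?php".
# The first line is read as-is; a trailing carriage return (CRLF files) is ignored.
suspicious_php_headers() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        first=$(head -n 1 "$f" | tr -d '\r')
        [ "$first" = "<?php" ] || printf '%s\n' "$f"
    done
}

# Print every file under directory $1 modified within the last $2 days, to
# compare against the date of the last change you know you made yourself.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# Usage on a live forum (paths are yours to fill in):
#   suspicious_php_headers /var/www/forum
#   recently_modified /var/www/forum 7
```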

I am sure I have been hacked...what do I do now?

First of all, keep calm. When the forum has been hacked, there are a few simple steps for the administrator to take. Most infections can be eliminated in just a few minutes.

  • If you can do it quickly and easily, shut down your website temporarily to stop any further damage while you are fixing the problem. See the instructions below for tips on how to do this. If you can't, skip this step and move on to getting rid of the problem.
  • Check your desktop computer for malware -- A virus on your PC might have given the bad guys your password, or uploaded a file to your website.
  • Change all your passwords -- you don't know yet if any of them have been stolen. That includes all SMF admins, FTP accounts, telnet/SSH users, the hosting control panel, the database, and even email. If you cannot log into your SMF admin account, see below for how to fix the problem. If you do not know how to change your database password or any other passwords associated with your hosting account, get help from your host.
  • Back up your database and your files (even the infected ones) and store them in a safe place.

This is important. You want a copy of your database in case something goes wrong. You want a backup of your attachments directory -- you can't get those files back if you accidentally delete them. If you have any other custom file directories (gallery or document storage, etc.), you want to protect them, too. You want copies of all the SMF files so you or someone else can figure out later how you got hacked in the first place. Copy the backup files to a safe place. If you are using FTP to copy the backup files, make sure to use binary mode. While your backups are in progress, notify your host and (if you think SMF let the hacker in) the SMF team.

  • Tell your host that you've been hacked.

Let them know about the problem. Ask them to check log files to find out where the attack may have come from. Find out what they recommend to eliminate the infection. Ask them if the malware has left any shell processes running.

  • File a security report with SMF.

If you think the hacker got in using SMF, please report it right away at security reports. Please be prepared to share information about your files and your account logs so the developers can figure out if SMF was the cause, and how to fix SMF if it needs it.

  • Delete all files except for your attachments directory (Be very cautious -- infected files might be in there). Make sure your backup files are stored somewhere safe and don't get deleted. Ask for help if you are unsure. In addition to your SMF files, you should delete any "extra" php files, and you may need to delete .htaccess files, php.ini files, or other configuration files. Talk to your host about this. If you can't delete a file, talk to your host about how to fix the problem.
  • Replace all your SMF files with uninfected files.
    • It is safest to use a fresh set of SMF files rather than a recent file backup. Only use your file backup if you are 100% certain it was not infected.
    • To get a fresh set of files for the same version of SMF you are already using, follow these instructions.
    • If you have any custom directories (like a gallery mod directory), double check them now.
    • Get a copy of Settings.php from your recent file backup, edit it to update the password you just changed, and place a copy in your SMF directory.
    • Check your SMF file permissions. Make sure they are OK, security-wise. Ask your host if you are not sure.
    • Patch or upgrade SMF to the most recent, most secure version.
    • Re-install your mods. Use repair_settings if you run into any trouble.
    • Back up your files again.
  • Change all your passwords again now that the infection is gone, just to be sure they weren't stolen again while you were still eliminating the infection.
  • Get your website running again if you shut down your website using any of the tips below.

I have cleaned my hacked SMF installation. How can I prevent this from happening again?

Keep your SMF software up to date -- download new versions whenever security fixes are available. Apply some of the security tips, which can help you protect your forum from further attacks.

Tools you can use

If your admin password doesn't work any longer

See Resetting an admin user's password to find out how to set your password back to something you can use. Log in, change the password again, and double-check the email address. You already changed your database password and the email password, right? If the admin account no longer has administrator powers, or if the account has been deleted, read through I accidentally lost my admin account! What can I do for more helpful tips.

Shutting down your Linux/Apache site

If you can alter your .htaccess file and your site uses the Apache web server with mod_rewrite installed, you can shut down your site using these two files. First, make a copy of your .htaccess file and save it in a safe place. Then replace it with the one below and create a file called maintenance.html in the same directory. If your site does not use the Apache web server, this method will not work. If you cannot find your .htaccess file, or if this change to your .htaccess file does not shut your site down, get support from your host.

.htaccess

# Enables runtime rewriting engine
RewriteEngine on

# Serve maintenance.html as the body of every 503 response. Apache drops the
# target of a RewriteRule whose R= status is outside 300-399, so without this
# line visitors would see the default error page instead of maintenance.html.
ErrorDocument 503 /maintenance.html

# Return 503 to all visitors, except for requests for the maintenance page itself.
# Uncomment the next line to exempt your own IP address (replace 111.111.111.111).
#RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]

maintenance.html

<html>
<head><title>This site is undergoing maintenance</title></head>
<body>This site is undergoing maintenance</body>
</html>

Shutting down your Windows site

If you are using the IIS web server and have the ipSecurity restriction for IP Addresses and Domain Names installed and enabled, save a copy of web.config, replace it with the one below, and restart your IIS web server.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <identity impersonate="false" />
    </system.web>
    <system.webServer>
        <security>
            <ipSecurity allowUnlisted="false">
                <clear/>
                <!-- Adding your own IP address would allow you to use the website, but might be dangerous to you... -->
                <!-- <add ipAddress="111.111.111.111" allowed="true" /> -->
            </ipSecurity>
        </security>
    </system.webServer>
</configuration>