Difference between revisions of "Hacking - I think I have been hacked"

From Online Manual

m (wikilink, not URL)
(use $maintenance=2)
Line 6: Line 6:
 
== I am sure I have been hacked...what do I do now? ==
 
== I am sure I have been hacked...what do I do now? ==
 
First of all, keep calm. When the forum has been hacked, there are a few simple steps for the administrator to do.
 
First of all, keep calm. When the forum has been hacked, there are a few simple steps for the administrator to do.
 +
* Check your Settings.php file for bad code.
 +
* Put your forum in maintenance mode level 2 by setting the $maintenance setting in your Settings.php file -- see [[Settings.php#$maintenance]]
 +
 
* [[Backup]] your database and your files (even the infected ones)
 
* [[Backup]] your database and your files (even the infected ones)
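Review bot: the added maintenance-mode bullet says "level 2" and "setting the $maintenance setting" but never shows the value to set; the edit summary gives it as $maintenance=2, so put that assignment in the bullet itself rather than leaving it to the linked page. The added first bullet, "Check your Settings.php file for bad code", also gives the reader nothing to recognise bad code by; say what to look for or link to the section that does.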
  
Line 30: Line 33:
 
One measure that you can take, is to apply some or all of these [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help you to protect your forum from any further attacks.
 
One measure that you can take, is to apply some or all of these [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help you to protect your forum from any further attacks.
  
 
+
* Take your database out of maintenance mode by removing the the $maintenance setting in your Settings.php file -- see [[Settings.php#$maintenance]]
 
 
 
[[Category:FAQ]]
 
[[Category:FAQ]]
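Review bot: the added bullet reads "Take your database out of maintenance mode", while the step added in the first hunk puts the forum, not the database, into maintenance mode; use "forum" in both places. The same line has a doubled "the the". It is also placed under the security tips paragraph rather than at the end of the clean-up steps, so a reader following the recovery list never reaches it; consider moving it there.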

Revision as of 10:26, 5 May 2014

I think I have been hacked, I'm not sure, how do I check?

This is a difficult question, since it depends on the type of hack. As an indication, you can open a few of the Source files (the files located in ./Sources) and see whether there is any trace of base64_decode. If there is, there is a chance that your forum has been hacked, and there are a few utilities and steps that help users recover their SMF installation. This code is usually placed on the first line of the file. So, if the first line isn't "<?php" and absolutely nothing else, you've almost certainly been hacked.

Another way of checking, although it's far less thorough, is to look at the datestamps on your files. If you haven't installed any mods/themes recently, yet some of your files show as being edited recently, chances are that they've been modified by someone who shouldn't be able to.
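The three checks described above (a first line that is not exactly "<?php", any trace of base64_decode, and an unexpectedly recent datestamp) can be run over every PHP file at once. This is an added example, not part of the SMF manual or SMF itself; the function names and the 7-day window are assumptions, and each hit is an indicator to review by hand, not proof of compromise.

```python
import os
import time

MARKER = b"base64_decode"          # string the manual says to look for
EXPECTED_FIRST_LINE = b"<?php"     # first line must be exactly this, nothing else


def check_file(path, recent_seconds, now=None):
    """Return the list of indicators that apply to one PHP file."""
    now = time.time() if now is None else now
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    # Tolerate Windows line endings, but nothing else on the first line.
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line != EXPECTED_FIRST_LINE:
        reasons.append("first-line")
    # PHP function names are case-insensitive, so compare in lower case.
    if MARKER in data.lower():
        reasons.append("base64_decode")
    if now - os.path.getmtime(path) < recent_seconds:
        reasons.append("recent-mtime")
    return reasons


def scan_sources(root, recent_days=7, now=None):
    """Walk root and map each flagged .php file (relative path) to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = check_file(path, recent_days * 86400, now)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default: run from the forum root, scanning ./Sources.
    root = sys.argv[1] if len(sys.argv) > 1 else "./Sources"
    for rel, reasons in sorted(scan_sources(root).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a copy of the files before cleaning up, and widen `recent_days` to reach back to your last legitimate mod or theme install.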

I am sure I have been hacked...what do I do now?

First of all, keep calm. When the forum has been hacked, there are a few simple steps for the administrator to take.

  • Check your Settings.php file for bad code.
  • Put your forum in maintenance mode level 2 by setting the $maintenance setting in your Settings.php file -- see Settings.php#$maintenance
  • Back up your database and your files (even the infected ones)

One of the most critical steps is to make backups of the whole SMF system, including the database. You want the database in case something goes wrong. You want all the SMF files (even the infected ones) so that your host and/or the SMF team can help figure out how you got hacked. And you want backups of all your attachments and avatars and any other files in special directories in case they get messed up or deleted while you are working to delete the infected files.

  • Tell your host that you've been hacked.

Notify your host so that they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server and, also, get them to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking.

  • File a security report with SMF.

If your forum was breached via a security weakness within SMF or an SMF mod, and not via a weakness in a non-SMF script, please report it to the SMF developers so that the issue can be investigated and, if confirmed, patched. Please report security issues here. Please give detailed information, such as webserver logs and/or FTP logs, so the SMF team can help discover the source of the problem. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.

  • Replace all your SMF files with uninfected files.
    • You can use a recent backup of your files, or you can use a fresh set of SMF files. But first, you want to make sure you can get rid of any file that might be dangerous to your users or your site.
    • Carefully check Settings.php, Settings_bak.php, and the attachments directory. Make sure the php files do not have any bad code in them. Remove any extra php or js files from your attachments directory, and check its index.php for bad code.
    • If you have any custom directories (like a gallery mod directory), remove any executable code files -- they can be re-installed later.
    • Besides your Settings.php and Settings_bak.php files, and your attachments (and any other directories with files you can't get back), delete everything to do with your SMF installation. This will get rid of any files that might have been infected.
    • If you are unable to delete any of the files, get help from your host.
    • If you are using your own backed-up files, restore your backup now (see restoring your forum files for more information).
    • If you are using a fresh set of files, upload them now (see How to upload a fresh set of files for more information).
    • Once that is done, you'll have a fresh set of files.

I have cleared my hacked SMF installation, how can I prevent this from happening again?

One measure that you can take is to apply some or all of these security tips. These tips help you to protect your forum from any further attacks.

  • Take your database out of maintenance mode by removing the $maintenance setting in your Settings.php file -- see Settings.php#$maintenance