Difference between revisions of "Hacking - I think I have been hacked" From Online Manual


Latest revision as of 05:56, 23 April 2022

I Think I Have Been Hacked. How Do I Check?

If any of your PHP files starts with anything other than <?php on a line by itself, or if an expert advises that any of your executable files have been infected with malicious code, you should be very suspicious. If your site unexpectedly sends users to another website or causes unexpected pop-ups, if users report that your site triggers malware warnings, or if any of your files has a more recent modification date than you expect it to have, consult an expert quickly.
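The two checks just described (the first line of every PHP file, and files modified after your last legitimate change) can be run as a script. This is an added example, not part of the SMF manual: it builds a small constructed sample tree in a temporary directory, and the marker file `.last_known_good` is an assumption whose timestamp you would set to the date of your last install or mod change.

```shell
#!/bin/sh
# Added example, not from the SMF manual. Flags PHP files whose first line is
# not exactly "<?php" and files modified after a reference marker file.

# List *.php files under $1 whose first line is not exactly "<?php".
suspicious_php_files() {
    find "$1" -type f -name '*.php' -print | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" | tr -d '\r')
        [ "$first" = "<?php" ] || printf '%s\n' "$f"
    done
}

# List files under $1 modified more recently than the marker file $2.
recently_modified() {
    find "$1" -type f -newer "$2" -print | sort
}

# Constructed sample forum tree (assumption: your real tree is the SMF root).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/Sources" "$SAMPLE/Themes/default"
printf '<?php\n// untouched SMF file\n' > "$SAMPLE/index.php"
printf '<?php\n// untouched SMF file\n' > "$SAMPLE/Sources/Load.php"
printf '\n<?php\n// blank line before the open tag\n' > "$SAMPLE/Sources/Subs-Extra.php"
printf '<?php /* code on the open-tag line */\n' > "$SAMPLE/Themes/default/extra.php"
# Marker: the date of your last legitimate change (constructed: 1 April 2022).
touch -t 202204010000 "$SAMPLE/.last_known_good"
# Backdate the untouched files so only the two added ones count as recent.
touch -t 202203010000 "$SAMPLE/index.php" "$SAMPLE/Sources/Load.php"

echo "== PHP files whose first line is not exactly <?php =="
suspicious_php_files "$SAMPLE"
echo "== Files modified after the last known-good date =="
recently_modified "$SAMPLE" "$SAMPLE/.last_known_good"
```

Point both functions at your real forum directory and a marker file you have touched to the right date; a hit is a file to inspect, not proof of compromise.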

I Am Sure I Have Been Hacked, What Do I Do Now?

First of all, keep calm. When the forum has been hacked, there are a few simple steps for the administrator to do. Most infections can be eliminated in just a few minutes.

  • If you can do it quickly and easily, Shut down your website temporarily to stop any bad things happening while you are fixing the problem. See instructions below for tips on how to do this. If you cannot shut down your site, skip this step and move on to getting rid of the problem.
  • Check your desktop computer for malware

A virus on your PC might have given the hacker your password, or uploaded a file to your website.

  • Change all your passwords

You do not know yet if any of them have been stolen. That includes all SMF admins, ftp accounts, telnet/ssh users, hosting control panel, database, and even email. If you cannot log into your SMF admin account, see below for how to fix the problem. If you do not know how to change your database password or any other passwords associated with your hosting account, get help from your host.

  • Backup your database and your files (even the infected ones) and store it in a safe place.

This is important. You need to have a copy of your database in case something goes wrong. You need a backup of your attachment directory, since you cannot get those files back if you accidentally delete them. If you have any other custom file directories, such as gallery or document storage, you must protect them too. You need to have copies of all the SMF files, so that you or someone else can figure out how you were hacked in the first place. Copy the backup files to a safe place. If you are using FTP to copy the backup files, make sure that you use binary mode.

  • Tell your host that you have been hacked.

Let them know about the problem. Ask them to check log files to find out where the attack may have come from. Find out what they recommend to eliminate the infection. Ask them if the malware has left any shell processes running.

  • File a security report with SMF.

If you think the hacker got in by exploiting SMF, please report it right away at security reports. Please be prepared to share information about your files and your account logs, so that the developers can determine whether a vulnerability in SMF was the cause, and how to fix SMF if it needs it.

  • Delete all files except for your attachments and custom avatars directories (be very cautious because infected files might be in there). Make sure your backup files are stored somewhere safe and that they do not get deleted. Ask for help if you are unsure. In addition to your SMF files, you should delete any "extra" php files, and you may need to delete .htaccess files, php.ini files, or other configuration files. Talk to your host about this. If you cannot delete a file, talk to your host about how to fix the problem.
  • Replace all your SMF files with uninfected files.
    • It is safest to use a fresh set of SMF files rather than a recent file backup. Only use your file backup if you are 100% certain that it was not infected.
    • To get a fresh set of files for the same version of SMF you are already using, follow these instructions.
    • If you have any custom directories (like a gallery mod directory), double check them now.
    • Get a copy of Settings.php from your recent file backup, edit it so that it contains the database password you just changed, and place a copy in your SMF directory.
    • Check your SMF file permissions. Make sure that they are secure. Ask your host if you are not sure.
    • Patch or upgrade SMF to the most recent and most secure version.
    • Re-install your mods. Use repair_settings if you run into any trouble.
    • Back up your files again.
  • Change all your passwords again. Now that the infection has been removed, changing all of your passwords again is recommended in case they were stolen again before you finished eliminating the infection.
  • Get your website running again.
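Before deleting everything, it helps to know which files in your backup are not part of a clean SMF package of the same version (the "extra" PHP files mentioned above) and which package files differ in content. The script below is an added example, not SMF's own tooling; it assumes the fresh package has been unpacked beside the backup, skips attachments/ and Settings.php because they legitimately differ, and runs against a constructed pair of trees.

```shell
#!/bin/sh
# Added example, not from the SMF manual: compare a backed-up install ($1) with
# a freshly unpacked SMF package of the same version ($2). Prints EXTRA for
# files the package does not contain and MODIFIED for files whose bytes differ.
# Paths are relative to the install root; attachments/ and Settings.php are
# skipped because they are expected to differ from the package.
compare_with_fresh() {
    install=$1
    fresh=$2
    ( cd "$install" && find . -type f -print ) | sort | while IFS= read -r rel; do
        case "$rel" in
            ./attachments/*|./Settings.php|./Settings_bak.php) continue ;;
        esac
        if [ ! -f "$fresh/$rel" ]; then
            printf 'EXTRA    %s\n' "$rel"
        elif ! cmp -s "$install/$rel" "$fresh/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# Constructed sample: a backup with one altered file and one file the package
# does not ship, beside a clean package tree.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BACKUP=$WORK/backup
FRESH=$WORK/fresh
mkdir -p "$BACKUP/Sources" "$BACKUP/attachments" "$FRESH/Sources"
for root in "$BACKUP" "$FRESH"; do
    printf '<?php\n// SMF index\n' > "$root/index.php"
    printf '<?php\n// SMF loader\n' > "$root/Sources/Load.php"
done
printf '<?php\n// SMF loader\n// extra line not in the package\n' > "$BACKUP/Sources/Load.php"
printf '<?php\n// not shipped by SMF\n' > "$BACKUP/Sources/Subs-Extra.php"
printf 'attachment bytes\n' > "$BACKUP/attachments/1_sample.dat"
printf '<?php\n// local settings, differs by design\n' > "$BACKUP/Settings.php"

compare_with_fresh "$BACKUP" "$FRESH"
```

Every EXTRA line is a candidate for deletion and every MODIFIED line a candidate for replacement; keep the backup copies so the differences can still be examined later.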

I Have Cleaned My Hacked SMF Installation. How Can I Prevent This from Happening Again?

Keep your SMF software up-to-date by downloading new versions whenever security fixes are available. Apply some of the security tips, which can help you to protect your forum from any further attacks.

Tools You Can Use

If Your Admin Password No Longer Works

See Resetting an admin user's password to find out how to set your password back to something you can use. Log in, change the password again, and double-check the email address. Make sure that you had already changed your database password and the email password. If the admin account no longer has administrator powers, or if the account has been deleted, read through I accidentally lost my admin account! What can I do for more helpful tips.

Shutting Down Your Linux/Apache Site

If you can alter your .htaccess file and if your site uses the Apache web server with mod_rewrite installed, you can shut down your site using these two files. First, make a copy of your .htaccess file and save it in a safe place. Then replace it with the one below and create a file called maintenance.html in the same directory. If your site does not use the Apache web server, then this method will not work. If you cannot find your .htaccess file, or if this change to your .htaccess file does not shut your site down, get support from your host.

.htaccess

# Enables runtime rewriting engine
RewriteEngine on

# Serve maintenance.html with a 503 status. Apache drops the substitution of a
# RewriteRule whose R= code is outside 300-399, so ErrorDocument supplies the page.
ErrorDocument 503 /maintenance.html

# Show maintenance page to visitors.
# To keep access from your own address, uncomment the next line and put your
# IP in it. Do not add a comment after a directive on the same line.
#RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteRule .* - [R=503,L]

maintenance.html

<html>
<head><title>This site is undergoing maintenance</title></head>
<body>This site is undergoing maintenance</body>
</html>

Shutting Down Your Windows Site

If you are using the IIS webserver and have the ipsecurity restriction for IP Address and Domain Names installed and enabled, save a copy of web.config, replace it with the one below and restart your IIS web server. Note that IIS locks the ipSecurity section at server level by default, so this web.config only takes effect if the section has been unlocked in applicationHost.config (for example with appcmd unlock config -section:system.webServer/security/ipSecurity); otherwise IIS answers with a 500.19 configuration error instead of blocking visitors. If you do not administer the server yourself, ask your host to do this.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <identity impersonate="false" />
    </system.web>
    <system.webServer>
        <security>
            <ipSecurity allowUnlisted="false">
                <clear/>
<!--                <add ipAddress="111.111.111.111" allowed="true" /> --> <!-- Adding your own IP address would allow you to use the website, but might be dangerous to you... -->
            </ipSecurity>
        </security>
    </system.webServer>
</configuration>