Hacking - I think I have been hacked: Difference between revisions From Online Manual

mNo edit summary
Line 10: Line 10:
* Backup your database.<br/>One of the most critical steps is to make backups of the whole SMF system, including the database. If the user has not yet made a backup of the database, he/she should do right now. If something goes wrong, you always have a backup at hand.
* Backup your database.<br/>One of the most critical steps is to make backups of the whole SMF system, including the database. If the user has not yet made a backup of the database, he/she should do right now. If something goes wrong, you always have a backup at hand.


* File a security report with SMF.<br/>If your forum was breached via a security weakness within SMF or an SMF mod, and not via a weakness in a non-SMF script, please report it to the SMF developers so the issue can be investigated and, if confirmed, patched. Please report Security issues [http://www.simplemachines.org/about/security.php here].<br/><br/>For security reports to be more useful, and help discovering what the problem really is, please provide your webserver logs, and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.
* File a security report with SMF.<br/>If your forum was breached via a security weakness within SMF, or an SMF mod and not via a weakness in a non-SMF script, please report it to the SMF developers, so that the issue can be investigated and, if confirmed, patched. Please report Security issues [http://www.simplemachines.org/about/security.php here].<br/><br/>For security reports to be more useful and to help in discovering what the problem really is, please provide your webserver logs, and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.


* Run the [http://www.simplemachines.org/community/index.php?topic=313201.0 kb_scan.php tool].<br/>Simply upload the tool, attached to the topic, to the forum directory (the directory where SMF is located) via FTP (File Transfer Protocol, [[How do I use FTP]]?), and run it in the browser of the user's preference. The kb_scan utility may find infected files, and in case it does, it will also try to clean them up and recover them.<br/><br/>Please pay attention, in this case, to your database. A hack that can be found by the kb_scan.php tool may have malicious insertions in the database, which kb_scan tries to remove. In case it fails, see the instructions in the topic on how to do it, manually, or post in the support boards for assistance.
* Run the [http://www.simplemachines.org/community/index.php?topic=313201.0 kb_scan.php tool].<br/>Simply upload the tool, attached to the topic, to the forum directory (the directory where SMF is located) via FTP (File Transfer Protocol, [[How do I use FTP]]?), and run it in the browser of the user's preference. The kb_scan utility may find infected files and, if it does, it will also try to clean them up and recover them.<br/><br/>Please pay attention, in this case, to your database. A hack that can be found by the kb_scan.php tool may have malicious insertions in the database, which kb_scan tries to remove. In case it fails, see the instructions in the topic on how to do it, manually, or post in the support boards for assistance.


* [http://wiki.simplemachines.org/smf/Backup Restore a recent backup] that you know to contain unaffected files.<br/>You may want to remove first, the affected files and directories, cleaning up your installation, to be sure there isn't any trace left of the malicious files.
* [http://wiki.simplemachines.org/smf/Backup Restore a recent backup] that you know to contain unaffected files.<br/>You may want to remove the affected files and directories, first, then clean up your installation, to be sure there isn't any trace left of the malicious files.


* Re-upload SMF files.
* Re-upload SMF files.
** If you don't have a recent backup of your files, or to make sure you have a clean set of files, you can re-upload the standard SMF package files. Before you do, it's better to clean up your installation as completely as possible, removing almost all SMF files from your installation directory.
** If you don't have a recent backup of your files, or want to make sure that you have a clean set of files, you can re-upload the standard SMF package files. Before you do that, it's better to clean up your installation as completely as possible, removing almost all SMF files from your installation directory.
** You may want however to keep the attachments directory (eventually remove the index.php file from it), the Settings.php files, and the custom directories you may have, if any (i.e. if you have a gallery installed, you may want to keep the directory where the gallery pictures are).
** You may want however to keep the attachments directory (eventually remove the index.php file from it), the Settings.php files, and the custom directories you may have, if any (i.e. if you have a gallery installed, you may want to keep the directory where the gallery pictures are).
** Check the Settings.php files to make sure there isn't any leftover hack line, and remove it if it's there.
** Check the Settings.php file, to make sure there isn't any leftover hack line. If there is, you'll need to remove the malcious code.
** Download a ''Large Upgrade Pack'' ([http://download.simplemachines.org/ Go to the download site]) for the version of SMF that the user is running.  
** Download a ''Large Upgrade Pack'' ([http://download.simplemachines.org/ Go to the download site]) for the version of SMF that you're using.  
** Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using FTP ([[How do I use FTP]]?, note that uploading may take a while). Now the user has fresh files and can use their forum safely again.
** Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using FTP ([[How do I use FTP]]?, note that uploading may take a while). Once done, you'll have fresh files and can use your forum safely, again.


== I have cleared my hacked SMF installation, how can I prevent this from happening again? ==
== I have cleared my hacked SMF installation, how can I prevent this from happening again? ==
Using the [http://www.simplemachines.org/community/index.php?topic=313201.0 kb_scan.php tool] the user can keep their files safe by running the tool on a regular basis.
Using the [http://www.simplemachines.org/community/index.php?topic=313201.0 kb_scan.php tool] you can keep your files safe by running the tool on a regular basis. It's a good idea, too, to make regular, frequent backups.


The user can also install a security [[modification]] ([http://custom.simplemachines.org/mods/index.php?action=search;type=13 Go to the modification site]) to enhance the forums security level. Depending on the modification's features this can be more or less active against hackers.
You can, also, install a security [[modification]] ([http://custom.simplemachines.org/mods/index.php?action=search;type=13 Go to the modification site]) to enhance the forums security level. Depending on the modification's features, this can be more or less active against hackers.


Another measurement the user can take is applying some or all [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help the user protect his or her forum from any further attacks.
Another measure that you can take, is to apply some or all of these [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help you to protect your forum from any further attacks.


Notify your host so they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server, and get them to check your file permissions. With some hosts incorrect file permissions can leave files open for easier hacking.
Notify your host so that they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server and, also, get them to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking.


[[Category:FAQ]]
[[Category:FAQ]]
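
Review bot: The revised Settings.php bullet under "Re-upload SMF files" introduces a typo, "malcious" for "malicious", and switches to "the Settings.php file" while the bullet just above it still says "the Settings.php files"; fix the spelling and make the two bullets agree. The revision also moves most of the page from "the user" to "you", but the unchanged "Backup your database" bullet still reads "If the user has not yet made a backup of the database, he/she should do right now", so it should be reworded in the same pass for consistency.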

Revision as of 13:19, 12 June 2013

I think I have been hacked, I'm not sure, how do I check?

This is a difficult question, since it depends on the type of hack. As an indication, you can open a few of the Source files (the files located in ./Sources) and see if there is any trace of base64_decode. If there is, there is a chance that your forum has been hacked, and there are a few utilities and steps that can help you recover your SMF installation. The injected code is usually placed on the first line of the file. So, if the first line isn't "<?php" and absolutely nothing else, you've almost certainly been hacked.

Another way of checking, although it's far less thorough, is to look at the datestamps on your files. If you haven't installed any mods or themes recently, yet some of your files show as having been edited recently, chances are that they've been modified by someone who shouldn't be able to.

Another method is to use the kb_scan.php tool. Please check the topic and follow its instructions.
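
The manual checks described above (first line of each file, any trace of base64_decode, recent datestamps) can be run over the whole ./Sources directory in one pass. The following is an added example, not part of the original manual or of SMF; the function name `scan_sources` and the seven-day window are assumptions, and a hit is an indication that the file needs review.

```python
import os
import time


def scan_sources(root, recent_days=7, now=None):
    """Return {path: [reasons]} for .php files under root matching the page's indicators."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400  # assumed window for "recently edited"
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            # The first line should be "<?php" and absolutely nothing else.
            first = data.split(b"\n", 1)[0].rstrip(b"\r")
            if first != b"<?php":
                reasons.append("first line is not exactly <?php")
            # PHP function names are case-insensitive, so compare in lower case.
            if b"base64_decode" in data.lower():
                reasons.append("contains base64_decode")
            # Datestamp check: file changed although no mod/theme was installed.
            if os.path.getmtime(path) >= cutoff:
                reasons.append("modified in the last %d days" % recent_days)
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "./Sources"
    for path, reasons in sorted(scan_sources(root).items()):
        print(path + ": " + "; ".join(reasons))
```

Run it from the forum directory, or pass the path to the Sources directory as the first argument.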

I am sure I have been hacked...what do I do now?

First of all, keep calm. When the forum has been hacked, there are a few simple steps the administrator can perform.

  • Backup your database.
    One of the most critical steps is to make backups of the whole SMF system, including the database. If you have not yet made a backup of the database, you should do so right now. If something goes wrong, you will always have a backup at hand.
  • File a security report with SMF.
    If your forum was breached via a security weakness within SMF or an SMF mod, and not via a weakness in a non-SMF script, please report it to the SMF developers so that the issue can be investigated and, if confirmed, patched. Please report security issues here.

    To make security reports more useful and to help discover what the problem really is, please provide your webserver logs and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.
  • Run the kb_scan.php tool.
    Simply upload the tool, attached to the topic, to the forum directory (the directory where SMF is located) via FTP (File Transfer Protocol, How do I use FTP?), and run it in your preferred browser. The kb_scan utility may find infected files and, if it does, it will also try to clean them up and recover them.

    In this case, please pay attention to your database. A hack that can be found by the kb_scan.php tool may have made malicious insertions in the database, which kb_scan tries to remove. If it fails, see the instructions in the topic on how to do it manually, or post in the support boards for assistance.
  • Restore a recent backup that you know to contain unaffected files.
    You may want to remove the affected files and directories first, then clean up your installation, to be sure there isn't any trace left of the malicious files.
  • Re-upload SMF files.
    • If you don't have a recent backup of your files, or want to make sure that you have a clean set of files, you can re-upload the standard SMF package files. Before you do that, it's better to clean up your installation as completely as possible, removing almost all SMF files from your installation directory.
    • You may, however, want to keep the attachments directory (eventually remove the index.php file from it), the Settings.php files, and any custom directories you may have (e.g. if you have a gallery installed, you may want to keep the directory where the gallery pictures are).
    • Check the Settings.php file to make sure there isn't any leftover hack line. If there is, you'll need to remove the malicious code.
    • Download a Large Upgrade Pack (Go to the download site) for the version of SMF that you're using.
    • Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using FTP (How do I use FTP?; note that uploading may take a while). Once done, you'll have fresh files and can use your forum safely again.

I have cleared my hacked SMF installation, how can I prevent this from happening again?

You can keep your files safe by running the kb_scan.php tool on a regular basis. It's also a good idea to make regular, frequent backups.

You can also install a security modification (Go to the modification site) to enhance the forum's security level. Depending on the modification's features, this can be more or less active against hackers.

Another measure that you can take is to apply some or all of these security tips. These tips help you to protect your forum from any further attacks.

Notify your host so that they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server, and also get them to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking.


