Difference between revisions of "Hacking - I think I have been hacked" From Online Manual

m (Reverted edits by AngelinaBelle (talk) to last revision by Illori)
Line 5: Line 5:
 
Search through your php files.  Start with Settings.php and index.php.  If the first line isn't  "<?php" and absolutely nothing else, you've almost certainly been hacked.  If you find the function <code>base64_decode</code> anywhere in your files, you have almost certainly been hacked.  After you check Settings.php and index.php, check the files in Sources, and in any mod subdirectories.  Check the php files in your themes.
 
Search through your php files.  Start with Settings.php and index.php.  If the first line isn't  "<?php" and absolutely nothing else, you've almost certainly been hacked.  If you find the function <code>base64_decode</code> anywhere in your files, you have almost certainly been hacked.  After you check Settings.php and index.php, check the files in Sources, and in any mod subdirectories.  Check the php files in your themes.
  
Check the datestamps on your files. See which have been altered most recently.  If you haven't installed mods or themes or edited your files, but some of them have recent timestamps, then someone other than you has modified them. Check for any "extra" files that shouldn't be there.
+
Check the datestamps on your files. See which have been altered most recently.  If you haven't installed mods or themes or edited your files, but some of them have recent timestamps, then someone other than you has modified them.
  
 
== I am sure I have been hacked...what do I do now? ==
 
== I am sure I have been hacked...what do I do now? ==
 
First of all, keep calm. When the forum has been hacked, there are a few simple steps the administrator can perform.
 
First of all, keep calm. When the forum has been hacked, there are a few simple steps the administrator can perform.
* [[Backup]] your database.<br/> Your files might be bad, but your database might still be good. If you had added <code>$maintenance = 2;</code> line to the bottom of your Settings.php file, remove it first.  
+
* Backup your database.<br/>One of the most critical steps is to make backups of the whole SMF system, including the database. If the user has not yet made a backup of the database, he/she should do right now. If something goes wrong, you always have a backup at hand.
  
* '''[http://www.simplemachines.org/about/security.php File a security report with SMF]'''.<br/>If the hacker got in via a security weakness in SMF or an SMF mod and please report it to the SMF developers, so that the issue can be investigated and, if confirmed, patched. Please report Security issues [http://www.simplemachines.org/about/security.php here].<br/>To help the developers understand and solve the problem, please provide your webserver logs, and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.
+
* File a security report with SMF.<br/>If your forum was breached via a security weakness within SMF, or an SMF mod and not via a weakness in a non-SMF script, please report it to the SMF developers, so that the issue can be investigated and, if confirmed, patched. Please report Security issues [http://www.simplemachines.org/about/security.php here].<br/><br/>For security reports to be more useful and to help in discovering what the problem really is, please provide your webserver logs, and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.
  
* Replace your SMF files. You will do this either from a recent backup, or else you will get a fresh set of files.
+
* [http://wiki.simplemachines.org/smf/Backup Restore a recent backup] that you know to contain unaffected files.<br/>You may want to remove the affected files and directories, first, then clean up your installation, to be sure there isn't any trace left of the malicious files.
** To be on the safe side, remove practically all of your SMF files
+
 
***Make careful notes on any special customizations you have made to your php files.
+
* Re-upload SMF files.
***Keep the attachements directory
+
** If you do not have a recent backup of your files, or you want to make sure that you have a clean set of files, you can re-upload the standard SMF package files. Before you do that, it's better to clean up your installation as completely as possible, removing almost all SMF files from your installation directory.
***Keep Settings.php
+
** You may want however to keep the attachments directory (eventually remove the index.php file from it), the Settings.php files, and the custom directories you may have, if any (i.e. if you have a gallery installed, you may want to keep the directory where the gallery pictures are).
***Keep any directories where you have stored other images or documents (such as the directory for a galley mod)
+
** Check the Settings.php file, to make sure there isn't any leftover hack line. If there is, you'll need to remove the malcious code.
** '''[http://wiki.simplemachines.org/smf/Backup Restore a recent backup] of your SMF files'''.  But first, remove any "extra" files that are not part of SMF. To be on the safe side, you can remove practically all your SMF files, leaving only Settings.php, Settings_bak.php, and your attachments/avatars directory. If you have trouble removing any files, this could be related to running malware. Talk to your host about how to remove those files.
+
** Download a ''Large Upgrade Pack'' ([http://download.simplemachines.org/ Go to the download site]) for the version of SMF that you're using.  
**If you don't have a recent backup, or if you just want to start fresh, re-upload fresh SMF files.
+
** Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using FTP ([[How do I use FTP]]?, note that uploading may take a while). Once done, you'll have fresh files and can use your forum safely, again.
*** Download a ''Large Upgrade Pack'' ([http://download.simplemachines.org/ Go to the download site]) for the version of SMF that you're using.  
 
*** Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using '''[[How do I use FTP|FTP]]'''; uploading may take a while. Once done, you'll have fresh files and can use your forum safely again.
 
  
 
== I have cleared my hacked SMF installation, how can I prevent this from happening again? ==
 
== I have cleared my hacked SMF installation, how can I prevent this from happening again? ==
This depends on how the hacker got in. Change your SMF administrator passwords. Change your FTP passwords. Change your
+
You can also install a security [[modification]] ([http://custom.simplemachines.org/mods/index.php?action=search;type=13 Go to the modification site]) to enhance the forums security level. Depending on the modification's features, this can be more or less active against hackers.
account control panel password. Ask your host to check if any other websites on your server have been affected. Ask them to check the logs to see if they can figure out who might have had access to your server. Ask your host to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking. Find out if the hacker got in through your account, through your SMF forum, or some other way.
+
 
 +
Another measure that you can take, is to apply some or all of these [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help you to protect your forum from any further attacks.
  
You can install a security [[modification]] ([http://custom.simplemachines.org/mods/index.php?action=search;type=13 Go to the modification site]) to enhance the forums security level. Depending on the modification's features, this can be more or less active against hackers.
+
Notify your host so that they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server and, also, get them to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking.
  
Another measure that you can take is to apply some or all of these [http://wiki.simplemachines.org/smf/Security_Tips security tips]. These tips help you to protect your forum from any further attacks.
 
 
[[Category:FAQ]]
 
[[Category:FAQ]]
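Review bot: in the prevention section, this revert removes the paragraph that told administrators to change their SMF administrator, FTP and account control panel passwords and to find out whether the hacker got in through the account, the forum or some other way, and the restored text has no equivalent. A reader who follows the restored page replaces files but is never told to change credentials, so I would keep the restored host-notification paragraph and carry the password-change sentences over. The datestamp paragraph likewise loses the sentence about checking for "extra" files that shouldn't be there, the backup bullet loses the reminder to remove the <code>$maintenance = 2;</code> line, and the restored Settings.php bullet brings back the typo "malcious".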

Revision as of 05:09, 4 May 2014

I think I have been hacked, I'm not sure, how do I check?

If your website is unexpectedly sending users to another website or causing a lot of popup windows, you would suspect it has been hacked. Now you want to know how the hacker "got in". Was it a flaw in SMF or in an SMF mod, was it a weak or leaked SMF password, or did they get in some other way that had nothing to do with SMF?

This could be difficult to figure out. First, put your SMF forum in maintenance mode -- at the bottom of Settings.php, add the line $maintenance = 2;. Later, when you are done checking things, you can remove that line. Search through your PHP files. Start with Settings.php and index.php. If the first line isn't "<?php" and absolutely nothing else, you've almost certainly been hacked. If you find the function base64_decode anywhere in your files, you have almost certainly been hacked. After you check Settings.php and index.php, check the files in Sources, and in any mod subdirectories. Check the PHP files in your themes.

Check the datestamps on your files. See which have been altered most recently. If you haven't installed mods or themes or edited your files, but some of them have recent timestamps, then someone other than you has modified them.
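The three checks described above (first line, base64_decode, recent datestamps) can be run over a downloaded copy of the forum directory in one pass. The script below is an added example, not part of the SMF manual or SMF itself; the function name triage_php_tree and the 7-day default window are assumptions chosen for illustration, and every hit is a lead to inspect by hand.

```python
import time
from pathlib import Path


def triage_php_tree(root, recent_days=7, now=None):
    """Return {relative_path: [reasons]} for PHP files that fail the checks."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        if not path.is_file():
            continue
        reasons = []
        data = path.read_bytes()
        # Check 1: the first line must be "<?php" and absolutely nothing else.
        # A trailing carriage return is tolerated for files saved on Windows.
        first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
        if first_line != b"<?php":
            reasons.append("first line is not exactly <?php")
        # Check 2: any use of base64_decode. PHP function names are not
        # case-sensitive, so compare against a lower-cased copy.
        if b"base64_decode" in data.lower():
            reasons.append("contains base64_decode")
        # Check 3: datestamp newer than the window in which you know
        # you did not install mods or themes or edit files yourself.
        if path.stat().st_mtime >= cutoff:
            reasons.append("modified in the last %d days" % recent_days)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, why in triage_php_tree(target).items():
        print(name + ": " + "; ".join(why))
```

Run it against the forum root (the directory holding Settings.php and index.php) so that Sources, mod subdirectories and Themes are all covered.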

I am sure I have been hacked...what do I do now?

First of all, keep calm. When the forum has been hacked, there are a few simple steps the administrator can perform.

  • Back up your database.
    One of the most critical steps is to make backups of the whole SMF system, including the database. If you have not yet made a backup of the database, do so right now. If something goes wrong, you always have a backup at hand.
  • File a security report with SMF.
    If your forum was breached via a security weakness within SMF or an SMF mod, and not via a weakness in a non-SMF script, please report it to the SMF developers, so that the issue can be investigated and, if confirmed, patched. Please report security issues here.

    For security reports to be more useful and to help in discovering what the problem really is, please provide your webserver logs, and/or FTP logs. Usually, you can find these logs in your host's control panel, or in a directory called /logs in your account.
  • Restore a recent backup that you know to contain unaffected files.
    You may want to remove the affected files and directories, first, then clean up your installation, to be sure there isn't any trace left of the malicious files.
  • Re-upload SMF files.
    • If you do not have a recent backup of your files, or you want to make sure that you have a clean set of files, you can re-upload the standard SMF package files. Before you do that, it's better to clean up your installation as completely as possible, removing almost all SMF files from your installation directory.
    • You may, however, want to keep the attachments directory (eventually remove the index.php file from it), the Settings.php files, and the custom directories you may have, if any (e.g. if you have a gallery installed, you may want to keep the directory where the gallery pictures are).
    • Check the Settings.php file to make sure there isn't any leftover hack line. If there is, you'll need to remove the malicious code.
    • Download a Large Upgrade Pack (Go to the download site) for the version of SMF that you're using.
    • Upload every file in the package, except the files required for upgrading (usually just upgrade.php and a few SQL files), using FTP (see How do I use FTP?; note that uploading may take a while). Once done, you'll have fresh files and can use your forum safely again.

I have cleared my hacked SMF installation, how can I prevent this from happening again?

You can also install a security modification (Go to the modification site) to enhance the forum's security level. Depending on the modification's features, this can be more or less active against hackers.

Another measure that you can take is to apply some or all of these security tips. These tips help you to protect your forum from any further attacks.

Notify your host so that they can make sure no other servers have been affected. When you report the hack to your host, ask them to check their logs to see who might have had access to your server and, also, get them to check your file permissions. With some hosts, incorrect file permissions can leave files open for easier hacking.