Hello peepz.
My forum just got hacked today, thank god I backed up all my files before it was hacked. I just changed hosting for security purposes now, and know that there is a shell in my forum.
http://intnews.org/webmasterconvo-com-ha...he-did-it/, a friend's site of the hacker, told us how he hacked it.
How do I identify a shell? How do I remove it?
Look for anything that you haven't placed in your files, although I doubt you have shell access you can't really go through the processes to look and see which ones are and aren't yours etc.
(2013-02-14, 07:31 AM) Known wrote: Look for anything that you haven't placed in your files, although I doubt you have shell access you can't really go through the processes to look and see which ones are and aren't yours etc.
Exactly. I can't know if something's changed.
FYI, by reading this you can see they somehow got my ACP login, which was a very complicated and long password, and then they put an upload code in my template.
After that, they probably have uploaded the shell.
Prob is, even if I remove the uploading code now, the shell's still in my files.
(2013-02-14, 07:31 AM) Known wrote: Look for anything that you haven't placed in your files, although I doubt you have shell access you can't really go through the processes to look and see which ones are and aren't yours etc.
Shell access and shells are completely different things. Shells are just PHP files with specifically crafted functions.
OP, although they are saying they've uploaded a shell, I wouldn't advise you accept that. For a start they've hacked your forum - There's no trust.
Secondly you should stop talking to them immediately. They want the attention. Most of the time that's their motive. You shouldn't satisfy that.
I advise you take a look at this plugin to detect what new files are in your installation, and see if the attacker has modified any others.
http://www.communityplugins.com/forum/my...own&did=15
As I previously mentioned, you shouldn't have reason to trust what they're saying so I also advise you read this thread carefully:
http://community.mybb.com/thread-110890.html
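The check suggested above (find files that are new or changed compared with a known-good copy) can also be run offline against the backup the original poster mentions. This is an added example, not part of any post in this thread and not the plugin's code; the directory names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_trees(clean_root, live_root):
    """Compare a known-good copy against the live install."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(clean)),      # files the backup never had
        "removed": sorted(set(clean) - set(live)),    # files that disappeared
        "modified": sorted(f for f in clean.keys() & live.keys()
                           if clean[f] != live[f]),   # same path, different bytes
    }

def build_sample(base):
    """Constructed sample data: a tiny 'backup' tree and a tampered 'live' tree."""
    files = {"index.php": "<?php // front page",
             "inc/init.php": "<?php // bootstrap",
             "inc/config.php": "<?php // settings"}
    for tree in ("backup", "live"):
        for rel, body in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Simulated tampering: one unexpected file and one edited file.
    Path(base, "live", "inc", "unknown_upload.php").write_text("<?php // not in backup")
    Path(base, "live", "index.php").write_text("<?php // front page, edited")
    return Path(base, "backup"), Path(base, "live")

def run_demo():
    """Build the constructed trees in a temp directory and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        return diff_trees(*build_sample(tmp))

if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for rel in paths:
            print(f"{kind:9}{rel}")
```

A backup taken after the compromise would already contain the attacker's files, so a fresh download of the same forum version is the safer baseline. File hashing also does not cover content stored in the database, such as the template mentioned earlier in the thread.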
Thank you for the help.
What do you suggest I do now?
Plus, the plugin is only downloadable for members -_-
If you actually accept my Skype request I'll tell you the exact location. I've already offered you this a few times and you keep demanding that I tell you the name of the hacker instead of just listening.
It is a full shell uploaded with the theme uploader. Check your /inc folder immediately.
The hacker made a secondary admin account, gained access to everything, set a shell, removed the admin account and removed the logs.
He used Tor to access one of your staff's accounts.
Well the theme uploaded gained him access and then he changed a bit. But honestly check the inc folder mate.
(2013-02-14, 03:06 PM) Geekpath wrote: If you actually accept my Skype request I'll tell you the exact location. I've already offered you this a few times and you keep demanding that I tell you the name of the hacker instead of just listening.
It is a full shell uploaded with the theme uploader. Check your /inc folder immediately.
The hacker made a secondary admin account, gained access to everything, set a shell, removed the admin account and removed the logs.
He used Tor to access one of your staff's accounts.
Well the theme uploaded gained him access and then he changed a bit. But honestly check the inc folder mate.
I'd like to introduce you guys to the guy who got me hacked by someone else.
Well Ghost, why not tell me that immediately, instead of trying to have my Skype? I'm really curious about that.
Thank you Ghost, we know who the hacker is now.
I'm gonna be in contact with the team.