2020-06-28, 04:57 PM
Hello all
My private forum and associated website set up for a retired person's club was hacked on June 15th last. The external evidence was that visitors to the website home page saw a plain text screen with the words "Child Porn" just repeated line after line. No images, thankfully. I restored the index.html page for the website and this restored functionality. However I could not then access the forum (which is password protected for members only). I found that the index.php file on the \forums directory had also been attacked, so I replaced this and this seemed to clear the problem.
I then decided to migrate the website and forum to a new server with the cPanel user interface and SSL (which the old site did not have). When I went to back up the database I found I was locked out of the Admin CP (just got a blank page when I clicked on AdminCP).
The hosting providers migrated the website and databases to the new server, and I set about restoring the forum. First, I backed up the old database; this went OK. Then I tried to see what had been hacked on the forum. Using FileZilla and CoreFTP I could see all of the \forums directory. I could also see that most of the index.html files and some index.php files in the various directories and sub-directories of \forums had also been hacked, with the original contents replaced by the following text (this is just the first few lines and last lines of \forums\admin\index.php):
<?php
if (preg_match('/Google Web Preview|Googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {
// snip - removed actual links
}
?>
The permissions for these hacked files show up as 0644. When I try to change the permissions or to delete the files or to upload a fresh file I get a message to say that I do not have permission to delete/modify etc. I get the same result if I try to change the file in cPanel's file manager.
I do not want to try any re-installation yet, because I am afraid that I might delete or corrupt the old database (which is only a couple of MB in size).
Forgot to say that prior to the migration, the forum seemed to be functioning perfectly apart from the fact that I could not access the Admin Control Panel.
I am completely new to this stuff; when I set up the forum April last it was my first time working with SQL databases etc. I am not a Unix user, I work exclusively through my Windows system, so a lot of the suggestions on this forum for doing fancy stuff go completely over my head.
I would greatly appreciate advice on how to proceed. The objective is to restore the backed up database if at all possible.
Should I wipe the existing \forums directory (assuming this is possible)? I have simply renamed it for the present as a temporary precaution. (I was surprised that I didn't need additional permissions to do this).
As far as I can see from the MyBB installation guide, a fresh install will create new database structures and will presumably over-write the original. Am I correct?
Any other advice welcome!
Pat
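A read-only check for the injected stub quoted in the post, added here as an example (it is not part of the original post and not MyBB code): it walks a directory tree and lists every .php/.html file containing the Googlebot User-Agent test, with its permission bits and whether the account running the script owns the file. The function names and the sample tree are constructed for illustration, and the script is assumed to run where the files live (a server shell or a downloaded copy of the directory).

```python
import os
import re
import tempfile

# Signature taken from the snippet in the post: a preg_match() on the
# User-Agent header that singles out Google's crawlers.
CLOAK_RE = re.compile(
    rb"preg_match\s*\(\s*['\"][^'\"]*Googlebot[^'\"]*['\"]\s*,\s*"
    rb"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return sorted (relative path, octal mode, owned_by_me) for each match."""
    my_uid = os.getuid() if hasattr(os, "getuid") else None  # None on Windows
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # read at most 1 MB per file
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if CLOAK_RE.search(data):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                owned = my_uid is None or st.st_uid == my_uid
                hits.append((rel, oct(st.st_mode & 0o777), owned))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample: one file with the stub from the post, one clean file."""
    root = tempfile.mkdtemp(prefix="forums_sample_")
    os.makedirs(os.path.join(root, "admin"))
    infected = (b"<?php\nif (preg_match('/Google Web Preview|Googlebot/i', "
                b"$_SERVER['HTTP_USER_AGENT'])) {\n// snip\n}\n?>\n")
    with open(os.path.join(root, "admin", "index.php"), "wb") as fh:
        fh.write(infected)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\nrequire_once './global.php';\n")
    return root

if __name__ == "__main__":
    for rel, mode, owned in scan_tree(build_sample_tree()):
        print(rel, mode, "owned by this account" if owned else "owned by another user")
```

A matching file that shows mode 0644 but is reported as owned by another user cannot be changed or deleted by the account running the scan, so the ownership column is worth passing to the hosting provider.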