MyBB Community Forums

Full Version: Intrusion =\
Well, a while back I posted how some random member joined my forums and accessed my ACP and did nothing more.

Well, today I was just looking through some files and to my surprise I found a .txt file in the root of my directory stating that

"./<hacker name> was here :D"

Honestly I was really pissed off when I saw this. It was the same hacker that infiltrated my forums awhile back.

Now I'm totally bummed out and thinking what can I do. The file was dated a month ago, which makes me feel more dumb :/

Since he probably accessed my cPanel, I can only imagine what he has probably done.

Any advice & suggestions?
What version is your MyBB forum? And who's your host?
I didn't update it, it was still 1.6.2

As for my host, it's hosted on Planet Net Services (now known as SoftLayer). Honestly I'm really perplexed by this hacker; he had all the cards in place, yet he didn't go for a full-on hack.

I'm no expert but the fact that they got into your FTP and left a file there saying "Hacker was here", seems to indicate it's a host/server exploit.

If you can, contact Softlayer and see if they can assist you to conduct a full investigation on how it all happened.

You should review your config/setting files and make sure there's no other "Administrator" account, change your password.

Personally, I'd move to a more secure host.

And get your MyBB upgraded to 1.6.3 ASAP.
(2011-06-26, 09:21 AM)iDude Wrote: [ -> ]I didn't update it, it was still 1.6.2

As for my host, it's hosted on Planet Net Services (now known as SoftLayer). Honestly I'm really perplexed by this hacker; he had all the cards in place, yet he didn't go for a full-on hack.

Not all hackers are malicious. I used to find exploits in people's hosting and plug them for them without them knowing when I was in high school. ;)
(2011-06-26, 09:35 AM)weBex Wrote: [ -> ]I'm no expert but the fact that they got into your FTP and left a file there saying "Hacker was here", seems to indicate it's a host/server exploit.

If you can, contact Softlayer and see if they can assist you to conduct a full investigation on how it all happened.

You should review your config/setting files and make sure there's no other "Administrator" account, change your password.

Personally, I'd move to a more secure host.

And get your MyBB upgraded to 1.6.3 ASAP.

Will do, weBex. I heard so many good reviews about SoftLayer, that they're the best. Also, I didn't make an FTP account for Public_html; I only kept accounts for specific directories, but oh well. Huge corporations are getting hacked; I'm just a small-scale board owner.


(2011-06-26, 11:13 AM)KuJoe Wrote: [ -> ]
(2011-06-26, 09:21 AM)iDude Wrote: [ -> ]I didn't update it, it was still 1.6.2

As for my host, it's hosted on Planet Net Services (now known as SoftLayer). Honestly I'm really perplexed by this hacker; he had all the cards in place, yet he didn't go for a full-on hack.

Not all hackers are malicious. I used to find exploits in people's hosting and plug them for them without them knowing when I was in high school. ;)

You're really kind then I guess xD~

Could there be a chance that he executed some queries? Is there any way to check my SQL database for anything malicious? As I'll just do a fresh install.
Alternatively, he might have gotten into your cPanel, accessed phpMyAdmin and made his normal account an admin from there.

In that case, you should
1) Change your Cpanel, database, FTP and board passwords.
2) Ask your host to check whether their server is exploited.
3) Run a malware scan on your PC (He might have got your login info through keylogger or RAT).
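
A read-only check for the scenario raised in the two posts above (an ordinary account promoted to admin from phpMyAdmin), added here as an example and not part of the original thread. It assumes the default `mybb_` table prefix and the stock MyBB 1.6 schema; change the prefix if your install uses a different one.

```sql
-- Added example. Assumes table prefix "mybb_" and the stock MyBB 1.6 schema.
-- Run from phpMyAdmin's SQL tab; both statements only read data.

-- 1) Every account that can reach the Admin CP, whether through its primary
--    group or through a secondary ("additional") group. A regular member
--    promoted directly in the database shows up here with an old or
--    unfamiliar registration date and IP.
SELECT u.uid,
       u.username,
       u.email,
       g.title                    AS group_title,
       FROM_UNIXTIME(u.regdate)   AS registered,
       u.regip,
       u.lastip
FROM   mybb_users u
JOIN   mybb_usergroups g
       ON g.gid = u.usergroup
       OR FIND_IN_SET(g.gid, u.additionalgroups)
WHERE  g.cancp = 1               -- group is allowed into the Admin CP
ORDER  BY u.regdate DESC;

-- 2) Recent Admin CP activity with the account and source IP behind it.
--    Compare the timestamps against the date on the dropped .txt file and
--    look for IPs that are not yours. An empty or truncated log is itself
--    worth noting.
SELECT FROM_UNIXTIME(l.dateline)  AS performed_at,
       l.uid,
       u.username,
       l.ipaddress,
       l.module,
       l.action
FROM   mybb_adminlog l
LEFT   JOIN mybb_users u ON u.uid = l.uid
ORDER  BY l.dateline DESC
LIMIT  200;
```

Any account returned by the first query that you did not create should be demoted or removed before passwords are rotated, so the new credentials are not exposed to it.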
(2011-06-26, 04:14 PM)kavin Wrote: [ -> ]Alternatively, he might have gotten into your cPanel, accessed phpMyAdmin and made his normal account an admin from there.

In that case, you should
1) Change your Cpanel, database, FTP and board passwords.
2) Ask your host to check whether their server is exploited.
3) Run a malware scan on your PC (He might have got your login info through keylogger or RAT).

Yes you're right, that explains why I saw him as the admin of my forums when I came back online after the weekend. It's definitely an issue on the host's end.
If he uploaded a file to your root directory, he was also able to read all relevant data from your config files. (very bad, because the db password is there in clear text).

And just so it's made explicit: make sure you use four different passwords for Cpanel, database, FTP and board passwords, and consider adding .htaccess/.htpasswd protection to your /admin (or whatever) folder.
(2011-06-27, 10:37 AM)linguist Wrote: [ -> ]If he uploaded a file to your root directory, he was also able to read all relevant data from your config files. (very bad, because the db password is there in clear text).

And just so it's made explicit: make sure you use four different passwords for Cpanel, database, FTP and board passwords, and consider adding .htaccess/.htpasswd protection to your /admin (or whatever) folder.

Yep, pretty much. I've changed everything and re-installed everything. Now I'm just searching for a secure host.