Hacked Forum, now cannot delete or upload files
#1
Hello all
My private forum and associated website set up for a retired persons' club was hacked on June 15th last. The external evidence was that visitors to the website home page saw a plain text screen with the words "Child Porn" just repeated line after line. No images, thankfully. I restored the index.html page for the website and this restored functionality. However, I could not then access the forum (which is password protected for members only). I found that the index.php file in the \forums directory had also been attacked, so I replaced this and this seemed to clear the problem.
I then decided to migrate the website and forum to a new server with the cPanel user interface and SSL (which the old site did not have). When I went to back up the database I found I was locked out of the Admin CP (just got a blank page when I clicked on AdminCP). 
The hosting providers migrated the website and databases to the new server, and I set about restoring the forum. First, I backed up the old database; this went OK. Then I tried to see what had been hacked on the forum. Using FileZilla and CoreFTP I could see all of the \forums directory. I could also see that most of the index.html files and some index.php files in the various directories and sub-directories of \forums had also been hacked, with the original contents replaced by the following text (this is just the first few lines and last lines of \forums\admin\index.php):
<?php
// Cloaking check: the injected code only runs when the visitor's User-Agent
// claims to be Google's crawler or web preview, so ordinary visitors (and the
// site owner) see the normal page while search engines index the injected links.
if (preg_match('/Google Web Preview|Googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {
// snip - removed actual links
}
?>


The permissions for these hacked files show up as 0644. When I try to change the permissions or to delete the files or to upload a fresh file I get a message to say that I do not have permission to delete/modify etc. I get the same result if I try to change the file in cPanel's file manager.
I do not want to try any re-installation yet, because I am afraid that I might delete or corrupt the old database (which is only a couple of MB in size).
Forgot to say that prior to the migration, the forum seemed to be functioning perfectly apart from the fact that I could not access the Admin Control Panel.
I am completely new to this stuff; when I set up the forum in April last it was my first time working with SQL databases etc. I am not a Unix user, I work exclusively through my Windows system, so a lot of the suggestions on this forum for doing fancy stuff go completely over my head.
I would greatly appreciate advice on how to proceed. The objective is to restore the backed up database if at all possible.
Should I wipe the existing \forums directory (assuming this is possible)? I have simply renamed it for the present as a temporary precaution. (I was surprised that I didn't need additional permissions to do this).
As far as I can see from the MyBB installation guide, a fresh install will create new database structures and will presumably over-write the original. Am I correct?
Any other advice welcome!

Pat
#2
Take a look at https://docs.mybb.com/1.8/administration.../recovery/.

Generally, you should be able to get the board running again by copying the original MyBB package and restoring the configuration file with database connection details (https://docs.mybb.com/1.8/administration...tion-file/).

Database backups can be created and restored using e.g. phpMyAdmin: https://help.dreamhost.com/hc/en-us/arti...e-or-table, https://help.dreamhost.com/hc/en-us/arti...e-or-table.

Web host support may help with the chmod & permission issues.
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
#3
Thanks for your guidance. I've had a quick look at the references and it's clear I need to do some homework to get to grips with all these factors.
You said that "Generally, you should be able to get the board running again by copying the original MyBB package and restoring the configuration file with database connection details". Can you clarify what you mean by copying the original MyBB package: do you mean a completely new install?
If not, I would have to replace all the index.*** files which have been hacked (assuming I can overcome the problem of finding out how to change the hacked file permissions so that they can be deleted or overwritten). Is this likely to be sufficient?

In the meantime I have been looking again through the forum and I see that the hack to replace index.*** files has been around for a number of years, although the only references to it I have found so far refer to version 1.6 of MyBB. One of these references said he had reinstalled MyBB and reimported the database, but the hack reappeared once more, suggesting that the problem may lie within the database. I have not yet found a definitive method to remove this hack and reinstall the database.
Anyone managed to successfully do this?
#4
(2020-06-29, 06:27 PM)PatTorpey Wrote: You said that "Generally, you should be able to get the board running again by copying the original MyBB package and restoring the configuration file with database connection details". Can you clarify what you mean by copying the original MyBB package: do you mean a completely new install?
Download the full package of MyBB for the version you were running and replace all files on your board with the ones in that package: http://mybb.com/download/

(2020-06-29, 06:27 PM)PatTorpey Wrote: If not, I would have to replace all the index.*** files which have been hacked (assuming I can overcome the problem of finding out how to change the hacked file permissions so that they can be deleted or overwritten). Is this likely to be sufficient?

You should remove any files that aren't part of the package you've uploaded (aside from legitimate user uploads).
You should run the file verification tool to identify changed files.
Admin CP -> Tools & Maintenance -> File Verification

Use the find orphaned attachments tool to see if there are any files in the attachments uploads that are not in the database.
Admin CP -> Forums & Posts -> Attachments -> Find Orphaned Attachments

(2020-06-29, 06:27 PM)PatTorpey Wrote: In the meantime I have been looking again through the forum and I see that the hack to replace index.*** files has been around for a number of years, although the only references to it I have found so far refer to version 1.6 of MyBB. One of these references said he had reinstalled MyBB and reimported the database, but the hack reappeared once more, suggesting that the problem may lie within the database.
I have not yet found a definitive method to remove this hack and reinstall the database.
Anyone managed to successfully do this?

What version of MyBB are you running? Do you have a backup of the database to use before the compromise?

You should consider also using DVZ Integrity Tools to identify any changes in database structure.
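As an added example (not code from this thread, from MyBB, or from its File Verification tool), here is a small Python script that does what the steps in the reply above describe: it hashes a clean MyBB package tree extracted locally against the deployed tree downloaded over FTP, lists modified, missing and extra files, and flags any of those that carry the Google-crawler cloaking check quoted in post #1. The skip list (the uploads directory and the board's own inc/config.php) and the sample trees built by demo() are assumptions and constructed data, not real files from the poster's site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Pattern for the cloaking stub quoted in post #1: PHP that branches on a Google crawler User-Agent
CLOAK_RE = re.compile(r"preg_match\s*\(\s*['\"]/[^'\"]*Googlebot[^'\"]*/i['\"]\s*,\s*\$_SERVER\['HTTP_USER_AGENT'\]")

def tree(root, skip):
    """Map relative path -> SHA-256 for every file under root, skipping the given top-level entries."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and not any(rel == s or rel.startswith(s + "/") for s in skip):
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def verify(clean_root, deployed_root, skip=("uploads", "inc/config.php")):
    """Compare a clean package tree with the deployed tree (uploads and the board's own config are skipped; assumed paths)."""
    clean, live = tree(clean_root, skip), tree(deployed_root, skip)
    modified = sorted(r for r in clean if r in live and clean[r] != live[r])
    missing = sorted(r for r in clean if r not in live)
    extra = sorted(r for r in live if r not in clean)
    # Flag modified/extra files that carry the crawler-cloaking check seen in the defaced index.php
    cloaked = [r for r in modified + extra
               if CLOAK_RE.search((Path(deployed_root) / r).read_text(errors="ignore"))]
    return {"modified": modified, "missing": missing, "extra": extra, "cloaked": sorted(cloaked)}

def demo():
    """Constructed sample (not real data): a tiny 'package' and a 'deployed' copy with one defaced and one extra file."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "admin").mkdir(parents=True)
        (root / "index.php").write_text("<?php // genuine index ?>\n")
        (root / "admin" / "index.php").write_text("<?php // genuine admin index ?>\n")
    (live / "admin" / "index.php").write_text(
        "<?php\nif (preg_match('/Google Web Preview|Googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
        "// injected content would be here\n}\n?>\n")
    (live / "admin" / "x.php").write_text("<?php // not part of the package ?>\n")
    return verify(clean, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything reported under "extra" that is not a legitimate user upload, and everything under "modified" or "cloaked", is what the reply above says to replace from the clean package.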