XF 1.1 Forum Hacked By Turk Grup

[Simon R]

Hi

Just had the forum hacked by the people mentioned here http://www.simplemachines.org/community/index.php?topic=352040.0

I found they had somehow replaced the forum index.php file ... so I had a copy of that and replaced it but I'm getting the following errors

Any help appreciated

 

[SneakyDave]

Well, that's a good suggestion to ask, to go to PHP 5.3, but it doesn't really answer the question. If one of your neighbors on your shared server is still compromised, PHP5.3 won't fix that.

You can take your chances, but you're at the mercy of all the other sites on that server.

 

[Adam Howard]

Sorry cross posted .... They investigated and could find no reason apparently why I was hacked

That's not an acceptable answer from any provider. Their logs should show the hackers actions.

So either they're incompetent or they don't want to admit the problem.

Time for a new host.

 

[Arty]

Hostgator

Definitely the host. I've moved 2 of my customers away from them because of their incompetence. They can't even fix basic things.

 

[Simon R]

Most shared host that I come over no longer use php 5.2

The average seems to be on php 5.3 or moving toward 5.4, as 5.5 is already at the RC (Release Candidate) stage ... ie ... It's due to come out soon.

So 5.2 is 3 versions behind (technically).

I would inquire with whatever provider you look into, that you ask if they offer 5.2 If the answer is yes, you should probably look else where.

Thanks - I've set a new package up that uses 5.3 onwards only

 

[Simon R]

These are the server details of the new host

 

[Simon R]

Oh and I must say a big thanks to all that are helping me with this !!!

 

[Adam Howard]

Thanks - I've set a new package up that uses 5.3 onwards only

Let's make sure Host Gator didn't just flip a switch. Because YOU maybe using php 5.3, but if they still have other people using php 5.2 on the same server, it doesn't matter what you're using.

In htaccess look for the following

AddType application/x-httpd-php53 .php

OR

AddHandler application/x-httpd-php53 .php

If you find either (or both), they did a switch on you. And you can verify this by changing php53 to php52


If you don't find this.

You can try adding one of these (see which one works)


AddType application/x-httpd-php52 .php

OR

AddHandler application/x-httpd-php52 .php

Then upload the attached and navigate your browser to it. It will tell you what version is now running for you.

 

[Luxus]

I wonder how many users are affected by the server compromise.

 

[Mike Edge]

For sure on Host Gators side. We have had several people switch to us lately that had this happen and I cleaned up their mess that Host Gator denied and refused to do.

 

[Simon R]

I've got the new server setup with a different company - not Hostgator

 

[Digital Doctor]

Sorry cross posted .... They investigated and could find no reason apparently why I was hacked

They never do.

 

[Digital Doctor]

Topic change: Webhost hacked by Turks.

 

[TPerry]

For sure on Host Gators side. We have had several people switch to us lately that had this happen and I cleaned up their mess that Host Gator denied and refused to do.

HostGator (as of the time that I left) told me that 5.3 would NOT be a default as it was not "tested for their environment". They further stated that I could use 5.3.x as an option via my .htaccess - but like I told them, that didn't prevent the attack vectors on 5.2 on OTHER sites hosted by them that used the default. They weren't that worried about it... and I wasn't that worried about them because it just strengthened my resolve to leave (and my reason of getting an unmanaged VPS). Was NOT happy with them and don't plan on using ANYTHING that they offer in the future (unless they'd like to donate a honking big server that I have full control over to me for free!).

 

[Simon R]

OK - As a final update ......

Everything moved - as I'm in the UK I chose Vidahost and they were brilliant ....

They assured me that no one on the server would be on anything before 5.3 and did seem quite clued up on the security issues older versions could cause.

Response times are better at the moment as well .... and I didn't loose any data !

Again a big thanks to everyone on here

 

[Celestia]

I know this thread is a little old but I'm having this same issue right now with Bluehost.

Someone got into the index.php files and added a link to some spam site which broke my javascript. The link attempted to add a css file for wordpress so I'm guess it is something elsewhere on my server that got comprimised (hoping). I changed my ftp and mysql passes, but otherwise now sure what I can do other than wait for Bluehost to get their act together and reply to my ticket.

 

[borbole]

I know this thread is a little old but I'm having this same issue right now with Bluehost.

Someone got into the index.php files and added a link to some spam site which broke my javascript. The link attempted to add a css file for wordpress so I'm guess it is something elsewhere on my server that got comprimised (hoping). I changed my ftp and mysql passes, but otherwise now sure what I can do other than wait for Bluehost to get their act together and reply to my ticket.

It would be better if you started a new topic about this.

 

[Celestia]

It would be better if you started a new topic about this.

Yeah I figured as much. I'll wait to hear back from my host company and gather more info, then start a new thread if problem persists.

I didn't want to make a new thread without having all my facts straight and details to provide.

 

[Brandon Sheley]

my bigger issue is how they got in to the forum to replace the index file

this was already posted above your reply

I'd suspect the whole hosting server has been comprised based on the index.php replacement via another account on there. What has the host said?

get a better host or upgrade to a vps