
XF 1.0 I have been Hacked..???????? HELP

Brogan

XenForo moderator
Staff member
#2
Managed server, shared or dedicated?

Are there any other server administrators?
Is it possible the account details have been compromised in some way, via email, a file, etc?

Change all passwords.
Contact your host and inform them.
Log in and remove any uploaded files.
Restore from a backup if necessary - ensure there is no malicious code in the server files or DB.
 

dutchbb

Well-known member
#3
Take the server offline first, then if possible restore from a backup. Also change all passwords and contact your host. You should make sure your server is secure, as well as all computers connecting to it. It's possible they hacked/infected your PC first to get to your server login info.
 

MGSteve

Well-known member
#8
hosting company is looking into it. I have a reseller account and it looks like all my sites are hacked:(
Either they cracked your password into the reseller account and got into all the sites that way, or the hosting provider has had a problem somewhere..... Is there a forum for this hosting provider, perhaps others have also been hacked?
 

borbole

Well-known member
#10
contacting my hosting company now.. It is a reseller account... I am the only administrator.
Also, ask them to check their access logs around the time that that hack occurred so they can see what exactly happened.

Can you check the db, is it intact? If it is and it is not infected then all you have to do is clean up your index and all the other forum files by overwriting them with a fresh set from the package of your version. If you have not already upgraded to the latest version, then do so a.s.a.p. This goes for any other script that you have installed on your server.

Then do a thorough check-up of your server space for any suspicious file/s that shouldn't be there. Another thing to consider is to scan your PC with an antivirus program and then change all your passwords.
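An added example, not written by any poster in this thread, of the file check described in post #10: it fingerprints a freshly unpacked package and the live web root, then lists files that differ from the package, files the package never shipped, and files that have gone missing. The directory names and file contents in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of a regular file; symlinks are recorded by target, not followed."""
    if path.is_symlink():
        return "symlink->" + os.readlink(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_fingerprints(root):
    """Map each file's path relative to root onto its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in root.rglob("*") if p.is_symlink() or p.is_file()}


def compare_to_package(live_root, package_root):
    """Report how the live tree differs from a freshly unpacked package."""
    live, pkg = tree_fingerprints(live_root), tree_fingerprints(package_root)
    return {
        "modified": sorted(p for p in pkg if p in live and live[p] != pkg[p]),
        "extra": sorted(p for p in live if p not in pkg),
        "missing": sorted(p for p in pkg if p not in live),
    }


def build_demo(base):
    """Constructed sample: a clean package tree and an altered live copy."""
    pkg_files = {"index.php": "<?php // stock front controller",
                 "library/App.php": "<?php // stock library file"}
    live_files = dict(pkg_files)
    live_files["index.php"] = "<?php // stock front controller\n// appended line"
    live_files["data/avatars/thumb.php"] = "<?php // not in the package"
    for name, files in (("package", pkg_files), ("live", live_files)):
        for rel, body in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return Path(base, "live"), Path(base, "package")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_to_package(*build_demo(tmp)).items():
            print(kind, paths)
```

Files under "modified" are the ones to overwrite from the package; entries under "extra" need a manual look, since local configuration and user uploads will legitimately appear there alongside anything that was planted.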
 

wickedstangs

Well-known member
#11
this is what my hosting company sent me..
Results for 79.173.192.244 :



% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '79.173.192.0 - 79.173.210.255'

inetnum: 79.173.192.0 - 79.173.210.255
netname: ADSL-3
descr: Assigned for ADSL customers
descr: ORANGE-JORDAN
remarks: ===For abuse contact mailbox abuse@go.com.jo ===
country: JO
admin-c: NI146-RIPE
tech-c: NI146-RIPE
status: ASSIGNED PA
mnt-by: GO-JOR
source: RIPE # Filtered

person: Nazik Irshead
address: Orange - Jordan
phone: +962 6 5805205
fax-no: +962 6 5850102
mnt-by: GO-JOR
nic-hdl: NI146-RIPE
source: RIPE # Filtered

% Information related to '79.173.192.0/18AS8376'

route: 79.173.192.0/18
descr: Jordan Telecom Group ( Orange)
descr: City Center Building, 1st circle, Jbal Amman
descr: P.O. 941477 Amman - 11194
descr: jordan
descr: Tel: +962 6 5805205
descr: Fax: +962 6 5850100
remarks: ===============================
remarks: Jordan Telecom Group -Amman/Jordan
remarks: Route 1
remarks: =================================
origin: AS8376
mnt-by: GO-JOR
source: RIPE # Filtered
 

MGSteve

Well-known member
#13
So, if the hacker didn't hide behind any servers, that's where he hacked you from, although I expect that's simply a compromised computer anyway.
 

wickedstangs

Well-known member
#15
So, if the hacker didn't hide behind any servers, that's where he hacked you from, although I expect that's simply a compromised computer anyway.
Hello,


It was not just you, and we're currently looking into what could have been the source of this. Backups are restoring now, so everything should be back to normal shortly. We'll keep you updated.
waiting for my backup to complete...
 

wickedstangs

Well-known member
#17
Hmm, if the other customers on the same hosting company were not running the same software packages this then smells of a compromised server(s) itself. Good news that they have backups.
Yes, they have backups daily.. Now how to explain to my other customers on my reseller accounts:(
 

wickedstangs

Well-known member
#20
I am thinking if the whole server got hit, they are doing a complete restore of the server? Depending on how big the accounts are on that server could take a while... Don't know..