XF 1.0 I have been Hacked..???????? HELP

Discussion in 'Troubleshooting and Problems' started by wickedstangs, Oct 12, 2011.

  1. wickedstangs

    wickedstangs Well-Known Member

  2. Brogan

    Brogan XenForo Moderator Staff Member

    Managed server, shared or dedicated?

    Are there any other server administrators?
    Is it possible the account details have been compromised in some way, via email, a file, etc?

    Change all passwords.
    Contact your host and inform them.
    Log in and remove any uploaded files.
    Restore from a backup if necessary - ensure there is no malicious code in the server files or DB.
     
  3. dutchbb

    dutchbb Well-Known Member

    Take the server offline first, then if possible restore from a backup. Also change all passwords and contact your host. You should make sure your server is secure, as well as all computers connecting to it. It's possible they hacked/infected your PC first to get to your server login info.
     
  4. wickedstangs

    wickedstangs Well-Known Member

    contacting my hosting company now.. It is a reseller account... I am the only administrator.
     
  5. RvG

    RvG Active Member

  6. wickedstangs

    wickedstangs Well-Known Member

    hosting company is looking into it. I have a reseller account and it looks like all my sites are hacked:(
     
  7. ENF

    ENF Well-Known Member

    I have to laugh though, the 'hacker' put his page up and inside I saw...

    Code:
    <META content="Microsoft FrontPage 6.0" name=GENERATOR>
    
    Hope you get everything sorted...
     
    D.O.A., Hoffi and Darkimmortal like this.
  8. MGSteve

    MGSteve Well-Known Member

    Either they cracked your password into the reseller account and got into all the sites that way, or the hosting provider has had a problem somewhere..... Is there a forum for this hosting provider, perhaps others have also been hacked?
     
  9. CyclingTribe

    CyclingTribe Well-Known Member

    Good luck with getting back to normal. It's horrible when stuff like this happens.
     
  10. borbole

    borbole Well-Known Member

    Also, ask them to check their access logs around the time that hack occurred so they can see what exactly happened.

    Can you check the db, is it intact? If it is and it is not infected then all you have to do is clean up your index and all the other forum files by overwriting them with a fresh set from the package of your version. If you already have not upgraded to the latest version, then do so a.s.a.p. This goes for any other script that you have installed in your server.

    Then do a thorough check up of your server space for any suspicious file/s that shouldn't be there. Another thing to consider is to scan your PC with an antivirus program and then change all your passwords.
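
The file check described in the post above, as an added example that is not part of the original thread: it hashes a freshly unpacked copy of the forum package and the live webroot, then lists files that were modified, files that exist only on the server, and files that are missing. The directory names and sample file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = sha256_of(full)
    return index

def compare_to_reference(reference_root, live_root):
    """Return (modified, extra, missing) lists of relative paths, each sorted."""
    ref, live = index_tree(reference_root), index_tree(live_root)
    modified = sorted(p for p in ref.keys() & live.keys() if ref[p] != live[p])
    extra = sorted(live.keys() - ref.keys())
    missing = sorted(ref.keys() - live.keys())
    return modified, extra, missing

def build_demo(base):
    """Constructed sample trees: a clean package and a tampered webroot."""
    files = {"index.php": b"<?php // entry point", "library/app.php": b"<?php // app"}
    for root in ("reference", "live"):
        for rel, data in files.items():
            path = os.path.join(base, root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    # Constructed tampering: a replaced index page and an unexpected file.
    with open(os.path.join(base, "live", "index.php"), "wb") as f:
        f.write(b'<META content="Microsoft FrontPage 6.0" name=GENERATOR>')
    with open(os.path.join(base, "live", "library", "x.php"), "wb") as f:
        f.write(b"<?php // not in the package")
    return os.path.join(base, "reference"), os.path.join(base, "live")

def run_demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_to_reference(*build_demo(base))
```

On a real site, the configuration file and user uploads will legitimately show up as extra, so that list needs a manual review rather than blanket deletion.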
     
  11. wickedstangs

    wickedstangs Well-Known Member

    this is what my hosting company sent me..
    Results for 79.173.192.244 :



    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: this output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '79.173.192.0 - 79.173.210.255'

    inetnum: 79.173.192.0 - 79.173.210.255
    netname: ADSL-3
    descr: Assigned for ADSL customers
    descr: ORANGE-JORDAN
    remarks: ===For abuse contact mailbox abuse@go.com.jo ===
    country: JO
    admin-c: NI146-RIPE
    tech-c: NI146-RIPE
    status: ASSIGNED PA
    mnt-by: GO-JOR
    source: RIPE # Filtered

    person: Nazik Irshead
    address: Orange - Jordan
    phone: +962 6 5805205
    fax-no: +962 6 5850102
    mnt-by: GO-JOR
    nic-hdl: NI146-RIPE
    source: RIPE # Filtered

    % Information related to '79.173.192.0/18AS8376'

    route: 79.173.192.0/18
    descr: Jordan Telecom Group ( Orange)
    descr: City Center Building, 1st circle, Jbal Amman
    descr: P.O. 941477 Amman - 11194
    descr: jordan
    descr: Tel: +962 6 5805205
    descr: Fax: +962 6 5850100
    remarks: ===============================
    remarks: Jordan Telecom Group -Amman/Jordan
    remarks: Route 1
    remarks: =================================
    origin: AS8376
    mnt-by: GO-JOR
    source: RIPE # Filtered
     
  12. CyclingTribe

    CyclingTribe Well-Known Member

    Was your data trashed or just your homepages hijacked?
     
  13. MGSteve

    MGSteve Well-Known Member

    So, if the hacker didn't hide behind any servers, that's where he hacked you from, although I expect that's simply a compromised computer anyway.
     
  14. wickedstangs

    wickedstangs Well-Known Member

    Not sure they are uploading a backup now... I will ask..
     
  15. wickedstangs

    wickedstangs Well-Known Member

    Hello,


    waiting for my backup to complete...
     
  16. Deebs

    Deebs Well-Known Member

    Hmm, if the other customers on the same hosting company were not running the same software packages this then smells of a compromised server(s) itself. Good news that they have backups.
     
  17. wickedstangs

    wickedstangs Well-Known Member

    Yes, they have backups daily.. Now how to explain to my other customers on my reseller accounts:(
     
  18. Dodgeboard

    Dodgeboard Well-Known Member

    The biggest question I would have, is why it has taken 6 hours for you to do a restore? :eek:
     
  19. Deebs

    Deebs Well-Known Member

    It is not wickedstangs doing the restore but the hosting Company.
     
  20. wickedstangs

    wickedstangs Well-Known Member

    I am thinking if the whole server got hit, they are doing a complete restore of the server? Depending on how big the accounts are on that server could take awhile... Don't know..
     
