Troll 'Hacking'

[triforceguy1]

Okay, so for the past several years, we've had this one guy (or several claiming to be the same person) who come on from time to time to stir up trouble. Earlier in the year, he went a bit further and 'hacked' into a Admin account and basically trashed the forum, which meant we had to back it up (unfortunately the only backup was from several months before).

I think it was a case of guessing the password correctly, but it still scared the members a lot. It seems that he has returned after the move, but now he's gone for several normal members. The problem is that this guy is always using an anonymous proxy, so there is no way of permanently getting rid of him.

I am going to try and get everyone to enable two-step, and my host does a weekly backup, but was wondering if anyone else had any advice, or if they have had similar issues? It's frustrating because I spent quite a bit of money on this but I don't one one idiot ruining it.

Leon

 

[Steve F]

Only word of advice I have is don't depend on your host's backups, take some of your own too.

 

[triforceguy1]

Only word of advice I have is don't depend on your host's backups, take some of your own too.

Thing is, I can't, it's a shared server... unless you mean to just download the backups they make, in which case, I do

 

[Steve F]

You can usually do your own through CPanel if that is what you use.

 

[triforceguy1]

You can usually do your own through CPanel if that is what you use.

Ah yes, that's the weekly automated backups they do. Which I download as soon as they become available

 

[whynot]

Ah yes, that's the weekly automated backups they do.

No, Steve did not mean that.
He meant that you should do your own backups in cPanel.

 

[triforceguy1]

No, Steve did not mean that.
He meant that you should do your own backups in cPanel.

The only option the cPanel gives me regarding backups it to download the ones they automatically make. I am unable to backup the databases manually due to how big they are and the fact that I am unable to perform a MySQL dump

 

[whynot]

I am unable to backup the databases manually due to how big they are and the fact that I am unable to perform a MySQL dump

Install Mysqldumper and backup your database with it.
Compress your forum's folder in cPanel.
Download those two files with your FTP client or straight from cPanel.

 

[triforceguy1]

Install Mysqldumper and backup your database with it.
Compress your forum's folder in cPanel.
Download those two files with your FTP client or straight from cPanel.

Shared accounts on Host Gator are not allowed to do that

 

[whynot]

Shared accounts on Host Gator are not allowed to do that

Have a look in your cPanel.
Click on file manager > Choose your forum's folder > Compress > Zip Archive
After a while you will find a fresh zip file.
That contains all your forum's files. Download it to your computer.

Download MySQLDumper.
Upload it with your FTP client(such as FileZilla)
Install it.
You will be able to backup your databases with it then download them to your computer.

 

[James]

Make sure that you force two-step verification to access the Admin CP:
admin.php?options/list/acp#_adminRequireTfa

Make sure your staff usergroups have the "require two-step verification" option under General Permissions.

 

[Anthony Parsons]

Earlier in the year, he went a bit further and 'hacked' into a Admin account and basically trashed the forum

I don't even understand how this could happen, unless you use password as your password. A six digit password using a capital, figure and punctuation, is near impenetrable. i.e. hI&X<3

Let alone 8 digit password. All mod accounts should have two factor required.

You can also use something as simple as https://xenforo.com/community/threads/backup-entire-xenforo-install-database-to-amazon-s3.40343/ to backup directly to Amazon S3, which solves many issues to begin with.

 

[triforceguy1]

I don't even understand how this could happen, unless you use password as your password. A six digit password using a capital, figure and punctuation, is near impenetrable. i.e. hI&X<3

Let alone 8 digit password. All mod accounts should have two factor required.

You can also use something as simple as https://xenforo.com/community/threads/backup-entire-xenforo-install-database-to-amazon-s3.40343/ to backup directly to Amazon S3, which solves many issues to begin with.

The forum used to be on 1.2.2 before I took over, and I think the admin's password was something like the type of car he had or something, which is information that can be obtained pretty easily for a lot of people.

Have a look in your cPanel.
Click on file manager > Choose your forum's folder > Compress > Zip Archive
After a while you will find a fresh zip file.
That contains all your forum's files. Download it to your computer.

Download MySQLDumper.
Upload it with your FTP client(such as FileZilla)
Install it.
You will be able to backup your databases with it then download them to your computer.

I already do the first thing you said
And ah, my mistake, for some reason I thought you were talking about shell access haha
Installing it as I type, thank you

Make sure that you force two-step verification to access the Admin CP:
admin.php?options/list/acp#_adminRequireTfa

Make sure your staff usergroups have the "require two-step verification" option under General Permissions.

That's something I'm encouraging member to do. In the past, it wasn't an option as, before I took over, we were on 1.2.2 which is before Two Step was implemented

 

[triforceguy1]

Okay, so I have installed the dumper, and I've created a directory protection.
But when I go to access the MySQL dumper, I get a Forbidden error, any help? (I'm likely putting in something wrong on the url)

 

[whynot]

Okay, so I have installed the dumper, and I've created a directory protection.
But when I go to access the MySQL dumper, I get a Forbidden error, any help? (I'm likely putting in something wrong on the url)

Temporarily disable the protection.
Any luck with accessing the dumper?

 

[triforceguy1]

Temporarily disable the protection.
Any luck with accessing the dumper?

Yes that's better
Would you not recommend that I use directory protection?

 

[whynot]

Would you not recommend that I use directory protection?

Just use it.
(On the beginning for a while save the user and password in your browser, will be easier to use it.)

 

[triforceguy1]

Just use it.
(On the beginning for a while save the user and password in your browser, will be easier to use it.)

thing is, it doesn't even ask me for a username or password
Am I right in putting .htaccess at the end of the url?

Also, I get the following error when I click the backup tab:

A backup of the system database `information_schema` is not possible! Nevermind fixed the error

 

[gwordz]

Thing is, I can't, it's a shared server... unless you mean to just download the backups they make, in which case, I do

I too have an old Hostgator shared account and manually make backups through cpanel. Are you saying you don't see the backup wizard option or it is giving you an error? (see pics)
Another option is The ForumBackup add-on by @SneakyDave.

 

[triforceguy1]

I too have an old Hostgator shared account and manually make backups through cpanel. Are you saying you don't see the backup wizard option or it is giving you an error? (see pics)
Another option is The ForumBackup add-on by @SneakyDave.
View attachment 136287 View attachment 136288

We are talking about making manual backups (not the ones which HostGator make on a weekly basis) I thought the dumper wasn't allowed, but it can be installed on the server and I'm using it now

And I don't really want to rely on automated backups too much as I have a fairly large database, which if there is any time out during export, the structure can get ruined (it's about 800mb)