No announcement yet.

Sites Been Hacked Back to Back

  • Filter
  • Time
  • Show
Clear All
new posts

  • Sites Been Hacked Back to Back

    My server has recently been compromised back to back within a few days! The site is and we have 5,000+ members and about 30,000+ page views a day.

    Recently the server had a root kit installed and it was wreaking havoc on all of the sites resources. At the time I was running 3.0.3 which I thought might have been my downfall with all of the Cross Site Scripting talk going on but I’m no expert. After the server got a clean OS (Linux) install I re-uploaded my site, DB, and updated to 3.5.3. Shortly after about 6 hours of turning the site back on (1/10/06) everyone including myself noticed very slow response times. I logged back into the server to see what’s up and sure enough the machine was infected again? Lots of scripts and apps running from the TMP directory. I had to have the box shut down it was so uncontrollable. I’m very paranoid at this point and was wondering if there is a possibility of some infection/bad code possibly in my DB that could be causing this?

    Any help on this would be greatly appreciated.
    Last edited by smestas; Tue 10 Jan '06, 4:50pm.

  • #2
    I would get a backup some days before they exploited the box, and restore that to a new database, update the config.php file to point to this database and then upgrade the forum to 3.5.3.

    Then change all the staff passwords to new harder to guess ones and add .htaccess to the admincp/ and modcp/ directories. You can also change these 2 dirs to something unique (harder to guess) ones.

    Of course, the htaccess user/pass combination must not be the same as the forums' one.

    Additionally, request your hosting provider to change all their staff passwords too and give you a new unique rendered pass for your ftp, web host, phpmyadmin, email, etc.

    And have them do a proper system check for rootkits, etc. Also make sure you are not runnig outdated software. Update them to the latest adviced versions.


    • #3
      we're you running any other scripts or products like awstats - older version of awstats are susecptible to root kits and hacking.


      • #4
        Thanks for the feedback guys.

        As of right now the server is still offline and I am having extra security steps added that apparently were not turned on originally (iptables/firewall). I will also htaccess the mentioned directories as Floris mentioned.

        At the time of the first compromise I was also running an outdated version of GALLERY and ADSERVER. Basically this was a recipe for disaster so I can understand how my box was worked over. The second time around after a fresh OS install running a rootkit check and upgrading to vb3.5.3 with no other software running on the box it was compromised in less then 6 hours which is why I ask if it is possible something already in my DB could be causing this. I do have older DB's to use prior to the original incident but who knows how far back I should go. Is it possible for something in the DB to leave an open door?

        I found a really interesting LINUX SECURITY read because of all this stuff that has happened. Just thought Id post the link for future readers going thru the same thing.
        Last edited by smestas; Wed 11 Jan '06, 1:55pm.


        • #5
          It really depends on what they have been using. And what it has done. We have no clue what this could have been or how to help you with that.


          • #6
            The last time around there was no rootkit found but there was malicious stuff found running in the /tmp directory. The machine was smart restored before I had a chance to pull the log files down from the last incident.

            The guys in dedicated support told me that it was for sure my forum and the only way to secure the box properly would be to remove the forum. Not exactly what I wanted to hear. They also said it was probably from some kind of "buffer overflow" exploit whatever that is.

            Im going to give it another try with a few more added things for security. My only worry is if its something in my DB Im sure Ill be having problems again. Is there a app or tool that can scan my DB for something fishy?


            • #7
              3.5.3 has no known security issues. Upgrade your site to it and you are fine. If your host believes there is a security issue with 3.5.3 we are more then happy to confirm this and provide a free patch.


              • #8

                My site was running 3.5.3 durring the last incident where apps were running from my /tmp directory. Could something in my DB be infected? If no, then I suspect that my server had been comprimised another way then via my forum despite what my dedicated server support team says.


                • #9
                  So I can rest easy and install my DB?

                  I've just been waiting to turn back on my site I'm still a bit paranoid.


                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.