Compromised - DDOS / Spam Server - help ?

Started by LandyVlad, May 09, 2020, 09:03 AM


LandyVlad

May 09, 2020, 09:03 AM Last Edit: May 10, 2020, 05:30 AM by LandyVlad
So my account that my gsx1400owners.org is on has been suspended.

Email advice said contact the provider re suspended account.


chatbot:

Quote:
It does appear as though there is a command on your account which leads us to believe that the account is compromised. Due to this, we have had to suspend your account until such a time that you are ready to review, clean and secure your account.

Quote:
There was a command running that was running the host command on the server.
Your account was suspended as it's heavily compromised and running DDoS/Spam scripts:


I logged a ticket and they have come back with:
Quote:
Here is a virus scan I ran on your account; this lists some (but not all) of the potential issues:


edit: details removed as contained direct paths.


I'm not sure how to interpret that, and what I need to do?
I reject your reality, and substitute my own.

LandyVlad

May 09, 2020, 09:35 AM #1 Last Edit: May 09, 2020, 09:39 AM by LandyVlad
In cPanel I turned 'ModSecurity' on. I have no idea what that does or is, but it seemed like a good idea and the system says it's recommended.

I went in and updated WordPress and all my plugins and themes.



Next is to look at SMF, but no idea what I should be looking for!?

Error logs today have a heap of these
Quote:
URL: https://gsx1400owners.org/forum/index.php?topic=4767.msg62845
2: filemtime(): stat failed for /home/gsxowner/public_html/forum/attachments/17136_7050a59fa56a95f8ae03b6a2c338c4a728e3dde4
File: /home/gsxowner/public_html/forum/Sources/Display.php
Line: 1482
I reject your reality, and substitute my own.

Skhilled

Well, at least the site is back up... One thing is that you should never leave a file like the following zip (a mod or forum software) on your server. That's the first thing a hacker will try to compromise.

Quote:
'/home/xxxxxxx/public_html/xxxxxx/Packages/SMFGalleryPro8.0.zip'

You should also never openly post the entire URL or path from your site. Block out any user account names, email addresses, etc. as I've done above.

Quote from: LandyVlad on May 09, 2020, 09:35 AM
In cPanel I turned 'ModSecurity' on. I have no idea what that does or is, but it seemed like a good idea and the system says it's recommended.

I went in and updated WordPress and all my plugins and themes.

Next is to look at SMF, but no idea what I should be looking for!?

Error logs today have a heap of these
ModSecurity, in theory, is supposed to help with your site's security. But it can also block legit users and accounts. So, look out for that.

You must always keep your WP updated. Hackers love to try to hack into it. They prolly got in cause an admin didn't use a strong enough password for their account, site and db.

Quote:
URL: https://gsx1400owners.org/forum/index.php?topic=4767.msg62845
2: filemtime(): stat failed for /home/gsxowner/public_html/forum/attachments/17136_7050a59fa56a95f8ae03b6a2c338c4a728e3dde4
File: /home/gsxowner/public_html/forum/Sources/Display.php

That error points to your attachments folder. For the theme, it appears that your default SMF theme (the one you have set the forum to) has a bad link to its folder or the theme's folder is missing. Run repair_settings.php or log in and set it to another working theme.

My suggestion would be to delete the files and install a working backup and run it from there, if you have one. This way you should be sure to get all of the compromised files deleted. Unfortunately, hackers are hitting all of the servers cause of covid-19 and people are using the net more. They've been hitting our servers for over a month now. >:(

Skhilled

I just realized...if you go to the main site:

https://www.gsx1400owners.org

Then click on the "Forum" menu button the theme is missing. But if you use either one of these links it works:

https://gsx1400owners.org/forum/index.php

OR

https://gsx1400owners.org/forum/index.php?action=forum

LandyVlad

May 10, 2020, 05:31 AM #4 Last Edit: May 10, 2020, 05:33 AM by LandyVlad
Quote from: Skhilled on May 09, 2020, 12:54 PM
ModSecurity, in theory, is supposed to help with your site's security. But it can also block legit users and accounts. So, look out for that.

Yep, turns out it was causing all sorts of issues, especially for mobile and Apple devices. So I've turned it back off again.

Quote from: Skhilled on May 10, 2020, 12:37 AM
I just realized...if you go to the main site:

https://www.gsx1400owners.org

Then click on the "Forum" menu button the theme is missing.

Well that is VERY odd. Any ideas on what might be causing that?
I reject your reality, and substitute my own.

LandyVlad

OK, just did a repair settings and that theme issue seems to have resolved itself.
Thank you  :vcool
I reject your reality, and substitute my own.

lurkalot

@LandyVlad, I noticed you're a few versions behind with your TinyPortal version, we just released a security update version of TinyPortal 1.6.6 which I highly recommend you update to. Same applies to @Bigguy for this site.

https://custom.simplemachines.org/mods/index.php?mod=97
https://www.tinyportal.net/index.php?action=tpmod;dl=item155

Skhilled

Quote from: LandyVlad on May 10, 2020, 05:41 AM
OK, just did a repair settings and that theme issue seems to have resolved itself.
Thank you :vcool
You're welcome! Here's something that may help you and your users:

https://www.smfhelper.com/index.php?msg=5497

LandyVlad

@lurkalot thanks, but out of interest: package manager shows 'current version installed' for that (and all) my mods.

Presumably that's not reliable then? Or does it draw data just from what's available in the mods section of the simplemachines site?


@Skhilled yeah, you can tell people all you like, but most people just use something super simple; if it's too hard they don't bother and just use faceache or something.

I reject your reality, and substitute my own.

LandyVlad

Unsure whether the main issue has resolved itself / whether the problem will recur.

Hasn't been turned off by the host yet so I suppose it must be OK.


Silly question but... how do I change my database password etc. and still ensure the site is running afterwards?
I reject your reality, and substitute my own.

lurkalot

Quote from: LandyVlad on May 13, 2020, 04:40 AM
@lurkalot thanks, but out of interest: package manager shows 'current version installed' for that (and all) my mods.

Presumably that's not reliable then? Or does it draw data just from what's available in the mods section of the simplemachines site?

If you're referring to the red / green dots in the package manager denoting current version / older version, then correct, it's not reliable, and that's the reason it was removed from 2.1.

I can assure you though, TP 1.6.6 is now the current version, and the one you should be using for security reasons. Just make sure you uninstall the older version before installing TP 1.6.6.

LandyVlad

I reject your reality, and substitute my own.

Skhilled

Quote from: LandyVlad on May 13, 2020, 04:43 AM
Silly question but... how do I change my database password etc. and still ensure the site is running afterwards?

Sorry, missed that part. Just change the password in cPanel under MySQL Databases for the user of the database you are using. Then open Settings.php in your forum's root directory and change the password for this:

$db_passwd = '**********';

Remember to make a backup first. If you are not sure which database you are using, look in Settings.php for this:

$db_name = '*****_*****';

You can also create a new db user and add its password to Settings.php:

$db_user = '*******';
$db_passwd = '********';
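The Settings.php side of that rotation, and the "is the site still running afterwards" check, can be scripted so you are not relying on the forum's front page to tell you the new password was mistyped. The script below is an added example written for this thread; it is not code from SMF or from anyone in the discussion. It assumes the SMF 2.x Settings.php layout quoted above (`$db_server`, `$db_name`, `$db_user`, `$db_passwd` as single-quoted PHP literals), a `mysql` command-line client on the host, and that you have already changed the same user's password in cPanel > MySQL Databases. The sample Settings.php it writes is constructed for the example; every value in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread or SMF): back up Settings.php, rewrite
# only the $db_passwd line, and verify the new credentials the way SMF will
# use them. Assumes the SMF 2.x Settings.php layout quoted in the thread.
set -eu

# Escape a value for a PHP single-quoted string: only the backslash and the
# single quote itself need escaping, so a password like it's -> it\'s.
php_single_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Print the raw (still PHP-escaped) literal of a "$var = '...';" line.
# Usage: settings_value /path/Settings.php db_name
settings_value() {
    sed -n "s/^\\\$$2 = '\(.*\)';.*/\1/p" "$1"
}

# Back up Settings.php (mode and owner preserved by cp -p), then replace the
# $db_passwd line and nothing else. Writing back through the original file
# keeps its owner and permissions, which the web server relies on under cPanel.
rotate_db_passwd() {
    settings="$1"
    escaped=$(php_single_quote "$2")
    cp -p "$settings" "$settings.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$settings.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '$db_passwd = '*) printf "\$db_passwd = '%s';\n" "$escaped" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$settings" > "$tmp"
    cat "$tmp" > "$settings"
    rm -f "$tmp"
}

# Test the credentials against the database named in Settings.php. The
# password goes into a mode-600 option file rather than on the command line,
# so it never shows up in `ps` output. Returns 0 on success, 1 on failure,
# 2 if there is no mysql client to test with.
verify_db_connection() {
    settings="$1"
    command -v mysql >/dev/null 2>&1 || {
        echo 'mysql client not found; log in to the forum to confirm instead' >&2
        return 2
    }
    cfg=$(mktemp)
    chmod 600 "$cfg"
    {
        printf '[client]\n'
        printf 'host=%s\n' "$(settings_value "$settings" db_server)"
        printf 'user=%s\n' "$(settings_value "$settings" db_user)"
        # quoted so that '#' or spaces survive; a '"' in the password needs \" here
        printf 'password="%s"\n' "$2"
    } > "$cfg"
    if mysql --defaults-extra-file="$cfg" "$(settings_value "$settings" db_name)" \
            -e 'SELECT 1' >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cfg"
    return $rc
}

# Constructed sample Settings.php fragment for trying the functions out.
# All values are made up; they are not from the thread.
write_sample_settings() {
    cat > "$1" <<'EOF'
<?php
########## Database Info ##########
$db_type = 'mysql';
$db_server = 'localhost';
$db_name = 'gsx_smf';
$db_user = 'gsx_forum';
$db_passwd = 'old-and-leaked';
$db_prefix = 'smf_';
EOF
}

# Usage: sh rotate_smf_db_passwd.sh /home/ACCOUNT/public_html/forum/Settings.php
# (placeholder path; run after changing the password in cPanel)
if [ "${1:-}" != "" ]; then
    printf 'New database password: '
    stty -echo; read -r NEWPASS; stty echo; printf '\n'
    rotate_db_passwd "$1" "$NEWPASS"
    verify_db_connection "$1" "$NEWPASS" && echo 'Connection OK' \
        || echo 'Connection FAILED: restore the .bak copy of Settings.php' >&2
fi
```

If `verify_db_connection` fails, the timestamped `.bak` copy is the one-line rollback: copy it back over Settings.php and the forum is exactly as it was before the edit. The backup still contains the old password, so delete it once the new one is confirmed working.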

LandyVlad

I reject your reality, and substitute my own.