
Can I be infected and no program to detect it?


  • This topic is locked
7 replies to this topic

#1 sensey

sensey

  • Members
  • 9 posts

Posted 13 February 2013 - 12:24 PM

Hi, a week ago my website (an SMF forum) was defaced. I asked my server and the SMF community for support. SMF support told me that the problem should be in the server, and the server told me that the problem should be in SMF or my computer... so I scanned my computer:

 

I have 4 OSes on my computer (XP, 7 x86, 7 x64 and 8) in different partitions, but the one I use most is XP, so I scanned the XP machine with ComboFix, Malwarebytes and my antivirus (NOD32) and nothing was found. Then I went to another operating system (7 x64) and scanned all partitions with NOD32, but nothing was found. Then I went to another OS (Win 8), installed Kaspersky 2013 and scanned all partitions again, and again, nothing was found...

 

Actually, my site is down because no one could give me an explanation of how the site was hacked or assure me that it will not happen again, so I came to ask if I might have a virus or something that is not detected.

 

Regards




 


#2 niemiro

niemiro

  • Members
  • 102 posts
  • Gender:Male

Posted 13 February 2013 - 12:59 PM

Hello :)

 

Out of interest, was your SMF forum software completely up to date when you got hacked? Were all of your plugins or addons up to date?

 

Richard


One of the very few people in the world who is truly enthused about Windows Update and how it works...

 

Yes, I'm a bit weird :P


#3 sensey

sensey
  • Topic Starter

  • Members
  • 9 posts

Posted 13 February 2013 - 02:43 PM

The 1st time I got hacked my SMF was out of date (2.0.3), so I assumed the bug was in SMF. I updated SMF (2.0.4) but I got hacked again, so I thought the problem was in some mods, so I erased all files and installed a clean SMF forum (no mods), but after a while I got hacked again... (that was when I started asking the server and SMF community for support)

 

Regards



#4 niemiro

niemiro

  • Members
  • 102 posts
  • Gender:Male

Posted 13 February 2013 - 03:45 PM

> The 1st time I got hacked my SMF was out of date (2.0.3), so I assumed the bug was in SMF. I updated SMF (2.0.4) but I got hacked again, so I thought the problem was in some mods, so I erased all files and installed a clean SMF forum (no mods), but after a while I got hacked again... (that was when I started asking the server and SMF community for support)
>
> Regards

 

Hmmmm. I have never used SMFs, unfortunately. My experience is with vBulletin.

 

Do you have access to server logs? They should help you to identify how you got hacked.

 

Other than that, ensure file permissions are as tight as possible. Most php files can be 644, although some will probably need to be 755. Directories will also need to be 775.

 

Next, don't reuse passwords from your old installations. Although the chances are that this is an automated attack, change your phpMyAdmin, database, FTP, and admin passwords, just to be sure. And make sure they are all different, and not guessable.

 

Ensure you delete all backup files, or at the very least make sure their extension is .php. There is likely to be some configuration file which holds your database password. A backup file will expose this.

 

You could add additional security, such as using .htaccess to protect your adminCP dir, in addition to file permissions.

 

I am sorry that this is all quite general. I don't know SMF, and nor do I know your forum.

 

Richard


One of the very few people in the world who is truly enthused about Windows Update and how it works...

 

Yes, I'm a bit weird :P
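
The permission and backup-file checks suggested in the post above, as an added example that is not part of the original thread: it flags anything looser than the 644/755/775 modes mentioned, finds copies of PHP files whose name no longer ends in .php, and lists PHP files changed recently. The function names, the list of backup suffixes and the example path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PHP web root for loose permissions and exposed backups.
# Paths and file names used with it are assumptions, not values from the thread.

# Files and directories writable by every local user (o+w).
# Modes 644, 755 and 775 never match; 666 and 777 do.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Copies of PHP files whose name no longer ends in .php, so the web server
# typically returns their source (and any database password in it) as text.
find_exposed_backups() {
    find "$1" -type f \( -name '*.php~' -o -name '*.php.*' -o -name '*.bak' \
        -o -name '*.old' -o -name '*.orig' -o -name '*.save' -o -name '*.swp' \) \
        ! -name '*.php' -print
}

# PHP files changed in the last N days: after a clean install, anything
# newer than the install date deserves a manual look.
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2" -print
}

# Print a report; return 1 if world-writable paths or exposed backups exist.
audit_webroot() {
    _root=$1 _days=${2:-7} _status=0
    _ww=$(find_world_writable "$_root")
    _bk=$(find_exposed_backups "$_root")
    _new=$(find_recent_php "$_root" "$_days")
    if [ -n "$_ww" ]; then printf 'WORLD-WRITABLE:\n%s\n' "$_ww"; _status=1; fi
    if [ -n "$_bk" ]; then printf 'EXPOSED BACKUPS:\n%s\n' "$_bk"; _status=1; fi
    if [ -n "$_new" ]; then printf 'PHP CHANGED IN LAST %s DAYS:\n%s\n' "$_days" "$_new"; fi
    return "$_status"
}

# Run only when a directory is given, e.g.: sh audit.sh /var/www/forum 7
if [ "$#" -gt 0 ]; then audit_webroot "$@"; fi
```

The recent-changes list is informational only, since every file is new right after a reinstall; compare it against the time the clean install finished.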


#5 sensey

sensey
  • Topic Starter

  • Members
  • 9 posts

Posted 13 February 2013 - 04:06 PM

> Do you have access to server logs? They should help you to identify how you got hacked.

Yes, I already checked that, and SMF support did too, but they told me there is nothing strange...

> Other than that, ensure file permissions are as tight as possible. Most php files can be 644, although some will probably need to be 755. Directories will also need to be 775.

All files have the 644 access flag.

> Next, don't reuse passwords from your old installations. Although the chances are that this is an automated attack, change your phpMyAdmin, database, FTP, and admin passwords, just to be sure. And make sure they are all different, and not guessable.

Yes, every time I reinstalled I changed all passwords... but the hacker gets the new passwords again.

> Ensure you delete all backup files, or at the very least make sure their extension is .php. There is likely to be some configuration file which holds your database password. A backup file will expose this.

I did that too... (I also gave access to an SMF support user and he did a clean install)

That is why I came here, because I did all the things SMF and my server told me to do, so I thought there is nothing left but that my PC is the problem...

 

Regards



#6 sensey

sensey
  • Topic Starter

  • Members
  • 9 posts

Posted 14 February 2013 - 02:50 PM

Anyone? Do you need me to upload logs or something?

 

Regards



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 February 2013 - 10:13 PM

I am going to suggest... we should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.


How do I get help? Who is helping me?

For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#8 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,743 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 20 February 2013 - 11:24 AM

Now that your log is properly posted here, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

