# My SMF Forum's been Hacked



## aod (Apr 7, 2009)

http://www.dothedogforum.com/forum/

Think it's a script, but not sure how to fix as I can't access any of the forum admin. I've contacted the webhost, but if anyone here can beat them to it I'd appreciate the help!

The forum has been replaced by a scrolling page of text and images displaying:

'Mr.Computer Hacker

For GaZa ...........

Where Is Your.. Security ?'

and then some arabic, and hacker signatures...


----------



## [email protected] (Jan 28, 2009)

Are you using a CMS system like e107 ?


----------



## aod (Apr 7, 2009)

Nope, just smf installed on a web host/sql db, in a folder off the root


----------



## Guest (Oct 6, 2009)

Do you have FTP or dpanel (whatever) access to the actual forum files?

It is *probably* semi-automated, so I wouldn't worry too much in the meantime.


----------



## Guest (Oct 6, 2009)

aod said:


> Nope, just smf installed on a web host/sql db, in a folder off the root


go into the forum folder and look for the hacked file in question, change all your passwords to be on the safe side


----------



## Scotch (Jul 23, 2009)

When you load up the page have a look at the page source under the view menu. You get a few more details. May not help but you get another web page to follow.

Cheers


----------



## jamest (Apr 8, 2008)

It will likely just be your index.php file replaced.

This is NOT a targeted attack and your forum has NOT been hacked.

The hack was done at server level and everyone on the same server will have the same message. Your host will be able to sort it out, but you should ask questions about why your host was hacked, ie not keeping up with updates for the cPanel (or whatever they use) or if they are hosting a site on the same server that is being targetted and it was just easier to get the whole server.

Don't worry.


----------



## aod (Apr 7, 2009)

jamest said:


> It will likely just be your index.php file replaced.
> 
> This is NOT a targeted attack and your forum has NOT been hacked.
> 
> ...


Sounds logical, as the index.php looks clean. Hopefully if it's the host server, rather than my account, then it'll be fixed soon, and they'll patch it. It's a fairly cheap service, but they've been very reliable for the past 2 years, so as long as this is a one off, then I'm not too 

It's not a busy forum anyway, only a few hundred members, and handful of regulars. I just do the admin...


----------



## aod (Apr 7, 2009)

aod said:


> Sounds logical, as the index.php looks clean. Hopefully if it's the host server, rather than my account, then it'll be fixed soon, and they'll patch it. It's a fairly cheap service, but they've been very reliable for the past 2 years, so as long as this is a one off, then I'm not too
> 
> It's not a busy forum anyway, only a few hundred members, and handful of regulars. I just do the admin...


Actually, IS it at server level? The root is ok...

http://www.dothedogforum.com/

The /forum folder displays the hack message (where smf is installed)

http://www.dothedogforum.com/forum/

EDIT:

I'll check back tomorrow, no time to mess about now!


----------



## jamest (Apr 8, 2008)

You misunderstand server level.

The server you are on will host hundreds/thousands of sites. Yours is just one of these.

All of these will have a problem if it is a server attack.


----------



## aod (Apr 7, 2009)

jamest said:


> You misunderstand server level.
> 
> The server you are on will host hundreds/thousands of sites. Yours is just one of these.
> 
> All of these will have a problem if it is a server attack.


I understand what you mean, but if it's at server level would the script not effect all folders on all accounts on that server - what I'm getting at is that on my account, the hack message is only displayed within the /forum directory, where SMF is installed. All other folders (default, or ones I've created, including the root) work fine and don't display the message. It seems specific to the /forum folder on my account, and maybe an SMF attack, but don't know if it's just me or if they've somehow targeted all smf installations on the server somehow?


----------



## In a state (Mar 20, 2006)

What version of SMF were you running? 1.1.8? Or 2.0 RC1 as both of these have had recent security updates...

Latest versions are 1.1.9 and 2.0 RC1.2


----------



## jamest (Apr 8, 2008)

aod said:


> I understand what you mean, but if it's at server level would the script not effect all folders on all accounts on that server - what I'm getting at is that on my account, the hack message is only displayed within the /forum directory, where SMF is installed. All other folders (default, or ones I've created, including the root) work fine and don't display the message. It seems specific to the /forum folder on my account, and maybe an SMF attack, but don't know if it's just me or if they've somehow targeted all smf installations on the server somehow?


Searching for the SMF version number you can get sites who have the version number in the footer of the theme so you can quite easily get a list of URLs.

Also do take in to account your homepage uses index.html not index.php.


----------



## tompinney (Jan 29, 2006)

A forum install on our owners club got done in a similar way a couple of years ago (every index.php was changed to some lame hacker message), no idea if it was server or account specific. The fix for me then was just to log into the account cpanel section and change ALL the passwords. Then in the case of phpBB forum we were using I just re-uploaded the forum file structure from the archive downloaded from the phpBB site, deleted the install directory WITHOUT running the install scripts because the database was still present and intact, and we were up and running again. I subsequently had to reload some of the mods I had installed, but it got us functional again within minutes.

I don't know the ins and outs of SMF, but you may well be able to do something similar with it.


----------



## In a state (Mar 20, 2006)

They're probably just script kiddies...they cause havoc on some sites.

If your database is intact, just change all the passwords and reinstall all your forum from scratch but scan your database because they might have planted something in there.

Also make sure you get all the files CHMOD'd to the correct settings....these will be on the SMF forum.


----------



## aod (Apr 7, 2009)

Well the nice people at the webhost got back to me, fixed some security issues with my file permissions and have given me a choice of dates to restore a backup from. Hopefully that'll sort it! Thanks for all the help and advice


----------



## aod (Apr 7, 2009)

The backups they had were after the hack, so didn't fix it. Luckily I had an older backup which I ftp'd and they restored for me. Lost some posts etc but at least it's there. Just gotta fix some small theme problems...

Thanks for all the help :thumb:


----------

