IntegraMOD

[monkey]

Your phpBB Version: 2.0.
phpBB Type: Standard phpBB
MODs: No
Your knowledge: Beginner
Board URL: http://www.twitchythumbs.co.uk/integra

PHP Version:
MySQL Version:


What was done before the problem appeared?
Nothing


What was done to try to solve the problem?
renamed "index.php" in my root. Uploads "auth.php" from the integra download, to the /integra folder.



De.scription and Message

Help!

I've been hacked, somehow.

I've no further information, can anyone help please?

I'm a complete and utter newbie with things like this, so please be gentle with me, and put any instructions into the same language as you'd use for a 5 year-old.

Thanks!

[CaNNon]

Do you have a backup of your files?

Looks like they have injected something to display that message. In this case if thats found and removed from the code you have a really good chance everything will still work.

You need to check the files, was index.php still working when you renamed it?
If so and you can you get into admin, the file checksum feature in CT will tell you witch files have been changed if you have been keeping that up to date. Also the CT logs you may find what files have had attempts at them good chance that could help you find what was changed too.

Also most sites have for error logs and tracking logs in the root of the site they can tell you what files they accessed too.

If you can't find it pm me if you don't mind allowing me access I can spare a little time tonight to help you.

[monkey]

Nope, the index file was changed also.

I can't get into the admin console as /integra/admin also doesn't work....

[found it]

Has your config file changed ..... if it has upload a new one with your database details etc and chmod it to 644....

if it was left at 666 that is how they got in... did it to me a year ago... upload a new index.php file as well then go from there...

let us know

[Helter]

also, add this to your forum root. If you already have an htaccess in your forum root, just copy the code to your current one

Code: Select all

 <Files>Order Allow,DenyDeny from All</Files><Files>Order Allow,DenyDeny from All</Files>

[CaNNon]

Zip's empty

[monkey]

Hi Helter,

I've added the.htaccess file to the root of the integra folder as you've mentioned, the only difference that I could see that this is made is the following, when you go to http://www.twitchythumbs.co.uk/integra you now get an Error 500 -Internal Server message. I've had a look at the config.php file and it looks like the Hacker was using this as his 'Hacker Screen' as this contains the text that loaded up initially with his stupid hacker message.

Unfortunately the only access we have too our site currently is via FTP, there is no method for us to login to the site as normal, what can we do?

One other thing too, the usual URL for our website is http://www.twitchythumbs.co.uk which is coming up with Error 403 - Forbidden, it was only when we stuck integra on the end of the URL (so http://www.twitchythumbs.co.uk/integra) that the hacker screen appeared, but as mentioned above this now shows a Error 500 Screen.

Any help and advice greatly appreciated.

[found it]

replace your config file with a new one with your database details as shown below...

Code: Select all

<php>

once this id done you should be able to see your site and login.... make sure you set the file to 644


if you make a file called index.php and add this into it.. upload to your root unless you have info at [url=http]http://www.twitchythumbs.co.uk[/url] then please ignore

Code: Select all

<phpheader>

this will redirect anyuser who types in http://www.twitchythumbs.co.uk ----www.twitchythumbs.co.uk/integra

let us know

[CaNNon]

Did you save a copy of that config.php?
I would like to have a look at it.

[monkey]

@CaNNon, no sorry I deleted it as I was that fuming about this stupid hacker and his stupid screen.

@found it Thanks for these files, however the index.php that I have is massive, where does this entry need to go, anywhere in particular.

Also with regard to the config.php file where this entry is listed:

$table_prefix = 'phpbb_';

do i need to add anything to it?

[found it]

@found it Thanks for these files, however the index.php that I have is massive, where does this entry need to go, anywhere in particular.

this is only to be used at the root of your site if you want to redirect your site to your integramod folder..

Also with regard to the config.php file where this entry is listed:

$table_prefix = 'phpbb_';

do i need to add anything to it?

This is for your database tables if you installed integramod as normal then there is no need to change these tables...

[monkey]

Still not having any joy unfortunately. I was just wondering if my config.php file needed any mention of the URL at all for the site?

[CaNNon]

config.php stores info to connect to the db. shouldn't need any site paths but the info must be correct.

[JohnnyTheOne]

you can limit connections to the integra part of your site by adding an ".htaccess" file with the following contents in the integra directory:

<Limit>
order deny,allow
deny from all
allow from 127.0.0.1
</Limit>

You will need to replace the "127.0.0.1" with your IP address. If you do not know your IP address go to:

http://www.dslreports.com/whois

You may add an additional "allow from..." line to specify the IP address for every user authorized to access the integra pages.

Because most ISPs assign dynamic IP addresses, you will need to update the ".htaccess" file whenever you find you can no longer access the integra part of your site. You will also need to change it using your FTP client or ISP file manager interface when accessing your site on the road or from a borrowed computer.

[Helter]

your htaccess was incomplete

changed post to [solved] Let us know if you have any more troubles

[monkey]

Hi HelterSkelter,

Many thanks for this you're a star. Just a few things I'd like your advice on please.

Firstly, typing in http://www.twitchythumbs.co.uk takes me to an error screen, but typing in http://www.twitchythumbs.co.uk/integra takes me not to the home page, but to the Forum page, could you please let me know what changes I would need to make in order for users to use http://www.twitchythumbs.co.uk to take them to the main portal page?

Secondly and more importantly, how can I check to ensure that we are 'secure' against any further hacks?

Lastly, is there an easy way to make a backup of all the files, without having to manually copy and them all from the FTP site to my drive incase of any future hacking attemps?

Thank you once again for your help, most appreciated.

Steve

[Stevey1976]

Hi HelterSkelter,

Many thanks for this you're a star. Just a few things I'd like your advice on please.

Firstly, typing in http://www.twitchythumbs.co.uk takes me to an error screen, but typing in http://www.twitchythumbs.co.uk/integra takes me not to the home page, but to the Forum page, could you please let me know what changes I would need to make in order for users to use http://www.twitchythumbs.co.uk to take them to the main portal page?

Secondly and more importantly, how can I check to ensure that we are 'secure' against any further hacks?

Lastly, is there an easy way to make a backup of all the files, without having to manually copy and them all from the FTP site to my drive incase of any future hacking attemps?

Thank you once again for your help, most appreciated.

Steve

Hi HelterSkelter,

Please don't worry about my first point, I'd forgotten this had been answered by FoundIt earlier in the post, so I've put an index file in the root of the ftp site and pointed it too http://www.twitchythumbs.co.uk/integra/portal.php, however if you could still point me in the right direction with regard to the other queries that would be fab.

[Stevey1976]

Has your config file changed ..... if it has upload a new one with your database details etc and chmod it to 644....

if it was left at 666 that is how they got in... did it to me a year ago... upload a new index.php file as well then go from there...

let us know

Hi FoundIt,

Please can you provide me with info on this chmod 644, namely what it is and how I do it?

Thank you.

[found it]

Has your config file changed ..... if it has upload a new one with your database details etc and chmod it to 644....

if it was left at 666 that is how they got in... did it to me a year ago... upload a new index.php file as well then go from there...

let us know

Hi FoundIt,

Please can you provide me with info on this chmod 644, namely what it is and how I do it?

Thank you.

Hi

When ever you upload files to a server (apache not windows) certain files need to have write permissions set so the file or folder can change with information that you place on your site...

When installing IntegraMOD there is an install guide that explains which files need chmodding....

I use ftp to upload my files using ipswitch software to do it..... for me I right click the folder or file and select properties there I am able to change the chmod for it....

Also in file manager on cpanel you are able to change the write permissions for files and folders...

after installing an Integramod site or phpBB the config file should be changed from 666 to 644 so then it is secure from being written over....

I hope that helps a bit...

[Stevey1976]

Hi FoundIt,

Many thanks, I've checked the config.php file and the one currently there is set to 644, I cannot say if that was the same for the original config.php which got hacked but hopefully that should be okay. Are there any security checks that I can make to ensure the site is fully protected?