Forum Hacked

[olds]

The forum (SMF) index page looked like this.
I took out the text and it looks like all the files for the forums are still there.
What do I need to do to point the index page back to the forums? There is a file there named index.php~
What's the tilde for?
http://www.narrcc.net/forums

He didn't touch the front page but the photo page is corrupt:
http://www.narrcc.net/photos/main.php

Total noob here.
TIA

 

[tfinch2]

Tilde after a file extension usually signifies that it's a backup.

 

[olds]

Thanks.
I tried to just re-install the forums but I get the following message:

Fantastico is unable to connect to your MySQL server at this time. Please contact your host for assistance.

 

[SunnyD]

Sounds like a SQL attack on your account or maybe the server. Odds are they changed the username/password or something and your account can't log into SQL anymore.

 

[olds]

Originally posted by: SunnyD
Sounds like a SQL attack on your account or maybe the server. Odds are they changed the username/password or something and your account can't log into SQL anymore.

I can log into cPanel. I did and changed my password. My host (RossMAN) is in hiding.

 

[tfinch2]

Originally posted by: oldsmoboat

Originally posted by: SunnyD
Sounds like a SQL attack on your account or maybe the server. Odds are they changed the username/password or something and your account can't log into SQL anymore.

I can log into cPanel. I did and changed my password. My host (RossMAN) is in hiding.

cPanel and MySQL (I assume) have two different username/password combos, unless you set them the same. Try to log into MySQLAdmin.

 

[olds]

Originally posted by: tfinch2

Originally posted by: oldsmoboat

Originally posted by: SunnyD
Sounds like a SQL attack on your account or maybe the server. Odds are they changed the username/password or something and your account can't log into SQL anymore.

I can log into cPanel. I did and changed my password. My host (RossMAN) is in hiding.

cPanel and MySQL (I assume) have two different username/password combos, unless you set them the same. Try to log into MySQLAdmin.

I think you have to log in or restart sql from the server side. i don't have access to it.

I do have "MySQL® Databases" which i have run the repair on to no avail.
There are these "users" whatever that means:
xxxxxx_gllr1
xxxxxx_smf1 <--- forums?
xxxxxx_wcln1
xxxxxx_wrdp1

 

[olds]

phpMyAdmin - Error

#2002 - The server is not responding (or the local MySQL server's socket is not correctly configured)

 

[tfinch2]

RossMAN may be your host, but he surely isn't your sysadmin. I would contact support.

 

[olds]

Originally posted by: tfinch2
RossMAN may be your host, but he surely isn't your sysadmin. I would contact support.

He's a reseller and the account is his. I am wondering if all his accounts were hacked or just my friend's.

 

[olds]

I am just going to move the domain over to my server (didn't have it when RossMAN hosted it) and install the forums. If I can save anything from the hack, I'll try to restore it once I move it. I am downloading the pics that were on there now.

 

[olds]

Just wanted to update this thread.
I set up the site for a friend with another friend (RossMAN) hosting it.
I just got an email from Ross. He was contacted by his reseller host. The person that hacked the site was using it to send spam.
I had planned to use my reseller account to host it but I think I will let my friend take care of his domain himself. He never updated SMF and this whole problem may have been averted if he had. I did save his photos from Gallery but he can start over on the forums. I'd be worried that if we moved it over, we'd just bring the exploit with it. He's a bigger noob that I am (not saying much) and this is a good place for him to start learning.

Thanks again for the help.

 

[jjones]

Was the exploit determined to be definately through the SMF software? I'm just curious because I am considering using SMF for a forum but if it's exploitable like this then I'll have to consider other options.

 

[olds]

Originally posted by: jjones
Was the exploit determined to be definately through the SMF software? I'm just curious because I am considering using SMF for a forum but if it's exploitable like this then I'll have to consider other options.

Yes. It was a line of script in the calendar tools.

 

[jjones]

Thanks. I think in the end I'm going to write my own forum code (most likely a very heavily modified/rewritten and stripped down version of something already coded). It won't be as feature rich as some forums but keeping it simple will make security and sanitation a lot easier.