help needed. site was hacked bad today.

New Member Joined: Apr 10, 2005 Posts: 16

A site I am an admin/mod at was hacked terrible today. Basically what happened is someone got in through a backdoor exploit.

/admin disabled - admin pw's changed (they aren't changing pw's to hack the site - they are using our own pw's moments after they are changed). downloads; reviews; links directories and all other 'portal' directories are disabled, and they are still walking in the back door.

As we were trying to ban IP's etc. The person was still posting under our names, changing titles, getting into the private forums etc.
Is there anything we can do to stop him?
Even after everything was shut down he was still in.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

PM me your
Site url, godadminid/pass
FTP url, id/pass
cPanel url, id/pass
phpMyAdmin url, id/pass

or email to raven (*at*) ravenphpscripts (*dot*) com

Posted: Sun Apr 10, 2005 9:35 pm

will do. Thank you very much for answering.

Posted: Sun Apr 10, 2005 10:03 pm

To verify that they are hacking in through nuke or some other way, add this to your nuke root .htaccess file

Code:

<Files .staccess>


  deny from all


</Files>





<Files admin.php>


   <Limit GET POST PUT>


      require valid-user


   </Limit>


   AuthName "Restricted by NukeSentinel(tm)"


   AuthType Basic


   AuthUserFile /home/your_account_name/public_html/.staccess


</Files>

Then create an empty .staccess file and load it into the same folder as your .htaccess. Then see if they still get in. You will not be able to get to your admin panel until we set the .staccess file up, but that will tell us what we need to know. Also, make sure that you delete any admin records out of the authors table using phpmyadmin which don't belong there.

Posted: Sun Apr 10, 2005 10:41 pm

Thank you.

Posted: Sun Apr 10, 2005 10:56 pm

See also this new article [ Only registered users can see links on this board! Get registered or login! ]