Author Topic: Just been hacked :-(  (Read 10768 times)
PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #15 on: June 20, 2002, 06:34:29 PM »

Yeah.. that works...  ;D

Once I have updated the members... will do a ickle update on the message table to point to the right memberid (after being deleted... it got reset to -1)

andrea
Global Moderator
YaBB God
*****
Posts: 4400


Peace on Earth

Re:Just been hacked :-(
« Reply #16 on: June 20, 2002, 07:13:45 PM »

Quote from: PioneeR on June 20, 2002, 06:34:29 PM
> (after being deleted... it got reset to -1)

Got reset to -1? That is strange ...

PioneeR
Re:Just been hacked :-(
« Reply #17 on: June 20, 2002, 07:16:22 PM »

yeah, it looks like when a member is deleted... whatever posts they have ever made.. the memberid on that post gets set to -1!?

Is this right??

PioneeR
Re:Just been hacked :-(
« Reply #18 on: June 20, 2002, 07:57:07 PM »

I have restored all my members from a recentish backup.

All I have to do now is update the message table with the member_ids!

I am not very good at SQL at all...

How would I go about doing this...

updating yabbse_messages/ID_MEMBER with yabbse_members/ID_MEMBER using  (when yabbse_messages/posterName = yabbse_members/memberName)

if that makes sense?

PioneeR
Re:Just been hacked :-(
« Reply #19 on: June 20, 2002, 08:20:21 PM »

This works ok... just wondered if there was a quicker way to do all members automatically!?

update yabbse_messages set ID_MEMBER=24 where posterName="admin";
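
An added example, not part of the original posts: one statement that does for every member what the single `update ... where posterName="admin"` above does by hand. It is wrapped in Python with SQLite so it runs offline on constructed rows; the table and column names are the ones PioneeR gives, and unique member names are assumed.

```python
import sqlite3

# Constructed sample data; table and column names are the ones named in the
# thread, SQLite stands in for the board's MySQL server.
SCHEMA = """
CREATE TABLE yabbse_members  (ID_MEMBER INTEGER PRIMARY KEY, memberName TEXT);
CREATE TABLE yabbse_messages (ID_MSG INTEGER PRIMARY KEY, ID_MEMBER INTEGER,
                              posterName TEXT);
INSERT INTO yabbse_members VALUES (24, 'admin'), (31, 'alice');
INSERT INTO yabbse_messages VALUES
  (1, -1, 'admin'),      -- orphaned by the member deletion
  (2, -1, 'alice'),      -- orphaned by the member deletion
  (3, -1, 'passer-by'),  -- genuine guest post, no such member
  (4, 31, 'alice');      -- already linked, must not be touched
"""

# One statement for all members: copy the ID from the member whose name equals
# posterName, but only on rows currently marked as guest (-1) and only when
# such a member exists, so real guest posts keep -1 instead of becoming NULL.
RELINK = """
UPDATE yabbse_messages
   SET ID_MEMBER = (SELECT m.ID_MEMBER FROM yabbse_members m
                     WHERE m.memberName = yabbse_messages.posterName)
 WHERE ID_MEMBER = -1
   AND EXISTS (SELECT 1 FROM yabbse_members m
                WHERE m.memberName = yabbse_messages.posterName)
"""

def relink(conn):
    """Run the update in one transaction; return (rows changed, rows still -1)."""
    with conn:  # commits on success, rolls back if the statement fails
        changed = conn.execute(RELINK).rowcount
    left = conn.execute(
        "SELECT COUNT(*) FROM yabbse_messages WHERE ID_MEMBER = -1").fetchone()[0]
    return changed, left

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    result = relink(conn)
    rows = conn.execute(
        "SELECT ID_MSG, ID_MEMBER FROM yabbse_messages ORDER BY ID_MSG").fetchall()
    return result, rows

if __name__ == "__main__":
    print(demo())
```

A guest post made under a name that matches a restored member cannot be told apart from an orphaned post and will be attributed to that member.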

PioneeR
Re:Just been hacked :-(
« Reply #20 on: June 20, 2002, 09:47:12 PM »

Have restored my board now..

What can I do to make it safer??

andrea
Re:Just been hacked :-(
« Reply #21 on: June 21, 2002, 05:52:44 AM »

Quote from: PioneeR on June 20, 2002, 09:47:12 PM
> Have restored my board now..
>
> What can I do to make it safer??

- First of all: change your passwords (probably you already did). And make sure the following 3 passwords are all *different*:
  - ftp password
  - phpmyadmin password
  - db access password (the one that is in the file "Settings.php")

  The most important thing is that the password that is written in the file "Settings.php" is *not* equal to either your ftp password or your phpMyAdmin password.
  Furthermore make sure that the passwords are hard to guess.
- backup frequently, make sure you know how to restore (db data and html data)
- check the file protections in your board, reduce them to the minimum that is required to keep the board running
- delete install files such as install.php, archive.ya, converter.php etc.
- make sure that your YaBB SE admin user password is hard to guess and again different from the passwords above. The same for other admin members in your board.
- clean the YaBB SE error log (in the admin menu) after each login failure with your YaBB SE admin user

« Last Edit: June 21, 2002, 06:44:28 AM by andrea »

andrea
Re:Just been hacked :-(
« Reply #22 on: June 21, 2002, 06:04:51 AM »

Quote from: PioneeR on June 20, 2002, 07:16:22 PM
> yeah, it looks like when a member is deleted... whatever posts they have ever made.. the memberid on that post gets set to -1!?
>
> Is this right??

Question: did you delete the "converter.php" after the installation? I believe I remember that somebody wrote that it is possible to create an admin account with that if it is not deleted. Not sure if it was referring to the installer or to the converter.

« Last Edit: June 21, 2002, 06:13:40 AM by andrea »

Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149

I'm a llama!

Re:Just been hacked :-(
« Reply #23 on: June 21, 2002, 12:16:27 PM »

Yes, when a member is deleted, their posts are assigned -1 which is a guest post.

PioneeR
Re:Just been hacked :-(
« Reply #24 on: June 21, 2002, 07:17:54 PM »

Quote from: andrea on June 21, 2002, 06:04:51 AM
> Question: did you delete the "converter.php" after the installation? I believe I remember that somebody wrote that it is possible to create an admin account with that if it is not deleted. Not sure if it was referring to the installer or to the converter.

I didn't delete it. But I 'thought' I had done a chmod on it to stop it being run. But I am not 100% sure on that.

My admin password to my board isn't a common word.. so they must have created an account somehow (or at least overwritten my admin account)

I have deleted install.php/converter.php now though.

If this is a potential way to hack into a board.. maybe a warning to others to check their yabb directory and make sure they delete the install/setup and convert files.

It's not much fun restoring... took me 5-6 hours to get my board up and running. Luckily the hacker didn't delete the posts (all 27,000 of them!).

It seems quite a few hosts don't backup mysql server that often, they rely on RAID etc.

And with the added inconvenience of a 30 second timeout on the execution of any script! I still can't backup my Message table (all others are ok though). The best I can do for the moment, is copy the Message table to another database, better than nothing.

So if you read this, please be aware of the dangers of leaving your install/setup files live on your server. Delete them now!!
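
An added example, not code from the thread or from YaBB SE: a check for the two file-level items in andrea's list and PioneeR's closing advice, leftover install files and over-permissive modes. The file names come from the thread; treating world-writable as the permission problem, and the sample tree, are assumptions made here.

```python
import os
import stat
import tempfile

# File names taken from the checklist in the thread; nothing else is matched.
INSTALL_FILES = {"install.php", "archive.ya", "converter.php"}

def audit_board(root):
    """Return sorted (relative path, issue) findings for a board directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if name.lower() in INSTALL_FILES:
                # Reported whenever the file exists, whatever its mode: under
                # mod_php a script only has to be readable by the web server,
                # so clearing the execute bit does not disable it.
                findings.append((rel, "leftover install file, delete it"))
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)

def demo():
    """Build a constructed board tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {                      # constructed sample: name -> mode
            "index.php": 0o644,
            "Settings.php": 0o666,      # holds the db password, writable by all
            "converter.php": 0o644,     # no execute bit, still present
            "install.php": 0o444,
        }
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // placeholder ?>\n")
            os.chmod(path, mode)
        return audit_board(root)

if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```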