Welcome, Guest. Please Login or Register.
November 22, 2024, 02:36:33 AM
Home Help Search Log in Register
News: If you are still using YaBB SE, please consider upgrading to SMF as soon as possible.

YaBB SE Community  |  English User Help  |  English Help  |  Just been hacked :-( « previous next »
Pages: [1] 2 Reply Ignore Print
Author Topic: Just been hacked :-(  (Read 10769 times)
PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Just been hacked :-(
« on: June 20, 2002, 12:43:10 PM »
Reply with quote

I wonder if someone could help.

My board has just been hacked, they logged on as admin and it looks like just deleted all the member info.

I have been in to have a look via PHPADMIN.. everything else seems to be there (apart from member/ims)

The member table still has data in it (I assume it will do until optimize or something similar is run).

My question is.. is it possible to UNDELETE or ROLLBACK a MYSQL database??

All my posts seem to be intact.. I do have a back up of the database (about a week old though :-( )

Any suggestions?? Best way to get me up and running?

Any help or pointers very grateful..

Thanks

Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Just been hacked :-(
« Reply #1 on: June 20, 2002, 12:45:48 PM »
Reply with quote

First...you should find out WHAT was hacked and HOW. SE still has yet to be hacked so you want to find out how they got admin access. Did they get into phpmyadmin or something similar and change themselves to admin etc? Do you have access to server logs? No there is no way to rollback mySQL, you're best to restore the database.

Now, have you logged in via phpmyadmin and seen if the tables are there? Are they locked?
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #2 on: June 20, 2002, 01:07:57 PM »
Reply with quote

I am just waiting for the info from the server people..

But from what i gather.. they got hold of the admin password (when I phpadmin'ed into the database.. I can see the logs).. they changed the password to "itsmeagain"

They then deleted all the members (which I assume zaps the instant messages too).

They didnt get into phpadmin.. otherwise that would have been zapped too.

Because the admin password was the same as the ftp password.. they ftp'ed  in.. and then deleted all the website too.

Will I be able to just restore my member table????

Thanks for any help/info...


Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Just been hacked :-(
« Reply #3 on: June 20, 2002, 01:19:10 PM »
Reply with quote

Um, what did they change the password for? Like itsmeagain, what was that for? it's encrypted in the database for YaBB...
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #4 on: June 20, 2002, 01:30:52 PM »
Reply with quote

I think they changed it to something like "itsmeagain" because that was in the error log..

they tried to log on as admin with the password itsmeagain (which was wrong hence the entry in the error log)...

Then must have got in and zapped the members... because after, the error log is full of "member doesnt exist"

Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Just been hacked :-(
« Reply #5 on: June 20, 2002, 01:36:11 PM »
Reply with quote

So in the forum error log there are lots of failed guesses at the admin password?
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #6 on: June 20, 2002, 02:46:07 PM »
Reply with quote

There are 3 errors where that hacker has not been logged on as admin - reporting not allowed access to this area..

then 5 or 6 password errors... non of the guesses are close the original password.. all "itsme420" "itsmeagain"

so it looks like they have gained access then when they came back forgot the password!?

you are very welcome to have a look at my phpadmin if you have time?! maybe you could throw some light on this?

is this possible...

could i somehow generate a new member table using the message table?? even if it just sets up the username and password.. would be a start?

Logged
Jeff Lewis
Global Moderator
YaBB God
*****
Posts: 10149


I'm a llama!

WWW
Re:Just been hacked :-(
« Reply #7 on: June 20, 2002, 02:54:39 PM »
Reply with quote

Well you should grep your log files to find out exactly what happened. It seems like they didn't hack in but got a guessed password somewhere.

Also, I'm not a good candidate to look through logs, I'm very unfamiliar with them :)

As for your member table, you could just restore it but since some of the newer topics and messages are still there, you may have some problems with them being changed to guest.
Logged

andrea
Global Moderator
YaBB God
*****
Posts: 4400


Peace on Earth

WWW
Re:Just been hacked :-(
« Reply #8 on: June 20, 2002, 03:18:42 PM »
Reply with quote

Quote from: PioneeR on June 20, 2002, 02:46:07 PMcould i somehow generate a new member table using the message table?? even if it just sets up the username and password.. would be a start?
Do you have a db dump? If yes you can edit with a text editor and copy the members table dump to a new sql file. You can then import this member dump only file. By this you would have a correct member table.
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #9 on: June 20, 2002, 03:40:05 PM »
Reply with quote

I have a complete dump of the database from a week ago.

I was planning restore the member table from my backup ... then change the member_id on the message table to match that on the member table.

Does that sound possible??

The only problem I would have are those users that had joined since my backup but not posted.

I would really like to keep the posts if possible!
Logged
PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #10 on: June 20, 2002, 05:34:57 PM »
Reply with quote

This is a snip from the backup i have.. how do i re add these entries into my members table?? I do have access to phpadmin..



YSE SET TABLE yabbse_members

'1','zippy','zippy','encrytedpassword','emailaccount','1011798960','I luv da Levs','Levellers','','0000-00-00','','','','','','','1','','','0','0','blank.gif',NULL,'0','0','1022670998','0','1','','','1','1','','194.117.133.180','','','',''
'2','zanne','zanne','encryptedpassword','emailaccount','1011545711','I love YaBB 1G - SP1!','','','0000-00-00','Dutch levellers site','','','','','','1',NULL,'','0','0','blank.gif',NULL,'0','0',NULL,'0','6',NULL,NULL,'1','1',NULL,NULL,'','','',''

Logged
andrea
Global Moderator
YaBB God
*****
Posts: 4400


Peace on Earth

WWW
Re:Just been hacked :-(
« Reply #11 on: June 20, 2002, 05:54:10 PM »
Reply with quote

How did you create this backup? Does not look like a database dump made with phpMyAdmin. In my phpMyAdmin backup the members data look like this:

INSERT INTO yabbse_members VALUES (1, 'aleinad', 'Aleinad', 'xxxxxxxxxxxxx', '[email protected]', 1003442680, '', '', 'Female', '0000-00-00', '', '', '8074 Zürich', '', '', '', 1, NULL, 'DS', 0, '0', 'smiley.gif', NULL, 1, 0, 0, NULL, NULL, NULL, 0, 0, NULL, NULL, '', '');
INSERT INTO yabbse_members VALUES (2, 'adriana', 'adriana', 'ad2*******', '[email protected]', 997820630, '', 'Mailingliste', 'Female', '2001-12-30', '', '', '', '', '', '', 1, NULL, 'Adriana', 0, '0', 'blank.gif', NULL, 1, 0, 0, NULL, NULL, NULL, 0, 0, NULL, NULL, '', '');


I miss the "INSERT INTO" statement in your backup excerpt.
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #12 on: June 20, 2002, 06:03:19 PM »
Reply with quote

I remember now. Used the backup script on here..

YaBB SE Backup/Restore System
Version 1.0.0 BETA

looks like I the data i have is nearly what I need to just do an insert with phpadmin

Just need to add INSERT INTO yabbse_members VALUE( to the start .. and add ); to the end of the line....

does this down as if it may work??

Logged
andrea
Global Moderator
YaBB God
*****
Posts: 4400


Peace on Earth

WWW
Re:Just been hacked :-(
« Reply #13 on: June 20, 2002, 06:18:39 PM »
Reply with quote

Yes, this might work. You could try with one member.
Logged

PioneeR
Llama Hunter
YaBB God
*****
Posts: 767


Re:Just been hacked :-(
« Reply #14 on: June 20, 2002, 06:24:53 PM »
Reply with quote

It cant get any worse i suppose  ;D
Logged
Pages: [1] 2 Reply Ignore Print 
YaBB SE Community  |  English User Help  |  English Help  |  Just been hacked :-( « previous - next »
 


Powered by MySQL Powered by PHP YaBB SE Community | Powered by YaBB SE
© 2001-2003, YaBB SE Dev Team. All Rights Reserved.
SMF 2.1.4 © 2023, Simple Machines
Valid XHTML 1.0! Valid CSS

Page created in 0.042 seconds with 20 queries.