Hack of the web site (31th May 2019)

Started by Stefan1200, June 01, 2019, 05:18:10 PM

Previous topic - Next topic

Stefan1200

Yesterday evening at 22:20 o'clock (CEST) my web site was hacked (even with an up to date web server and forum software). Today afternoon a forum user notified me, that my web site is down. I started analyzing the reason for this.

I found many manipulated PHP files (mostly advertising should be displayed while visiting the web site). But the manipulation created invalid PHP code, so in most cases the web server never delivered the web site.

First I changed the passwords for FTP and Database accounts. Then I restored a backup of all files from Thursday to Friday night, all manipulated files was overwritten by doing this. The database was not changed after comparing with an older backup. Forum posts are not lost, everything is back.

Only PHP files of my forum was changed. Currently I can only imagine two ways how my web site got attacked: My FTP password was known and used or an unknown security issue in my forum software was used. If my FTP account was used for the attack, my password is changed now.

I don't know, if any information was read from the database. If this was done, so user passwords are not in immediately danger, because they are saved hashed and salted in the database. But it could be possible that the attacker now has your mail address or JTS3ServerMod licence key. If you see an unknown IP address in the Licence Management, so send me a mail as soon as possible.

The licence system of the JTS3ServerMod was not manipulated, so there was only a downtime of around 2 minutes after changing the database password.

Contact me for further questions.