1 gjensen Mar 28, 2007 06:13
3 edb Mar 28, 2007 16:23
If conf/_config.php was hacked then the noskin file wouldn't work, so it's probably only a replaced index.php file. Maybe more though, so who can say?
You're running an extremely obsolete version. Now you've learned to not do that I hope. Especially someone selling stuff online!!! When was the last time you backed up your database? I hope it was some time recently soon! It's possible your database isn't hacked. I'd say probable because your blog seems to work via noskin, but I can't say for sure so I won't even pretend to.
You need your database and you need it clean. The files are just stuff. The database is your content. Oh and KEEP CONTROL OVER YOUR PASSWORDS AND DON'T HAVE SIMPLE PASSWORDS! Someone got your domain password and uploaded their own index.php file. Whatever else they did is not obvious from the outside, but files are now junk. Fortunately you don't need them anymore. At least, not the ones for your obsolete version of b2evolution.
Delete all the files from your server. Actually, delete all of them that b2evolution made. The only thing you need a backup of is your media directory, and the file called _config.php in your conf folder. It has your database connection info, your baseurl value, your admin email addy (not to be confused with the one in your admin profile), and a variable called "config_is_done" that starts as a 0 and needs to be a 1 when you're done configing.
Anyway delete everything else. If you see something in your media folder that doesn't seem familiar figure it's junk. Did you have a nice robots.txt file, or maybe a custom .htaccess? Did you have backup copies on your PC? Compare everything, trust nothing.
Now download 1.9.3 from the download tab above. Now unzip it. Now you can either upload everything to the server and chmod the conf/_basic_config.php file to 666 and edit it during your upgrade OR edit the file before you upload. You'll find the answers to the important values in the conf/_config.php file you backed up prior to purging your server of its junk.
Now run the installer, and yes it's the installer for an upgrade. It'll be at yourdomain.com/b2evolution/install/index.php and tell it you are upgrading. If you did not edit your _basic_config.php file prior to uploading it'll ask you for some important info. You won't be able to tell it the info if you did not chmod the file to 666 prior to running the installer. Anyway tell it you're upgrading and watch it do its thing.
OMG backup your database before you do anything about upgrading! Always have a nice fresh copy of your database backed up just in case something funky happens.
Anyway watch it do its thing and feel cool about having the latest and greatest release running your blog.
Now delete your install folder. I keep mine on my servers, but I delete all the files in it except for index.html and phpinfo.php because I like the second file and like to know where to find it.
Oh and get with your host first. Your password to your webspace has been compromised. You need to change it if you haven't already done so.
4 xangelusx Mar 28, 2007 19:07
Good post, Ed.
I'd also add: Any files uploaded by a hacker may have been chmod'd and won't be deletable by you (either via ftp or control panel access). If that's the case, contact your host and ask them to delete them for you (they have or can get root access).
Also, the replaced index page contains lots of information about the (supposed) hacker. You may want to forward a copy of it to your web host in case they want to take any action against the hack.
Finally, check your log files - they may point to a weak point of entry, or at least give you an idea of what was hacked, when it happened, and where it came from.
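The "compare everything, trust nothing" step and the point about files you cannot delete, sketched as an added example that is not part of either post or of b2evolution. It assumes shell access on the server and a known-good copy of the same files (for instance the backup on your PC); the function names and the sample trees are hypothetical.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each relative file path under root to its SHA-256."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            digest = "symlink"  # links are flagged, never followed
            if not os.path.islink(full):
                with open(full, "rb") as handle:
                    digest = hashlib.sha256(handle.read()).hexdigest()
            found[os.path.relpath(full, root)] = digest
    return found

def audit(site_root, clean_root):
    """List changed, unexpected and locked files (delete needs a writable dir)."""
    site, clean = manifest(site_root), manifest(clean_root)
    report = {"modified": [], "unknown": [], "locked": []}
    for rel in sorted(site):
        if rel not in clean:
            report["unknown"].append(rel)
        elif site[rel] != clean[rel]:
            report["modified"].append(rel)
        parent = os.stat(os.path.dirname(os.path.join(site_root, rel)))
        if parent.st_uid != os.geteuid() or not parent.st_mode & 0o200:
            report["locked"].append(rel)  # ask the host to remove these
    return report

def demo():
    """Constructed sample trees: a clean copy and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        files = {"index.php": "front page", "media/photo.jpg": "picture"}
        bad = {"index.php": "replaced", "media/extra.php": "stray"}
        for root, extra in ((clean, {}), (site, bad)):
            os.makedirs(os.path.join(root, "media"))
            for rel, body in {**files, **extra}.items():
                with open(os.path.join(root, rel), "w") as out:
                    out.write(body)
        os.chmod(os.path.join(site, "media"), 0o555)  # simulate a locked folder
        report = audit(site, clean)
        os.chmod(os.path.join(site, "media"), 0o755)  # let cleanup succeed
        return report

if __name__ == "__main__":
    print(demo())
```

Save the report alongside the replaced index.php before deleting anything, so the host gets both.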
5 edb Mar 28, 2007 19:36
Thanks for the additional info xangelusx! Being assaulted by a thousand spammers a day is nothing compared to having one hacker actually deface your blog. Good point on keeping a copy of the replacement file too.
Get your host involved in both damage control and restoration early. You've no idea what might be valuable to a professional, so save everything. It's a crime scene, so treat it that way. If you found a friend dead on the floor would you start trying to clean up yourself? Document everything you can, bring it all to your host, thank them for any help they can give, THEN bring your blog back to life.
6 gjensen Mar 30, 2007 05:00
Thank you all for all the good input, advice and assistance. The defacer put something in so I can't edit, delete files... I am working with my web host to get the files deleted so I can start over.......
You have had an unwanted visitor. Possible cause: they cracked the file ../blogs/conf/_config.php (might be _basic_conf.php) and added their own url as base url. That gets the index.php redirected to their site. Search for this line:
I am not an expert on 0.9.x so I might be totally wrong with this (disclaimer). Anyway, you should upgrade to version 1.9.3. The recent versions have a good hack and spam protection.
Good luck