Our site was hacked


We have a site hosted with Dreamhost. We run a fairly popular forum that got hacked yesterday. When users go to it there is a bunch of pop ups, redirects, etc… I notified Dreamhost and during my investigating I found several of the files that were uploaded, a phpremoteview file, and other items. I had an intrusion expert take a look at all the files I found and he said the server was compromised and the hacker has elevated permission to the server and it should be taken offline ASAP. I got a response 20 hours later from Dreamhost and they are “looking into it”.
I believe the server is rexford, so if you are on it I would be safe.
Waiting on an update from Dreamhost


I’m sorry to hear about your site.

Any additional information you can provide about exactly what you found would be helpful.

What does he mean “server was compromised”? Are you saying someone logged into the server with your credentials, or that someone who should not have had permission to write files to your directories wrote files to your directories?

What did he mean by “elevated permission”? What permissions did you have set on your files/directories?

Have you used the “last” command to inspect your user’s recent login activity?

What forum software, and what version of that software, were you running?



This message implies that the entire server was compromised, which I would find astounding. I can’t ever recall an incident where root access on a server here was breached.

I more suspect that it was just the account, which happens relatively frequently around here. Let us know how it pans out.



Thank you for the reply. Sorry for the vagueness of the post, I’m a techie but this stuff is a little beyond my skill set.
The forum is Invision Power Board V 1.2 RC1, we were set to upgrade this weekend to the newest paid version, of course right.

Once I was notified there was an issue we locked the site, and as of right now passwords are changed and the site files are renamed so our users do not attempt to access it. When they were going there they were getting pop ups and their anti-virus was alerting them of trojans.

I looked through all the files and I found that the hacker had uploaded files to the archive_in directory on the server. These files were:
Then in the /html/emoticons/ directory there was a file called ACP_Delete.php

When I had a look through them it contained strange character sets, or it was in a different language. It listed all sorts of commands this person must have been able to invoke when they wanted to. If I called the file acp_delete.php in my browser it opened phpremoteview and I could see all the folders on the server and the permissions that it said I had were root level, WRX.
That is where I stopped and had a friend of mine who does security consulting take a look. He sent me an email saying he feels the server had been compromised because of some commands he was able to run… sorry, again it is a little above me, I just know it is not good.

Do you think DH would be so kind to send me a backup from a few days ago of my site and database?

I know, stupid for not doing them myself. I stink…


I would think so too, this is just what he told me when I showed him everything… I hope it is just the site and not the server. I just don’t know what to do now. I created a new folder and installed the same forum software and imported the database just to test and see if the database was where all the bad stuff was and when I did that the same pop ups and viruses happened. I could see the sites at the bottom of Firefox trying to pop up. I since deleted and removed the database again. I have the new forum software ready to go, IPB newest version available.

I’m bummed…


What am I looking for when I run the last command?


See here for access to backups you can access:

And for database backups:
Can’t find the Wiki entry, but you can Restore DB from the Panel under Goodies -> Manage MySQL. Mine shows daily backups for the last 5 days.



Was that a typo, or is that actually the version you were running?

You should be able to obtain those yourself from your snapshot directories, but I wouldn’t do that and put the site back up till you have determined the attack vector that was used. :wink:



The ‘last’ command shows all the latest logins and may show you when unauthorized people logged into your account. You can type:

last | grep nepcw (or whatever your login name is)

And this will show you all the shell logins, though possibly not FTP logins. You may see logins from times you knew you weren’t logged in. I usually don’t bother, as it’s obvious you were hacked. Change your passwords and then dig up a good restore and try to find out how they got in in the meantime.

Edit: Certainly there’s no real harm in scanning the lastlog, but it might not give you an accurate picture of what actually happened. However, it may provide some indication of one vector of the attack.
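The `last | grep` check above can be taken one step further: instead of eyeballing every line for your login name, filter out the hosts you know you connect from and see only what is left. This is an added example, not code from the thread or from Dreamhost; the `nepcw` login name is the one used above, the `last` output is constructed sample data, and the IP addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of `last` output (placeholder addresses, not data from
# the thread). In practice feed the function with: last | unexpected_logins ...
SAMPLE_LAST='nepcw    pts/0        203.0.113.45     Tue Mar  4 02:13   still logged in
nepcw    pts/1        198.51.100.7     Mon Mar  3 21:40 - 22:05  (00:25)
root     pts/2        192.0.2.10       Mon Mar  3 10:00 - 10:30  (00:30)
nepcw    pts/0        198.51.100.7     Sun Mar  2 09:12 - 09:50  (00:38)
nepcw    pts/3        203.0.113.45     Sat Mar  1 03:02 - 03:40  (00:38)

wtmp begins Sat Mar  1 00:00:01 2008'

# Print the login records of user $1 (stdin is `last` output) whose source
# host (third column) is not in the space-separated allowlist $2.
# Caveat: console logins without a host column shift the fields, so compare
# against the raw output if you also log in locally; FTP logins do not
# appear in wtmp at all, as noted above.
unexpected_logins() {
    user="$1"; allowed="$2"
    awk -v user="$user" -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user && NF >= 3 && !($3 in ok) { print }
    '
}

# Count how many distinct unexpected source hosts logged in as user $1,
# using the constructed sample above.
count_unexpected_hosts() {
    printf '%s\n' "$SAMPLE_LAST" | unexpected_logins "$1" "$2" \
        | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Example run against the sample: logins as nepcw not from the home address.
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins nepcw '198.51.100.7'
```

Anything printed is a session you did not open from a place you recognise, which is the timestamp and host to hand Dreamhost support along with the uploaded files.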



Ha! I finally beat rlparker to a reply! Do I win a prize, or just the adulation of the forum community?



Ha ha ha! Scott, you have always had my adulation! :slight_smile:

What kind of a prize would you like?



I’d like to be promoted to DreamMaster. Is there some place that explains the ranking levels?



As far as I know, there is only this previous post by mattail, which was an “update” of one from years ago. :wink:

It looks like you will be a “DreamMaster” pretty soon!