IMMEDIATE HELP needed (like, right NOW) restoring hacked site 3/8/12 6:45pm

Permalink
Hi, my client's site was hacked, inserted sql code into all php files. My background is graphic design, html & css, this is out of my range of expertise.

My client's site is down and needs to be back up right away. (Yesterday a targeted email went out to 15000 people referring to an upcoming event, this down time is probably costing her thousands.)

This happened a couple of weeks back but the guy who helped me restore it is out of town until next week.

What I've done so far... deleted the entire site, re-installed the original version of C5 that I installed last year 5.4.1.1. I restored the database to a version that was backed up about 5.5 days ago, (Saturday, when I last logged into the site & it was still good.) I went to the page to enter the database name & it says that c5 requires an empty database to install in. So, I've exported the database. Thought I'd delete it and then create a new one with the same exact name, install c5, then import into the database. However, whenever I create a new database I have to use a different name, it won't let me create one with the same name.

I don't know what else to do.

Can someone help.

I can pay.

TammyM
View Replies:
tallacman replied on at Permalink Reply
tallacman
whats the url? who's the hosting company?
DrStalker replied on at Permalink Reply
It sounds like you need to recreate the /config/site.php file... this is just a list of definitions so you should be able to quickly tell if you can reuse the one from the hacked site:

<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'c5_dbuser');
define('DB_PASSWORD', 'reallystrongpassword');
define('DB_DATABASE', 'doug_c5_mysite');
define('PASSWORD_SALT', 'long string of characters');


Going from memory if that file is in place and defines the DB connection then C5 will assume it is already installed.

You might also have issues with themes, templates and customizations that are not part of the default C5 installation as well as the contents of the /files directory for uploaded images etc... this depends how much customization you have done. Do you have a good backup of the files that make up the sites?


Above all, if you restore the site perfectly it has a good chance of being hacked again using the same method... if this was a poorly chosen admin password that is easy to fix but there are many other ways it could have happened, especially if you had custom PHP code on the site that could have been exploited.

[edit]
> This happened a couple of weeks back
This definitely sounds like there is a security hole you need to fix, rather than just getting the site restored even if that is your short-term goal.
xaritas replied on at Permalink Reply
Before you deleted the site, did you happen to make a back up? If so you can probably just copy the config/site.php from the old site into the new site. If you didn't make a backup, well... now you have two problems.

If restoring site.php doesn't work, please post that here.

I assume you are on Dreamhost. It appears that a large number of their shared hosts have been rooted. So, this will keep happening until they fix the vulnerability, even if you get the site back up today. You should probably create a static 'down for maintenance' page with your essential event details.
TammyM replied on at Permalink Reply
TammyM
Thanks so much everyone.

Unfortunately the clean back-up of the site is with my developer, who is out of town. I was able to recreate the site.php file last night, which worked.

Next step, getting all of the addons, etc. in place, along with their customization. Then I was going to update the site to the most current version.

We were using wordpress for an event registration plugin, which is where I'm thinking the breech may have been.

But xaritas is correct, I'm on dreamhost. Do you recommend that I switch hosts?

Meanwhile, I'm going to take your suggestion, put up a page and wait for my developer with the clean code.

Thanks,
Tammy

p.s. I'm monitoring this post but it doesn't seem to be sending me emails.
xaritas replied on at Permalink Reply
Well, they had a huge breach a few months ago and evidently they didn't get it completely cleaned out. I'm not really in a charitable mood towards them.

If you don't want to go through the hassle of moving, I'm 99% certain that if you upgrade your service to VPS, you won't have these problems. They will do the migration and everything for you.

Also, just my opinion, but you should work with your dev to have your website in version control, and then have your dev teach you how to use it.
tciweb replied on at Permalink Reply
@xaritas, what is the version control thing your talking about?
mdzoidberg replied on at Permalink Reply
mdzoidberg
Anything like;

Subversion -http://subversion.apache.org/
Git -http://git-scm.com/
GitHub -http://github.com/
Bazaar (my favorite)http://bazaar-vcs.org/
TammyM replied on at Permalink Reply
TammyM
Thanks again for the feedback and recommendations. Deeply appreciated.