HELP! Hacked :(

[DarkRider]

Hi Guys,

My IPS based site was recently hacked and they've made a nice mess for us to clean up by injecting .php files and editing existing .php files. By default, the datastore folder is empty in the IPS suite, so Im assuming all the php files in our install were generated over time by our community. Some of these appear to be injected but we're having a hard time picking out the needles from the actual hay. Can anyone tell me what these php files in datastore are for? For example there's one called administrators.2d044d0767.php or this one template_1_3db53200833e95cf9ba7ee49cd491e3c_trees.2d044d0767.php Are these normal? Is this data we should not keep? I could do a fresh install of the suite but I dont know how much of this datastore file needs to be cleaned/migrated.

Any help is appreciated as we've been down for 3 days already

[Colonel_mortis]

If you delete everything in the datastore it will be regenerated automatically - it's just a cache.

[DarkRider]

Brilliant thanks!

[TAMAN]

Remove everything in your ips suite directory except for the Uploads folder and conf_global.php 

also Downloads/screenshots if you have downloads addon

then download a fresh new IPS suite folder and extract the files

[.hi]

We paid for IPS 175$ and we are getting hacked by some kids. Good deal... more to come.

[MADMAN32395]

6 hours ago, .hi said:

We paid for IPS 175$ and we are getting hacked by some kids. Good deal... more to come.

What's going on? How you know theyre kids? If there's a security issue, IPS is pretty good at patching them up. 

[Ilya Hoilik]

7 hours ago, .hi said:

We paid for IPS 175$ and we are getting hacked by some kids. Good deal... more to come.

It's not possible to develop completely secured software that other people cannot get hacked. You can build as many walls as you want, but anyway someone will find a solution how to get around it. So, if you got hacked it is good time to submit a support ticket.

[GriefCode]

8 hours ago, .hi said:

We paid for IPS 175$ and we are getting hacked by some kids. Good deal... more to come.

 

1 hour ago, MADMAN32395 said:

What's going on? How you know theyre kids? If there's a security issue, IPS is pretty good at patching them up. 

 

1 hour ago, Ilya Hoilik said:

It's not possible to develop completely secured software that other people cannot get hacked. You can build as many walls as you want, but anyway someone will find a solution how to get around it. So, if you got hacked it is good time to submit a support ticket.

 

Sorry, I need to comment this, no offense but creating a support ticket is not what is the solution here.
IPS is definitly not causing a security hole that can reflect the named issues. If it would be, it would not have happen in this relation. When someone found a huge security issue on a forum would he attack a small forum? Why do not attack one of the forums that are huge under IPS. The idea of hacking is that someone want to reach something:

1. Damage anything, which happend here
2. Earn money, with blackmailing

So the issue that has happend here is, if it is self hosted, not related to IPS except that their software was modified. I do not know how they can and would be able to provide any support here, except on the backup case.

@.hi I assume it was a gaming community from your reply and your anger behind that, and i know as it best the issues behind it being constantly insecure against ddos or scriptings. But the idea of claiming its a security lack on IPS side is as stupid as posting this (no offence here).

I also think that just reinstalling it as @DarkRider is doing will not help if you really got "hacked".
f you had any selfprogrammed 3rd-party-applications you may wanna check the code against security issues, things like "exec" on consoles can mostly cause it.
I do not know why people are so naiv. These suggestions sounds like they were never ever hacked...

Make a local backup of all the data, create a fresh server installation and then install IPS based on your backups. Someone found a backdoor to your system, if he was smart enough, he can constantly access it again and this is not secure. As long as you continue using the same VPS/Container/Server or whatever you are in constant danger that someone can break into your system. As next point you should consider reading through a lot articles how to make a server secure on first hand. Not all things are required that are suggested but some are very effective. If you are unsure about that, do not hesitate to contact me and I will provide you some information when i have the free time.

If you have a good hoster he might have even backups for the Container/VPS/Server and could reset the server, but this does commonly cause a data loss.

Greetings

[Daddy]

Revert to a backup and export posts and whatever else you want to retain from the database.

[RevengeFNF]

99% of the hacks happens because of a hole in server configurations and not because of the software you are using(if its updated to the last version).

[Faqole]

Do you have a copy of the database from before the hack? If you do, you can restore it and also do a replace of your forum files with a fresh set from a copy that you can download from your Client Area. Then go thorugh your server space and look for any files that should not be there. 

You can also ask your host to check their access logs around the time of the hack and see if there is any useful info in there pertaining how the security was breached. Do you have WordPress installed by any chance? Do you have any other script running in your server besides Ipb? If you do, are you using their latest versions?