OptimusBain Posted May 20, 2023 Posted May 20, 2023 Hello, My commnity has been working perfectly well for a long time. I'm running the latest IPS version. All was working fine, but suddenly I've started to receive messages from members telling me that they cannot create any new topics, with or without attachments. Everyone is getting error 500 when the SUBMIT TOPIC button is clicked. I've not updated anything in my server for a long time and I've not installed a plugin/app for a long time as well. It just started to happen a few hours ago. I learned about it because a few members reported this issue. I've tried as an administrator and other users groups, it's a general thing. No new topic can be submitted. What could be the issue? I am lost 😞 I need your help. Thanks a lot.
Jim M Posted May 21, 2023 Posted May 21, 2023 A 500 Internal Server Error is very much like your check engine light. It says something is wrong but not exactly what or where. You will want to check your server error logs for further information. If you are unsure how to obtain this, please contact your hosting provider.
OptimusBain Posted May 21, 2023 Author Posted May 21, 2023 1 minute ago, Jim M said: A 500 Internal Server Error is very much like your check engine light. It says something is wrong but not exactly what or where. You will want to check your server error logs for further information. If you are unsure how to obtain this, please contact your hosting provider. Jim, It seems that my community has been hacked. A programmer I work with told me that it's been hacked. I am running the latest IPS version, and still, it seems that "someone" managed to introduce an exploit file uploaded in changepostdate plugin file. The programmer renamed that plugin, and now I can post new topics again. How can I make sure the community is protected? How do I know what happened and how?
Jim M Posted May 21, 2023 Posted May 21, 2023 Please ensure you change all your administrator accounts for your community, hosting, FTP, etc... immediately. The best recommendation afterwards would be to contact your hosting provider to see how they did this. Unless you uploaded the exploited file through an untrusted source, they likely gained access through your hosting panel, FTP, etc...
OptimusBain Posted May 22, 2023 Author Posted May 22, 2023 On 5/21/2023 at 8:44 AM, Jim M said: Please ensure you change all your administrator accounts for your community, hosting, FTP, etc... immediately. The best recommendation afterwards would be to contact your hosting provider to see how they did this. Unless you uploaded the exploited file through an untrusted source, they likely gained access through your hosting panel, FTP, etc... I've made those changes already. I am trying to learn what happened. Sometimes, when I refresh the community I will get an error (error loading) and at others, I am getting this URL loaded 😞 😞 😞 crazy! Is there a way to detect where that URL is coming from and from which file it's being injected? What could be causing this to happen? Where should I start looking?
Jim M Posted May 22, 2023 Posted May 22, 2023 4 hours ago, OptimusBain said: I've made those changes already. I am trying to learn what happened. Sometimes, when I refresh the community I will get an error (error loading) and at others, I am getting this URL loaded 😞 😞 😞 crazy! Is there a way to detect where that URL is coming from and from which file it's being injected? What could be causing this to happen? Where should I start looking? I would suggest disabling all third party applications and plugins then uploading a fresh set of files from our Client Area. Unfortunately, we would not be able to assist or know where things are being loaded from third party plugins.
Adlago Posted May 22, 2023 Posted May 22, 2023 4 hours ago, OptimusBain said: 've made those changes already. I am trying to learn what happened. Sometimes, when I refresh the community I will get an error (error loading) and at others, I am getting this URL loaded 😞 😞 😞 crazy! Is there a way to detect where that URL is coming from and from which file it's being injected? What could be causing this to happen? Where should I start looking? It might be a good idea to check your site for viruses, for example with this online tool https://online.drweb.com/result2/ And also check your site security https://securityheaders.com OptimusBain 1
OptimusBain Posted May 23, 2023 Author Posted May 23, 2023 On 5/22/2023 at 9:28 PM, Jim M said: I would suggest disabling all third party applications and plugins then uploading a fresh set of files from our Client Area. Unfortunately, we would not be able to assist or know where things are being loaded from third party plugins. That's the first thing I did, disabling everything, and I overwrote all the files which I downloaded from IPS. Again many files have been infected :( :( I've changed all passwords in CPANEL, the community, FTP. But all index.php files get infected :( Is it normal to see these files in the uploads folder? My webmaster told me it's not normal to have the uploads folder used that way to host images, CSS, and javascript. There is even an index.php file there which gets infected. This is what I see in my uploads folder.
Marc Posted May 24, 2023 Posted May 24, 2023 9 hours ago, OptimusBain said: Again many files have been infected 😞 😞 Could I ask how it is you are determining this? 9 hours ago, OptimusBain said: Is it normal to see these files in the uploads folder? My webmaster told me it's not normal to have the uploads folder used that way to host images, CSS, and javascript. There is even an index.php file there which gets infected. Your hosting company is incorrect. The uploads folder does indeed contain the javascript, CSS and images by default
Recommended Posts