Jump to content

Fatal Error following Malware Attack


Go to solution Solved by Ninja Academy,

Recommended Posts

Posted

Hello, I recently had a malware attack on my site and I believe it has caused damage to the files of my community. When attempting to load into my forum I get the following error. I highly suspect that files were damaged in the malware attack and need to be replaced, but I want to know how to do this in the safest way possible as to ensure no data loss. My site was not on the absolute latest release, and without access to the ACP I am unsure how to check what version I am running.

Quote

Fatal error: Uncaught Error: Class 'IPS\Request' not found in /home/ninjaaca/public_html/forum/system/Log/Log.php:106 Stack trace: #0 /home/ninjaaca/public_html/forum/init.php(1029): IPS\_Log::log('Error: Class 'I...', 'uncaught_except...') #1 [internal function]: IPS\IPS::exceptionHandler(Object(Error)) #2 {main} thrown in /home/ninjaaca/public_html/forum/system/Log/Log.php on line 106

I am the only developer on this community, and it is a hobby of mine that I have been running for 15 years. I don't have a web admin to turn to for help since it is just me, so any help on how to start repairing the site will be greatly appreciated.

Posted

If you are unsure whether or not the malware existed in your backup of your files or if there is a backdoor, I would recommend replacing the files for good measure. Noting the version you're on, you will need to do an upgrade though. You can perform a manual upgrade to upload files which is detailed here:

 

Posted

All backups I have were manually created. I have backups of the data from January of this year (and I made a backup after the attacks with the thought that if the database was untouched I would want to back it up before doing any attempted fixes).

I do not have recent file backups. I have a local one but it would have been many versions ago as I've done a number of updates through the ACP since then. I am worried that restoring those might cause issues with the database for a more recent version. Am I over worrying?

 

@Jim M Thank you for the reply. Since I did not know the previous version I was on will that be a problem? I believe I was holding off because my hosting provider was unable to get me on a server that could be updated to PHP 8, so I am still on PHP 7.2 if that is relevant for this process. It looks like there is a compatibility checker that would handle this? 

It also looks like I can do all of this with a test installation. If my forum is at .../forum could I simply install at a .../forum_dev directory to test and move it if it works? Or would it be more prudent to move the old one to a .../forum2 and then install at .../forum ? Thank you in advance for the help.

Posted
4 minutes ago, Ninja Academy said:

That is what I was afraid of, I will see if I can get that resolved first then and return here once I have sorted that out. Thank you.

Try turning on a lower PHP version - it might not be an external attack, but the wrong PHP version for you.

Posted
10 minutes ago, Adlago said:

Try turning on a lower PHP version - it might not be an external attack, but the wrong PHP version for you.

He is running 4.7.3, it is compatible with PHP 7.2 and 8

Posted
4 minutes ago, Jim M said:

He is running 4.7.3, it is compatible with PHP 7.2 and 8

In this topic, the author reports that he does not know of a previous version. I.e. the fact that he is now with PHP 7.2 does not mean that he is using 4.7.3 - but that this is the version of PHP that is active on his server.
Where did you read that the author uses ips 4.7.3?

Posted

I do not know how to confirm what version of invision I was running now that I am getting the error in my first post and cannot access the forum or the ACP. Is there a way to find the version number in the files on the server?

Follow up to that, if I do find out what version I was on is there a place to download previous versions and try and install the one I previously had?

(I am still going to work with my provider to get php 8 in the meantime so that I can upgrade to the latest eventually)

Posted (edited)
1 hour ago, Ninja Academy said:

I highly suspect that files were damaged in the malware attack and need to be replaced, but I want to know how to do this in the safest way possible as to ensure no data loss.

The data, i..e the posts, topics, members etc of that nature are not stored in the files but in the database. So replacing/overwritting the forum files will not result in loss of that data. However, if you have done manual edits to the files, they will be gone.  You might want to make a backup of the edited files, if any.

45 minutes ago, Ninja Academy said:

All backups I have were manually created. I have backups of the data from January of this year (and I made a backup after the attacks with the thought that if the database was untouched I would want to back it up before doing any attempted fixes).

Maybe you lucked out and the database was not damaged or infected. In that case no database restoration is needed imo. A simple overwrite of your forum files will do as that will clean out any forum files that might have been infected.

45 minutes ago, Ninja Academy said:

I am worried that restoring those might cause issues with the database for a more recent version. Am I over worrying?

You are right to worry. The forum files should match those of the database version. In your case, after you sort out the php version, you can upgrade your forum to the latest version. The forum files backup that you have from last January, are they of the same version of the forum that you are currently running? If they are, you can use them to overwrite your main forum files and see how it will go. If the database has been damaged, you will need to revert to a previous backup as already mentioned above.

Who is your host? You can ask them if they have more recent backups. Most hosts make regular backups. Also, you might want to inform them about the attack on your forum so they can check the logs on their end and see what really happened and how it did happen. That will help in patching up the point of entry to prevent further attacks.

Last but certainly not least, a very thorough checkup of your server space is in order imo to make sure that there are no backdoors left behind by the hackers. Hope it helps. 

Edited by Miss_B
Posted

@Miss_B Thank you! I see some of my assumptions were right. As of now I am (as much as one can be) certain that my site is secure and clear of malware. Before coming here I went through a many day process with a third party professional and my hosting provider (Site5) to ensure that the malware was cleared out and all my access points were updated. 

What that means, is now I have a secured server, but with a bunch of holes blown in it from the malware passing through. The malware itself seemed to be overwriting php files. For instance, outside of my forum it was replacing the index.php and about.php in my main directory. It seemed to have crawled through the forum and done the same. So right now, I HOPE that I just need to repair the installation to solve the problem. 

The hurdles in front of me are two fold and represent two paths forward as I understand after everyone's helpful advice here.

  1. Option A: Get my hosting provider to help me get the necessary upgrades so that I can run PHP 8 and eventually upgrade my suite to the latest version with a manual install, hopefully repairing the installation in the process.
  2. Option B: Find out what version I was running (and thus my database would be compatible with) and install that version manually to repair the files.

Option A is the cleanest, but honestly Site5 has not been very good to me over time (they bought out my previous hosting service and they were not an upgrade). I may need to move to a new hosting provider before I can get PHP 8 based on the service I have gotten from them thus far. Option B, if it would work, I think would get me to a solution faster for my community.

Posted (edited)
19 minutes ago, Ninja Academy said:

What that means, is now I have a secured server, but with a bunch of holes blown in it from the malware passing through. The malware itself seemed to be overwriting php files. For instance, outside of my forum it was replacing the index.php and about.php in my main directory. It seemed to have crawled through the forum and done the same. So right now, I HOPE that I just need to repair the installation to solve the problem. 

Hence why a thorough checkup of your server space for any backdoors is very important imo. But the most important thing is to identify the point of entry and patch it up a.s.a.p.

19 minutes ago, Ninja Academy said:

Option A: Get my hosting provider to help me get the necessary upgrades so that I can run PHP 8 and eventually upgrade my suite to the latest version with a manual install, hopefully repairing the installation in the process.

Personally I would recommend Option A. From a security point of view, imo it is best to always run the latest versions of whatever software that you are running on your server space. The same goes for the php version as well.

19 minutes ago, Ninja Academy said:

Option B: Find out what version I was running (and thus my database would be compatible with) and install that version manually to repair the files.

This can be your backup option. If the database is not damaged, all you have to do is overwrite your forum files with those from the backup that you have, providing that they are both of the same version.

19 minutes ago, Ninja Academy said:

Option A is the cleanest, but honestly Site5 has not been very good to me over time (they bought out my previous hosting service and they were not an upgrade). I may need to move to a new hosting provider before I can get PHP 8 based on the service I have gotten from them thus far. Option B, if it would work, I think would get me to a solution faster for my community.

Invision does offer hosting services too, the cloud. You might want to look into that. They do provide super excellent service and if you move to the cloud, things like hacking and other issues will be a thing of the past. 

Edited by Miss_B
Posted
27 minutes ago, Ninja Academy said:

Is there a way to find the version number in the files on the server?

You are running 4.7.3 as mentioned in my post. This has been confirmed by the files on your server 🙂.

38 minutes ago, Adlago said:

In this topic, the author reports that he does not know of a previous version. I.e. the fact that he is now with PHP 7.2 does not mean that he is using 4.7.3 - but that this is the version of PHP that is active on his server.
Where did you read that the author uses ips 4.7.3?

Apologies, this was a statement, not an attempt to correct you. 

Posted
16 minutes ago, Ninja Academy said:

Option B: Find out what version I was running (and thus my database would be compatible with) and install that version manually to repair the files.

You can always check out a version like:

Open this database table with phpMyadmin
`core_applications`
In the app_version column you will see which version ips you are using

  • Solution
Posted

Hello all, I just wanted to report back that I have swapped hosting services and now have php 8, and while I am still waiting for DNS to propagate I have been able to update to 4.7.13 and everything seems to be fixed! I appreciate all the help, thank you again for the support!

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...