Hacked again :(

hi

Ok, someone has kindly accessed my Dolphin admin and changed my passwords yet again. This happened on Dolphin 7.09 and I had to delete my entire Dolphin to gain control again. I do not wish to have to do this again on Dolphin 7.1; I have put effort into modifying this template, which is hard to modify as it is. I have also forked out money to buy modules and I have difficulty installing them :(

Is there a way to change my password at the back end in file manager? A file I can change? Because this is getting ridiculous, to be honest. I managed to stop the spammers joining and they do this instead, what's the point?

I have tried to use the 'forgot password' function but it says email not recognized or something to that effect.

Any help would be greatly appreciated.

Quote · 6 Feb 2013

This will tell you how to do it.

http://www.boonex.com/forums/topic/Reset-Admin-Password.htm

https://www.deanbassett.com
Quote · 6 Feb 2013

I've tried to do that, but it's not working. I'm not even sure I'm doing it right. I put

UPDATE `Profiles` SET `Salt` = CONV(FLOOR(RAND()*99999999999999), 10, 36) WHERE `ID`='1';

UPDATE `Profiles` SET `Password` = SHA1(CONCAT(md5('New Admin Password'), `Salt`)) WHERE `ID`='1';

 

into 'submit query'

it asks for 'You have to choose at least one column to display'

what does that mean? one column of what? i tried to click submit but it does nothing :(  i'm not able to do this

Quote · 6 Feb 2013

When you go into phpMyAdmin, use the SQL tab at the top, not the QUERY tab.

https://www.deanbassett.com
Quote · 6 Feb 2013

UPDATE `Profiles` SET `Salt` = CONV(FLOOR(RAND()*99999999999999), 10, 36) WHERE `ID`='1';# MySQL returned an empty result set (i.e. zero rows).

# MySQL returned an empty result set (i.e. zero rows).

 

UPDATE `Profiles` SET `Password` = SHA1(CONCAT(md5('my new password'), `Salt`)) WHERE `ID`='1';# MySQL returned an empty result set (i.e. zero rows).

 

Still not working. I also noticed my .htaccess file is missing from cache. Is that meant to be missing?

Quote · 6 Feb 2013

Also, I had some sample accounts I used to check my site from the other side and they have been deleted; the ones that are left have had their details changed. This isn't a very secure platform is it? My site is only tiny, I lost all my members last time this happened. Not sure why someone would find this funny to do, but it seems pointless putting hard work into a site, buying modules etc. for this to keep happening.

Quote · 6 Feb 2013

It has never happened to me, and I have never heard of anyone else having problems.

You are either careless with your passwords, which should be changed every time you provide access to anyone you let work on your site, or your password is too easy and someone is guessing it.

The SQL queries would only fail if the ID of 1, which is normally the admin account ID, has been removed and is no longer there.

You need to find the proper ID to use. Look for the admin account in the Profiles table to find out the proper ID number for it. That number 1 in the query is meant to be replaced with the proper ID number.

https://www.deanbassett.com
Quote · 6 Feb 2013

Once you get control, install this app; it's free. There are ways around this app but it will help stop hackers from accessing your website/administration page.

http://www.boonex.com/m/admin-protection

Quote · 6 Feb 2013

I've looked in the Profiles table, the admin profile is not there... just a few spam accounts all with the same profile tags. Is there a way to remake the admin account?

Quote · 6 Feb 2013

I agree this is most likely the case ... it's rare that a site would be hacked unless it holds something of value to the hackers ...

I would suggest making 'strong' passwords consisting of characters, numbers and symbols ... This will make any hack attempts 100% more difficult when trying to achieve access

 

You are either careless with your passwords, which should be changed every time you provide access to anyone you let work on your site, or your password is too easy and someone is guessing it.

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 6 Feb 2013

And I have never given out this password, and I also made it very difficult to guess, with letters and numbers.

Quote · 6 Feb 2013

I have never given out my password, ever. Because some hoon thinks it's ok to do this is not my fault. Is it possible to remake the admin account, because it seems it is this that has been deleted? Could someone have gone in through my file manager and deleted it from the Profiles table and done it that way?? Can it be re-made?

Quote · 6 Feb 2013

I have set up my cpanel to do daily backups - if you have a backup of your database, you can just recover using that, I would think.

caredesign.net
Quote · 6 Feb 2013

Other than restoring a backup as already mentioned, you can't recreate the original admin account but you can create a new one.

If you have another user account then edit it in the database Profiles table. Change the value in the Role field from 1 to 3.

Or register a new account from the join form, find it in the database and make it admin by changing the role from 1 to 3.

Now. You may not have been hacked. You may have accidentally deleted the admin account yourself when you were deleting other accounts like spam accounts. The admin account can be deleted like any other account, and there is no confirmation. It happens more often than you would think.

https://www.deanbassett.com
Quote · 6 Feb 2013
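
Added example, not part of the original posts: the two steps described above (find the real admin ID before running the reset, or promote an account you control by changing Role from 1 to 3) as one script for phpMyAdmin's SQL tab. `NickName` and `Email` are assumed column names, and the ID `0` and the password string are placeholders.

```sql
-- Run the whole script as ONE submission in the SQL tab so that the
-- @target_id variable is still set when the UPDATE statements execute.

-- 1. Which accounts hold the admin role right now? (Role = 3 per the thread.)
--    Any row here that you do not recognise is an account to investigate.
SELECT `ID`, `NickName`, `Email`, `Role`   -- NickName/Email: assumed columns
FROM `Profiles`
WHERE `Role` = 3
ORDER BY `ID`;

-- 2. If step 1 returns nothing, the admin row is gone and WHERE `ID`='1'
--    matches no row, which is the "zero rows" message seen in the thread.
--    List what is left and pick an account you registered yourself.
SELECT `ID`, `NickName`, `Email`, `Role`
FROM `Profiles`
ORDER BY `ID`;

-- 3. Put the chosen ID here. 0 is a placeholder that matches no account.
SET @target_id = 0;

-- 4. Promote that account to admin (Role 1 -> 3, as described above).
UPDATE `Profiles` SET `Role` = 3 WHERE `ID` = @target_id;

-- 5. Give it a fresh salt and password using the scheme from the linked
--    reset topic: SHA1(CONCAT(MD5(password), Salt)).
UPDATE `Profiles`
SET `Salt` = CONV(FLOOR(RAND()*99999999999999), 10, 36)
WHERE `ID` = @target_id;

UPDATE `Profiles`
SET `Password` = SHA1(CONCAT(MD5('placeholder-new-password'), `Salt`))
WHERE `ID` = @target_id;

-- 6. Verify instead of trusting the status message: exactly one row should
--    come back, with Role = 3 and password_matches = 1.
SELECT `ID`, `Role`,
       `Password` = SHA1(CONCAT(MD5('placeholder-new-password'), `Salt`))
         AS password_matches
FROM `Profiles`
WHERE `ID` = @target_id;
```

If step 6 returns no row, the ID in step 3 does not exist in `Profiles` and nothing was changed.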

could someone have gone in through my file manager and deleted it from the profiles table and done it that way??

Not without knowing your password.


https://www.deanbassett.com
Quote · 6 Feb 2013

Just another thought - have you given anyone remote access to your database? Make sure that all IPs are blocked except for your own. You should be able to find this in your cPanel.

caredesign.net
Quote · 6 Feb 2013

Yeah, but unfortunately I haven't logged on for a few days and haven't had any spammers since I changed the login forms into two pieces, so there were no spammers to delete until now of course.

Quote · 6 Feb 2013

I can't understand why people who have had an issue come here and post blaming the script. Far more likely your server is insecure. And why do you not have a backup? Despite this happening before?

Advice for the future... Set a nightly backup job and download the backup every night. This can all be automated, easily.

A couple of years ago I had a total hard disc failure on a dedicated server. I had all 23 customers back up and running within 8 hours, well inside my SLA of 99%. 

BACKUP BACKUP BACKUP, BACKUP your BACKUP and then back that up too!

Quote · 6 Feb 2013

Ok guys, I deleted my entire Dolphin site and reinstalled and guess what? Password incorrect. How is that actually possible? Did I remake the site and suddenly forget the password I used? Something else is going on here.

Quote · 6 Feb 2013

When you decided to trash your site and reinstall, did you create/use a new database too? It's possible that your database was somehow corrupt from the get-go.

Nothing to see here
Quote · 6 Feb 2013

I wiped everything, started afresh and the same thing is happening: 'password incorrect'. I have the mail here the installation sent me, copied and pasted the password to make sure it was right and, lo and behold, exactly the same thing is happening. This is all brand new and the same thing is happening.

Quote · 6 Feb 2013

Unless you are accidentally hitting caps lock or something, I am not sure how this could be possible. Oh and don't copy/paste passwords. It's too easy to get 'whitespace' during the copy.

 

Type in your password.

 

Edit: BTW, I have never received an email telling me the installation was complete. Let me guess, you are installing from softaculous??

Nothing to see here
Quote · 6 Feb 2013

yes sofilicious thingy. its the correct password i'm at a loss :(

Quote · 6 Feb 2013

Don't use that crap. Upload the script and install it yourself. There have been many discussions regarding using Softaculous to install Dolphin.

Nothing to see here
Quote · 6 Feb 2013

Thank you for all your help guys, I think perhaps I am way too blonde for all this technical stuff. I reinstalled yet again and it now works, now it's back to rebuilding again. Thank you all very much for your efforts.

Quote · 6 Feb 2013

 

yes sofilicious thingy. its the correct password i'm at a loss :(

Did you use Softaculous to delete your former site? If you use file manager to delete it, it will leave the inc folder behind; not sure if that is even an issue. I would go to cPanel, use Softaculous to delete the site, make sure that remove directory, remove database and remove database user are all checked, then uninstall. Go and delete your cron job, then go and use Softaculous to install Dolphin again.

Quote · 6 Feb 2013

I just clicked the red X on the softilicious and it did everything. I saved my template I made tho, so I guess I'll be up and running again minus a few spam accounts. I guess I will be backing up stuff in cPanel from now on :)

Quote · 6 Feb 2013

 

I just clicked the red X on the softilicious and it did everything. I saved my template I made tho, so I guess I'll be up and running again minus a few spam accounts. I guess I will be backing up stuff in cPanel from now on :)

Check your cron job; you will have two versions running if you did not delete one.

Quote · 6 Feb 2013

 

This isn't a very secure platform is it?

If this has happened on another version, I would look more deeply into checking to see if your hosting account/server has not been compromised. Just my 2 cents, looking at this from a host's eyes.

https://niceday-hosting.co.uk | http://northumberlandfriends.co.uk |http://kids-tv.net
Quote · 6 Feb 2013

If her password isn't working on a fresh install it isn't an insecure server. Well, her server might be insecure for all I know, but that isn't what's causing her problems. I've seen lots of people post here about being hacked and worked with a few of them... none of them have had their admin passwords changed. Most hacks are a generic script that is adding or changing files and aren't Dolphin specific.

 

 

 

This isn't a very secure platform is it?

If this has happened on another version, I would look more deeply into checking to see if your hosting account/server has not been compromised. Just my 2 cents, looking at this from a host's eyes.

 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 7 Feb 2013

If her server has been compromised with an exploit script then doing 1000 fresh installs may not work if the exploit script randomly changes passwords. That's why I suggested looking deeper to see if their hosting account/server has been compromised. I have been a host since 1999 and seen many cases like this on many forums, mostly when people go for the cheap unlimited hosting plans where the host offers none or little support and does not spend money to make sure their server is secure from hacks etc. Also, if clients have outdated scripts like WordPress etc. on their server, this can also allow hackers to exploit servers.

 If her password isn't working on a fresh install it isn't an insecure server.

Most hacks are a generic script that is adding or changing files and aren't Dolphin specific.

 

 

This isn't a very secure platform is it?

If this has happened on another version, I would look more deeply into checking to see if your hosting account/server has not been compromised. Just my 2 cents, looking at this from a host's eyes.

 

 

https://niceday-hosting.co.uk | http://northumberlandfriends.co.uk |http://kids-tv.net
Quote · 7 Feb 2013

Why? I have the opposite. I had to do a fresh install from scratch: removed the account from the server and then installed from the download from BoonEx, and it would not work, so I again removed the account from the server and then did an install from Softaculous and everything is working 100%.

Don't use that crap. Upload the script and install it yourself. There have been many discussions regarding using Softaculous to install Dolphin.

 

https://niceday-hosting.co.uk | http://northumberlandfriends.co.uk |http://kids-tv.net
Quote · 7 Feb 2013

It wasn't her account password that didn't work, it was the Dolphin admin password. There isn't an exploit that randomly changes Dolphin admin passwords WHILE it's being installed. If she's a victim of anything it's Softaculous. It might be great for all the other scripts but it seems to have a few bugs when it comes to Dolphin.

 

If her server has been compromised with an exploit script then doing 1000 fresh installs may not work if the exploit script randomly changes passwords. That's why I suggested looking deeper to see if their hosting account/server has been compromised. I have been a host since 1999 and seen many cases like this on many forums, mostly when people go for the cheap unlimited hosting plans where the host offers none or little support and does not spend money to make sure their server is secure from hacks etc. Also, if clients have outdated scripts like WordPress etc. on their server, this can also allow hackers to exploit servers.

 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 7 Feb 2013

Well, it wasn't just the admin password that was changed. After last time I put 6 sample accounts on my site; all had their password changed and the 'Description' bit of all of these accounts had 'i am a yoga teacher from the usa looking for friendship / chat. visit my site' or something to that effect, and the admin account password wasn't changed, it was deleted. I am thinking the problem lies with my server. I have contacted them and a/w reply. My host is ukhost4u. I have no idea if this is a secure server or not; how would I even know that? The prices seemed the same as every other server and they respond to my mails quite quickly. So I don't know.

Quote · 7 Feb 2013

I am just a newbie when it comes to a lot of things, but I have also been hacked. Not as bad as yourself, but bad enough to have to start from scratch. Well, I learned a few things after that experience.

As already mentioned, backups can be your biggest friend. I personally have daily backups by default, but I also do a backup if I make any changes to the site itself.

Another thing is the remote access to your database. In your cPanel there should be a section for remote database access. I had mine set to allow remote access from anywhere (%). I changed that to only allow access from my IP address. I periodically have to change this IP address as I am always traveling.

Also, I am running a dedicated server, so remote access to anything on my server is restricted to just my ip address alone. Plus, I installed a mysql database encryption software on my server.

And the last thing. I originally had custom php pages that I created in which my connection string to the database is at the top of the page. Normally this does not display if a user views the source code, BUT, if the person is smart enough, they can just download the actual file. (I have actually had someone do this to me to prove to me it can be done) In which case all of your database info is right there on the page. Now they can send sql scripts of their own. So, I am moving all of those connection codes to another file and placing that file one level above my public_html folder.

Again, I am new to this, and persons such as Deano can give you more and better info than I can. I just thought I would post what I did after I got hacked. Since then I have not had any issues.

caredesign.net
Quote · 7 Feb 2013

Odd.

The normal default of cPanel for database remote access is empty. No remote access at all.

Remote access should not be needed. You should be accessing your database from phpMyAdmin within cPanel. Not directly from your home computer.

If you do have remote access enabled it should be removed. Your own server is the only thing that should have access to the database. Outside remote access is not required and should not be allowed.




https://www.deanbassett.com
Quote · 7 Feb 2013
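
Added example, not part of the original posts: queries to check whether a database account can connect from outside the server, the `%` setting discussed above. The `mysql.user` query assumes administrative privileges (for example root on a dedicated server), and `'exampleuser'` is a placeholder account name.

```sql
-- 1. Which grant-table entry did this login match? The part after the @
--    is the allowed origin: 'localhost' means the server itself only,
--    '%' means any address on the internet.
--    Run this as the account the site itself connects with, since
--    phpMyAdmin inside cPanel may log in as a different account.
SELECT CURRENT_USER() AS matched_account;

-- 2. What that account is allowed to do. On shared hosting you can only
--    see your own grants, which is enough for this check.
SHOW GRANTS FOR CURRENT_USER();

-- 3. With administrative privileges: every account that may connect from
--    somewhere other than the server itself. An empty result is the
--    "no remote access at all" state described above.
SELECT `User`, `Host`
FROM mysql.user
WHERE `Host` NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY `Host`, `User`;

-- 4. Narrowing a wildcard entry back to local-only access. Left commented
--    out because the account name is a placeholder; on cPanel hosting make
--    the change in cPanel's remote database access section instead so the
--    panel and the server stay in agreement.
-- RENAME USER 'exampleuser'@'%' TO 'exampleuser'@'localhost';
```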

i agree totally deano. in my case i have grown accustomed to the mysql connection program and since i have several sites to look after it is easiest for me to have them all in one place as they are not all on the same server.

caredesign.net
Quote · 7 Feb 2013

Yes never allow or give remote access to your server.

Apart from our IP, we have our server provider's IP (in case we need their help) along with the cPanel tech IPs, but these do not remote access the server; they will use FTP/SSH. But our server provider would have access to the server anyway through their system.

https://niceday-hosting.co.uk | http://northumberlandfriends.co.uk |http://kids-tv.net
Quote · 7 Feb 2013
 
 