Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Help Groups for Snitz Forums 2000 Users
 Help: General / Classic ASP versions(v3.4.XX)
 Hacked Web Site
 New Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Richlizard
Starting Member

16 Posts

Posted - 17 June 2017 :  11:19:59  Show Profile  Reply with Quote
Hi all.

We are in a bit of a pickle over at www . krackedkings . com

Our web site has been hacked and a virus put in place. We cannot access our site and the host has told us our best option is to wipe the server clean and start again - after 12 years of running the forum within our site, so thereby losing all our threads and memories of trips all around the world!!

We are now really clutching at straws and almost as a last resort we were wondering if our actual forum would remain intact within our web site? In other words, as we are using a Snitz forum is there a chance we could access it outside of our actual site which contains many other things outside of the forum.

I appreciate I may be sounding daft with this request, but we are getting really desperate.

Thanks in advance for any help.
Richard

HuwR
Forum Admin

United Kingdom
20577 Posts

Posted - 17 June 2017 :  16:59:17  Show Profile  Visit HuwR's Homepage
do you know what the virus is, and how you were hacked?

MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20577 Posts

Posted - 17 June 2017 :  17:02:55  Show Profile  Visit HuwR's Homepage
do you have ftp access to the site?
what type of database were you running it on?

It is very unlikely that the forum code/database has been infected with a virus, so can probably be recovered if you have access to the files.

Please don't panic and do anything rash like wipe everything. My server was compromised a few weeks ago and all the files encrypted but I managed to recover everything

MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page

Richlizard
Starting Member

16 Posts

Posted - 18 June 2017 :  06:42:48  Show Profile
quote:
Originally posted by HuwR

do you have ftp access to the site?
what type of database were you running it on?

It is very unlikely that the forum code/database has been infected with a virus, so can probably be recovered if you have access to the files.

Please don't panic and do anything rash like wipe everything. My server was compromised a few weeks ago and all the files encrypted but I managed to recover everything




Hi Huw and thanks for the reply.

The virus was the same one that got to the NHS - Wannacry. Our hosts - Fasthosts - say it is nothing to do with them. They said it was our fault for not having a backup service with them. Strangely they attempted to use a backup they had but when it failed, they deleted it!!!

I managed to log in to the server initially and appeared to remove the virus, but it had to be restarted. Once it restarted, I could no longer log in due to a group policy issue. Fasthosts told us this was due to there being multiple accounts including one called IISUSER_ACCOUTXX. They told us our 'simplest' option was to wipe the server clean and start again... losing 12 years of threads and memories. They said this was because they could not get into the server any other way.

I of course questioned how on earth they knew of this rogue account if they could not get into the server and why we would want the 'simplest' option if this meant us losing everything. In addition of course, why would we wipe everything clean and then remain with them if they are open to attack and do nothing to help us!!!

Unfortunately, I am not too experienced with servers and databases as it was set up by my partner who left years ago. So no idea if we can gain FTP access and as Fasthosts have given up on it, no idea if I did or did not remove the virus.

So I am sure you can see why coming here was a last resort in a thin hope that the forum might be accessible outside of our site which included many other things.

Sorry if that is a little long-winded but this has now been going on for weeks.
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20577 Posts

Posted - 18 June 2017 :  11:23:31  Show Profile  Visit HuwR's Homepage
If it has been several weeks and had a reboot then it is probably too late I'm afraid, and without access to the server itself there isn't really anyway to check if/what can be saved.
Unfortunately your attempt to remove it probably failed (they are notoriously difficult to get rid of) and then rebooting almost certainly made the situation worse.

There are some tools available that can decrypt the wannacry encryption, but obviously that requires access to the files.

Fasthosts are not unique in not offering backup services unless you pay extra I'm afraid.

I backup my own server since the cost of having it done by my hosts would almost double what I currently pay for the server, it is ridiculous I know, but really not much that cane be done about it, you will find pretty much all hosts are the same.

Sorry I can't be anymore helpful, but without access to the files there is nothing that can be done.



MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page

Richlizard
Starting Member

16 Posts

Posted - 18 June 2017 :  13:44:03  Show Profile
Thanks anyway
Go to Top of Page

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 22 June 2017 :  19:47:49  Show Profile
So the files got encrypted, but what about the database? It encrypted that too?

Support Snitz Forums
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20577 Posts

Posted - 23 June 2017 :  03:25:54  Show Profile  Visit HuwR's Homepage
quote:
Originally posted by Davio

So the files got encrypted, but what about the database? It encrypted that too?



If it is an access database then yes probably, if it was SQL then unlikely as it will have been locked out by sql processes, however if you can't get on the machine there is no way of retrieving the database.

When this server got hacked and the files encrypted (not by wannacry) the sql databases were fine, just everything else was encrypted, but I was able to access the machine and brute force the encryption key which allowed me to then decrypt all the files.


MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page

golfmann
Junior Member

United States
450 Posts

Posted - 23 June 2017 :  12:15:59  Show Profile  Visit golfmann's Homepage
You should write an article on how to beat ramsomeware...
Could come in handy :)
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20577 Posts

Posted - 23 June 2017 :  15:29:01  Show Profile  Visit HuwR's Homepage
mostly thanks to this site https://decrypter.emsisoft.com/ they have decryption tools for most ransomware encryptions its just a long process, plus most decent AV sites will have instructions on how to find and remove the encryptor that does the damage, just don't reboot until you are sure you have got rid of it

MVC .net dev/test site | MVC .net running on Raspberry Pi
Go to Top of Page

golfmann
Junior Member

United States
450 Posts

Posted - 23 June 2017 :  17:21:53  Show Profile  Visit golfmann's Homepage
That's why I ended up buying a whole new rig...
I figured there was SOMETHING lurking somewhere.
Superstitious, I guess...
(Plus, it was a good excuse to upgrade) :)
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.23 seconds. Powered By: Snitz Forums 2000 Version 3.4.07