
Need help - got attacked!!

Started by fenris_w0lf, August 25, 2009, 10:57:18 PM


fenris_w0lf

This is what the previous webmaster wrote after the attack:

Quote: <nameofsite> was using a version of Simple Machines Forums that was three versions behind and had some security holes. The site was attacked and knocked offline on 29 July 2009. I attempted to correct the problem by loading new files that were updated and connecting them to the old database. This didn't work very well and the threads were unreadable due to the database not being updated too. I tried running the upgrade script to fix the database and that also didn't work.

The previous webmaster does not wish to continue the forum. I'm the only one close to taking it over and trying to restore several years of posts and articles.

He has a "phpMyAdmin SQL Dump" backup of the database which starts like this:


-- phpMyAdmin SQL Dump
-- version 2.11.9.5
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Aug 19, 2009 at 06:55 PM
-- Server version: 5.0.81
-- PHP Version: 5.2.6

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";


/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

--
-- Database: `evanss_smf`
--

-- --------------------------------------------------------

--
-- Table structure for table `smf_attachments`


In addition to this I have a file-based backup of the files on his host:

25.08.2009  23:46    <DIR>          afk photos
25.08.2009  23:46    <DIR>          aok
25.08.2009  23:46    <DIR>          AplosRTE
25.08.2009  23:46    <DIR>          attachments
25.08.2009  23:46    <DIR>          avatars
25.08.2009  23:46    <DIR>          db
25.08.2009  23:46    <DIR>          downloads
25.08.2009  23:46    <DIR>          FCKeditor
25.08.2009  23:47    <DIR>          files
25.08.2009  23:48    <DIR>          images
25.08.2009  23:48    <DIR>          Packages
25.08.2009  23:48    <DIR>          pjirc
25.08.2009  23:48    <DIR>          Smileys
25.08.2009  23:48    <DIR>          Sources
25.08.2009  23:48    <DIR>          Themes
25.08.2009  23:48    <DIR>          tp-downloads
25.08.2009  23:48    <DIR>          tp-images
25.08.2009  23:48    <DIR>          wysiwyg
06.10.2007  08:52             3.554 agreement.txt
05.10.2007  23:23           446.758 changelog.txt
29.04.2008  13:17           154.486 error_log
29.10.2005  01:14             1.406 favicon.ico
19.08.2009  18:55        32.914.340 federationofkings.sql
23.01.2006  06:22               225 fenssi.php
14.10.2007  16:07            15.972 index.php
05.10.2007  23:33            14.732 index.php~
30.01.2006  21:27            14.960 index_pre_afkmlist_fix.php
19.01.2006  18:33            14.920 index_pre_irc_fix.php
05.10.2007  23:23             4.001 license.txt
30.01.2006  20:16            12.753 memberlist.php
30.01.2006  20:16            15.427 memberlist2.php
05.10.2007  23:23             2.646 news_readme.html
31.10.2005  11:01                19 phpinfo.php
05.10.2007  23:23             8.663 readme.html
24.02.2008  22:25             3.606 Settings.php
05.10.2007  23:27             3.606 Settings_bak.php
05.10.2007  23:33            59.288 SSI.php
05.10.2007  23:33            57.681 SSI.php~
05.10.2007  23:23             5.692 ssi_examples.php
05.10.2007  23:23             5.391 ssi_examples.shtml
30.01.2006  14:38            40.536 status.php


I have good experience (10+ years) and knowledge with Sybase and Microsoft SQL, but not so much MySQL. It does however look fairly similar to what I'm used to.

I've been thinking about this for a few days, and I figure I have to start with determining what version of SMF and TinyPortal he was running at the time of the hack and then install these on a new host (that has php and mysql). I've asked him, but I'm not sure if he recalls. Are there any files somewhere in the directory-structure above telling what versions he was running, or perhaps inside of the phpMyAdmin SQL Dump?

Any help would be appreciated!! :)

IchBin

Version number "should" be at the top of the files. Although, some files can still have older version numbers in them if they don't get updated. However, you can search that database dump in the settings table and you can find the version there. TinyPortal shouldn't matter really. If you get your SMF running, then you can just install the latest version, and it will update everything necessary if you're running an old version.

fenris_w0lf

Thanks for your reply IchBin, is there a specific "search string" I could use to search through the sql-dump? (It's fairly big)

Edit: seems the php files vary a lot as to what version it really was running...

IchBin

Meh, never mind. That version number in the database is not reliable. I just checked mine, and it says 1.1.4. However, my forum version is 1.1.10. If I were you I would just look at the top of the files. It should show you a version. If your files show that it is 1.1.x, then I would just upload the latest 1.1.10. If you have problems, upload the large upgrade package, and then run the upgrade.php file in your browser. http://yoursite.com/forum/upgrade.php
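
The header check suggested above, run over a whole backup tree instead of file by file, with a lookup of the version row in the dump for comparison (an added example, not part of the original posts). The `smfVersion` row format and the `backup` path are assumptions, and the sample inputs are constructed.

```python
import re
from collections import Counter
from pathlib import Path

# Header format as quoted in the thread: "* Software Version: SMF 1.1.4"
HEADER_RE = re.compile(
    r"Software Version:[ \t]*SMF[ \t]+([0-9][\w. ]*?)[ \t]*\*?[ \t]*$", re.M)
# Assumption: the settings table row looks like ('smfVersion', '<version>').
DUMP_RE = re.compile(r"\(\s*'smfVersion'\s*,\s*'([^']*)'\s*\)")

# Constructed samples, not taken from the poster's backup.
SAMPLE_PHP = "<?php\r\n/*****\r\n* Software Version:     SMF 1.1 RC1     *\r\n*****/\r\n"
SAMPLE_DUMP = ("INSERT INTO `smf_settings` (`variable`, `value`) VALUES\n"
               "('smfVersion', '1.1.4'),\n('news', 'hello');\n")


def header_version(text, max_lines=40):
    """Return the version in a file's leading comment block, or None."""
    head = "\n".join(text.splitlines()[:max_lines])
    match = HEADER_RE.search(head)
    return match.group(1) if match else None


def dump_version(sql_text):
    """Return the version recorded in a phpMyAdmin dump, or None."""
    match = DUMP_RE.search(sql_text)
    return match.group(1) if match else None


def scan_tree(root):
    """Map every .php file under root to its header version (or None)."""
    root = Path(root)
    return {str(p.relative_to(root)): header_version(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.php"))}


def summarize(found):
    """Count files per version; headerless files are counted as 'unknown'."""
    return Counter(v or "unknown" for v in found.values())


if __name__ == "__main__":
    print(header_version(SAMPLE_PHP), dump_version(SAMPLE_DUMP))
    # backup_root is a hypothetical path to the unpacked file backup.
    backup_root = Path("backup")
    if backup_root.is_dir():
        for version, count in summarize(scan_tree(backup_root)).most_common():
            print(f"{count:5d}  {version}")
```

Files that land under `unknown` or under a version different from the rest of the tree are the ones to compare against a clean copy of the release before reusing anything from the backup.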

fenris_w0lf

Ok, thank you IchBin...

I looked at the top of these files:

status.php Software Version: SMF 1.1 RC1
SSI.php Software Version: SMF 1.1
Settings.php Software Version: SMF 1.1 RC1
index.php * Software Version: SMF 1.1.4

Am I safe to assume I can continue with the install of SMF 1.1.4? (I tried to find it but didn't find it anywhere)

IchBin

Maybe I wasn't clear enough. Now that you at least know you are using SMF 1.1.4, I would suggest you install 1.1.10. Upload the "large upgrade" package of SMF 1.1.10. Then, run the upgrade.php on the database you just imported. It should upgrade and bring your forum back online. If you need more details feel free to post back.

G6Cad

Can't resist asking why SMF support is given on TP  :P  ::)
