Need EMERGENCY help please

Regular Joined: Nov 27, 2005 Posts: 58

My site is up to date, patched out th wazooo. 7.6 2.3.1 patch 2.0.0.18 forums, and 2.4.2 sentinel

I just now found how my forums were being deleted. Somehow, a someone I made a moderator a few years ago still had moderator powers. I have not seen this person on in 2 years. I never saw them in the moderator groups anymore and thought I had long since removed them.

I banned the IP's

207.172.238.74
207.42.94.135
I do remember this person having AOL, so a problem there.

and deleted the username. IP tracker showed them doing lots of things like this:

/phpnuke/modules.php?sid=80fa6d4a98c63828d3b0fd0dca32241a&mode=delete&f=28&topic_id_list=Array&confirm=Yes

Now I have a small problem. I need to make sure ALL moderators and admins except myself are definitely gone. And I need to restore my database without RE-Allowing this person back.

I was literally watching my forum posts disappear a few minutes ago.

Could use some fast help ??? Please ?

Posted: Sun Nov 27, 2005 4:50 pm

Normally it´s better to change the password and the email instead of deleting the username. But I´m wondering when you delete his uname how he is able to log in ? The only reason I can imagine is that he used an old session, but he would get something like "I don´t like you". However, I quess you only have to check the database and all the settings for admin,mods and groupmods.

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Use NukeSentinel to shut your site down, for starters. I'll post more in a following post.

Posted: Sun Nov 27, 2005 5:00 pm

Now, with your site locked down, you should be able to do your restore. The moment it is restored, make sure that NukeSentinel still has it locked.

Then, use phpMyAdmin and edit his user record and change his user_active to 0 (ZERO), his user_level to 1, and his email to your email address or a bogus email. Make sure he is not in your nuke_authors table. Make sure he is not in your NukeSentinel admin table. Under Forum Admin User Management, make sure his username does not have any individual permissions. And, make sure that the username is not a member of any special forum groups.

Posted: Sun Nov 27, 2005 5:02 pm

Also, use phpMyAdmin and run this query

Code:

SELECT username, user_id, user_active, user_level FROM nuke_users WHERE user_level NOT IN(0,1)

That will give you a list of anyone with special user levels.

Posted: Sun Nov 27, 2005 5:04 pm

k, its disabled. Thats a nice feature hehe. The name deletion and IP banning came within minutes of this post, and so far, nothing further has been disturbed, but they managed to delete approx. 3/4 of all the posts.

I downloaded a backup immediately after I made all updates earlier today securing the site. How difficult would it be to restore only forum posts ? I would like to keep all IP bans, user dletions I made etc.

THANKS !

Posted: Sun Nov 27, 2005 6:02 pm

Thanks for the help - I restored the entire site, and also restored current Sentinel files with all blocks, then made user changes to that user. Now that user who uses the same name on many many sites, will be infamous.

You can view their eulogy here: ginnypotter.com

Thanks for the help - at least through all of this, I secured my site against outside hackers. I have no idea how this legacy moderator remained, or how they had previously been able to remove all other mods but myself before all the updates.

Posted: Sun Nov 27, 2005 6:29 pm

You could try replacing all your forum files with your latest backup to see if it retains the posts. You'd probably want to restore users also to keep the posts count in tact.