someone hacked our site and it getting real old

[fredrc]

You may have seen my post in the upgrade thread. Our site was bringing one of Jag's servers down, so we go shut off. We tried a quick fix - deleting a file that showed up in the logs as opening up thousands of connections and creating traffic. We didn't need it so deleted it.

Well after using the MediaWiki site for a few minutes, the file re-appeared. (a php file)
We thought about our svn updates and made sure it wasn't doing anything automatic. Nope.

So, suspected a trojan or some hacked process creating the file.

So, we tried having Jag restore from a backup. Didn't work, the file wouldn't stay deleted - and we cause some more server downtime and got shut off again of course.

So, we asked Jag to wipe our account clean. Delete everything. They said they close the account and opened a brand new one. Hmmmm,, we open up ssh and what do we find??? a whole bunch of our files. ????? not all of them, but a large number of them.

The Jag support guy said > Please note that we completely terminated your account and then recreate it.The account was empty.Please check with the developer of your scripts to find out the root cause of the issue.
>

Hmmm.. if that is true, then someone inside Jag is hacking our site, because we didn't put the files there. So I suspect that the Jag support guy just didn't do a good job of deleting our files.

ARGGGHHH site down for 6 days now. This is really getting old.
For the moment we are giving up on Jag support deleting the files and we are starting to
rm -Rf * everything. I hope it works.

Sorry, I am partly venting here. But this is some weird stuff going on. Is it possible that the hacker got some process installed that wouldn't go away when our account got deleted? and made it start creating files when our account got created again??? I just don't see how that is possible.

note: when our site got re-created the password was brand new from Jag.

[Daniel_DBS]

Hmmmm! That is VERY strange!

Did support recreate your account on the SAME server with the SAME username???

I am not sure if for some reason some files may linger if you recreate a terminated account.

If they used the same username, try requesting them to recreate the account again, and this time specify a NEW username!

Not sure!

[fredrc]

they did use the same username on the same server. That may be the cause. Thanks

ps. you did to do it!

[Daniel_DBS]

Let me know if you have Jag recreate the account with a new username if that solves the problem!

This is very very strange!

I swear I remember you mentioning before that you were actually running an 'alternative' mediawiki install or something... When i say alternative I mean, not the stock straight from MW but some fork or something... Maybe I am imagining things...

I've been playing around with Dokuwiki A LOT lately and it is AWESOME! I am using it for the documentation for a project I am working on...

But anyway... GOOD LUCK! Let me know how it goes!

[fredrc]

yes, we were using the latest build of svn, instead of the latest release. They don't release all their latest builds as a download. You have to be using svn updates to get the latest. I don't think that is the reason we are down - we had the same version the wikipedia has http://en.wikipedia.org/wiki/Special:Version

We did just try to set up our wiki from scratch (as much as possible) and we used 1.11 this time. As soon as we went to a page on the wiki and tried posting an edit, the mysql server went down again. Very similar problem as what we were having earlier. But not the original problem where we had some weird DoS.

So, we are still down with no end to this madness in sight. Next I am going to see if we can be assigned a dedicated tech at Jag. We have been getting inconsistent results submitting trouble tickets. They don't always know what is going on and make little mistakes here and there.

[Daniel_DBS]

Get Edward or Smith to help you...

Just request in the ticket that you want that specific tech, it may take longer to get the issue resolved if they are not currently on the clock...

Just a warning though: Keep your hands off Smith! Vin already claimed him!

[Vin DSL]

Thanks for reminding me...

St. Valentine's Day is coming up!

[Daniel_DBS]

lmao... whatcha gonna send him vin?

[Frank Broughton]

no don't tell us Vinnie! Noooooooooooo...