This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Can no longer log in. Database problem or hack?

July 18, 2013 5:04pm

  • #1 / Jul 18, 2013 5:04pm

    donayer

    1 posts

    First, forgive me and take it easy on me for I am only mildly familiar with ExpressionEngine and MySQL.

    Our company website was put together by an employee long gone and now I’m trying to figure out how this all works. We are using ExpressionEngine v1.6.8 and as far as I know that’s exactly what was installed when he set it up many moons ago. I don’t know that anybody’s ever run any updates as it has always “just worked.”

    ...until yesterday.

    I logged in and made a simple content update with no problems. Just a few hours later, another employee tried to log in but she got this error: The username you submitted was not found in the database

    We have only ever set up 2 user accounts: one full access admin account, and one normal user account that our employees can log in with to update content and manage our blog and such. Neither of those account logins work. Both return the same error.

    The site itself, however, is still functioning just fine.

    A bit of Googling with that error message led me to think that it might be something that happened at our webhost, but I asked and they claim that they have not made any recent changes to PHP or MySQL on our server. Other search results suggested database corruption, and that’s something I know nothing about. Never one to back down from a challenge, I figured out how to access the database directly with phpMyAdmin and was immediately confused. The best I could hope to do was to try to find the list of members to see if our users really were not in the database.

    I poked around and saw the table exp_members, which seemed promising. Within that table I see only one record and this is where I’ve become very concerned. That record has a gobbledygook username and screen name that I do not recognize and the email and url point to 163.com. That seems like trouble. At this point, I know my best option is to ask for help.

    Is this as serious as it seems? If I’m looking in the right place and my admin and user accounts have been replaced by one that I do not recognize, I fear the worst. Especially having started this post by saying that nobody’s ever run any updates, which must also include security updates. Blerg.

    -Don

    [EDIT: Also worth noting, I tried the ExpressionEngine Server Wizard and it reported everything was A-OK.]

  • #2 / Jul 18, 2013 5:45pm

    donayer

    1 posts

    Ah! My host was able to restore my database from yesterday. I logged in just fine and immediately changed my passwords. Now I suppose I should run some updates or something.

    -D

  • #3 / Jul 18, 2013 5:49pm

    wildrock

    262 posts

    It looks like you’ve been hacked. First step to recovery is to get a backup of your db using phpMyAdmin, and download all of your files off of the server.

    The suspicious part is that it happened right after you logged in. Maybe someone was sniffing your connection and got the acct/pwd and then logged in with that, set up the Chinese acct (163.com is a Chinese company), and deleted the other ones. Another way you can get hacked is for an XSS script to have injected an account into your MySQL, and deleted all others.

    So when you get access, you’re going to have to figure out how to maintain security, and working with your hosting service is a good place to start. You can modify the password and account by following this screencast by Mark Bowen for editing the exp_members table with phpMyAdmin:

    http://f.cl.ly/items/0v1J3J051u1q2C0e3p2k/Changing_Password.mov

    good luck
    -jim
