Hi, my website has been hacked and taken down by the server team. I have updated to 9.3.9 (not sure which php is in place) and am going through changing all the passwords, but Admin has defeated me. The re-set password routine at login reports that it has sent me an email about changing the password. The only trouble is that the email never arrives.
After you have used the forgotten password utility you should immediately log in to your server cPanel, go to phpMyAdmin and find the last entry in the “Logs” table, copy the link URL from that entry and paste it into your browser. If all goes well you will be able to change your password.
That could only work if you configured Concrete to login with email addresses instead of usernames
Even if Concrete is configured to login with email addresses, we have the same error message both if we enter an invalid password and if we enter an invalid email address (indeed the message is Invalid email address or password, not Invalid email address alone).
Thank you all for your advice and observations. Unfortunately I have been unable to put them into practice as the Server Team have suspended the service again. I am not sure yet what the problem is this time but I am tempted to uninstall, or to get them to uninstall, Concrete to scupper the hacker. I would then hope to recover the site from a backup and quickly get in and change the Admin password.
If you use the information on that page, the absolute easiest solution is the very last one, but if the website’s cache is enabled it might interfere, so you should use it on a page that is not cached. For instance if you use the search block, using it from the search result page works fine.
Thanks to everybody who has contributed to this thread. I am pleased to report that the Server folk have found what the hacker did and deleted it. Thus I am now back in the site and am making an attempt to change the Admin password.
I have followed ConcreteOwl’s suggestion to dive into CPanel and go to phpMyAdmin. That has produced an interesting page full of stuff that is probably well above my pay grade. However, simple observation suggests that there is nothing on that page with the title “Logs”. A bit of random menu choice selection still did not show up the magic word “Log”. Thus I am a bit stuck. I would be most grateful if some kind person could navigate me to the correct location.
In phpMyAdmin the list of database tables will be paginated. Logs table will likely be on page 2. Then you will want the last entry in the Logs table, so probably again need to go through pages.
Thanks John. Sadly I do not seem to have the right skills to find the pages to which you are referring. The attached picture is what I get and I have investigated each item to no avail.
However, within the site I have found that there is a log of emails sent. In that I found several sent to me (but never actually received) about password change. I copied the URL link in some of them but they always failed because something was invalid. My presumption is that it is the code at the end; e.g. [.org.uk/index.php/login/callback/concrete/change_password/bb8a3e8d8d6dc]
I have tried requesting a new password on the login page and got the message that an email has been sent. I have then rushed to login and find the emails log page, but have found that it is not up to date. It shows several attempts I made this morning, but none of the ones this afternoon. My suspicion is that if I can get a copy of that link from the log as soon as it has been recorded the code should still be valid. However, no luck so far.
That phpMyAdmin page is the list of databases on your server. One of those will be the database for your site. You can find out which by looking at /application/config/database.php
If you then click on that database in phpMyAdmin, you will see the list of tables I referred to previously.
What you describe with Logs not reflecting what you have just done, and the profusion of databases, suggests that maybe there are multiple copies of your site, or at least multiple sets of debris left over from your hacking recovery.
You need to talk to your host support about cleaning that up or get a Concrete expert to spend some time tidying it up for you. Get rid of the excess and your path through these problems will be clearer. It's not the kind of thing that can be done by remote guidance through forum posts.
Thank you for the suggestion and graphic. That certainly looked a nice simple way to get the password changed.
However, the simple three box layout on your graphic did not appear. I got the option to change password and then a warning that it would force the user to change their password and then I was dropped into the login screen. I then used the old login details and got a message to say that my account was being upgraded and a new password was required. The only choice was “Reset and Email Password”. Choosing that takes me back to the well known “Reset Instructions Sent” message. Of course, such instructions are not sent, and effectively I have managed to lock myself into a re-set password loop and cannot even access the site now.
I will see if I can get into the site from CPanel and possibly avoid this “circuit of death”. If not I seem to be in deeper trouble than before, but at least the spammer cannot get in either!
May I suggest you follow @jessicadunbar's suggestion above and have a look at this tool I designed:
It’s listed as step 6 in the article @jessicadunbar linked to.
It can take care of pretty much any admin-related password situation you might have. I’m even ready to install it for you if you want. Feel free to contact me by PM.
Thanks for your message and the kind offer Nour. I have read the article you wrote, especially step 6, although with some trepidation. I will have a go at it myself as I will learn more that way but you might well get a PM if I get in a mess.
Thanks also to John for the advice. I am pleased to report that I did persevere with phpMyAdmin and have examined all 7 databases listed. I spotted the Search box that I had missed first time so finding “log” suddenly became easier. However, I am slightly puzzled that in all of them email_log reported zero entries and 0 bytes when opened. When checking things in the site before I locked myself out, I noticed that the top database in the list was the one that was listed as “current”, so why no sign of the “change password” emails in it? There is so much more for me to learn about how Concrete works.
I will attack the problem again later this afternoon as there are other jobs on my list clamouring for attention.
Thank you for the script Nour. I have tried it out and it was not difficult to implement as your instructions are clear and logical. Just right for somebody with my skills level. I managed to get in as SuperUser mode and then headed off towards settings. However, I had, earlier in the evening, set up a data backup for my PC. This always slows things down a bit and tonight it led to Concrete and something else I had open falling over. Very stupid of me as this is an old machine and none too powerful.
Tomorrow I will run the script again with nothing much else going on and then the problem should be solved.