Announcement

Collapse
No announcement yet.

HELP! Forum Hacked

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • HELP! Forum Hacked

    vbulletin 3.8.5
    Just woken up and recieved and sms from one of my members saying that it's been hacked.
    Logged on to find the site's been turned into "gaypride queerworld usa" and everything turned into arabic.
    Can't log into the admin CP as it says (translated)
    Originally posted by Google Translate
    Sorry. The Department to ban IP address of your. To Contact Us Click here
    As it says to EVERYONE else.
    As far as I'm aware someone accessed one of my super mods accounts to change it as one of my members has messaged me saying he was online as it happened saying:
    "i forget to close out windows i checked in and it said i was banned then i kept refreshing for awhile watching it change" and only this mod was online.

    Anyways, my issue is restoring the site.
    My files seem intact on the server, but I've never gone about doing this before.
    Can someone help?
    Last edited by rase2; Fri 21 May '10, 8:54pm.

  • #2
    Your first problem is being banned; but maybe restoring a backup through your host is the best option to start with. *but* you'll need to find out where the security hole is.

    If you can restore your last known good backup, you can start from there by changing your passwords. If it *was* that mod's account, I'd disable that account immediately after the restore and advise your mod to have his PC checked for key-loggers or other browser hijacks that could have intercepted his log in information.

    Let us know if any of this makes sense, a number of people here can jump in and give you some advise on what further steps to take.
    To be updated...

    Comment


    • #3
      Yeah that was immediate thought, I've just never done it before so I'm not sure exactly how I would go about doing it.
      I'm on bluehost.
      I know it's a bit tedious but would you be able to give me a REALLY simple step by step or soemthing, anyone?

      I've got backups done through admin panel, through my server, and even of the whole forum downloaded, so wondering which would be the best move.

      Comment


      • #4
        Originally posted by rase2 View Post
        Yeah that was immediate thought, I've just never done it before so I'm not sure exactly how I would go about doing it.
        I'm on bluehost.
        I know it's a bit tedious but would you be able to give me a REALLY simple step by step or soemthing, anyone?

        I've got backups done through admin panel, through my server, and even of the whole forum downloaded, so wondering which would be the best move.
        Try first to unban your self. Go to phpmyadmin and run this query:

        Code:
        DELETE FROM userban WHERE userid = 1;
        If your db tables have a prefix, include that as well in your query. And if your uid is not 1, then enter the right uid.

        Now, if no damage is done at the database and if it is not infected, then no restore is necessary. Simply ban the hackers then run a thorough check up on all your files in your server space. Also, it would be best if you cleaned up all your forum files by replacing them all with a fresh set from the vb package, your forum version. Then, change all the passwords and scan your pc with an antivirus/antispyware program.

        And as last but not least, inform your host so they can check the access logs and see how exactly did the hackers gained access to your forum. Hope it helps.

        Comment


        • #5
          Any chance you can go simpler? Like, complete newbie level :/
          I literally have zero experience with phpmyadmin.
          Sorry guys, being a bit useless here.

          Comment


          • #6
            Originally posted by rase2 View Post
            Any chance you can go simpler? Like, complete newbie level :/
            I literally have zero experience with phpmyadmin.
            Sorry guys, being a bit useless here.
            Sure, all you have to do is copy/paste my query above and run it at the SQL tab at phpmyadmin in the CP of your host. That will unban your account at your forum. So you will be able to log in normally again to your Acp.

            Comment


            • #7
              When I do that I get the following answer:

              #1146 - Table 'forum.userban' doesn't exist
              Edit: Got it to work, slight change needed. However it achieved nada :/
              Apparently I'm still banned.
              Last edited by rase2; Fri 21 May '10, 8:53pm.

              Comment


              • #8
                Cab I suggest you spend a few$ and post a request over at www.vbulletin.org to pay someone to do this. I have done this in the past when I have had a problem like this, esp when it was techanically beyond me. It far less hassle to get someone who knows what they are doing to do it for you. I have never been disappointed with any of the people I hired via vb.org to do these one off jobs for my forums. It will be quicker and easier than a lot of back and forward in forum threads.

                Comment


                • #9
                  This is true, thanks, however for the time being, if I can get it fixed this way, save cash, and learn in the process, I figure it'll be more beneficial for me.
                  Thanks though.

                  Any chance anyone has any other ideas?
                  Last edited by rase2; Fri 21 May '10, 10:19pm.

                  Comment


                  • #10
                    Hi, PM me your phpmyadmin details and I will help unban you provided the database has not been corrupted. If it doesn't work you need to do as birdie suggested.
                    Owner: Oracle Forums - General Discussion Forums.

                    Comment


                    • #11
                      Originally posted by rase2 View Post
                      When I do that I get the following answer:



                      Edit: Got it to work, slight change needed. However it achieved nada :/
                      Apparently I'm still banned.
                      What is your userid? If it is not 1 then you should enter the right uid at the query. It works fine. I have used it on several occasions without a problem. or register a new account at your forum and then make that an admin at the phpmyadmin.

                      Comment


                      • #12
                        As is, I can't register because it's saying IP's are banned.
                        Also if I go direct to the register.php link it just takes me to a message saying that the site was "raped without no protection".
                        I feel it may also be worth mentioning that another forum in our "network" so to speak (shared members), got hacked by an arabic group as well (different one) about a week before us, which kinda sucks.
                        As for userid, it is 1. I ran that query and it's done nothing, except say:
                        0 row(s) deleted. ( Query took 0.0003 sec )
                        Which really baffles me.

                        Has anyone got any other ideas? Or have I missed something?

                        Comment


                        • #13
                          Originally posted by rase2 View Post
                          As is, I can't register because it's saying IP's are banned.
                          Also if I go direct to the register.php link it just takes me to a message saying that the site was "raped without no protection".
                          I feel it may also be worth mentioning that another forum in our "network" so to speak (shared members), got hacked by an arabic group as well (different one) about a week before us, which kinda sucks.
                          As for userid, it is 1. I ran that query and it's done nothing, except say:


                          Which really baffles me.

                          Has anyone got any other ideas? Or have I missed something?
                          In that case maybe it would be best to revert to your most recent backup from before of the hack.

                          Comment


                          • #14
                            ^Again, complete newb to this, so I'm not 100% sure how to, and don't wanna risk further damage.
                            Sorry, can I get a quick expo?

                            (On the plus side this may prove as a useful thread for further newbs lol)

                            Comment


                            • #15
                              Originally posted by rase2 View Post
                              ^Again, complete newb to this, so I'm not 100% sure how to, and don't wanna risk further damage.
                              Sorry, can I get a quick expo?

                              (On the plus side this may prove as a useful thread for further newbs lol)
                              Do you have a recent backup of your db from before you got hacked? If you are not sure, ask your host about it. If you do, restore it. There are several articles at the online manual on the subject. You might want to have a look there. Also, there are quite a lot of posts/threads on the matter so you might want to search the forums as well. Hope it helps

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X