Announcement

Collapse
No announcement yet.

Needs big help

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Needs big help

    I'm hoping that someone can help with this problem I'm having.

    Basically my forum got hacked today.

    Symptom(s):
    - any new threads/posts seemed to have displayed the hacker's advertising message
    - if any post was made in older threads have also infected other posts in the same thread in multiple pages. Mostly all posts in an infected thread got the same message.
    + these messages displayed don't seem to be searchable.. good thing is that the content of each post can be edited back to original post. I believe I have thousands of posts infected with this hack and i can't go ahead and edit/save each post manually. (if i click on edit button on an infected post I can see original content so I can save it to get the original post back..)

    I'm in need of help to make this process automated somehow..

    Please help.

  • #2
    The message in the post is not searchable.. I have no knowledge of mysql or php..

    How can I query these messages? then plug in original content?

    Cheers.

    Comment


    • #3
      Is HTML on in your forums someone could be posting meta refresh code? Do you have a live link?

      Comment


      • #4
        it sounds like your newpost file or template has been changed to output the hackers code. I would try to restore these from backups or remove the affected code. To mass fix all the posts you will need a custom script similar to cleaner.php included with vBulletin.

        Comment


        • #5
          hi there.

          My webhost has removed suspected files in home directory and new posts are not displaying the advertising message anymore. However the threads are still displaying the same messages. I think you are right about template has been modified.

          I have switched to a default template and the posts display fine.

          Which template do you think has been modified? postbit? i'm using legacy. I looked in 'postbit legacy' but didn't find the advertising code in it.

          Regards,
          D

          Comment


          • #6
            I think they probably changed 'newreply' / 'newthread' but it may not be a template hack.

            I would run suspect file versions and see if they changed the newreply.php or newthread.php files

            Comment


            • #7
              Hi Rolla thank you.

              Where would I find an option 'suspect file versions'?

              Comment


              • #8
                maintenance > diagnostics > suspect file versions

                Comment


                • #9
                  cheers Rolla.

                  Comment


                  • #10
                    A couple more questions.

                    When an xml(template) is imported via admin panel where are the template files stored..?

                    I looked in postbit legacy template but the code seems healthy.
                    <!-- message -->
                    <div id="post_message_$post[postid]">
                    $post[message]
                    </div>
                    <!-- / message -->
                    This is the advertising code(i have modified it)..
                    <!-- message -->
                    <div id="post_message_168378">
                    blahblah <span id=sivu><a href=example.html>blah</a></span><script>blahblah</script>
                    blah blah. (as delivered by Google)<br />
                    <br />
                    </div>
                    <!-- / message -->
                    where do you think I can find the bug that is causing to display this msg..? It's only happening in one template.
                    Last edited by K4L; Thu 22nd Jul '10, 2:01am.

                    Comment


                    • #12
                      Originally posted by Trevor Hannant View Post
                      Templates are stored in the database
                      Hi Trevor.

                      What do you think I can to get my template back to normal?

                      Comment


                      • #13
                        May I ask how to duplicate a style? I could not find the option..

                        Thanks!

                        Comment


                        • #14
                          Re-download the ZIP file from the Members Area and re-upload all files (except install/install.php and includes/config.php.new) making sure you overwrite all files currently on your server. Then go to http://www.yoursite.com/forumdirecto...nalupgrade.php. This will re-import the default phrases and templates to the database.

                          Next, go to AdminCP > Styles & Templates > Style Manager and add a new style - this will use the restored default templates.

                          Does this resolve the problem?
                          Vote for:

                          - *Admin Settable Paid Subscription Reminder Timeframe*
                          -
                          *PM - Add ability to reply to originator only*
                          - Add Admin ability to auto-subscribe users to specific channel(s)
                          - Highlight the correct navigation tab when you are on a custom page
                          - "Quick Route" Interface...
                          - Allow to use custom icons for individual forums

                          Comment


                          • #15
                            Hi Trevor that fixed it thanks!

                            Comment

                            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                            Working...
                            X