Yet another hacked site. Can't get rid of it!

  • Yet another hacked site. Can't get rid of it!

    Our site was hacked on Saturday afternoon: http://michiganvw.org/forum/forum.php. However, there's a workaround on our site for users by going to http://michiganvw.org then "what's new" then "new posts". But unfortunately, the main forum/forum/php page is broken.

    So far, I've done the following:
    deleted 3 bogus admin accounts
    upgraded to 4.2.1 from 4.2.0 patch level 3
    deleted the install folder and all its contents
    checked my notifications, templates etc.

    I'm missing something. Can someone please help?
    Tony - michiganvw.org

  • #2
    Replaced your files with default ones? Deleted any unknown plugins in the AdminCP? Deleted all suspect files from the system? Verified that your .htaccess file is correct?

    http://michiganvw.org/forum/activity.php works fine which is the entry point to your site. I would suspect it is either the FORUMHOME template or a replaced file. Open your FORUMHOME template and save it. Does that fix the issue?

    Please read the following two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    http://www.vbulletin.com/forum/blogs...vbulletin-site

    Wayne Luke


    • #3
      Thanks Wayne Luke! Posting for others in case they miss this one too. I went into [styles & templates > search in templates], did a search for "FORUMHOME", found it in both of my templates, and sure enough, it was edited with a JavaScript file. I then "reverted", and that reset/fixed it!
      Tony - michiganvw.org



      • #4
        It's important to follow all of the steps in that guide, not just some of them.



        • #5
          I'm at the same bridge but having problems. The now deleted admin hacker tweaked my templates. Through the CP log I can see the template activity but I can't figure out how to revert to default.
          I also updated from 4.2 to 4.2.1 thinking that would re-write my template defaults but it didn't.



          • #6
            For me the exploit was in the footer template
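
An added example, not part of any post in this thread and not vBulletin's own code: a Python sketch that checks every template body, not only FORUMHOME or footer, for `<script>` or `<iframe>` tags loading from a host you do not recognise. The template bodies, the allowlist and the `.example` hosts are constructed, and how the bodies are exported from your board is left as an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts or frames (constructed; use your own list).
ALLOWED_HOSTS = {"forum.example"}

class LoaderFinder(HTMLParser):
    """Collects (tag, src) for every <script> and <iframe> in a template body."""
    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.loads.append((tag, dict(attrs).get("src")))

def audit_templates(templates):
    """templates maps title -> body; returns (title, tag, src) per off-site load."""
    findings = []
    for title, body in sorted(templates.items()):
        finder = LoaderFinder()
        finder.feed(body)
        finder.close()
        for tag, src in finder.loads:
            # Absolute and protocol-relative URLs have a hostname; relative
            # paths and template variables such as {vb:raw ...} do not.
            host = urlparse(src).hostname if src else None
            if host and host.lower() not in ALLOWED_HOSTS:
                findings.append((title, tag, src))
    return findings

# Constructed sample bodies, not taken from any real board.
SAMPLE = {
    "FORUMHOME": '<script src="{vb:raw vboptions.bburl}/clientscript/local.js"></script>\n'
                 '<script src="http://injected.example/a.js"></script>',
    "footer": '<div id="footer">Powered by the forum</div>\n'
              '<iframe src="//injected.example/f" width="0" height="0"></iframe>',
    "header": '<script src="http://forum.example/clientscript/menu.js"></script>',
}

if __name__ == "__main__":
    for title, tag, src in audit_templates(SAMPLE):
        print(f"{title}: <{tag}> loads from {src}")
```

An empty result only means no off-site `src` attribute was found; script written inline in a template needs a separate review.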



            • #7
              How do you log in to the admin control panel when you get redirected from both the direct url and footer link?



              • #8
                If you put a .htaccess file in your admincp directory with this

                order deny,allow
                deny from all
                # allow the admin (replace xx.xx.xx.xx with the admin's ip)
                allow from xx.xx.xx.xx
                # allow moderator (replace xx.xx.xx.xx with the moderator's ip):
                allow from xx.xx.xx.xx

                Then only the person with the ip on the .ht can access your admincp. You need a fixed ip to do this.

                If, like me, you have a dynamic ip that's different each time you sign in, you can use a vps proxy. I got one for $10 a year from low end box.



                • #9
                  Originally posted by jrh369:
                  "How do you login to the admin control panel when you get redirected from both the direct url and footer link?"

                  You should be able to go to: http://yourwebsitenamehere/forum/admincp/index.php
                  Tony - michiganvw.org



                  • #10
                    How do I completely delete all the templates and then get fresh Default templates from vBulletin? A hacker hit our site, I got his plug-ins out but we're still getting a PARSER error so I must disable hooks in config.php just to keep the basic forums running right.
