Site Hacked


  • #31
    Do you by chance have FrontPage enabled on the server? If so, try disabling it. PM me if you feel comfortable and need more help tomorrow.
    Last edited by whitey10tc; Sat 14 Jan '12, 6:14pm.
    www.cdmagurus.com
    www.cellphone-gurus.com



    • #32
      Also, is this on a cPanel server? Shared, VPS, or dedicated?
      www.cdmagurus.com
      www.cellphone-gurus.com



      • #33
        Originally posted by Lynne View Post
        Steps 3, 4, 5, 6, & 7, which involve 'looking' in the templates or plugins for things, mean you need to look at these things in the database. Run a query in your template table looking for 'iframe' or in your plugins looking for 'base64'. You may want to consider hiring someone to do this if you aren't wanting to learn (Google is a BIG help here!) how to do this yourself.

        OK, I have never run a query in my templates, don't know how to search for these tags.

        Easiest thing would have been to upload a database backup from before you were hacked (which you seem to have never made). Please do yourself a favor and spend the time right now that you would normally spend on your forum and learn how to make database backups and how to import them into a new database. It will be time well spent for the next time this may happen.

        Lost my backup copy, and my hosts lost my data with a server file transfer, basically I'm screwed. I know...


        Originally posted by whitey10tc View Post
        Do you by chance have FrontPage enabled on the server? If so, try disabling it. PM me if you feel comfortable and need more help tomorrow.

        Don't have FrontPage running on this server.

        this is on a cPanel server? not sure if it's shared, VPS or dedicated, assuming dedicated?

        www.coloradoevo.com



        • #34
          Originally posted by sdfontanini View Post
          I believe they used Perl to overwrite or mask my pages forum directory

          I deleted a few directories that weren't originally in the root folder including

          perl
          perl5



          Now I have the following additional folders

          .cpan - deleted
          .HttpRequest
          .MirrorSearch
          Then you have much bigger problems than vBulletin. You'll need to check the server for compromises including root kits.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API



          • #35
            Originally posted by sdfontanini View Post

            Lost my backup copy, and my hosts lost my data with a server file transfer, basically I'm screwed. I know...




            Don't have FrontPage running on this server.

            this is on a cPanel server? not sure if it's shared, VPS or dedicated, assuming dedicated?

            OK, assuming it's a dedicated service (you should know), you'll be looking for a file like home.htm (/html/php/etc.) or index.htm (/html/php/etc.). It could also be a simple htaccess redirect. I don't think anything in your DB has been altered; it looks like a defacement.
            www.cdmagurus.com
            www.cellphone-gurus.com



            • #36
              Originally posted by sdfontanini View Post

              this is on a cPanel server? not sure if it's shared, VPS or dedicated, assuming dedicated?
              cPanel has nothing to do with whether it is shared, VPS or dedicated. It is a control panel frequently used by hosting providers.

              If you're not qualified to run the queries listed above in an app like phpMyAdmin (it is copy and paste really) then you'll need to ask your host to run them or purchase ticket support. Those steps above however will tell you if your compromise is within vBulletin though.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API



              • #37
                3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type


                editor-ie.css
                vbcms.css
                vbulletin.css

                are missing in my iframe query

                screenshot: iframe.jpg
                Last edited by sdfontanini; Sat 14 Jan '12, 7:18pm.
                www.coloradoevo.com



                • #38
                  Originally posted by Wayne Luke View Post
                  Then you have much bigger problems than vBulletin. You'll need to check the server for compromises including root kits.
                  Only my vBulletin site is messed up, I have a few other HTML, php and various other sites on this same server, only vBulletin is getting masked.

                  Where do I go from here...?
                  www.coloradoevo.com



                  • #39
                    What are the htm/html files that are in your forum folder?
                    www.cdmagurus.com
                    www.cellphone-gurus.com



                    • #40
                      the folders I deleted off the root folder are now back... is this a root kit???

                      screenshot: root folder .jpg
                      www.coloradoevo.com



                      • #41
                        You'll need to scan for a rootkit. If you have access to WHM, it's in the security area. If not, ask your host to. But I'm still thinking it's a basic defacement and a simple html file that needs to be removed.
                        www.cdmagurus.com
                        www.cellphone-gurus.com



                        • #42
                          Originally posted by whitey10tc View Post
                          What are the htm/html files that are in your forum folder?
                          no html files in my public html folder, nothing redirecting anything... wish it was that easy... ugh
                          www.coloradoevo.com



                          • #43
                            Originally posted by sdfontanini View Post
                            no html files in my public html folder, nothing redirecting anything... wish it was that easy... ugh
                            PM me the contents of index, home, or default .htm, html, or php from your forum folder.
                            Or anything that might look like any of these.

                            index.html index.htm index.shtml index.php index.php5 index.php4 index.php3 index.cgi default.html default.htm home.html home.htm Index.html Index.htm Index.shtml Index.php Index.cgi Default.html Default.htm Home.html Home.htm placeholder.html


                            I'll also PM you my email to see if I can help.
                            www.cdmagurus.com
                            www.cellphone-gurus.com
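
The file check asked for in posts #35 and #43, as an added example that is not part of the original thread: it walks a forum folder, lists every file whose name is on the default-document list from post #43 together with its modification time, and reports `.htaccess` lines that can redirect visitors. The function name, the set of Apache directives checked and the sample folder are assumptions made for this example.

```python
import os
import re
import tempfile

# Default-document names, copied from the list in post #43.
DEFAULT_DOCS = set("""index.html index.htm index.shtml index.php index.php5
index.php4 index.php3 index.cgi default.html default.htm home.html home.htm
Index.html Index.htm Index.shtml Index.php Index.cgi Default.html Default.htm
Home.html Home.htm placeholder.html""".split())

# Apache directives that can redirect visitors or swap the default page
# (the choice of directives is an assumption of this example).
REDIRECT_RE = re.compile(
    r"^\s*(Redirect|RedirectMatch|RewriteRule|DirectoryIndex|ErrorDocument)\b", re.I
)

def scan_forum_folder(root):
    """Return (default_docs, htaccess_hits) for everything under root.

    default_docs:  sorted (relative_path, mtime) for default-page file names.
    htaccess_hits: sorted (relative_path, line_no, line) for redirect-type
                   directives found in any .htaccess file.
    """
    docs, hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in DEFAULT_DOCS:
                docs.append((rel, int(os.path.getmtime(path))))
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        if REDIRECT_RE.match(line):
                            hits.append((rel, line_no, line.strip()))
    return sorted(docs), sorted(hits)

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample folder
        _write(os.path.join(d, "index.php"), "<?php // forum entry point ?>")
        _write(os.path.join(d, "home.htm"), "<html>constructed page</html>")
        _write(os.path.join(d, ".htaccess"),
               "RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R,L]\n")
        print(scan_forum_folder(d))
```

A stock forum folder already contains `index.php`, so the output is a review list: compare each modification time with the time the site changed and read any file that does not belong.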



                            • #44
                              I have got a feeling that somebody has tried to hack into mine and has taken it offline.

                              The emails I am getting are from a sook who I banned because I didn't give him a second chance. He was a known bully anyway. He would have been banned as soon as he started posting because he is a racist idiot.
                              Aussiefootyforums

                              New Site New forum
                              Come and talk sports all day long




                              • #45
                                Originally posted by sdfontanini View Post
                                3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type


                                editor-ie.css
                                vbcms.css
                                vbulletin.css

                                are missing in my iframe query

                                screenshot:
                                [ATTACH=CONFIG]57427[/ATTACH]
                                Missing templates from the query are fine. You have a problem with the issue if there are additional ones.


                                Please run the queries listed in my post above and post the results here. They will give the best view of your installation.
                                Translations provided by Google.

                                Wayne Luke
                                The Rabid Badger - a vBulletin Cloud demonstration site.
                                vBulletin 5 API
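
The step 3 check discussed in posts #37 and #45, together with the plugin search for 'base64' quoted in post #33, as an added example that is not part of the original thread or vBulletin's own code. The `template` and `plugin` table layouts are assumptions about the schema, and an in-memory SQLite database with constructed rows stands in for the forum's MySQL database.

```python
import sqlite3

# Templates that may legitimately contain iframe tags, as listed in step 3.
ALLOWED_IFRAME_TEMPLATES = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

def build_sample_db():
    """Constructed stand-in for the forum database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE template (title TEXT, styleid INTEGER, template TEXT)")
    db.execute("CREATE TABLE plugin (title TEXT, hookname TEXT, phpcode TEXT)")
    db.executemany("INSERT INTO template VALUES (?, ?, ?)", [
        ("bbcode_video", 1, '<iframe class="video" src="{vb:raw url}"></iframe>'),
        ("member.css", 1, ".member iframe { border: 0; }"),
        ("header", 1, '<div></div><IFRAME src="http://example.invalid/" width="0"></IFRAME>'),
        ("footer", 1, "<div>Powered by vBulletin</div>"),
    ])
    db.executemany("INSERT INTO plugin VALUES (?, ?, ?)", [
        ("Sidebar tweak", "global_start", "$show['sidebar'] = true;"),
        ("Stats", "global_complete", "eval(base64_decode('Y29uc3RydWN0ZWQ='));"),
    ])
    return db

def unexpected_iframe_templates(db):
    """Templates containing 'iframe' that are NOT on the allowed list."""
    rows = db.execute(
        "SELECT title, styleid FROM template WHERE LOWER(template) LIKE '%iframe%'"
    ).fetchall()
    return sorted((t, s) for t, s in rows if t not in ALLOWED_IFRAME_TEMPLATES)

def plugins_with_base64(db):
    """Plugins whose PHP code mentions base64; each one needs a manual read."""
    rows = db.execute(
        "SELECT title, hookname FROM plugin WHERE LOWER(phpcode) LIKE '%base64%'"
    ).fetchall()
    return sorted(rows)

if __name__ == "__main__":
    db = build_sample_db()
    print("Unexpected iframe templates:", unexpected_iframe_templates(db))
    print("Plugins mentioning base64:", plugins_with_base64(db))
```

Only two of the ten allowed templates appear in the sample data and nothing is reported for the missing ones; the single finding is the extra `header` template.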
