I helped the OP find there were over 120 templates with base64 encoding in them. Once these templates were deleted the site stopped forwarding to the hacker' site.

We had to run "Step 7" from Wayne's instructions via phpmyadmin.

Anyone else having their site forwarded to a hacker's site it's probably one or more changed templates.

Joe is awesome, thank you so much for all your help. Very cool to take time out to help a poor dude out. Thanks again

If you could, please describe how you do Step 7, as I'm still a little new to running these queries...

thanks again

- Steve

1) Copy the query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

2) Go to phpMyAdmin.

3) Click on the SQL tab after selecting your database.

4) Paste the previously copied query into the text box.

5) Press the Go Button.

Awesome, thanks Wayne

So I no longer have my custom Templates under the stylvars section, is there any way to recover those pages, they were packed full of info?

Any help would be appreciated... Thanks

When I looked at the templates they had all their info erased and replaced with the hack code- there was nothing left... I would suggest re-installing your custom style (hopefully you still have it somewhere) that should bring back any missing templates.

Thanks Joe, I looked in my custom style and they were gone... guess I'll have to re-write them, not a huge deal I guess. Just make sure I back these up also next time...

Thanks again for all your help guys, everything is back up and running properly

- steve

After your customizations, you can back up the style by exporting it under Upload / Download Styles. It will all be packaged in a XML file.

Sorry to raise an old thread but I've run into a similar issue.

I've just recently installed 4.2.0 on a new domain (new forum).

My domain name with all the versions below now redirect to the site in the attachment but only on 1 network connection.
http://www.mysite.com
http://www.mysite.com/forums/
http://www.mysite.com/forums/forums.php

When I tried to get on to the forum with my phone using the same wireless network as the desktop I had the same site come up but when I tried to connect on my phone not using that network I had no problems. I can also connect to the forum if I use my temporary URL provided by the host. This morning I couldn't get the forum up at all no matter what URL I used until I backed up my database and after that the temp URL worked.
I have no problem getting the forum up working from a different computer on a different wireless network.

I ran the Query from step 7 and about 19 templates came up. Do I delete these now? I'm a bit lost as to what to do now.
Any idea why it only happens from one internet connection?

EDIT: I've sent a ticket to my host provider with this issue as it sounds like a similar issue to this:
http://ask.metafilter.com/146730/Why...te-redirecting
But I've cleared my cache etc without it doing a thing, it wasn't until I restored my database that I could get on to the site.

- - - Updated - - -

To further this, I have absolutely no issues accessing the forum from a different computer with a different internet connection.

My host responded to the ticket by "adding a absolute forum path in your index.php file which is situated under the public_html folder". I'm not sure if this has fixed the problem as I won't be on that computer till tomorrow to see if the issue is resolved. But correct me if I'm wrong, but because my forum runs off the vBullentin index.php in the forums folder not from the public_html folder this will have no effect?

Anyone got any ideas on why this 1 internet connection and computer has been infected? Bearing in mind I had the same issue with my phone on the same wireless network but not with the network turned off.

Site here: http://www.allartforums.com

Anyone else having issues with it?

Edit: Forgot to attach the attachment and I don't have it here now, will add it tomorrow.

I can see your site at http://www.allartforums.com/ and http://www.allartforums.com/forums/ and http://www.allartforums.com/forums/forum.php Is that not what you want?

Hi Lynne,

Yes I was having problems from only 1 computer and internet connection, every other internet connection I tried was fine, just wanted to make sure everyone else could get to it.

It seems the problem is fixed now as I can access the forums from the "infected computer". Thanks.