Announcement

Collapse
No announcement yet.

Site Hacked

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Site Hacked

    www.coloradoevo.com My Site was hacked about a week ago, no backup copies available from the server hosts as they just updated their software and the only copy is the hacked version. I went and upgraded my site to 4.1.9 from 4.1.5 and installed everything but the site still won't return to its original state. I can't even log into the Admin PanelEvery folder I visit takes me to the same main page.... like a redirectPlease visit my site above and see if you can help me outthanksSteve
    Last edited by sdfontanini; Wed 21 Dec '11, 9:58pm.
    www.coloradoevo.com

  • #2
    Check your .htaccess file and index.html file
    "Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time!"
    "It's important to only think about what you desire, not what you fear to achieve your ultimate goal!!"
    "When doors close, tear down the walls. Never give up!"

    Comment


    • #3
      doesn't look like the .htacess file was changed, and I have no index.html, just php

      where are you Steve Machol
      Last edited by sdfontanini; Wed 21 Dec '11, 10:09pm.
      www.coloradoevo.com

      Comment


      • #4
        Have you tried deleting the index.php and reuploading it. Also check the www or public_html root directory for an index html or php file and delete it as well.
        www.cdmagurus.com
        www.cellphone-gurus.com

        Comment


        • #5
          Hacked by gaza-hacker.com

          174.122.69.72 resolves to
          "48.45.7aae.static.theplanet.com"
          Top Level Domain: "theplanet.com"
          Simple Straight Forward EU cPanel vBulletin Web Hosting Provider.

          Comment


          • #6
            Were you running a lot of mods?
            http://www.streamernation.com

            Comment


            • #7
              Here are the steps to check for hacks:

              1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

              2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

              3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

              4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

              5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

              6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

              Query for step 4 and 5 -
              SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

              7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

              It checks the templates for compromising code.

              8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue but customers really don't understand that.



              After a few quick checks, it looks like a basic template replacement scheme. Step 7 should expose such a scheme.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API - Full / Mobile
              Vote for your favorite feature requests and the bugs you want to see fixed.

              Comment


              • #8
                I have tried reuploading all my files, as he left a .tar backup in my directory, also tried to upgrade to 419 without sucess
                www.coloradoevo.com

                Comment


                • #9
                  Originally posted by sdfontanini View Post
                  I have tried reuploading all my files, as he left a .tar backup in my directory, also tried to upgrade to 419 without sucess
                  Please go through the steps above.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API - Full / Mobile
                  Vote for your favorite feature requests and the bugs you want to see fixed.

                  Comment


                  • #10
                    Originally posted by sdfontanini View Post
                    I have tried reuploading all my files, as he left a .tar backup in my directory, also tried to upgrade to 419 without sucess
                    Have you tried disabling all mods and look for any index.html or ***.html in the root folder

                    Comment


                    • #11
                      I can't even access the vbadmin panel. And I've searched for the HTML index file w no luck
                      www.coloradoevo.com

                      Comment


                      • #12
                        Originally posted by sdfontanini View Post
                        I can't even access the vbadmin panel. And I've searched for the HTML index file w no luck
                        what is it telling you incorrect password? you have tools in your do not upload folder to help you reset the admin password just make sure you delete it when your finish

                        Comment


                        • #13
                          Originally posted by sdfontanini View Post
                          I can't even access the vbadmin panel. And I've searched for the HTML index file w no luck
                          I can access your admincp by adding /admincp to the end of the URL on your customer account. Due to the hack, you'd have to log in and then manually go back to the URL.
                          Translations provided by Google.

                          Wayne Luke
                          The Rabid Badger - a vBulletin Cloud demonstration site.
                          vBulletin 5 API - Full / Mobile
                          Vote for your favorite feature requests and the bugs you want to see fixed.

                          Comment


                          • #14
                            I get a 404 Error in my browser when I go to www.coloradoevo.com/admincp

                            This is getting frustrating...

                            I can not find any index.html files in my root folder, not sure how this thing is working... completely baffled
                            www.coloradoevo.com

                            Comment


                            • #15
                              Updated again to 4.1.9 and it looks like I now have access to the AdminCP


                              But where to go from here???
                              www.coloradoevo.com

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X