jforjustice.co.uk/banksters - Hacked


  • [Forum] jforjustice.co.uk/banksters - Hacked

    I upgraded to the latest version of vBulletin last night and now when I try to view my forum it gets redirected to jforjustice.co.uk/banksters. Has this happened to anyone else and if so, how do you fix it? I can't see how the redirection is happening. My .htaccess doesn't appear to be doing it and I don't see that any of the vB files were changed.

    Thanks,

    Tim
    Five Star Review Script - Add reviews to your website!
    Mixed Martial Arts - Houston MMA Training
    Women's Self-Defense - Courses and DVDs available

  • #2
    Most common causes of redirecting in my experience are files that were edited on your server or a plugin on a common hook.

    You'll need to run the Suspect File Versions Diagnostic for any files that do not contain the expected contents. You can do this under Maintenance -> Diagnostics.

    You'll also need to review your plugins in the Plugin Manager under Plugins / Products to make sure they do not contain redirect code. The code is often hidden in base64 code and looks like gibberish. Any plugin with base64 code should be considered suspect enough to be disabled and/or deleted.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.



    • #3
      Thanks for the reply Wayne. Unfortunately, I can't even get into the admin without being redirected. I'm going to upload the files again to hopefully overwrite the problem file.


      • #4
        To temporarily disable the plugin system, edit config.php and add this line right under <?php

        define('DISABLE_HOOKS', true);

        Wayne Luke


        • #5
          Originally posted by Wayne Luke:
          To temporarily disable the plugin system, edit config.php and add this line right under <?php

          define('DISABLE_HOOKS', true);
          That really helped. I am now able to log in and see my plugins. There is a new one:

          Location: global_start
          Title: AnonymousPleaseNoteWeMadeItEasyToFix
          header('Location: http://jforjustice.co.uk/banksters');

          Any idea of how they could have added that or how to prevent it in the future?

          Thanks,

          Tim
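
The plugin review described in #2, run over the record reported in #5, as an added example that is not part of the original thread or vBulletin's own code. It assumes plugin rows exported from the database as dictionaries with `pluginid`, `hookname`, `title` and `phpcode` keys (assumed names); rows 2 and 3 are constructed samples.

```python
import base64
import re

# Row 1 is the plugin reported in this thread; rows 2 and 3 are constructed.
# The keys (pluginid, hookname, title, phpcode) are assumed export names.
HIDDEN = base64.b64encode(b"header('Location: http://example.invalid/');").decode()
SAMPLE_PLUGINS = [
    {"pluginid": 1, "hookname": "global_start",
     "title": "AnonymousPleaseNoteWeMadeItEasyToFix",
     "phpcode": "header('Location: http://jforjustice.co.uk/banksters');"},
    {"pluginid": 2, "hookname": "forumhome_start", "title": "Stats box",
     "phpcode": "$stats = fetch_stats();"},
    {"pluginid": 3, "hookname": "global_start", "title": "cache helper",
     "phpcode": "eval(base64_decode('" + HIDDEN + "'));"},
]

REDIRECT = re.compile(r"header\s*\(\s*['\"]\s*(?:Location|Refresh)\s*:", re.I)
OBFUSCATION = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decoded_literals(code):
    """Yield the text of each quoted base64-looking literal that decodes."""
    for match in B64_LITERAL.finditer(code):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        yield raw.decode("utf-8", errors="replace")


def audit_plugin(row):
    """Return the reasons a plugin row deserves manual review."""
    code, findings = row["phpcode"], []
    if REDIRECT.search(code):
        findings.append("redirect-header")
    if OBFUSCATION.search(code):
        findings.append("obfuscation-call")
    if any(REDIRECT.search(text) for text in decoded_literals(code)):
        findings.append("redirect-in-base64")
    return findings


def audit(rows):
    """Map pluginid -> findings for every row with at least one finding."""
    report = {}
    for row in rows:
        findings = audit_plugin(row)
        if findings:
            report[row["pluginid"]] = findings
    return report
```

`audit(SAMPLE_PLUGINS)` flags rows 1 and 3 and leaves the benign row out of the report; a flagged row is a prompt for manual review, not proof of compromise.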


          • #6
            They could add it with access to the database or through your AdminCP. Make sure your AdminCP has restricted access via .htaccess, which uses a different username and password or even IP address restriction.

            https://www.vbulletin.com/docs/html/...letin_restrict

            Make sure your database doesn't allow remote connections except what is absolutely necessary. Your hosting provider can help with this.

            Make sure that tools like phpMyAdmin and Adminer are not accessible via the Web without .htaccess protection.

            Make sure you use a different password for your AdminCP, FTP, Hosting Control Panel, Database and Email.

            Wayne Luke


            • #7
              Thank you very much.


              • #8
                Originally posted by Wayne Luke:
                To temporarily disable the plugin system, edit config.php and add this line right under <?php

                define('DISABLE_HOOKS', true);
                Does this work the same with vB 3.8.6? I had my site get hacked too with the same issue, however, it looks like the line of code does not stop my plugins.



                • #9
                  Should work in 3.8.6. Hasn't changed since 3.6

                  Wayne Luke


                  • #10
                    Originally posted by Wayne Luke:
                    Should work in 3.8.6. Hasn't changed since 3.6
                    Interesting. I still can't log in to the admincp even after adding that code. Any other ideas?

                    Thanks!



                    • #11
                      Originally posted by bradical:
                      Interesting. I still can't log in to the admincp even after adding that code. Any other ideas?

                      Thanks!

                      FYI, they nuked the salt field for all admin users. Fix that and you should be alright.



                      • #12
                        I was hit by this too. What should the "salt" field be? Mine was "lol" and it isn't friggin funny. What a bunch of A-holes there are out there!



                        • #13
                          Originally posted by cobradude:
                          I was hit by this too. What should the "salt" field be? Mine was "lol" and it isn't friggin funny. What a bunch of A-holes there are out there!
                          I might be wrong here but I thought it was a random 30 character string made up of special characters and normal ones?
                          FTW Forum <- Home of the damned!



                          • #14
                            I'm still hosed here. I still cannot log into the admin CP even when I set "define('DISABLE_HOOKS', true);" in config.php.

                            I found in the database the reference to "header('Location: http://jforjustice.co.uk/banksters');" in the plugins table and I removed that manually. That said, there's still a reference in datastore, and when I remove that line, I can navigate, but the site seems to be a bit dorked up as plugins don't seem to be working...and I get an error when I go to the admin login. Is there something special that needs to be done to remove from the datastore appropriately?

                            Have been up all night dealing with this, so I'm a little punchy...let me know if I'm not making sense. Any help is appreciated.



                            • #15
                              Originally posted by cobradude:
                              I'm still hosed here. I still cannot log into the admin CP even when I set "define('DISABLE_HOOKS', true);" in config.php.

                              I found in the database the reference to "header('Location: http://jforjustice.co.uk/banksters');" in the plugins table and I removed that manually. That said, there's still a reference in datastore, and when I remove that line, I can navigate, but the site seems to be a bit dorked up as plugins don't seem to be working...and I get an error when I go to the admin login. Is there something special that needs to be done to remove from the datastore appropriately?

                              Have been up all night dealing with this, so I'm a little punchy...let me know if I'm not making sense. Any help is appreciated.
                              Assuming you have no old DB dumps or backups, you need to alter the DB. I am sure there is a cleaner way to do this, but you can run this in PHP:
                              PHP Code:
                              // Prints the hash to store in the password field.
                              echo md5(md5("password") . "salt");
                              Then plug both the text you used for salt and the hash that is output into the database into the salt and password fields respectively.
                              Make up a short string for salt temporarily, then use vBulletin to reset your password once successfully logged in.

                              To fix the data store caching, just go to the plugins panel and disable any plugin, then go back and immediately re-enable it.

                              Make sure to remove the disable hooks line from config when done.
                              Last edited by dlloyd; Sun 18th Mar '12, 8:47am.
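
Why an overwritten salt locks admins out (#11, #12) and how the matching salt and hash pair from #15 restores login, as an added example that is not part of the original thread or vBulletin's own code. The row keys `username`, `salt` and `password` are assumed export names, and every row and password below is constructed.

```python
import hashlib
import hmac
from collections import Counter


def vb_hash(password, salt):
    """md5(md5(password) . salt), the formula posted in #15."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def login_would_succeed(row, password):
    """True if the stored hash still verifies against the stored salt."""
    return hmac.compare_digest(vb_hash(password, row["salt"]), row["password"])


def shared_salt_accounts(rows):
    """Usernames whose salt also appears on another account.

    vBulletin stores a separate salt per user, so one value repeated across
    accounts (the thread reports "lol") indicates a bulk overwrite.
    """
    counts = Counter(row["salt"] for row in rows)
    return [row["username"] for row in rows if counts[row["salt"]] > 1]


def apply_temporary_login(row, temp_password, temp_salt):
    """Return a copy of the row with a matching salt/hash pair, as in #15."""
    fixed = dict(row)
    fixed["salt"] = temp_salt
    fixed["password"] = vb_hash(temp_password, temp_salt)
    return fixed


def sample_rows():
    """Constructed rows: hashes made with the original salts, then the two
    admin salts overwritten the way posts #11 and #12 describe."""
    rows = []
    for name, salt in (("admin1", "a9$Kx"), ("admin2", "P!2zq"), ("member", "7h#Lm")):
        rows.append({"username": name, "salt": salt,
                     "password": vb_hash("pw-" + name, salt)})
    rows[0]["salt"] = rows[1]["salt"] = "lol"
    return rows
```

With the constructed rows, `login_would_succeed(rows[0], "pw-admin1")` is false even though the password is correct, because the stored hash was computed with the salt that was overwritten.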
