Help Hackers hacked my vBulletin

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Help Hackers hacked my vBulletin

    My orchid forum, www.orchidgeeks.com, has been hacked by Russian hackers http://dengesiz-team.org/vb.htm

    When you go to orchidgeeks.com/forum (I think you might have to be logged in to view it) the page re-directs to http://dengesiz-team.org/vb.htm.

    How do I remove or fix this?

  • #2
    You're not running FlashChat, are you?
    There have been some recent problems.
    ...steven
    www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
    bmwcca.org/forum | m135i.net
    "I tried to clean this up but this thread is beyond redemption." - Steve Machol



    • #3
      No I don't use any flash chat. Just straight vBulletin.


      • #4
        Originally posted by HUMMER
        No I don't use any flash chat. Just straight vBulletin.
        Any mods or hacks?
        Could also have been through someone sharing your server.
        ...steven
        www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
        bmwcca.org/forum | m135i.net
        "I tried to clean this up but this thread is beyond redemption." - Steve Machol



        • #5
          Here's some interesting whois information for you over these hackers.

          It may be a good idea for you to email [email protected] and ask them to shut these websites down, or perhaps do a google search for tolga yildiz

          dengesiz-team.org


          and also

          hacking-sabotage.com

          Last edited by Bill Smith; Sun 3 Sep '06, 12:36am. Reason: Added attachment



          • #6
            Originally posted by HUMMER
            hacked by Russian hackers
            All the time you blame Russians, for all deadly sins, but you'd better go and learn the flags of the countries of the world.
            You cannot distinguish a sickle-and-hammer from a Turkish star =\



            • #7
              I'm not blaming the Russians; these guys have their site registered in Turkey and are causing a lot of trouble on a lot of forums, and it's not just vBulletin. Take a look at joomla.org

              What's the point???

              Google him

              tolga yildiz
              iskenderun
              Hatay, 31200
              Turkey
              +90.4440542
              [email protected]



              • #8
                Bill Smith, I'm speaking with HUMMER..
                Last edited by gCtrl; Sun 3 Sep '06, 1:16am.



                • #9
                  gCtrl, I don't care if these guys are Japanese. They are ruining my forums and I don't have time to check "flags"


                  Is there any template or file I should be looking in for how to resolve this hacking?


                  • #10
                    Originally posted by HUMMER
                    gCtrl, I don't care if these guys are Japanese. They are ruining my forums and I don't have time to check "flags"


                    Is there any template or file I should be looking in for how to resolve this hacking?
                    Check your topXstat hack; there is an exploit that they know about and a fix for it. My board was hacked too and I was able to recover quickly, and during that process I uninstalled that hack. Everything is good so far.



                    • #11
                      So you're saying to just uninstall the x top stats, or is there a patch for it?

                      Thanks
                      -Dave


                      • #12
                        Originally posted by HUMMER
                        So you're saying to just uninstall the x top stats, or is there a patch for it?

                        Thanks
                        -Dave
                        Yes, for the time being, till you get straightened out. Go here for the info: http://www.vbulletin.org/forum/showthread.php?t=93065
                        Once you do the config, I guess reinstall it.



                        • #13
                          I too have been hacked - though to no great extent, but hacked nevertheless.

                          I have a server with Rack Space and they said my forum was compromised through the vbulletin file 'online.php'.

                          I also had FlashChat loaded, but have since uninstalled.

                          Is there a security issue with online.php? Will 3.6 fix this?

                          thanks



                          • #14
                            There are no known security issues with 3.6.0. There is a BIG issue with the FlashChat and TopXStats plugins.

                            Please see this thread on how to make your vBulletin more secure:

                            http://www.vbulletin.com/forum/showthread.php?t=172234

                            If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
                            Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                            Change CKEditor Colors to Match Style (for 4.1.4 and above)

                            Steve Machol Photography


                            Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




                            • #15
                              Has anyone been looking at their logs?
                              I found this in my error log.

                              I caught it just in time.
                              [Mon Sep 4 15:20:11 2006] [error] [client 200.82.226.80] File does not exist: /home/username/public_html/forum/chat//inc/cmses/aedatingCMS2.php
                              I would have been hacked if that file was still there.
                              ...steven
                              www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                              bmwcca.org/forum | m135i.net
                              "I tried to clean this up but this thread is beyond redemption." - Steve Machol
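
The log check described in post #15, as an added example that is not part of the original thread: it scans Apache error-log lines in the format quoted there and groups "File does not exist" requests for removed plugin files by client. The watchlist holds only the file named in the post; the function name, the watchlist tuple and every sample line after the first are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath

# Apache error_log line in the shape quoted in post #15. The path stops at
# whitespace or a comma so a trailing ", referer: ..." is not captured.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>[^,\s]+)"
)

# Path suffixes to alert on. The single entry is the file named in the post;
# add the files of any plugin you have since uninstalled (assumption).
WATCHLIST = ("/inc/cmses/aedatingCMS2.php",)


def find_probes(lines, watchlist=WATCHLIST):
    """Return {client_ip: [(timestamp, normalised_path), ...]} for watched files."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a "File does not exist" error line
        # Collapse '//' and '/./' so 'chat//inc' and 'chat/inc' compare equal.
        path = normpath(m.group("path"))
        if any(path.lower().endswith(w.lower()) for w in watchlist):
            hits[m.group("ip")].append((m.group("ts"), path))
    return dict(hits)


# Constructed sample: the first line is the one quoted in the post,
# the remaining three are made up to exercise the parser.
SAMPLE_LOG = """\
[Mon Sep 4 15:20:11 2006] [error] [client 200.82.226.80] File does not exist: /home/username/public_html/forum/chat//inc/cmses/aedatingCMS2.php
[Mon Sep 4 15:20:14 2006] [error] [client 200.82.226.80] File does not exist: /home/username/public_html/chat/inc/cmses/aedatingCMS2.php, referer: http://example.invalid/
[Mon Sep 4 15:21:02 2006] [error] [client 192.0.2.10] File does not exist: /home/username/public_html/favicon.ico
[Mon Sep 4 15:22:40 2006] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} request(s) for removed plugin files")
        for ts, path in events:
            print(f"  {ts}  {path}")
```

A hit here only shows that the file was requested and was absent; the same request against a forum where the plugin is still installed would not appear in the error log, so the access log needs the same check.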
