Server hacked and redirecting


Bernd
03 Sep 2006, 15:26
Our server has recently been hacked, and when loading the forum index page it redirects to some silly page. I've checked for any code in the forum files that could redirect the forum, but there is none there. I've searched the vBulletin database and I couldn't find anything there either.

How do most hackers redirect pages once hacked? Do they edit the apache config files or something? How bad could the security breach be? Most important, what exploit might they have used?

Running fedora core 4
Plesk 8.01
Vbulletin 3.54

thanks for any kind of hints or answers.

Paul M
03 Sep 2006, 15:29
What mods do you have installed? Have you tried disabling them?

Bernd
03 Sep 2006, 15:43
[vB 3.5.0] Thread Thumbnail
[vB 3.5.4] Gallery for vBulletin 3.5.X
[vB 3.5.4] vbBux / vbPlaza v1.5.8
[vB 3.5.0 Beta 1] vBExternal v1.6
Zero Tolerance - [ Uninstall Modification ]
and GARS (geeks article system, full version)

Hope it helps determine the cause. I haven't disabled the mods yet, but that isn't causing the redirect. When viewing the source of the redirecting page (HTML output of the forum index page), there is no redirect there.

blockbusted
03 Sep 2006, 16:57
If you can get into your CPanel (if you have one), check your site redirects.

http://www.intus.co.za/cpanel_tutorials/tp/redirect.gif

It might have been changed there.

Bernd
03 Sep 2006, 17:01
I'm using plesk, and can still reach it. I'll check it out.

Wild-Wing
03 Sep 2006, 17:22
OK, this has happened twice on the forum I admin on, and it's a stupid exploit in the thread titles that allows meta redirection. I'm not going to say how it's done, but I'll PM you what to look for.

Here's a fix for it:
find in newthread.php:
if ($_POST['do'] == 'postthread')

then find:
'subject' => TYPE_STR,
change the TYPE_STR to TYPE_NOHTML

Bernd
03 Sep 2006, 20:44
That seems to be correct, I noticed a weird thread with a meta refresh of some kind. Thanks for letting me know!

DementedMindz
04 Sep 2006, 01:51
Strange. If this is the case, where it's happening to a lot of people, why wouldn't vBulletin patch it? Or is it the fact it's only happening when a certain hack is installed?

Wild-Wing
04 Sep 2006, 01:56
It's only happening with the topxstats hack; that's why they won't do anything about it.

DementedMindz
04 Sep 2006, 01:57
Well, Paul posted a fix. Didn't it work for you?

Unfortunately a good amount of the hackers seem to come from Turkey. When I ran a PHP site we always blocked Turkey IPs because they're known for trying this stuff. It is up to you if you want to use it or not.

Just add the following to your .htaccess file:



Code:
---------------
Code is only visible to licensed users, and only when logged into the forums.
---------------



This is NOT going to stop a hacker, even from Turkey. It will slow them down a bit.

Lizard King
04 Sep 2006, 11:03
Why do you do that? There are hackers all around the world and you only blame Turkish people. That is nonsense. Anyway, it is your choice not to let Turkish people onto your board.

DementedMindz
04 Sep 2006, 18:41
cause like it said..
Unfortunately a good amount of the hackers seem to come from Turkey

WhyDoesItMatter
05 Sep 2006, 17:39
I've had some people try to do this to my site as well; all were from Turkey. Thanks for those IPs, they were close to the ones that tried it on mine.

DementedMindz
05 Sep 2006, 17:41
No problem. They're not all of the IPs from Turkey, but a lot of them. I'll update it as I grab more.

TorGa3iGhT
05 Sep 2006, 18:32
Did you fix the problem? I recently had the SAME problem on my site...THREE times...I had one on Friday, once on Saturday morning, and now today, this morning. Luckily for me, my mods call me once it happens, so I just fix it...

But basically, for me, someone signed up on my forum and posted a thread with a title similar to this: >"">>>><meta http-equiv......

and it would basically take your homepage and redirect it to some other site. I would just delete the thread and it would fix the problem; however, that is just a short-term fix.

I censored some of the words for the redirect as well...try censoring "meta" or "http-equiv" and see if it fixes the problem so you can find the thread.

Also, try disabling your plugins/hacks one by one and see if it removes the redirecting. If you disable a hack and it doesn't redirect, then you know that plugin/hack has a vulnerability and shouldn't be used unless you find the problem.

Let me know if you find any other fixes...both you and I sound like we are getting the same problem...oh, and for the record, usually topxstats AND cyb advanced forumhome statistics BOTH have this problem.
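
Added example, not part of any post in this thread and not vBulletin or add-on code: a stand-alone PHP check for finding stored thread titles that were saved with raw markup, and for escaping them without double-encoding titles that are already clean. It assumes the TYPE_NOHTML change works by HTML-escaping the subject before it is stored; the function names and the sample titles are constructed, and the third title is the truncated fragment quoted in the post above.

```php
<?php
// Assumption: an escaping input filter stores "&lt;" where the user typed "<".
// A stored title that still contains raw < > or " was therefore saved
// unescaped, and any template or add-on that prints it verbatim will have it
// parsed as HTML by the browser.
function has_raw_markup(string $stored): bool
{
    return preg_match('/[<>"]/', $stored) === 1;
}

// Escape a stored title for repair. double_encode=false leaves entities that
// are already present (e.g. "&amp;") untouched, so clean rows are unchanged.
function repair_title(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);
}

// Return the ids of threads whose stored titles need review.
function find_suspect_threads(array $threads): array
{
    $hits = [];
    foreach ($threads as $id => $title) {
        if (has_raw_markup($title)) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample rows (thread id => stored title).
$threads = [
    101 => 'Welcome to the forum',
    102 => 'Tom &amp; Jerry &lt;3',      // escaped when it was posted
    103 => '>"">>>><meta http-equiv',    // fragment from this thread, stored raw
];

foreach (find_suspect_threads($threads) as $id) {
    printf("thread %d stored:   %s\n", $id, $threads[$id]);
    printf("thread %d repaired: %s\n", $id, repair_title($threads[$id]));
}
```

Only thread 103 is reported; threads 101 and 102 pass through repair_title() unchanged, so the repair can be run over every row.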

Ascor
05 Sep 2006, 22:34
Thank you, Wild-Wing, your tip is very helpful :)

stan111
06 Sep 2006, 06:49
I am using 3.0.7.
I do have this: if ($_POST['do'] == 'postthread')

but the rest are like this:



Code:
---------------
Code is only visible to licensed users, and only when logged into the forums.
---------------



Nothing like 'subject'.

Please show me a way to fix this.

I have the top 5x stat on my forum.

Paul M
06 Sep 2006, 07:26
Remove the topXstats mod - there is currently no fixed version of that for vb 3.0.x boards.

zooki
17 Sep 2006, 15:21
Gosh, I'm glad I have some Pro Turkish stuff on my site..... and Turkish members. lol.

It's sad people do this sort of stuff :( .

What are good sites to learn about protecting servers?

DementedMindz
18 Sep 2006, 06:58
Personally, I use this site a lot for tips and tweaks for servers. http://www.eth0.us/