  #1  
Old 07 Nov 2010, 04:00
jojojijijojo1 jojojijijojo1 is offline
 
Join Date: Oct 2009
forum index hacked-redirect

Greeting everyone,
I own a vBulletin 4 forum, and I was hacked. My forum index.php displayed a message from the hacker, then redirected to the hacker's website. My question is how they could do that, and how to stop such an attack in the future? What are the causes? Also, the exploit was used in the database, because re-uploading all the original files did not work, so I had to restore the database.
  #2  
Old 07 Nov 2010, 04:12
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
You should talk to your host about how they did this. You'll need to look at your access_logs to see what happened.

If you had to fix this by restoring the database, then that means they got access to the server, so DEFINITELY talk to your host about this!
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #3  
Old 07 Nov 2010, 05:26
sebaldus sebaldus is offline
 
Join Date: May 2008
Real name: Thor
Hi all.
I have also had the same problems.

Luckily for me, I had not upgraded the database after the hack.

All my forums, and over 110 WP blogs, were totally hacked, and all index.php and index.html files were changed.

I had a backup of all sites on my computer and also a backup of all databases.

This was the second time in 14 days. I have tried to secure my host account using Geo City IP Secure, but it does not help at all.

I asked my host what I should do to avoid being hacked and they answered: change all 777 files (close them), and change the passwords for FTP and ACP login.

But I had done that too, and I am using a generated password, so special that I have to copy the username to log in (LIKE THIS: *Sebaldus*™). That TM (trademark) is very difficult for hackers to write, and they have to know it and copy it too.

So I guess it's a script, tracking cookie or something on my huge host account, and my host told me to scan the whole account?

How can I scan a host account?

Then I have to download everything to my computer and scan it, and then upload it again.

That's a lot of work.

Just overwriting all files on all sites and forums has taken me 3 days now, and I am still overwriting the last sites.

My host, http://servage.net, can NOT reset the database; that's why I always take backups of them.

This time I was hacked by Shichemt Alen from: http://Shichemt-Alen.com
And they accuse me of supporting ISRAEL. WHY?
I don't support Israel or Palestine.

All sites look like this:


View at EasyCaptures.com

I'm a pagan (Wicca) and don't care if they are bombing each other back to the Stone Age.


But: About the HACKING..

They upload a script into all index.php and index.html files. Just find the script, change it back to the original (remove the script, upload new index files) and upgrade the database.

I did that and it worked fine.

So I didn't have to reset the database at all.

Just some advice: try it first.

AGAIN:

1. Overwrite all index.php and index.html files using FTP and upload only those files.
2. Back up your database again.

Hackers are now writing a script in your forums, which attacks all your index files when they post in the forum.

This is very difficult to find.

To secure this, go to the ACP and BAN words such as: index.php, index.html.

VOILA. It worked for me on my vB forums.


Have a Great time my friends.
All the Best from sebaldus.

Last edited by sebaldus; 07 Nov 2010 at 07:35. Reason: write errors..
  #4  
Old 07 Nov 2010, 23:37
jojojijijojo1 jojojijijojo1 is offline
 
Join Date: Oct 2009
Thanks all for your replies,
@ Lynne:
Thank you for your suggestion. Can you please tell me what exactly I should look for in the access log? Like, what are the things that can point me to the vulnerable exploit on my forum? Also, such changes to the database, can they be done by SQL injection, without having access to the server? I have a shoutbox on the index.php page that was hacked, and it was the only page that was actually hacked, plus my supermods got demoted and 1 got deleted by the hacker himself. How can this be explained, and can it be done in ways other than server access? Can it be an exploit on the shoutbox, since users actually do insert data into it?
  #5  
Old 08 Nov 2010, 03:12
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Look for logs into your admincp - check the IP, is it yours? Look for additions to the end of the URL that look like queries: "UPDATE xxxx SET yyy = zzzz". I really don't know how to explain what to look for. Look for anything unusual (and yeah, that will be hard to do if you aren't familiar with access_logs, which is why you should become familiar with them).
Reply With Quote
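The two access-log checks suggested in the post above (admincp requests from an IP that is not yours, and SQL-looking additions to a URL), written as an added example that is not part of the original thread. It assumes the Apache "combined" log format; the `triage` function, the admin IP list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format is assumed; adjust the pattern to your host's logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# SQL statement shapes such as "UPDATE xxxx SET yyy = zzzz" inside a URL.
SQL_RE = re.compile(
    r'\b(update\s+\w+\s+set|union\s+(all\s+)?select|insert\s+into|'
    r'delete\s+from|drop\s+table)\b',
    re.IGNORECASE,
)

def triage(lines, admin_ips, admin_path="/admincp/"):
    """Return (reason, ip, timestamp, decoded_target) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        path, _, query = m["target"].partition("?")
        # Decode twice so double-encoded payloads (%2520 for a space) still show.
        path = unquote_plus(unquote_plus(path))
        query = unquote_plus(unquote_plus(query))
        shown = path + ("?" + query if query else "")
        if admin_path in path and m["ip"] not in admin_ips:
            findings.append(("admincp from unknown IP", m["ip"], m["ts"], shown))
        if SQL_RE.search(query):
            findings.append(("SQL in query string", m["ip"], m["ts"], shown))
    return findings

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Nov/2010:21:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Nov/2010:22:01:45 +0000] "POST /admincp/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [06/Nov/2010:22:03:10 +0000] "GET /index.php?q=UPDATE%20xxxx%20SET%20yyy%20%3D%20zzzz HTTP/1.1" 200 99 "-" "-"',
    '203.0.113.7 - - [06/Nov/2010:22:05:00 +0000] "GET /admincp/index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, admin_ips={"203.0.113.7"}):
        print(*finding, sep=" | ")
```

Only GET query strings reach the access log, so a clean result here does not rule out injection through POST bodies; those need the application or database logs.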
  #6  
Old 08 Nov 2010, 05:58
YankForum YankForum is offline
 
Join Date: Mar 2010
Real name: alij
It's not necessarily your vBulletin that got hacked; it could be your host or FTP password or even your email.
__________________
No more signature for me , Tnx!
  #7  
Old 08 Nov 2010, 14:15
JorgeX JorgeX is offline
 
Join Date: Oct 2005
Watch the scripts you installed in vBulletin...

I got hacked once through a vBA Gallery security bug; then they made a backdoor file to get into the FTP.

Watch for NEW FILES (older than the vBulletin installation OR files with the date when you got hacked).

If you find one, maybe it's an FTP.
Reply With Quote
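One way to run the check for new and changed files discussed in this thread, as an added example that is not part of any post above. It goes beyond file dates by hashing the live web root against a clean copy of the same release, because modification times can be reset; the function names, directory layout and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests

def compare(clean_root, live_root, since=None):
    """Compare the live web root against a clean copy of the same release.

    Returns (added, modified, recent): files absent from the clean copy,
    files whose content differs, and files with mtime >= since (epoch seconds).
    """
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    recent = []
    if since is not None:
        recent = sorted(p for p in live
                        if os.path.getmtime(os.path.join(live_root, p)) >= since)
    return added, modified, recent

def demo():
    """Build two constructed trees (clean and tampered) and compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            for name in ("index.php", "forum.php"):
                with open(os.path.join(root, name), "w") as fh:
                    fh.write("<?php // original\n")
                # Backdate to July 2010 so only later changes count as recent.
                os.utime(os.path.join(root, name), (1_280_000_000, 1_280_000_000))
        # Constructed tampering: an altered index file plus one extra file.
        with open(os.path.join(live, "index.php"), "a") as fh:
            fh.write("// injected\n")
        with open(os.path.join(live, "x.php"), "w") as fh:
            fh.write("<?php // not in the release\n")
        return compare(clean, live, since=1_289_000_000)  # early Nov 2010
```

Files reported as added will include legitimate uploads and add-ons, so each one still needs a manual look; anything executable that you did not install is the priority.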
  #8  
Old 09 Nov 2010, 15:14
YankForum YankForum is offline
 
Join Date: Mar 2010
Real name: alij
I wonder how those hackers are still not able to hack 3.6.12 (which is installed here).