My Site Hacked Redirected?! Got Damn!
Chicago_VLNU_4s
09-03-2006, 08:04 PM
....... www.offthaave.com/forums (http://www.offthaave.com/forums) OTA 4 DAYZZ! We still runnin strong on you lames!
Kirk Y
09-03-2006, 08:10 PM
They may have added a Meta Redirect, check your headinclude template I believe.
Paul M
09-03-2006, 08:15 PM
Do you have the topXstats mod installed ?
Chicago_VLNU_4s
09-03-2006, 08:15 PM
i'm new to all this so please be as exact as you can acid. Walk me thru to what i would have to look for.
Thanks 4 the quick reply
Chicago_VLNU_4s
09-03-2006, 08:16 PM
yes @ Paul M.. i was just reading your other post a few threads down. I don't get it though, yes i have it, but what do i do now?
Kirk Y
09-03-2006, 08:17 PM
Paul is probably right on this one, I know a lot of people have been recently getting this problem as they've installed Top X Stats or Cyb Top Poster.
Download the latest version whichever you have; they should be patched.
Paul M
09-03-2006, 08:18 PM
Actually, it looks like your index.php file may have been replaced, upload the original vbulletin index.php from your zip file.
Chicago_VLNU_4s
09-03-2006, 08:31 PM
Nope @ Paul M. restored original index.php and it still re-directs!!!!!! what now??
Smoothie
09-03-2006, 08:36 PM
Check to see if there is a .htaccess file on your server.
Paul M
09-03-2006, 08:41 PM
Try disabling all your plugins by adding this line to your config.php
define('DISABLE_HOOKS', true);
Kirk Y
09-03-2006, 08:47 PM
Check to see if there is a .htaccess file on your server.
Check to see if a redirect has been added to your .htaccess file; most people already have one on their server.
Chicago_VLNU_4s
09-03-2006, 08:52 PM
Check to see if there is a .htaccess file on your server.
yeh, i have the myspace profiles up and the .htaccess is in the forums root. But i just tried deleting that and no good.. Paul M, i'll try disabling the hooks like you said and see what happens
*************************************
well do i have to put
define('DISABLE_HOOKS' true)
in a certain place? cuz i put it below the first two boxes and nothing.... still re-directs to that lame @$$ site. What's next?
and for the .htaccess file on my forum root, this is the only thing in it
RewriteEngine On
RewriteRule ^$ index.php
RewriteRule (^[-_A-Za-z0-9\ ]*$) member.php?&username=$1
Paul M
09-03-2006, 09:02 PM
Sorry, there is nothing else I can tell you, it looks like you will need to give someone access to your site to investigate where the redirect is coming from.
Chicago_VLNU_4s
09-03-2006, 09:11 PM
ok, well who do i give access to the site because you can't even login thru admin cp? should i try to alert my host administrator or what?
Paul M
09-03-2006, 09:14 PM
anyone that ;
1. You trust.
2. Knows what they are doing with respect to vbulletin.
Smoothie
09-03-2006, 09:16 PM
No, check to see if you have a .htaccess file in your public_html directory not forums directory.
Paul M
09-03-2006, 09:20 PM
You can get to his acp login page up okay, so I don't think it's an htaccess file anywhere.
Chicago_VLNU_4s
09-03-2006, 09:25 PM
well.. i just filled out a support ticket @ vbulletin.com .. but i mean, if i can't log on thru admin cp, what good will it do giving some1 out my info like that?
Wild-Wing
09-03-2006, 10:00 PM
read this post https://vborg.vbsupport.ru/showpost.php?p=1066969&postcount=6
Al-Fateh
09-03-2006, 10:57 PM
question to Paul
what does the Top X Poster do to the site?
Shazz
09-03-2006, 11:01 PM
question to Paul
what does the Top X Poster do to the site?
Well if paul doesn't answer you can find more description of it here
https://vborg.vbsupport.ru/showthread.php?t=93065&highlight=top
Al-Fateh
09-03-2006, 11:08 PM
i have one similar to that on my site by Cyb
it works just fine with no problems at all, i had it for months now
but this site hack thing got me scared LOL
Wild-Wing
09-03-2006, 11:51 PM
yea it's happened twice to the forum i admin and code for. so i devised my own fix that the vbull developers think is stupid
Odoin
09-03-2006, 11:54 PM
What was your fix Wild-Wing?
Wild-Wing
09-03-2006, 11:54 PM
go up to post # 19 and click that link its the best solution i think
Chicago_VLNU_4s
09-04-2006, 12:14 AM
well, i think i MIGHT know what it's coming from. Lets say if you had illegal content on your site (music downloads) and a company sent you an e-mail twice, but you didn't end up checkin your mail till the day your site is down, could they tell your domain to forward your site to another one? I'm willin to work with this business cuz they said they would let me take down the music, but how the f*ck am i goin to do it if i can't get on. So i e-mailed these jackasses back askin them what they did and they need to put my site back cuz i can't do anything if i can't even get into the admin cp.
On top of that, these @$$holes coulda had it re-direct to their own site, but they have it sent to another forum.... b*tches
puertoblack2003
09-04-2006, 12:25 AM
well, i think i MIGHT know what it's coming from. Lets say if you had illegal content on your site (music downloads) and a company sent you an e-mail twice, but you didn't end up checkin your mail till the day your site is down, could they tell your domain to forward your site to another one? I'm willin to work with this business cuz they said they would let me take down the music, but how the f*ck am i goin to do it if i can get on. So i e-mailed these jackasses back askin them what they did and they need to put my site back cuz i can't do anything if i can't even get into the admin cp.
On top of that, these @$$holes coulda had it re-direct to their own site, but they have it sent to another forum.... b*tches
listen i had the same problem. go to your admin cp, disable your forum. Go to the last reg user, delete that because that will be the hacker that registered, and then disable all plugins. from there go to the thread that the script was injected, then delete the post and take it from there, and install new patch for topxstat, that's where the problem with me was. And turn plugin back on and you will be ok
Ntfu2
09-04-2006, 12:28 AM
check all your forum postings.
You probably got hit with a meta refresh in a thread title.
if you need help let me know
Paul M
09-04-2006, 12:33 AM
i have one similar to that on my site by Cyb
it works just fine with no problems at all, i had it for months now
but this site hack thing got me scared LOL
The mod by cybernetic had a security hole in it until last week when he updated it.
Ntfu2
09-04-2006, 12:35 AM
That'll do it too :darnkids:
Chicago_VLNU_4s
09-04-2006, 12:38 AM
lol you guys are skipping the important part, i CANT access admin cp. I can get into the log in screen but when i log in, it goes to that stupid ass site. And you can access my homepage via www.offthaave.com but you can't access the forums without it re-directing!
puertoblack2003
09-04-2006, 12:45 AM
lol you guys are skipping the important part, i CANT access admin cp. I can get into the log in screen but when i log in, it goes to that stupid ass site. And you can access my homepage via www.offthaave.com but you can't access the forums without it re-directing!
i saw that one of the user say to replace the index.php now in admincp it also has a index.php try to replace it and try again
also go to the topXstat.php and change the extension to whatever.
Chicago_VLNU_4s
09-04-2006, 01:04 AM
^^ well i replaced the index.php in the admin cp and no go.... and i can't find the directory where topXstats.php goes.. help?
Wild-Wing
09-04-2006, 01:06 AM
well, i think i MIGHT know what it's coming from. Lets say if you had illegal content on your site (music downloads) and a company sent you an e-mail twice, but you didn't end up checkin your mail till the day your site is down, could they tell your domain to forward your site to another one? I'm willin to work with this business cuz they said they would let me take down the music, but how the f*ck am i goin to do it if i can't get on. So i e-mailed these jackasses back askin them what they did and they need to put my site back cuz i can't do anything if i can't even get into the admin cp.
On top of that, these @$$holes coulda had it re-direct to their own site, but they have it sent to another forum.... b*tches
here's what you do: go to your site ie http://www.yoursite.com/forum/usercp.php then go to new posts and delete the thread
puertoblack2003
09-04-2006, 01:06 AM
^^ well i replaced the index.php in the admin cp and no go.... and i can't find the directory where topXstats.php goes.. help?
man ok the topXstats should be in your forum directory, that's if you have it installed
Wild-Wing
09-04-2006, 01:14 AM
most likely the root directory of the forums
lol you guys are skipping the important part, i CANT access admin cp. I can get into the log in screen but when i log in, it goes to that stupid ass site. And you can access my homepage via www.offthaave.com but you can't access the forums without it re-directing!
get phpmyadmin and look in your templates table and search for the header include template, delete the meta redirection in it
Ntfu2
09-04-2006, 01:35 AM
its either a meta redirect, or a .htaccess which will be in the web root
Wild-Wing
09-04-2006, 01:39 AM
well if it was a .htaccess redirect the whole site would redirect
Chicago_VLNU_4s
09-04-2006, 03:10 AM
well still can't get on. Butters is trying to help me.. but unfortunately, my site is still redirected hacked :(
peterska2
09-04-2006, 03:11 AM
I've just tried and can get to your admincp just fine.
Go directly to the URL for your admincp NOT to your forums first.
Chicago_VLNU_4s
09-04-2006, 03:33 AM
peterska, buddy, you're kinda late. I could already access Admin CP log-in via URL. But the thing is, when i log in, it re-directs to the page. Everyone, try for yourself and see. Just make up any bogus screen name and password.
http://www.offthaave.com/forums/admincp/index.php
SuperFly
09-04-2006, 03:35 AM
try replacing your login.php file
DementedMindz
09-04-2006, 03:36 AM
cant you get in to your mysql? if so and you know mysql you can delete the post they made.
I guess they fixed it huh?
Chicago_VLNU_4s
09-04-2006, 03:52 AM
well i'm gettin alotta help in here an PM and i appreciate everyone's input btw. Right now, we're trying to get access thru CPanel.... if anyone has any other suggestions, I'm all ears
DementedMindz
09-04-2006, 03:54 AM
you should be able to get in cpanel no problem. I think even if you disable the hooks in your config like paul or whoever said you could check alot easier
SuperFly
09-04-2006, 04:01 AM
honestly did you replace your login.php with a vbulletin default.
I'm 70% sure that's it.
calorie
09-04-2006, 04:05 AM
Use phpMyAdmin and run the following query to see if it's in a template:
# replace vb3_ with your vB table prefix
SELECT title FROM vb3_template WHERE template LIKE '%slumz%';
Chicago_VLNU_4s
09-04-2006, 04:29 AM
well i'm getting help thru CPanel like stated so if this doesn't work, i will most def. like you guys know and i will try your ways. He promises it will work cuz i guess the same happened to him. So hopefully, in 20 minutes, i will be able to come back in here with good news
DementedMindz
09-04-2006, 04:37 AM
20 mins? shouldnt take that long. why dont you download your database via phpmyadmin open it in a notepad and search for that site name that its being refreshed to and see where it is in the sql. this way you can point it out quickly and fix it quickly
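The dump-and-search check suggested in the post above, as an added example that is not part of the original thread. It generalizes from one site name to any meta refresh whose target leaves your own hosts. The function name, the sample dump rows and the hostnames are constructed, and it assumes a mysqldump-style file with one INSERT statement per line.

```python
import re
from urllib.parse import urlparse

# <meta http-equiv=refresh ...> in any letter case, with or without quotes.
# Inside a SQL dump the quotes are backslash-escaped, so allow an optional "\".
META_REFRESH = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*\\?[\"']?refresh\b[^>]*>", re.IGNORECASE)
# Target of the refresh (content="0;url=..."); stops at quote, "\", space or ">".
REFRESH_URL = re.compile(r"url\s*=\s*\\?[\"']?([^\"'\\\s>]+)", re.IGNORECASE)
# Table name at the start of an "INSERT INTO `table` VALUES ..." line.
INSERT_TABLE = re.compile(r"^INSERT INTO `?(\w+)`?", re.IGNORECASE)


def scan_dump(lines, own_hosts):
    """Return (line_no, table, url) for every meta refresh that leaves own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = INSERT_TABLE.match(line)
        table = m.group(1) if m else "?"
        for tag in META_REFRESH.finditer(line):
            target = REFRESH_URL.search(tag.group(0))
            if not target:
                continue
            url = target.group(1)
            try:
                # hostname is None for relative URLs and template variables ($url)
                host = urlparse(url).hostname
            except ValueError:
                host = "?"  # unparsable target: report it rather than skip it
            if host and host.lower() not in own:
                findings.append((line_no, table, url))
    return findings


# Constructed sample rows (not taken from any real board); vb3_ is the table
# prefix used in calorie's query, the column layout is simplified.
SAMPLE_DUMP = r"""
INSERT INTO `vb3_template` VALUES (1,'STANDARD_REDIRECT','<meta http-equiv=\"Refresh\" content=\"2; URL=$url\" />');
INSERT INTO `vb3_thread` VALUES (2699,'hello <META HTTP-EQUIV=refresh content=\"0;url=http://redirect.example.invalid/a\">');
INSERT INTO `vb3_post` VALUES (5,'normal post with a link http://forum.example.org/');
INSERT INTO `vb3_template` VALUES (7,'FORUMHOME','<meta http-equiv=\'refresh\' content=\'0; url=//redirect.example.invalid\'>');
INSERT INTO `vb3_template` VALUES (9,'custom_notice','<meta http-equiv=\"refresh\" content=\"5;url=http://forum.example.org/index.php\">');
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, table, url in scan_dump(SAMPLE_DUMP, {"forum.example.org"}):
        print(f"line {line_no}: table {table} redirects to {url}")
```

The table name tells you whether the redirect sits in a template (revert it) or in a thread or post (delete it), which are the two cases reported in this thread.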
Butters
09-04-2006, 04:40 AM
These are the templates that have been replaced .....
(yes ... 20 mins ish ... I need sleep !)
Chicago_VLNU_4s
09-04-2006, 04:42 AM
he said they replaced my whole FORUMHOME template.. but ill try
DementedMindz
09-04-2006, 04:42 AM
revert
Chicago_VLNU_4s
09-04-2006, 08:52 AM
Ok thanks everyone, Butters helped me everything and he had to do everything in CPanel, but its restored now. Thanks for all your replies
SuperFly
09-04-2006, 02:52 PM
BTW now that i can see your site, not bad.
cbr929rrerion
09-04-2006, 03:48 PM
They may have added a Meta Redirect, check your headinclude template I believe.
This was done to my forum also but the redirect was just a thread they started, I deleted the thread and it stopped.
NOW
How can I not let that happen again?
DementedMindz
09-04-2006, 04:29 PM
upgrade to the newest topXstats or flashchat which ever one you use.
iran.gs
09-04-2006, 09:06 PM
its so weird ur id chicago and i am chicago and same shit happened on saturday to me looooooooooool it was redirected to a turkish site saying we hacked it ok let me tell what to do if this happens again which lets hope not to.
first of all this was the turkish delight who did my site
IP: 85.104.221.179 Country: Turkey City: oh well half of turkey will never be able to come my site i did a ip range..
now whenever anyone gets this problem this post is always been done on the first page of ur forum right ? so u try to get in like members area or admin area since this code is only code for main page then press new members or new posts and then from c panel of the forum just delete the main post they used 4 posts on me :( this is the code they used so All Admins see this and fix make a patch for it i lost 140 good posts because of this
i will change some settings in this code so no one can learn this code
"">>>><meta http-equiv="??????" ?????="0;url=http://ts.somee.com"> """" > <showthread.php?t=2699>
this is what they used on my site 4 of them :( all day my site was done and it was so embarrassing :( so i forwarded my domain to another folder meanwhile till i fixed this i hope VB make a patch for this they used this on my forum nuke site also few yrs ago !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Chicago_VLNU_4s
09-04-2006, 09:36 PM
i see my last reply didnt go thru. Well my site was better, especially the MEMBERINFO template. We had the myspace profiles and i personally edited them and added more features so alotta time and dedication was put into this site, then these b*tches come in, hack it and delete sh*t with no warning. Thats why i was wondering if i could get it back running to the way it was 2 days ago instead restoring it to the backup point, which is 3 weeks or more old? I believe butters backed up in CPanel so thats why i'm wondering? what are you guys' input cuz my site is running again, but like i said, its runnin to what it was running exactly 3 weeks ago since i last backed up
DementedMindz
09-05-2006, 02:43 AM
hmm you should have just dropped them 3 sql tables back in the database, this way you didnt lose everything.
TorGa3iGhT
09-05-2006, 05:12 PM
did u find the problem? i had this happen to my site FOUR times now...once while I was sitting right there removing one...
it was a post in a thread that redirected....the 4th attempt was a line that was trying to execute a script. basically, i just deleted the thread. Also, i had the cyb forumhome installed, and i disabled it, and the redirect went away.
PM me if ur still having this problem...a lot of people have been getting hacked this weekend.
da420
09-05-2006, 06:26 PM
Sounds like all these hackers are from Turkey lately. Glad it hasnt happened to me yet. *knocks on wood*
SuperFly
09-06-2006, 01:57 AM
it happened to me, but they failed miserably, only thing was, mine were arabs.
Paul M
09-06-2006, 02:43 AM
i see my last reply didnt go thru. Well my site was better, especially the MEMBERINFO template. We had the myspace profiles and i personally edited them and added more features so alotta time and dedication was put into this site, then these b*tches come in, hack it and delete sh*t with no warning. Thats why i was wondering if i could get it back running to the way it was 2 days ago instead restoring it to the backup point, which is 3 weeks or more old? I believe butters backed up in CPanel so thats why i'm wondering? what are you guys' input cuz my site is running again, but like i said, its runnin to what it was running exactly 3 weeks ago since i last backed up
Restore your backup from 3 weeks ago to another database, and then extract the three templates you want and update the current database with them.
Phaedrus
09-06-2006, 02:45 AM
Has anybody checked to see if he has HTML on and somebody put a redirect on a Thread Title?
stan111
09-06-2006, 04:36 AM
happened the same to my site
but some of my supermod accidentally delete the thread and it back to normal now
i have the top x on my site on 3.0.7
please tell us how to fix this
Paul M
09-06-2006, 05:24 AM
If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.
popowich
09-06-2006, 03:03 PM
If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.
I upgraded over the weekend to the c version for 3.6.
Is that one actually OK or should I remove it in case there are additional problems?
I also saw a reference to flashchat in another forum having a problem.
Should flashchat be removed too?
Any others?
-Raymond
HabboHall
09-06-2006, 06:58 PM
Hey! Sorry if this was posted in the few pages, I didnt look through.
I had the same problem as you, I got hacked.
Now, this is how I got rid of the redirect:
As your forum loads, click 'stop' in the browser toolbar, before it redirects. Scroll down the page, until you find a post with some code as its title. Delete it. Thats it.
Kirk Y
09-07-2006, 10:51 PM
I wish people would stop saying they got hacked. Your board was exploited through a modification that had a hole in it.
It was never infiltrated by some unknown assailant, quit being so dramatic.
rolandogomez
09-14-2006, 11:03 PM
I understand about whether you were "hacked" or not. We were, via FlashChat, they inserted a file called 17-2.
Do a Google on "suidsafe exploit" and you'll see they are all over the Internet today with this thing. They were caught as they were going to root level, we pulled the server off line, deleted all the compromised files, then upgraded all our systems with new hard drives. The reason they were caught so fast, they tried running a "cron" that failed, so I got an email with the cron error--happened to be on line when they had done it.
A friend of mine with another popular photo forum was hacked with the same exploit on shared server the week prior, also running FC and VB 3.5. I'm not a programmer, but I can tell you my server provider, Rackspace.com did a fanatical job, we had to replace hard drives to be sure too.
Today a few hours ago with another attempt, via a "registered users only" forum, they tried to insert this: ">""********<**** **********=********* content="0;url=http://hastabeyinler.com/a"> **** > which I have part of in the "censored words" section as this, >>>> {http-equiv} "Refresh" """" By adding " >>>> {http-equiv} "Refresh" """" " (w/o the quote marks) it will add another layer of defense. The attempted hacker today went by the name of "dreamer" and the email is lll_dreampool_lll@hotmail.com and for his city he put "Ankara" and his IP was 85.101.1.4 resolves near there in a place called Kocaeli.
Oh well, we get attacked daily, and yes, we've been through hackers before, but we keep putting up layer after layer, someday perhaps they will all go away? (yea right).
For those worried about Turkish IP's, I've attached a list in the format you'd put in the banned IP list. Be careful, not sure if they block other IP's that are legit. For an even more precise list, go here, http://www.dnsstuff.com/pages/testbed.htm and enter "Turkey" or whatever country you want--be careful in banning an entire country from your site--they can still use other methods and other IP's from other countries. This is just a "layer" of protection but will not stop them.
Oh, on the Cyb Topstats, we made it where the "form" where you can change the amount of results is only visible by "paid" members. Here is the code (crossing my fingers I can post this right)
<if condition="is_member_of($bbuserinfo, X, X, X, X, X)">
<form method="post">
<input type="hidden" name="resultsnr" value="$resultsnr" />
<div class="smallfont">$vbphrase[cyb_results_more]<br /><input type="text" class="bginput" style="font-size:11px" name="resultsnr" value="$resultsnr" size="2" /> <input type="submit" class="button" value="$vbphrase[cyb_results_more_show]" accesskey="s" /></div>
</form>
<else />
<b><font size="2" color="red" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"> You must be a paid member for more stats options, up to 150 top results.</font></b>
</if>
</td>
<else />
<td width="100%" class="alt1" align="center">
$vbphrase[cyb_more_disabled]
</td>
</if>
Note: Replace "X" with your forum field ID's as appropriate. In the end, you can prevent, it just gets harder everyday. Wishing everyone the best, rg sends!
Chicago_VLNU_4s
09-22-2006, 10:38 PM
I wish people would stop saying they got hacked. Your board was exploited through a modification that had a hole in it.
It was never infiltrated by some unknown assailant, quit being so dramatic.
who cares what terminology you consider "hacking", point is, it's back up and running
Kirk Y
09-22-2006, 10:50 PM
I care. :)
MRGTB
09-22-2006, 11:48 PM
who cares what terminology you consider "hacking", point is, it's back up and running
Don't think so mate, check your site link. It says your site is suspended! :rolleyes:
DementedMindz
09-22-2006, 11:51 PM
:banana: lol yeah that it is
Chicago_VLNU_4s
09-23-2006, 01:28 AM
Don't think so mate, check your site link. It says your site is suspended! :rolleyes:
hahha good eye, it's cuz i'm switching host due to my current one shutting down shop
Paul M
09-23-2006, 03:22 AM
The suidsafe exploit appears to be a linux kernel exploit ;
The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption).
elitemerlin
05-26-2007, 09:03 AM
hey guys my site got exploited 2 days ago, and after 2 days of trying to fix it, it seems i can't do it, i have done everything like changing things from _STR to _NOHTML, SQL queries in CPanel, and looking for weird named threads to delete but nothing, also the site redirects to a turkish hacker site, and when i log into AdminCP everything is ok, until i go to look @ the forum things, then those pages redirect as well, If anyone could take a hands on look, (Like butters or Paul) I would pay via PayPal for your help, thank you all in advance.
bitdefuser
05-26-2007, 12:03 PM
This thread was from September...
Just go to your domain configuration and change it there or check the .htaccess file.
elitemerlin
05-26-2007, 07:17 PM
nothing is wrong in the .htaccess files, and the domain config im not sure what your referring to, is it inside the admincp?
bitdefuser
05-26-2007, 07:37 PM
I'm talking about the people who host your domain. Such as Godaddy, etc.
Check the forward option in their panel. Chances are, he has set a forward onto it or changed the DNS records.
Edit: If that doesn't work either, try searching in the Styles for the site you get redirected to. Same with the PHP files.
elitemerlin
05-27-2007, 12:18 AM
is there some way, possibly a query command that would search every file for his url to find the corrupted file(s)? - I'm running version 3.6.5 do you think i should update to the newest version of 3.6.7 PL1, do you think upgrading would automatically fix this problem? Also when upgrading would i have to remod everything? Thanks.
Dismounted
05-27-2007, 05:51 AM
Upgrade to 3.6.7 PL1 and revert all the templates. Then re-apply all the template edits from your mods. Another way would be to compare them and change the necessary but it'd take more time than the other way.
unicorn2433
05-14-2008, 09:29 PM
is the top posty I have installed a security issue ... I have been having a lot of hack attempts.
http://www.chatterscene.com
Paul is probably right on this one, I know a lot of people have been recently getting this problem as they've installed Top X Stats or Cyb Top Poster.
Download the latest version whichever you have; they should be patched.
adwade
05-14-2008, 11:58 PM
Is there a 'Things to check first' listing or document somewhere, when something like this happens?
If not, I'd certainly like to see one come out of this thread. There's a lot of good tips from what I could tell, but no logic to their order in all these replies.
Even a simple one page PDF Hint Sheet could save someone hours, or days in sorting their way through issues like this. :(