View Full Version : Help!!!!
RTMdotORG
12-30-2008, 05:18 PM
i got hacked...
www.ripthemic.org
any ideas on how to delete the html code?
--------------- Added 1230668356 at 1230668356 ---------------
...........................
Dismounted
12-31-2008, 05:19 AM
Your board looks fine.
RTMdotORG
12-31-2008, 11:31 PM
yeah i got it fixed....
then they hacked us again...
vbfirewall prevented it 5 times...
my server told me they inserted it into the database...
any suggestions?
can rss feeds do this?
--------------- Added 1230773562 at 1230773562 ---------------
now its the way it was before i got it fixed the last time...
hacked again...
Lynne
12-31-2008, 11:52 PM
Do you have phpMyAdmin? And is it protected? Disable all your mods when you next put the site up also. See if they can hack the site with your mods disabled. And look for any suspicious files on the server.
dyna88
01-01-2009, 12:19 AM
Have you checked your server logs???
RTMdotORG
01-01-2009, 12:22 AM
The first time this happened, i contacted my server and they fixed it...
they said it was injected into the database...
the very next day(today)...
I was hacked again...
i have vbfirewall and...
i received 5 emails saying it blocked 5 attempts from hacking...
then it bypassed and now im hacked....
fixed it once, then they hacked again....
www.ripthemic.org
heres wut it showed when prevented...
1||1230677435||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677439||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677448||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230734502||124.187.20.43||do=removesubscriptio n&t=3||http://ripthemic.org/forums/showthread.php?t=3&nojs=1||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
1||1230765308||67.167.16.183||do=viewsubscription| |http://www.ripthemic.org/forums/usercp.php||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.2)
is it possible that people are having problems with subscriptions because theres a security issue???
all the actions have to do with subscriptions and everyone is talking about having issues with subscriptions....
i have a feeling vbfirewall has a security issue and id hate to accuse the creator of vbfirewall but you cant put it past anyone these days...
heres the link for vbfirewall
https://vborg.vbsupport.ru/showthread.php?t=196791
dyna88
01-01-2009, 12:44 AM
I think the server logs would be more telling. Oh I was looking at your site and you will find two more attempts with my IP, the last six digits are 180.113 probably because I tried to directly access the viewsubscription function.
RTMdotORG
01-01-2009, 12:49 AM
I think the server logs would be more telling. Oh I was looking at your site and you will find two more attempts with my IP, the last six digits are 180.113 probably because I tried to directly access the viewsubscription function.
nope...
no more attempts...
sparklywater
01-01-2009, 01:50 AM
That vbFirewall mod looks fishy to me. If I were you I'd uninstall it and not rely on that.
Lynne
01-01-2009, 02:32 AM
Read the vbfirewalled thread cuz I seem to recall them talking about problems with the subscriptions and a fix being posted. (sorry, I don't feel like reading it again.)
As suggested though, take a look at your server logs or ask your host to take a look at them and tell you how they are getting access to the database.
Medtech
01-01-2009, 02:54 AM
it's hacked now at this moment. sending ya a pm RTMdotORG
RTMdotORG
01-01-2009, 02:57 AM
it's hacked now at this moment. sending ya a pm RTMdotORG
okay.
Dismounted
01-01-2009, 03:19 AM
1||1230677435||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677439||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230677448||66.156.165.120||do=viewsubscription ||http://www.ripthemic.org/forums/usercp.php||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17
1||1230734502||124.187.20.43||do=removesubscriptio n&t=3||http://ripthemic.org/forums/showthread.php?t=3&nojs=1||Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
1||1230765308||67.167.16.183||do=viewsubscription| |http://www.ripthemic.org/forums/usercp.php||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.2)
They are not "hackers". They are normal users trying to manage subscriptions... vBFirewall is more effort than its worth.
RTMdotORG
01-01-2009, 04:20 AM
They are not "hackers". They are normal users trying to manage subscriptions... vBFirewall is more effort than its worth.
well that's a relief.
--------------- Added 1230832971 at 1230832971 ---------------
well my site was put back up once again...
lass than 7 hours later....hacked AGAIN!!!
3 times in 3 days!!!!
www.ripthemic.org
1||1230777472||98.100.180.113||do=viewsubscription ||||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
1||1230777561||98.100.180.113||do=viewsubscription ||||Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
1||1230816616||86.96.229.88||s=&do=add&dostyleid=10&title=headinclude&group=all&searchstring=&expandset=10||http://ripthemic.org/forums/admincp/||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
1||1230816628||86.96.229.88||s=&do=add&dostyleid=10&title=headinclude&group=all&searchstring=&expandset=10||http://ripthemic.org/forums/admincp/||Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
^SuiCyde^
01-02-2009, 02:17 AM
wow - www.ripthemic.org/forums/
HaCked By : Sniper-3 | Devano |
__
# Black Hat's Crew #
MSN :
3-Z@Live.Com
__
Dismounted
01-02-2009, 03:10 AM
Disable and uninstall all your modifications. Making sure you remove all files of those modifications. Also make sure there are no suspicious files hiding in any of the directories.
Medtech
01-02-2009, 07:33 PM
I went through the file system and removed alot of code and restored admin access. Got the site back up again. they made a mess over there. they injected into the database. they targeted index.html. index.php. login.php and removed RTMdotORG's admin acct. Renamed admincp.... chmodded a few files and did some work on the server. outside of needing a new index.html file, should be no problems now. forums are working. :cool:
RTMdotORG
01-03-2009, 03:55 PM
yessir.
thank you.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.