Hacked By Red Virus!!! [Archive]

princeedward

01-19-2009, 02:09 PM

Hacked By Red Virus!!!

...please help or any advice what to do...our site is just hacked... :p LOL!

appreciate any help from any of you guys...

best regards...
:o

saltedm8

01-19-2009, 02:33 PM

my first suggestion if you have are not already is to update to 3.8, because even if you get your site back online, they will just come back and do it again.

secondly, change all your ftp control panel and admincp passwords

if you are on the latest version then you had better send a support ticket to vbulletin.com

Lynne

01-19-2009, 02:47 PM

Do you have access to phpMyAdmin? If so, go in and select the user table to repair.

Brandon Sheley

01-19-2009, 03:28 PM

Do you have a backup? Does your host?
I would restore the backup to right before it was hacked.
At that point, update the forum and ALL the hacks and change all your passwords as well as putting a pass protect popup on your admincp.
Then examine the logs, and see how they got in.

Sawa Dee SohL

01-19-2009, 03:31 PM

For something like this, would it be good to have a backup admin name? For example, does this effect all Admin accounts? Or do they just go after the Head Admin name?

I have a few alternate Admin accounts on my site (basically hidden) - didn't know if that sort of thing might help in a case like this?

snakes1100

01-19-2009, 03:37 PM

A backup admin account is meaning less for this hack, he simply modified either a template or added code in a php file to call his site & code.

The user table crash is hard to say, it might or might not of been caused by the hacker.

There is really no need to do a backup either, removing what he did is rather easy, but as Loco stated, upgrade everything to plug the hole he used to hack the site in the first place.

princeedward

01-19-2009, 04:07 PM

Do you have access to phpMyAdmin? If so, go in and select the user table to repair.thanks Lynne...any hint how to do it...got no any idea about this....just a newbie here....

Do you have a backup? Does your host?
I would restore the backup to right before it was hacked.
At that point, update the forum and ALL the hacks and change all your passwords as well as putting a pass protect popup on your admincp.
Then examine the logs, and see how they got in.ACP Pass Protect Popup ON? ....i guess...if no other way to resolve this and back to the original situation...i guess have no choice but to restore it back...like 1 day before this happen...

For something like this, would it be good to have a backup admin name? For example, does this effect all Admin accounts? Or do they just go after the Head Admin name?
I have a few alternate Admin accounts on my site (basically hidden) - didn't know if that sort of thing might help in a case like this?how it good to have the backup admin name...in time like this? the first time...still got access to my ACP...the time that i tried to renew my pass...i got that TABLE ERROR ...so now got no ACP access anymore...

A backup admin account is meaning less for this hack, he simply modified either a template or added code in a php file to call his site & code.
The user table crash is hard to say, it might or might not of been caused by the hacker.
There is really no need to do a backup either, removing what he did is rather easy, but as Loco stated, upgrade everything to plug the hole he used to hack the site in the first place.hmmm...

anyway million thanks guys for your time about this......much appreciated...don't know how they got me...i guess don't have any solution on this but to decide to restore into previous time..say 1 day before this S---T ! happen....

just copy the page source fo more info::


<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns:st1="urn:schemas-microsoft-com:office:smarttags"
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name="keywords" content="hacked by red virus">
<meta name="description" content="hacked by red virus">
<meta name=ProgId content=Word.Document>
<meta name=Generator content="Microsoft Word 11">
<meta name=Originator content="Microsoft Word 11">
<link rel=Edit-Time-Data href="index_files/editdata.mso">
<title> hacked by red virus</title>

<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceType"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>

<style>

</style>

<meta http-equiv=Content-Language content=en-us>

</head>

<body bgcolor=black lang=EN-US style='tab-interval:36.0pt;background-attachment:
fixed'>

<div class=Section1>

 Ow3nd by 

Red Virus

<img width=350 height=60
id="_x0000_i1025" src="http://upload.traidnt.net/upfiles/WyO07387.gif" border=0><o:p></o:p>

 [ 
Red
ViRus WaS HeRe  ]<o:p></o:p>

[~] Stay Safe..
Don't Try This AT WEB (๏̯͡๏) 

---- - - - - - - - - - [ oPS , Doomed By RED VIRUS ] - - - - - - - - - ----



<st1:City w:st="on"><st1:place w:st="on">Mission</st1:place></st1:City>
Complete "); 
 
Exit
Form This Dirty Box ...

من يكره مصر خسران

ومن يرسمها فنان ومن يحسدها غيران ومن يحبها انسان ومن يحتلها حيوان وتعيش مصر غصبأ
على الزمان 

---- - - - - - - - - - [ Contact ] - - - - - - - - - ----



C3O@W.CN

 (๏̯͡๏)

---- - - - - - - - - - [ Greets ] - - - - - - - - - ----


 D3ViL
<a href="mailto:iR@Q,hebarieh,falconbuss,هتلر">iR@Q</a><a href="mailto:iR@Q,hebarieh,falconbuss,هتلر">,hebarieh,ASD,هتلر</a>
الشمرى<a href="mailto:iR@Q,hebarieh,falconbuss,هتلر">,</a>EgYpTioN
HaCkEr<a href="mailto:iR@Q,hebarieh,falconbuss,هتلر">,</a><a href="mailto:iR@Q,hebarieh,falconbuss,هتلر">falconbuss</a>

</div>

</body>

</html>


<script type="text/javascript">

</script>

snakes1100

01-19-2009, 04:10 PM

1. Its not that hard to remove what he did, search the db for keywords in his code, (most likely a template)

2. Verify no php files were modified. (global.php if its on every page)

3. Upgrade site, forums, hacks etc.

princeedward

01-19-2009, 07:13 PM

i guess there is really no way to put back my site to the latest situation...i'll have to re-upload the previous data back up to make my site online again...

one question:

is there anyway to search from my latest backup those latest post and bring or pull it up or back again...i mean just those latest post yesterday and today before my site hacked/freeze and mix it to last 2 days ago...because i re-install or upload again those backup from 17 Jan.

thanks and appreciate any help guys...

:o

snakes1100

01-19-2009, 08:16 PM

There is no reason to import a backup, we have already told you how to repair your site, use phpmyadmin to recover the table crash, then use phpmyadmin to find any keywords from the hackers pages, it is most likely he simply modified a template.

Importing a old db is simply going to allow the hacker to do what he did again if you dont update the forums and its hacks.