
View Full Version : forum index hacked-redirect


jojojijijojo1
11-07-2010, 03:00 AM
Greetings everyone,
I own a vBulletin 4 forum, and I was hacked. My forum index.php displayed a message from the hacker, then redirected to the hacker's website. My question is how they could do that, and how to stop such an attack in the future? What are the causes? Also, the exploit was used in the database, because re-uploading all the original files did not work, so I had to restore the database.

Lynne
11-07-2010, 03:12 AM
You should talk to your host about how they did this. You'll need to look at your access_logs to see what happened.

If you had to fix this by restoring the database, then that means they got access to the server, so DEFINITELY talk to your host about this!

sebaldus
11-07-2010, 04:26 AM
Hi all.
I have also had the same problems.

Lucky me, I had not upgraded the database after the hacking.

All my forums, over 110 WP-blogs, were totally hacked and all index.php and index.html files were changed.

I had a backup of all sites on my computer and also a backup of all databases.

This was the second time in 14 days. I have tried to secure my host account using Geo City IP Secure, but it does not help at all. :(

I asked my host what I should do to not be hacked and they answered: Change all 777 files (close them), change the password for FTP and ACP login.

But I had done that also and am using a generated password, so special that I have to copy the username to log in.. LIKE THIS: *Sebaldus*™ ) That TM (trademark) is very difficult for hackers to write, and they have to know it and copy it also.

So I guess it's a script, tracking cookie or something on my huge host account, and my host told me to scan the whole account?

How can I scan a host account?

Then I have to download it all to my computer and scan it, then upload it again..

That's a lot of work.

Just overwriting all files on all sites and forums has taken me 3 days now, and I am still overwriting the last sites.

My host, http://servage.net, can NOT reset the database; that's why I always take backups of them.

This time I was hacked by Shichemt Alen from : http://Shichemt-Alen.com
And they accuse me of supporting ISRAEL.. WHY?
I don't support Israel or Palestine..

All sites look like this:

http://easycaptures.com/fs/uploaded/511/thumbs/6652377278_b.jpg (http://easycaptures.com/6652377278)

I'm a pagan (Wicca) and don't care if they are bombing each other back to the Stone Age.


But: About the HACKING..

They usually upload a script into all index.php and index.html files.. Just find the script, change it back to the original (remove the script - upload new index files) and upgrade the database..

I did that and it worked fine.

So I didn't have to reset the database at all..

Just some advice.. Try it first..

AGAIN:

1. Overwrite all index.php and index.html files using FTP and upload only those files.
2. Backup your database again.

Hackers are now writing a script in your forums, which attacks all your index files when they are posting in the forum.

This is very difficult to find.

To secure against this, go to the ACP and BAN words such as: index.php - index.html.

VOILA.. It worked for me on my vB forums.


Have a great time, my friends.
All the Best from sebaldus.

jojojijijojo1
11-07-2010, 10:37 PM
Thanks all for your replies,
@ Lynne:
Thank you for your suggestion. Can you please tell me what exactly I should look for in the access log? Like, what are the things that can point me to the vulnerable exploit on my forum? Also, can such changes to the database be done by SQL injection, without having access to the server? I have a shoutbox on the index.php page that was hacked, and it was the only page that was actually hacked, plus my supermods got demoted and 1 got deleted by the hacker themselves. How can this be explained, and can it be done in ways other than server access? Can it be an exploit on the shoutbox, since users actually do insert data into it?

Lynne
11-08-2010, 02:12 AM
Look for logins to your admincp - check the IP, is it yours? Look for additions to the end of the URL that look like queries "UPDATE xxxx SET yyy = zzzz". I really don't know how to explain what to look for. Look for anything unusual (and yeah, that will be hard to do if you aren't familiar with access_logs, which is why you should become familiar with them).
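
The two access_log checks described in the post above (admincp requests from an IP that is not yours, and query strings that decode to SQL statements), as an added example that is not code from anyone in this thread. It assumes Apache combined log format; the sample lines, IPs and paths are constructed, and the pattern list goes slightly beyond the single UPDATE ... SET shape quoted above.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD url PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# SQL statement shapes that have no business in a URL (assumed pattern list).
SQL_RE = re.compile(
    r'\bupdate\s+\w+\s+set\b|\binsert\s+into\b|\bdelete\s+from\b'
    r'|\bunion\s+(?:all\s+)?select\b', re.IGNORECASE)

def decode(url, rounds=2):
    """Undo URL encoding twice so double-encoded (%2520-style) text is also seen."""
    for _ in range(rounds):
        url = unquote_plus(url)
    return url

def scan(lines, admin_ips, admin_dir="/admincp/"):
    """Return (reason, ip, time, url) for every suspicious request line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, when, _method, url, _status = m.groups()
        path, _, query = url.partition("?")
        if admin_dir in path and ip not in admin_ips:
            findings.append(("admincp-foreign-ip", ip, when, url))
        if query and SQL_RE.search(decode(query)):
            findings.append(("sql-in-query", ip, when, url))
    return findings

# Constructed sample lines: documentation-range IPs, hypothetical paths.
SAMPLE = [
    '198.51.100.7 - - [06/Nov/2010:22:14:03 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Nov/2010:22:15:41 +0000] "POST /forum/admincp/index.php?do=login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Nov/2010:22:16:02 +0000] "GET /forum/page.php?id=1%20UPDATE%20xxxx%20SET%20yyy%20%3D%20zzzz HTTP/1.1" 200 77 "-" "-"',
    '198.51.100.7 - - [06/Nov/2010:22:20:00 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # admin_ips is the set of addresses you know to be your own.
    for finding in scan(SAMPLE, admin_ips={"198.51.100.7"}):
        print(*finding, sep="  ")
```

A hit is a starting point for reading the surrounding log lines from the same IP, not proof of compromise; POST bodies are not recorded in access logs, so this only sees what arrived in the URL.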

YankForum
11-08-2010, 04:58 AM
It's not necessarily your vBulletin that got hacked; it could be your host or FTP password or even your email.

JorgeX
11-08-2010, 01:15 PM
Watch the scripts you installed in vBulletin...

I got hacked once through a vBA Gallery security bug; then they made a backdoor file to get into the FTP.

Watch for NEW FILES (older than the vBulletin installation OR files with the date when you got hacked).

If you find one, maybe it's an FTP.

YankForum
11-09-2010, 02:14 PM
I wonder how those hackers are still not able to hack 3.6.12 (which is installed here).