Website hacked :/


gregory_clayton
03-31-2011, 11:01 AM
I was hoping this shit wouldn't happen again :/.. happened a few years back on my old forum, and my new one, which has been opened 2 months and has finally started to grow, just got hacked this morning.

www.wwehq.com

It doesn't look like any files/tables were deleted. But it is displaying his websites on each page.

If I try to go onto the arcade.php it's just the same.

Any idea anyone :/

lazydesis
03-31-2011, 11:04 AM
I am sure the database has been modified. It happened to me in the past. Open phpmyadmin and search for the text that's being displayed on your website, or search for the URL to which it is being redirected and you will see that.

Luckily I had a database backup which I restored, and then changed all my passwords. Also I would delete all the files in the public_html dir and reupload the vb files.

There is also a possibility that he might have just modified your config.php file. So take a look at that as well.

gregory_clayton
03-31-2011, 11:08 AM
Tried searching in phpmyadmin; the text isn't found. Makes me wonder if he is using some sort of script to link to that site.

bump :(

borbole
03-31-2011, 12:45 PM
What was the text displayed? I get a forum closed message when I loaded your forum?

It would be best to ask your host to check their access logs for around the time that the hack occurred to see how they got access.

What version of vb were you having btw?

gregory_clayton
03-31-2011, 01:47 PM
The host has now uploaded a backup of the forum back online. I am awaiting the logs, they are going to transfer them to me later. When it happens I will be sure to paste the bas!£$ds ip for you guys here to ban him too.

I am using Powered by vBulletin™ Version 4.1.2

DNN
04-01-2011, 12:06 AM
wow. Let me hurry up and update my stuff too.

conradk
04-01-2011, 10:13 PM
Several years ago when the hacking attempts got bad on my site I renamed the admincp directory and created a bogus admincp directory with bogus/broken php files.

And regular backups are a good thing - thanks for the reminder.

Phaedrus
04-03-2011, 02:59 PM
Check your PHP files; if he has access he can add just a couple of lines to them that redirect everything to his pages. If such is the case, reload your clean files w/overwrite, then change the password you use to get into your server control panel to something indecipherable.

Chase
04-03-2011, 05:39 PM
I highly recommend renaming your admincp and modcp folders and putting a password protection on them as well.

If you change your admincp folder name to something else, make sure you update it in your config.php file as well.

TheLastSuperman
04-03-2011, 05:54 PM
Change cPanel Password (Or Hosting Account Manager password etc)
Change FTP Passwords
Change Forum Passwords
Change ALL Database Usernames & Passwords then reset in config, remove old user from all DBs etc.
Check for modified files, compare timestamps etc.
IF you can access admincp check your template system for edits, revert all modified templates.
Check for shell files, .php, any new very large image files, anything with an odd name, as sometimes it's apparent and sometimes it's not, depends on the hacker per se.
Check for oddly named modifications or plugins; recently a plugin was the culprit for me on a client's site.


The most important thing is restoring from a backup. Unless you know what to look for you could miss something, so restoring and then figuring out how you were compromised should be your number one priority, otherwise they'll simply repeat the process :eek:.

gregory_clayton
04-03-2011, 09:24 PM
Hi all sorry for not getting back to you all sooner!

My host revealed to me that an old ftp account I used to use which I didn't realise was still in use was the ftp which was compromised allowing him access to edit some of the files on the forums.

=======

--------------
Mar 31 09:23:36 quark pure-ftpd: (greg@darkhybrid.com@212.248.222.94) [NOTICE] /home2/darkhybr//www/wwehq.com/forum.bkp/includes/class_upload.php uploaded (44880 bytes, 51.14KB/sec)
--------------

====

This was the file which was edited. Just in case any of you guys were stuck on where to look in your code.


Thanks again for the security feedback though guys. Website is running perfectly now and ready for wrestlemania!
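
Added example (not part of the thread and not any poster's code): a Python script that parses pure-ftpd upload notices in the format of the log line quoted above and lists script uploads made by FTP accounts that are not on a list of accounts known to be in use, which is how a forgotten account like the one in this thread would surface. The function names, the extension list and the active_accounts set are assumptions; every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# pure-ftpd syslog upload notice, in the shape of the line quoted in the thread
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spure-ftpd:\s"
    r"\((?P<who>[^)]*)\)\s\[NOTICE\]\s(?P<path>.+?)\suploaded\s"
    r"\((?P<size>\d+) bytes,"
)
SCRIPT_EXT = (".php", ".phtml", ".inc")  # assumed list of server-side script types

def parse_upload(line):
    """Return a dict for an upload notice, or None for any other line."""
    m = UPLOAD_RE.match(line)
    if not m:
        return None
    # The login may itself contain '@' (user@domain), so split on the last one.
    account, _, ip = m.group("who").rpartition("@")
    return {"ts": m.group("ts"), "account": account, "ip": ip,
            "path": m.group("path"), "size": int(m.group("size"))}

def suspicious_uploads(lines, active_accounts):
    """Script uploads grouped by account, for accounts not known to be in use."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_upload(line)
        if rec and rec["path"].lower().endswith(SCRIPT_EXT) \
                and rec["account"] not in active_accounts:
            hits[rec["account"]].append(rec)
    return dict(hits)

SAMPLE_LOG = [
    # line quoted in the thread
    "Mar 31 09:23:36 quark pure-ftpd: (greg@darkhybrid.com@212.248.222.94) [NOTICE] /home2/darkhybr//www/wwehq.com/forum.bkp/includes/class_upload.php uploaded (44880 bytes, 51.14KB/sec)",
    # constructed lines (documentation IP ranges, example accounts)
    "Mar 31 10:02:11 quark pure-ftpd: (deploy@example.org@192.0.2.10) [NOTICE] /home2/example/www/includes/config.php uploaded (2100 bytes, 40.00KB/sec)",
    "Mar 31 10:05:40 quark pure-ftpd: (old@example.org@198.51.100.7) [NOTICE] /home2/example/www/images/logo.png uploaded (9000 bytes, 80.00KB/sec)",
    "Mar 31 10:06:02 quark pure-ftpd: (?@198.51.100.7) [INFO] Logout.",
]

if __name__ == "__main__":
    # active_accounts is the set of FTP logins you still expect to see (assumed)
    found = suspicious_uploads(SAMPLE_LOG, {"deploy@example.org"})
    for account, recs in found.items():
        for r in recs:
            print(f"{r['ts']} {account} from {r['ip']}: {r['path']} ({r['size']} bytes)")
```
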