Forum hacked, keeps redirecting to deface page after I deleted it
TrevorS
10-18-2012, 08:33 PM
My vBulletin forum was "hacked" (actually one of my admins' emails just wasn't secure >.>) They uploaded 2 shells and a deface page, which I deleted, yet it still tries to redirect to the deface page, and is in an endless loop of refreshing.
Basically when it was first hacked, when I went to mydomain.com it redirected to mydomain.com/deface.html
I then deleted deface.html, but it still tries to redirect to mydomain.com/deface.html
I DO NOT have a .htaccess file, I've looked and it is not there. I have tried to make my own, and it would not work, I even made sure to CHMOD it, but still no success.
Does anyone know how to fix this?
Try running this script: https://vborg.vbsupport.ru/showthread.php?t=281080
Also, look in the Plugin Manager and see if there are any plugins you don't recognize.
TrevorS
10-18-2012, 08:44 PM
I can't access my control panel because every page redirects.
In Omnibus
10-18-2012, 08:46 PM
Have you tried disabling hooks globally via the config.php file?
define('DISABLE_HOOKS', true);
Yeah that. And while it doesn't hurt to run that other script, if your admincp is redirecting it's got to be something other than a template.
Lynne
10-18-2012, 10:43 PM
Did you try using a database backup? If your database was also compromised, then that may be a good option.
TrevorS
10-19-2012, 12:24 AM
Did you try using a database backup? If your database was also compromised, then that may be a good option.
Database was not touched, only an admin account that wasn't even super admin. All they did was upload 2 shells, a deface page, and whatever redirects every page.
Lynne
10-19-2012, 01:51 AM
You cannot upload a file without ftp/server access, so what makes you think someone wasn't able to access the server and the database?
betterthanyours
10-19-2012, 08:25 AM
Just throwing this out there, you should make sure the NameServers were not changed and that there are no forwarders
TrevorS
10-19-2012, 11:33 AM
You cannot upload a file without ftp/server access, so what makes you think someone wasn't able to access the server and the database?
They uploaded a shell through the adminCP, then uploaded a deface page through that. I checked the 'last modified' date of all the files in my FTP, only the shell and the deface page were added.
Just throwing this out there, you should make sure the NameServers were not changed and that there are no forwarders
Nameservers were not changed.
Are you still having the redirect issue? If you upload a static html page and go to it, does it still redirect?
I think Lynne mentioned the database because if they didn't change any files then the only thing left is the vb database.
betterthanyours
10-19-2012, 12:08 PM
If they uploaded a plugin then chances are there are entries in your database that are making the redirect...
Is it possible for you to have the DB restored? Does your host take backups? If so, do that but also keep the current possibly compromised DB. Then, you can cross reference and compare any new tables or changes, delete those and possibly have repaired the DB
Also, as was mentioned above, if it is a plugin you can edit your includes/config.php file and add:
define('DISABLE_HOOKS', true);
somewhere after the first line. Then you should be able to go to the adminCP and use the plugin manager to figure out which one is causing the problem and disable it.
Simon Lloyd
10-19-2012, 12:49 PM
I'd search my core vBulletin PHP files for eval(base64 code!
borbole
10-19-2012, 04:50 PM
Also ask your host to check the access logs for around the time that the hack happened to see what went down precisely.
Brandon Sheley
10-19-2012, 07:28 PM
Try running this script: https://vborg.vbsupport.ru/showthread.php?t=281080
Also, look in the Plugin Manager and see if there are any plugins you don't recognize.
Have you tried disabling hooks globally via the config.php file?
define('DISABLE_HOOKS', true);
I can't access my control panel because every page redirects.
Have you tried the above?
Do you have access to the database, or the files?
TrevorS
10-20-2012, 01:43 AM
Have you tried the above?
Do you have access to the database, or the files?
Tried, didn't work.
I have access to the db and files, yes.
CAG CheechDogg
10-20-2012, 01:58 AM
Can you post a link to your site?
TrevorS
10-20-2012, 03:56 PM
Can you post a link to your site?
http://www.zamorak.net
In Omnibus
10-20-2012, 04:01 PM
<script>window.location='http://zamorak.net/PhaisamAndDan.html'</script>Unable to add cookies, header already sent.<br />
File: /home/trevors/public_html/Zamorak.net/includes/config.php<br />
Line: 48<br />
ForceHSS
10-20-2012, 07:26 PM
change this line in your config
$config['Database']['force_sql_mode'] = false;
If false, change to true; if true, change to false.
borbole
10-20-2012, 08:45 PM
Tried, didn't work.
I have access to the db and files, yes.
What exactly did you try? You should have cleaned your site 10 times by now. Did you also ask your host to check their logs to see what went down and how?
http://www.zamorak.net
As others have mentioned above, there seems to be something wrong in your includes/config.php file around line 48. The hackers may have inserted something directly in that file.
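The two file checks suggested in this thread (searching the PHP files for eval(base64 code, and looking for something inserted into includes/config.php around the line named in the "header already sent" error) can be combined in one scan. This is an added example, not code from any poster or from vBulletin; the patterns, function names and sample file are assumptions, and the tag tracking is a line-based heuristic.

```python
import re
import sys
from pathlib import Path

# Heuristic patterns and sample file constructed for this example; not vBulletin code.
OBFUSCATED = re.compile(r"\beval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.I)
REDIRECT = re.compile(r"window\.location|http-equiv\s*=\s*[\"']?refresh", re.I)
PHP_TAG = re.compile(r"<\?(?:php\b|=)?|\?>")

SAMPLE_CONFIG = """<?php
$config['Database']['dbname'] = 'forum';
?><script>window.location='http://forum.example/deface.html'</script>
<?php
eval(gzinflate(base64_decode('PLACEHOLDER')));
"""

def scan_php(source):
    """Return [(line_number, reason), ...] for the text of one PHP file."""
    findings, in_php = [], False  # PHP starts in raw-output mode until "<?php"
    for number, line in enumerate(source.splitlines(), 1):
        raw, pos = "", 0  # raw collects text PHP would send straight to the browser
        for tag in PHP_TAG.finditer(line):
            if in_php and tag.group() == "?>":
                in_php, pos = False, tag.end()
            elif not in_php and tag.group() != "?>":
                raw += line[pos:tag.start()]
                in_php = True
        if not in_php:
            raw += line[pos:]
        if raw.strip():  # a pure-PHP file such as config.php should emit nothing
            findings.append((number, "output outside PHP tags"))
        if REDIRECT.search(line):
            findings.append((number, "client-side redirect"))
        if OBFUSCATED.search(line):
            findings.append((number, "eval(base64_decode(...))"))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*.php") if p.is_file()):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":  # usage: python scan.py /path/to/forum
    for name, hits in scan_tree(sys.argv[1] if sys.argv[1:] else ".").items():
        print(name, hits)
```

Hits are leads to review by hand against a clean copy of the same vBulletin version, since legitimate admin pages can also contain redirect markup.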
CAG CheechDogg
10-21-2012, 05:13 AM
I don't see any redirects at all for this website.
Simon Lloyd
10-21-2012, 06:49 AM
remove your database name, username and password and post your config.php as text here.