View Full Version : Site hacked 24 hours ago, still problems


pjkcards
09-11-2013, 04:37 AM
As everyone is experiencing, my forum was hacked. Yesterday I found a small, temporary fix, but today the homepage and forum are redirecting.

In regards to:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked

In step 2 it says to restore your original files. This means all the custom mods will be gone, correct? If so, is there any way to preserve them?

At the moment, the /admincp redirects even, so I am unable to login there.

Any further guidance would be much appreciated.
Thanks.

TheLastSuperman
09-11-2013, 04:45 AM
Did you check your forumhome template?

https://vborg.vbsupport.ru/showpost.php?p=2444641&postcount=52

If it's still redirecting to adfly (if that is where it's redirecting), then check the forumhome template; you may need to take the site into debug mode to check the master style. Otherwise it could be in your .htaccess file.

pjkcards
09-11-2013, 04:52 AM
Did you check your forumhome template?

https://vborg.vbsupport.ru/showpost.php?p=2444641&postcount=52

If it's still redirecting to adfly (if that is where it's redirecting), then check the forumhome template; you may need to take the site into debug mode to check the master style. Otherwise it could be in your .htaccess file.
When I put it into debug mode, I can get to the admincp login, then when I login it brings up the redirect at: http://www.domain.com/forum/login.php?do=login

I checked the .htaccess in /forum and don't see anything odd.

What can I do next?

Thanks.

ps. If you have a chat/messenger and can help me via that, it would be much appreciated and I'll send you some money for your time. Please message me if so. Thanks.

TheLastSuperman
09-11-2013, 04:53 AM
Yesterday I found a small, temp. fix, but today the homepage and forum are redirecting.


One thing to note though (not sure what the temp fix was): if you made changes, assumed it was clean, then all of a sudden it's defaced/redirecting again, that may also mean there is still a shell script somewhere on your server.

pjkcards
09-11-2013, 05:01 AM
One thing to note though (not sure what the temp fix was): if you made changes, assumed it was clean, then all of a sudden it's defaced/redirecting again, that may also mean there is still a shell script somewhere on your server.
See my above post again, I updated it.

There is a shell script somewhere, you're correct. How can I find it? Thanks again for your time.

TheLastSuperman
09-11-2013, 05:01 AM
When I put it into debug mode, I can get to the admincp login, then when I login it brings up the redirect at: http://www.domain.com/forum/login.php?do=login

I checked the .htaccess in /forum and don't see anything odd.

What can I do next?

Thanks.

ps. If you have a chat/messenger and can help me via that, it would be much appreciated and I'll send you some money for your time. Please message me if so. Thanks.

Then they more than likely have a plugin doing this... you did verify no edits to .htaccess were made, correct?

Also, we do not discuss paid this or that outside of the actual paid request forum or private messages. If you're looking to hire someone, please post in the paid request forum (https://vborg.vbsupport.ru/forumdisplay.php?f=30). I'm simply trying to help @ 2:00am my time after a long day of sorting several forums that were hacked and completing a style, so I'm honestly about to try and get some sleep; I wanted to try and offer suggestions that may help you before I nod off though ;).

TheLastSuperman
09-11-2013, 05:02 AM
Hmm, if you cannot access admincp, then check the plugins table from phpMyAdmin ;).

You can sort the plugins using the dateline to see the last edited/added.

pjkcards
09-11-2013, 05:09 AM
Then they more than likely have a plugin doing this... you did verify no edits to .htaccess were made, correct?
Yes, I have checked the .htaccess in the /forum and no edits were made.

Hmm, if you cannot access admincp, then check the plugins table from phpMyAdmin ;).

You can sort the plugins using the dateline to see the last edited/added.
Thanks, I'll see if I can find them there.

TheLastSuperman
09-11-2013, 05:14 AM
Also don't forget to check for files such as lol.php and any non-vbulletin files and verify they are not malicious.

I'm off to bed but wish you good luck on this. Goodnight!

pjkcards
09-11-2013, 05:42 AM
I just ran this query:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

And it returned A1.jpg (see attachment).

I just ran this:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';
And it returned 2 pages full of stuff.

How can I go about getting around the admincp redirect issue?
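Following TheLastSuperman's suggestion to sort the plugin table by dateline and the keyword queries in this post, here is an added Python triage script (not from this thread and not vBulletin's own code) that runs the same keyword match over a constructed in-memory copy of the `plugin` table, lists hits newest first, and decodes any base64 string literals so you can see what an obfuscated plugin actually does before deciding whether to disable it. The column set, including `dateline`, is assumed from the thread rather than taken from a real schema, and the rows and the redirect payload are constructed samples; to use it for real, point the connection at your own database instead of the sample.

```python
import base64
import re
import sqlite3

# Keywords from the triage queries in this thread, with passthru spelled as PHP spells it and eval added
SUSPICIOUS_KEYWORDS = ("base64", "eval", "exec", "system", "passthru", "iframe")

# A quoted run of base64 characters; the length floor keeps ordinary short strings out
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

# Constructed sample payload of the kind an obfuscated redirect plugin wraps in eval(base64_decode(...))
_SAMPLE_PAYLOAD = base64.b64encode(b'header("Location: http://redirect.example/");').decode()

# Constructed rows mimicking vBulletin's plugin table; the dateline column is assumed from the thread
SAMPLE_PLUGINS = [
    # (pluginid, title, hookname, phpcode, product, active, dateline)
    (1, "Show Smilies Window", "global_start",
     "if ($_GET['do'] == 'smilies') { $show['smilies'] = true; }", "adv_cmps", 1, 1330000000),
    (2, "Ads in Posts", "postbit_display_complete",
     "$post['ads'] = $vbulletin->options['ad_code'];", "vbulletin", 1, 1340000000),
    (3, "cache cleanup", "init_startup",
     "eval(base64_decode('" + _SAMPLE_PAYLOAD + "'));", "vbulletin", 1, 1378800000),
]


def build_sample_db():
    """Stand-in for the real database: an in-memory SQLite plugin table filled with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE plugin (pluginid INTEGER PRIMARY KEY, title TEXT, hookname TEXT, "
        "phpcode TEXT, product TEXT, active INTEGER, dateline INTEGER)"
    )
    conn.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_PLUGINS)
    return conn


def decode_base64_literals(code):
    """Return the printable text hidden in any base64 string literal inside a PHP snippet."""
    decoded = []
    for match in B64_LITERAL.finditer(code):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("ascii", errors="replace")
        if text.isprintable():
            decoded.append(text)
    return decoded


def find_suspicious_plugins(conn):
    """Keyword-scan every plugin, newest first, and attach decoded base64 payloads to each hit."""
    rows = conn.execute(
        "SELECT pluginid, title, hookname, phpcode, product, active, dateline "
        "FROM plugin ORDER BY dateline DESC"
    ).fetchall()
    hits = []
    for pluginid, title, hookname, phpcode, product, active, dateline in rows:
        lowered = phpcode.lower()
        matched = [kw for kw in SUSPICIOUS_KEYWORDS if kw in lowered]
        if not matched:
            continue
        hits.append({
            "pluginid": pluginid, "title": title, "hookname": hookname, "product": product,
            "active": bool(active), "dateline": dateline,
            "keywords": matched, "decoded": decode_base64_literals(phpcode),
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_plugins(build_sample_db()):
        print(f"plugin {hit['pluginid']} '{hit['title']}' hook={hit['hookname']} "
              f"product={hit['product']} dateline={hit['dateline']} keywords={hit['keywords']}")
        for text in hit["decoded"]:
            print("  decoded:", text)
```

The keyword list is a net, not a verdict: legitimate products use `exec` and `system` in their names or code, so a hit only means "read this one", and the decoded text is what tells a redirect apart from a harmless cache routine. The same scan applies unchanged to `template.template`, which is where a redirect can also hide.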

pjkcards
09-11-2013, 06:27 AM
A couple questions:
1) In step 2 it says to restore the vB files. Will I lose any customizations if I do this?
2) How do I get rid of the login redirect to start?

Thanks!

Spangle
09-11-2013, 10:09 AM
I was going to add: check your file structure in public_html. After I'd been hacked I found that index.php had been altered, and there were other files, e.g. mail.php.

There was also a rogue folder called image which had several unknown files in it, I deleted the lot.
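TheLastSuperman's advice to look for non-vBulletin files like lol.php and Spangle's finding of an altered index.php, an extra mail.php and a rogue image folder come down to the same check: compare what is on disk with a clean copy of the same vBulletin version. The following added Python script (not from this thread and not vBulletin's own tooling) does that against a SHA-256 manifest and reports modified, unknown and missing files. The clean file contents, the web-root layout it writes to a temporary directory, and the list of upload directories it skips are all constructed assumptions; for a real audit, build the manifest by hashing a fresh download of your exact version and point it at your web root.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for a few files of a clean vBulletin download; a real manifest
# is built by hashing every file of the exact version you run, taken from a fresh download
CLEAN_FILES = {
    "index.php": b"<?php // constructed stand-in for the clean index.php\n",
    "forum/global.php": b"<?php // constructed stand-in for forum/global.php\n",
    "forum/misc.php": b"<?php // constructed stand-in for forum/misc.php\n",
}

# Assumed list of directories that hold user uploads rather than vBulletin code; adjust to your install
USER_CONTENT_DIRS = ("attachments", "customavatars", "customprofilepics")


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_from_clean(clean_files):
    """Map of relative path -> SHA-256, the reference a clean install would produce."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in clean_files.items()}


def audit_tree(root, manifest, skip_dirs=USER_CONTENT_DIRS):
    """Walk root and classify every file as modified, unknown (not in the manifest) or missing."""
    result = {"modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            # prune upload directories only at the top level, so a copy nested elsewhere is still seen
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                result["unknown"].append(rel)
            elif sha256_file(os.path.join(dirpath, name)) != manifest[rel]:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    result["modified"].sort()
    result["unknown"].sort()
    return result


def build_sample_tree():
    """Write a constructed web root with one tampered file, one dropped file and one rogue directory."""
    root = tempfile.mkdtemp(prefix="vbaudit_")
    on_disk = {
        "index.php": CLEAN_FILES["index.php"] + b"<?php /* constructed: appended line */ ?>\n",
        "forum/global.php": CLEAN_FILES["forum/global.php"],
        "forum/lol.php": b"<?php // constructed: not part of vBulletin\n",
        "image/cfg.php": b"<?php // constructed: lives in a directory vBulletin never creates\n",
    }
    for rel, data in on_disk.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = audit_tree(build_sample_tree(), manifest_from_clean(CLEAN_FILES))
    for kind in ("modified", "unknown", "missing"):
        for rel in report[kind]:
            print(f"{kind:9s} {rel}")
```

Every "unknown" entry is either a file you put there on purpose (a custom mod, a config you added) or something that needs explaining, which is why the mods question earlier in the thread matters: keep your own list of what you installed so the audit output is short and the rest can be deleted or restored from the clean copy.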

kh99
09-11-2013, 01:28 PM
I just ran this query:

And it returned A1.jpg (see attachment).

The last plugin listed in your image A1.jpg looks suspicious to me. You could try disabling it or post the code here so we can see. The "Smilie Window Redirect" looks a little suspicious as well, but it says it's part of product adv_cmps and I'm not familiar with that, so it might be OK.

pjkcards
09-11-2013, 05:27 PM
I've paid someone to solve the problem, but now the templates are all messed up, and the vBAdvanced CMPS doesn't work. How can I troubleshoot from here?
Thanks.

ForceHSS
09-11-2013, 05:36 PM
I've paid someone to solve the problem, but now the templates are all messed up, and the vBAdvanced CMPS doesn't work. How can I troubleshoot from here?
Thanks.
Whoever fixed the problem for you needs to fix the errors as well; if not, I would be looking for something back.

kh99
09-11-2013, 05:39 PM
I've paid someone to solve the problem, but now the templates are all messed up, and the vBAdvanced CMPS doesn't work. How can I troubleshoot from here?
Thanks.


I don't know what the problem is with the templates, but I remember vBAdvanced used to require an edit of index.php (or whatever the main page is) when it was installed, so if you restored all the original vb files you might have to make that edit again.

ForceHSS
09-11-2013, 05:42 PM
I see it was kh99; he is very good at what he does, I am sure he will see all things are right.

kh99
09-11-2013, 05:46 PM
I see it was kh99; he is very good at what he does, I am sure he will see all things are right.


I wasn't the one who was paid to fix his problems, if that's what you mean, but thanks anyway.

pityocamptes
09-11-2013, 06:29 PM
Depending on who your hosting provider is, you could have backed the files and db up to the day prior to the hack...

ForceHSS
09-15-2013, 05:01 PM
I wasn't the one who was paid to fix his problems, if that's what you mean, but thanks anyway.
I meant you could help, as you are very good at the coding.