My Site Hacked Redirected?! Got Damn! (https://vborg.vbsupport.ru/showthread.php?t=125725)

Chicago_VLNU_4s 09-04-2006 03:33 AM

peterska, buddy, you're kinda late. I could already access Admin CP log-in via URL. But the thing is, when I log in, it re-directs to the page. Everyone, try for yourself and see. Just make up any bogus screen name and password.

http://www.offthaave.com/forums/admincp/index.php

SuperFly 09-04-2006 03:35 AM

try replacing your login.php file

DementedMindz 09-04-2006 03:36 AM

can't you get in to your mysql? if so and you know mysql you can delete the post they made.

I guess they fixed it huh?

Chicago_VLNU_4s 09-04-2006 03:52 AM

well i'm gettin alotta help in here and PM and i appreciate everyone's input btw. Right now, we're trying to get access thru CPanel.... if anyone has any other suggestions, I'm all ears

DementedMindz 09-04-2006 03:54 AM

you should be able to get in cpanel no problem. I think even if you disable the hooks in your config like paul or whoever said you could check a lot easier

SuperFly 09-04-2006 04:01 AM

honestly did you replace your login.php with a vbulletin default.

I'm 70% sure that's it.

calorie 09-04-2006 04:05 AM

Use phpMyAdmin and run the following query to see if it's in a template:
Code:

# replace vb3_ with your vB table prefix

SELECT title FROM vb3_template WHERE template LIKE '%slumz%';


Chicago_VLNU_4s 09-04-2006 04:29 AM

well i'm getting help thru CPanel like stated so if this doesn't work, i will most def. let you guys know and i will try your ways. He promises it will work cuz i guess the same happened to him. So hopefully, in 20 minutes, i will be able to come back in here with good news

DementedMindz 09-04-2006 04:37 AM

20 mins? shouldn't take that long. why don't you download your database via phpmyadmin, open it in notepad and search for that site name that it's being refreshed to and see where it is in the sql. this way you can point it out quickly and fix it quickly

Butters 09-04-2006 04:40 AM

1 Attachment(s)
These are the templates that have been replaced .....


(yes ... 20 mins ish ... I need sleep !)

Chicago_VLNU_4s 09-04-2006 04:42 AM

he said they replaced my whole FORUMHOME template.. but I'll try

DementedMindz 09-04-2006 04:42 AM

revert

Chicago_VLNU_4s 09-04-2006 08:52 AM

Ok thanks everyone, Butters helped me with everything and he had to do everything in CPanel, but it's restored now. Thanks for all your replies

SuperFly 09-04-2006 02:52 PM

BTW now that i can see your site, not bad.

cbr929rrerion 09-04-2006 03:48 PM

Quote:

Originally Posted by acidburn0520
They may have added a Meta Redirect, check your headinclude template I believe.


This was done to my forum also but the redirect was just a thread they started, I deleted the thread and it stopped.

NOW

How can I not let that happen again?

DementedMindz 09-04-2006 04:29 PM

upgrade to the newest topXstats or flashchat which ever one you use.

iran.gs 09-04-2006 09:06 PM

it's so weird, ur id is chicago and i am chicago and the same shit happened on saturday to me looooooooooool. it was redirected to a turkish site saying we hacked it. ok let me tell what to do if this happens again, which let's hope not.

first of all this was the turkish delight who did my site
IP: 85.104.221.179 Country: Turkey City: oh well half of turkey will never be able to come my site i did a ip range..

now whenever anyone gets this problem this post has always been done on the first page of ur forum right? so u try to get in like members area or admin area since this code is only code for main page, then press new members or new posts and then from c panel of the forum just delete the main post. they used 4 posts on me :( this is the code they used so All Admins see this and fix, make a patch for it. i lost 140 good posts because of this

i will change some settings in this code so no one can learn this code

Code:

"">>>><meta http-equiv="??????" ?????="0;url=http://ts.somee.com"> """" > <showthread.php?t=2699>
this is what they used on my site, 4 of them :( all day my site was down and it was so embarrassing :( so i forwarded my domain to another folder meanwhile till i fixed this. i hope VB make a patch for this. they used this on my forum nuke site also few yrs ago !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Chicago_VLNU_4s 09-04-2006 09:36 PM

i see my last reply didn't go thru. Well my site was better, especially the MEMBERINFO template. We had the myspace profiles and i personally edited them and added more features so alotta time and dedication was put into this site, then these b*tches come in, hack it and delete sh*t with no warning. That's why i was wondering if i could get it back running to the way it was 2 days ago instead of restoring it to the backup point, which is 3 weeks or more old? I believe butters backed up in CPanel so that's why i'm wondering? what are you guys' input cuz my site is running again, but like i said, it's runnin to what it was running exactly 3 weeks ago since i last backed up

DementedMindz 09-05-2006 02:43 AM

hmm you should have just dropped them 3 sql tables back in the database this way you didn't lose everything.

TorGa3iGhT 09-05-2006 05:12 PM

did u find the problem? i had this happen to my site FOUR times now...once while I was sitting right there removing one...

it was a post in a thread that redirected....the 4th attempt was a line that was trying to execute a script. basically, i just deleted the thread. Also, i had the cyb forumhome installed, and i disabled it, and the redirect went away.

PM me if ur still having this problem...a lot of people have been getting hacked this weekend.

da420 09-05-2006 06:26 PM

Sounds like all these hackers are from Turkey lately. Glad it hasn't happened to me yet. *knocks on wood*

SuperFly 09-06-2006 01:57 AM

it happened to me, but they failed miserably, only thing was, mine were arabs.

Paul M 09-06-2006 02:43 AM

Quote:

Originally Posted by Chicago_VLNU_4s
i see my last reply didn't go thru. Well my site was better, especially the MEMBERINFO template. We had the myspace profiles and i personally edited them and added more features so alotta time and dedication was put into this site, then these b*tches come in, hack it and delete sh*t with no warning. That's why i was wondering if i could get it back running to the way it was 2 days ago instead of restoring it to the backup point, which is 3 weeks or more old? I believe butters backed up in CPanel so that's why i'm wondering? what are you guys' input cuz my site is running again, but like i said, it's runnin to what it was running exactly 3 weeks ago since i last backed up

Restore your backup from 3 weeks ago to another database, and then extract the three templates you want and update the current database with them.

Phaedrus 09-06-2006 02:45 AM

Has anybody checked to see if he has HTML on and somebody put a redirect on a Thread Title?

stan111 09-06-2006 04:36 AM

the same happened to my site
but one of my supermods accidentally deleted the thread and it's back to normal now

i have the top x on my site on 3.0.7
please tell us how to fix this

Paul M 09-06-2006 05:24 AM

If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.

popowich 09-06-2006 03:03 PM

Quote:

Originally Posted by Paul M
If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.

I upgraded over the weekend to the c version for 3.6.

Is that one actually OK or should I remove it in case there are additional problems?

I also saw a reference to flashchat in another forum having a problem.

Should flashchat be removed too?

Any others?

-Raymond

HabboHall 09-06-2006 06:58 PM

Hey! Sorry if this was posted in the few pages, I didn't look through.
I had the same problem as you, I got hacked.

Now, this is how I got rid of the redirect:

As your forum loads, click 'stop' in the browser toolbar, before it redirects. Scroll down the page, until you find a post with some code as its title. Delete it. That's it.
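The check described in the post above (finding the thread whose title is markup rather than text) can also be run offline against an export of thread IDs and titles. This is an added example, not code from vBulletin or from any modification named in this thread; the function names, the row shape and the sample titles are constructed assumptions.

```python
import html
import re

# Markup that has no business in a thread title. Matching is case-insensitive
# and tolerant of the extra whitespace used to dodge simple word filters.
PATTERNS = {
    "meta-refresh": re.compile(
        r"<\s*meta\b[^>]*http-equiv\s*=\s*[\"']?\s*refresh", re.I),
    "script-or-frame": re.compile(r"<\s*(?:script|iframe)\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
}

def scan_titles(rows):
    """Return [(threadid, kind)] for titles that contain active markup."""
    hits = []
    for threadid, title in rows:
        # Titles may be stored entity-encoded; decode before matching so an
        # encoded payload that a template later prints raw is still found.
        decoded = html.unescape(title)
        for kind, rx in PATTERNS.items():
            if rx.search(decoded):
                hits.append((threadid, kind))
                break
    return hits

def render_title(title):
    """What a stats block should print: the title with HTML escaped."""
    return html.escape(title, quote=True)

# Constructed sample rows (threadid, title); example.invalid is a placeholder.
SAMPLE = [
    (101, "Welcome to the forum"),
    (102, '"">>>><META  HTTP-EQUIV = "Refresh" '
          'content="0;url=http://example.invalid/">'),
    (103, "Is <b>bold</b> allowed in titles?"),
    (104, "&lt;meta http-equiv=&quot;refresh&quot; "
          "content=&quot;0;url=http://example.invalid/&quot;&gt;"),
    (105, "Review of the onboarding guide"),
    (106, "<ScRiPt src=//example.invalid/x.js>"),
]

if __name__ == "__main__":
    for threadid, kind in scan_titles(SAMPLE):
        print(threadid, kind)
```

Flagged thread IDs are candidates for review and deletion; escaping titles on output, as `render_title` does, is what stops a stored title from acting as markup in the first place.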

Kirk Y 09-07-2006 10:51 PM

I wish people would stop saying they got hacked. Your board was exploited through a modification that had a hole in it.
It was never infiltrated by some unknown assailant, quit being so dramatic.

rolandogomez 09-14-2006 11:03 PM

1 Attachment(s)
I understand about whether you were "hacked" or not. We were, via FlashChat, they inserted a file called 17-2.

Do a Google on "suidsafe exploit" and you'll see they are all over the Internet today with this thing. They were caught as they were going to root level, we pulled the server off line, deleted all the compromised files, then upgraded all our systems with new hard drives. The reason they were caught so fast, they tried running a "cron" that failed, so I got an email with the cron error--happened to be on line when they had done it.

A friend of mine with another popular photo forum was hacked with the same exploit on shared server the week prior, also running FC and VB 3.5. I'm not a programmer, but I can tell you my server provider, Rackspace.com did a fanatical job, we had to replace hard drives to be sure too.

Today a few hours ago with another attempt, via a "registered users only" forum, they tried to insert this: ">""********<**** **********=********* content="0;url=http://hastabeyinler.com/a"> **** > which I have part of in the "censored words" section as this, >>>> {http-equiv} "Refresh" """" By adding " >>>> {http-equiv} "Refresh" """" " (w/o the quote marks) it will add another layer of defense. The attempted hacker today went by the name of "dreamer" and the email is lll_dreampool_lll@hotmail.com and for his city he put "Ankara" and his IP was 85.101.1.4 resolves near there in a place called Kocaeli.

Oh well, we get attacked daily, and yes, we've been through hackers before, but we keep putting up layer after layer, someday perhaps they will all go away? (yea right).

For those worried about Turkish IP's, I've attached a list in the format you'd put in the banned IP list. Be careful, not sure if they block other IP's that are legit. For an even more precise list, go here, http://www.dnsstuff.com/pages/testbed.htm
and enter "Turkey" or whatever country you want--be careful in banning an entire country from your site--they can still use other methods and other IP's from other countries. This is just a "layer" of protection but will not stop them.

Oh, on the Cyb Topstats, we made it where the "form" where you can change the amount of results is only visible by "paid" members. Here is the code (crossing my fingers I can post this right)
Code:

<if condition="is_member_of($bbuserinfo, X, X, X, X, X)">
                        <form method="post">
                        <input type="hidden" name="resultsnr" value="$resultsnr" />
                        <div class="smallfont">$vbphrase[cyb_results_more]<br /><input type="text" class="bginput" style="font-size:11px" name="resultsnr" value="$resultsnr" size="2" />&nbsp;<input type="submit" class="button" value="$vbphrase[cyb_results_more_show]" accesskey="s" /></div>
                        </form>
                        <else />
                                                        <b><font size="2" color="red" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"> You must be a paid member for more stats options, up to 150 top results.</font></b></if>
                                                        </td>
                <else />
                        <td width="100%" class="alt1" align="center">
                        $vbphrase[cyb_more_disabled]
                        </td>
                </if>

Note: Replace "X" with your forum field ID's as appropriate. In the end, you can prevent, it just gets harder everyday. Wishing everyone the best, rg sends!

Chicago_VLNU_4s 09-22-2006 10:38 PM

Quote:

Originally Posted by acidburn0520
I wish people would stop saying they got hacked. Your board was exploited through a modification that had a hole in it.
It was never infiltrated by some unknown assailant, quit being so dramatic.

who cares what terminology you consider "hacking", point is, it's back up and running

Kirk Y 09-22-2006 10:50 PM

I care. :)

MRGTB 09-22-2006 11:48 PM

Quote:

Originally Posted by Chicago_VLNU_4s
who cares what terminology you consider "hacking", point is, it's back up and running

Don't think so mate, check your site link. It says your site is suspended! :rolleyes:

DementedMindz 09-22-2006 11:51 PM

:banana: lol yeah that it is

Chicago_VLNU_4s 09-23-2006 01:28 AM

Quote:

Originally Posted by Gary Bolton
Don't think so mate, check your site link. It says your site is suspended! :rolleyes:

hahha good eye, it's cuz i'm switching host due to my current one shutting down shop

Paul M 09-23-2006 03:22 AM

The suidsafe exploit appears to be a linux kernel exploit ;

Quote:

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption).

elitemerlin 05-26-2007 09:03 AM

hey guys my site got exploited 2 days ago, and after 2 days of trying to fix it, it seems i can't do it. i have done everything like changing things from _STR to _NOHTML, SQL queries in CPanel, and looking for weird named threads to delete but nothing. also the site redirects to a turkish hacker site, and when i log into AdminCP everything is ok, until i go to look @ the forum things, then those pages redirect as well. If anyone could take a hands on look, (Like butters or Paul) I would pay via PayPal for your help, thank you all in advance.

bitdefuser 05-26-2007 12:03 PM

This thread was from September...
Just go to your domain configuration and change it there or check the .htaccess file.

elitemerlin 05-26-2007 07:17 PM

nothing is wrong in the .htaccess files, and the domain config i'm not sure what you're referring to, is it inside the admincp?

bitdefuser 05-26-2007 07:37 PM

I'm talking about the people who host your domain. Such as Godaddy, etc.
Check the forward option in their panel. Chances are, he has set a forward onto it or changed the DNS records.

Edit: If that doesn't work either, try searching in the Styles for the site you get redirected to. Same with the PHP files.


All times are GMT.