vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Site hacked by Myanmar Muslim Cyber Force (https://vborg.vbsupport.ru/showthread.php?t=302092)

pityocamptes 09-12-2013 06:47 PM

Quote:

Originally Posted by teamemmenracing (Post 2445163)
................... well I have tried everything and it's still there.
worst of all, when I try to copy files back to my computer, they are all password protected and I can't access them.

Finally I went to my host and deleted everything from the server ........ except the database, then loaded new files that I just downloaded from the vbulletin members area ......

and from nowhere this file appears .....

zdberrb4476bf0aed19d1e05964d0757f51.dat

it doesn't look legit, I managed to open it up and the only contents were a number .....

13790115241146

I'm thinking I now have a server problem .....

any ideas ?




Get backups of both your files and the db PRIOR to the hack. Contact your provider to make sure they wipe everything off your hosted server and DB. Upload backups and see if that helps. Most host providers can get backups, either through their interface or requesting...

CHANGE all your passwords on your host, FTP, etc. DB pw etc, before uploading backup files, change config files to reflect. I would also force everyone on the site to put in a new pw, and I would change the admin pw...


I would also check your htaccess files for code, redirects, etc...

xenite 09-12-2013 11:29 PM

Quote:

Originally Posted by teamemmenracing (Post 2445081)
I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions, have re-installed files etc., removed directories, I even deleted all files on the server and uploaded last month's backup ...... which makes me wonder if it is the database that has been attacked.

Login to your ADMINCP and go to NOTICES. You should find it there. Just delete the notice. Then delete the admin account.

Phat Phreddy 09-12-2013 11:32 PM

As above..

Deleted EVERYTHING but the DB multiple times..

Removed install of course
Changed all passwords
Removed admins
Removed the plugin.php
Scanned for strange files..

And still back in last night

--------------- Added at Unix time 1379033803 ---------------

Quote:

Originally Posted by pjkcards (Post 2444975)
I hired someone in the paid forum to fix it. Took them quite a while to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

Who did you hire ??

teamemmenracing 09-13-2013 05:23 AM

Well I bit the bullet and had my Host wipe the server and database.

Time to start all over again ..... and once I have a clean site running with an empty db, I will try and import an older db backup.

Phat Phreddy 09-13-2013 06:18 AM

I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really don't want to revert to an earlier database.. There has to be someone or a way that this can be cleaned up.

pityocamptes 09-13-2013 03:51 PM

Quote:

Originally Posted by Phat Phreddy (Post 2445284)
I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really don't want to revert to an earlier database.. There has to be someone or a way that this can be cleaned up.

Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ open-source software. See if it flags certain files and folders, and look into those...

--------------- Added at Unix time 1379091231 ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/

sr20de_99 09-14-2013 10:25 AM

Quote:

Originally Posted by Zachery (Post 2444557)
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
...


How do I access the tool mentioned in "Step 5: Removing unknown files" from the AdminCP?

Never mind I think I found it.

tnedator 09-14-2013 02:02 PM

Quote:

Originally Posted by pityocamptes (Post 2445368)
Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ open-source software. See if it flags certain files and folders, and look into those...

--------------- Added at Unix time 1379091231 ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/


Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

bremereric 09-14-2013 03:23 PM

I have found two hackers hacked the admincp and added themselves as administrators, they only hacked my default style to link it to Syria. I have deleted the hackers, I bought Sitelock for one year and just need to find their crap in the default style.

--------------- Added at Unix time 1379179783 ---------------

I found their crap in the forumhome of my default style. I copied the code from another working style and pasted over their crap. My site is back to normal now. I did delete the install folder as suggested and also changed my password and deleted all other admins. I found their two IP addresses and added them to the banned list. Good luck to everyone. Run your admin log to see what they did.

pityocamptes 09-15-2013 02:39 AM

Quote:

Originally Posted by tnedator (Post 2445585)
Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

I would get a hold of a clean version of your entire root, download it to your desktop, along with the corrupted files (entire root files), and compare the corrupted version to the clean version you have before the hack...

