vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Th3H4ck hacked hundreds of VB forums over the last two days. (https://vborg.vbsupport.ru/showthread.php?t=301904)

Toorak Times 09-08-2013 01:44 PM

I've just restored twice over the last couple of days; my hosts are screaming... he is a clever bugger... I have a developer keeping an eye on my site until Sunday, so I will update this thread... I am using Spam Hammer and to date it is brilliant, so I don't think it is flawed, but Steve is the expert in this stuff.

--------------- Added 09-08-2013 at 02:48 PM ---------------

clock.php... interesting... I have a clock on my home page header, hmmm

ozzy47 09-08-2013 02:43 PM

Hopefully with Steve watching the site, he can figure out everything they are doing and share with the community on how to put a stop to him.

induslady 09-09-2013 04:03 AM

Quote:

Originally Posted by KissOfDeath (Post 2444117)
What they're doing is creating a backdoor to come back in later.

So then I figured it must be a file uploaded on the server, because from what I've seen the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel, & FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt I guess there must be more files as well, but this is all I could find on Google.

Hello,

Thank you for these details.

I was able to see these backdoor (PHP) files - about 4 under different names (gs.php, test.php, dyna_statistic.php) with exactly the same content, installed in the following folders:
customprofilepics
attachments
captcha
vba_dyna_modules

Deleted those files today.
Removed the install directory the day after being hacked (6-Sep).
Changed cpanel/FTP, vbulletin database and admin account passwords.

I didn't find anything injected into the database, so should I restore it? Then the members' posts will be lost!

What more should I do to keep the hacker away?
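
A sweep for the pattern this post describes (the same PHP body dropped under several names in writable upload folders), added here as an example and not code from the thread or from vBulletin. It assumes a POSIX shell with find and sha256sum (or shasum) on the host; the directory list is taken from the post plus the customavatars folder named in the quoted reply, and the web root it runs against below is a constructed temporary tree, not a real forum:

```shell
#!/bin/sh
# Added example (not from the thread): sweep the upload directories named in the
# post for PHP files and group them by content hash, so one backdoor body dropped
# under several names (gs.php, test.php, dyna_statistic.php ...) shows up as one
# group. Directory names follow the post; the sample tree below is constructed.

# Directories vBulletin (and vBadvanced) let the web server write into.
UPLOAD_DIRS="customprofilepics customavatars attachments captcha vba_dyna_modules"

# Print every PHP-ish file under those directories beneath web root $1.
find_php_in_upload_dirs() {
  for d in $UPLOAD_DIRS; do
    [ -d "$1/$d" ] || continue
    find "$1/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) -print
  done
}

# sha256 of one file (coreutils or shasum), printed as "hash  path".
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# "hash  path" for each hit, sorted so identical bodies sit next to each other.
hash_suspects() {
  find_php_in_upload_dirs "$1" | while IFS= read -r f; do digest "$f"; done | sort
}

# Number of distinct bodies that occur in more than one place: a non-zero count is
# the signature the post describes (same content, different names and folders).
duplicate_groups() {
  hash_suspects "$1" | awk '{ print $1 }' | uniq -d | wc -l | tr -d ' '
}

# Constructed web root: three copies of one body, one legitimate module, one attachment.
make_demo_tree() {
  root=$(mktemp -d)
  for d in $UPLOAD_DIRS; do mkdir -p "$root/$d"; done
  body='<?php /* constructed stand-in for the dropped backdoor body */ ?>'
  printf '%s\n' "$body" > "$root/customprofilepics/gs.php"
  printf '%s\n' "$body" > "$root/attachments/test.php"
  printf '%s\n' "$body" > "$root/captcha/dyna_statistic.php"
  printf '%s\n' '<?php /* legitimate vBadvanced module, not a backdoor */ ?>' > "$root/vba_dyna_modules/legit_module.php"
  printf 'binary attachment' > "$root/attachments/1.attach"
  printf '%s\n' "$root"
}

# Usage: sh find_upload_backdoors.sh /path/to/forum   (defaults to the demo tree)
if [ -n "$1" ]; then root="$1"; else root=$(make_demo_tree); fi
echo "PHP files in upload dirs:"; find_php_in_upload_dirs "$root"
echo "Hashes:"; hash_suspects "$root"
echo "Duplicated bodies: $(duplicate_groups "$root")"
```

Two caveats when running this against a real install: vba_dyna_modules legitimately holds PHP module files, so there the hashes should be compared against a clean vBadvanced copy rather than treating every .php as hostile, and a file's mtime can be reset by whoever dropped it, so content hashes and web-server access logs are more reliable than the dates alone.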

KissOfDeath 09-09-2013 06:49 AM

Well, something's still not right. I logged onto my site today and my account was using an unselectable style; the style options at the bottom were just showing a blank space, nothing in the control panel logs, no file edits on the server, no new admins......

ozzy47 09-09-2013 09:25 AM

Well, that is certainly a strange one. Surprised there was nothing in the logs.

CarolSEL 09-09-2013 06:39 PM

This guy hacked our site with 3 usernames (administrator, z3ro and Th3H4ck), all admins, and with no record of them registering, no email confirmation to admin, so it had to be manually done. I deleted them, and the contents of the install folder (all were backup files). The site crashed, so I had our ISP restore web files from before the 3 stooges registered, run a malware scan, then verify the htaccess file. Meanwhile, within minutes of being back up, we had 2 more phoney admins, and ZAP! got a message saying, "This site has been hijacked by Frozen.Heart."

I also found at cPanel that all the access logs had been locked. Going through File Manager, I found the files empty.

Neither the ISP nor we have any idea what to do to restore the site without starting over, but they're going through the software now. What else could he have done to hijack the site??

(I'm not much more than a glorified Mod, so hopefully I'll catch on to whatever suggestions you've got!)

One other question: How does this guy find out who vB's clients are???

xenite 09-09-2013 06:47 PM

I would look at the raw server logs and identify the IP addresses he is using. You can buy yourself some time by blocking those in your .htaccess or firewall.
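
The log triage this reply suggests, as an added example that is not part of the original post or of vBulletin: pull the client IPs that requested the backdoor names mentioned in this thread (clock.php, gs.php, test.php, dyna_statistic.php) or anything under /install/ out of an Apache combined-format access log, busiest first, and turn them into .htaccess deny lines. It assumes the log is in combined format; the log lines in write_sample_log are constructed with documentation-range addresses, not real attacker traffic:

```shell
#!/bin/sh
# Added example (not from the thread): pull the client IPs that requested the
# backdoor file names mentioned in this thread or anything under /install/ out
# of an Apache combined-format access log, most active first, and turn them into
# .htaccess deny lines. The log lines in write_sample_log are constructed.

# Request paths worth pulling an IP for (names from the thread; extend as needed).
SUSPECT_PATHS='/(install/|clock[.]php|gs[.]php|test[.]php|dyna_statistic[.]php)'

# Print offending client IPs, one per line, busiest first. In combined format the
# client IP is field 1 and the request path is field 7 of each line.
suspect_ips() {
  awk -v pat="$SUSPECT_PATHS" '$7 ~ pat { print $1 }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $2 }'
}

# Apache 2.2-style .htaccess lines (Apache 2.4 uses "Require not ip <addr>").
htaccess_deny() {
  suspect_ips "$1" | while IFS= read -r ip; do
    printf 'Deny from %s\n' "$ip"
  done
}

# Constructed sample log (documentation-range addresses, not real attackers).
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [08/Sep/2013:10:01:12 +0000] "GET /install/install.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2013:10:02:40 +0000] "POST /customavatars/clock.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.22 - - [08/Sep/2013:10:05:01 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Sep/2013:11:15:33 +0000] "GET /attachments/gs.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.30.0"
EOF
}

# Usage: sh block_backdoor_ips.sh /var/log/apache2/access.log   (defaults to the sample)
if [ -n "$1" ]; then log="$1"; else log=$(mktemp); write_sample_log "$log"; fi
echo "Suspect IPs (busiest first):"; suspect_ips "$log"
echo; echo "# paste into .htaccess:"; htaccess_deny "$log"
```

As the reply says, blocking addresses only buys time: the attacker will return from another IP as long as the dropped files and the rogue admin accounts are still there, so the deny list is a stopgap while the cleanup and password rotation happen. Run it against the raw server logs from the host, since the copies inside the web root can be wiped by whoever has the backdoor, as a later post in this thread reports.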

CarolSEL 09-09-2013 06:57 PM

Thanks, Xenite, but first I need to figure out how to get the site back up, without any surprise easter eggs included. I suspended the account until we can get it fixed...we don't need to advertise his "expertise", since all you get at our URL is a flaming demon with music and his banner headline.

The ISP is asking me for any information available on what he does to the software.

xenite 09-09-2013 07:01 PM

This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.

CarolSEL 09-09-2013 07:12 PM

Quote:

Originally Posted by xenite (Post 2444467)
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.

Thanks. Will check it out.



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.