Got hacked. What now?
Hi everyone, haven't been here in a long time,
But last week my site got hacked. Practically every single page displays the typical black bg "you were hacked, haha" message (and nothing else). Restoring the entire file system did nothing, leading me to believe the hack is hidden in the database somewhere. I'm not sure if I should post the link to my forum so people can see, or not? Not only has it been a terribly long time since I backed up the database (I've been a bad admin and haven't been active at my forum), but the backup file is so large I don't know if I can restore it with phpMyAdmin. A much better solution would be fixing the database. Where should I look in the database? Keep in mind that this bit of code or whatever affects every page with the exception of admincp/index.php (it displays the login page, but once you try to log in, you get the hacked page again). Any help is appreciated!!! |
I would look for files in your directories that shouldn't be there. Is there a link to the site that we can see this happening?
|
http://www.landofrohan.com/forum/forumdisplay.php
(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay) I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup. :) |
I am working on a server side spider to find hacked files and I would really be interested in working with you on this if you are game.
First, go into your server and look for an .htaccess file and make sure they didn't drop something in there. Often that is how they do this and it could be an easy fix to make it stop. Next, go into your FTP program and look at the date/time that your files were changed. It is possible that they did not change all of your files. The files that were changed should be copied somewhere where they can be looked at later to try to help identify the culprit and perhaps learn how to identify their work in the future. Then, you should replace all of the files that were modified with safe versions. I hope you have backups as otherwise this can be a painful experience. From there, let's hope that your site works but if not you may need to get more help. If you find modified files, send me a PM and I will give you some clues on what I could use to bulk my hacker detector script I have started. --------------- Added [DATE]1224186718[/DATE] at [TIME]1224186718[/TIME] --------------- I also find it strange when you look at the source for the code I get this: PHP Code:
|
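The "look at the date/time your files were changed, copy them aside, then replace them" step above, as an added example that is not code from the thread or from vBulletin. It lists every file under a web root modified after a last-known-good time, always includes .htaccess (an old timestamp does not prove it is clean), and copies the hits into an evidence directory with timestamps preserved. The directory tree and the one-week cutoff in demo() are constructed for illustration.

```python
"""Triage helper for the file-dates step: list files under a web root whose
modification time is newer than the last known-good point, always include
any .htaccess, and copy the hits aside for later review.
Added example, not code from the thread; the directory tree is constructed."""
import os
import shutil
import tempfile
import time


def recently_modified(root, since_epoch):
    """Return (relative_path, mtime) pairs for files changed after since_epoch.
    .htaccess files are included regardless of age because a stale timestamp
    does not prove they are clean. Newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime > since_epoch or name == ".htaccess":
                hits.append((os.path.relpath(full, root), mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def preserve_evidence(root, hits, evidence_dir):
    """Copy each hit into evidence_dir, keeping the relative layout and the
    original timestamps (copy2), so the files can be studied after the live
    copies are replaced with clean versions. Returns the copied paths."""
    copied = []
    for rel, _mtime in hits:
        dest = os.path.join(evidence_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), dest)
        copied.append(rel)
    return copied


def demo():
    """Build a constructed forum tree and run the triage over it."""
    root = tempfile.mkdtemp(prefix="forum_")
    now = time.time()
    last_known_good = now - 7 * 86400            # assumption: clean a week ago
    layout = {                                   # constructed file ages
        "index.php": now - 30 * 86400,           # untouched, should not appear
        "forumdisplay.php": now - 2 * 86400,     # modified after the cutoff
        ".htaccess": now - 60 * 86400,           # old, but always reviewed
        os.path.join("images", "spacer.gif"): now - 90 * 86400,
    }
    for rel, mtime in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed placeholder\n")
        os.utime(full, (mtime, mtime))
    hits = recently_modified(root, last_known_good)
    copied = preserve_evidence(root, hits, tempfile.mkdtemp(prefix="evidence_"))
    return [rel for rel, _ in hits], copied


if __name__ == "__main__":
    for rel in demo()[0]:
        print("review:", rel)
```

Modification times can be reset by whoever changed the files, so an empty result is a hint, not proof; the list is a starting point for the file-by-file comparison against a clean copy.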
I know, it's very strange. And it seems like it would be easy to find. :(
As for .htaccess, I can't find one unfortunately - that would have been too easy. For your second suggestion, alas, I already overwrote the entire forum directory, so no evidence remains. But since the hack is still there, I don't believe it's actually in the files themselves. I still think it's a database thing. |
Quote:
index4_files/ads.js find that file some how it's using that to deface your page and in the sql you would have to go to post or thread to view that code too. |
Hmn. There's no index4_files/ads.js anywhere on my server. Seems that's hosted remotely somewhere else. I'll look in post or thread in the DB though I'm not sure where to look in them. :(
|
After you got hacked, did you restore your database from a backup?
Search and see if you have a plugin you don't recognize. |
I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).
I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must. All the plugins are of my own installation. :( |
Quote:
Tutorial: Using the CRON tab to do daily backups and long term MYSQL archives --------------- Added [DATE]1224191004[/DATE] at [TIME]1224191004[/TIME] --------------- Did you try disabling the plugin system by editing your config file? To temporarily disable the plugin system, edit config.php FIND PHP Code:
PHP Code:
Just remove it when you are done and you will be back to normal. |
1 Attachment(s)
I am an idiot...
Just upload the attached file to your server. you will need to change the extension to .php (the file is safe). See if you can run it or if that is redirected somewhere. |
Quote:
No, seriously, I didn't know about automatic backups. That's a great tip! I disabled plugins as you said, and no change, so at least that's narrowed out. |
Try uploading that file and see if you still have the problem. If so, then it is not a vBulletin or database issue. You may need to rename it forumdisplay.php to be sure as well.
|
It shows up fine - "I hate hackers" - and I agree with it. ;)
But afterwards I realized I'd already edited my index.php. http://www.landofrohan.com/forum/index.php? |
OK, so you uploaded that file to "forumdisplay.php" and it didn't redirect?
This is important as that confirms this is not some server trick! ---------------------------------- The next thing I would do is make a new database and reinstall the forum software to the new database WITHOUT changing your existing site! You can create a new directory as the new copy can be anywhere as you really just need the database. You will need to install the same version you are running now so if you are running 3.6.11 don't install a 3.7.x or you will get errors. Once it is installed and running, then go to the config file of the hacked forums and change the config file to have it look at the NEW database. If you don't get this problem, then the issue is certainly in your database! |
Yes, I uploaded it as forumdisplay.php. No redirect. No server trick.
Okay, I'll try that. Meanwhile, if it IS a problem with the database, where is it likely to be? I know the possibilities are endless, but... i have searched the database quite a bit already but it's a big place. Thanks for all your help, eh? :) |
There is no need to use a backup; this is a database-driven hack. You need to start searching for phrases he has on that page in your DB, using phpMyAdmin. That's fixable. After you find it all, start upgrading your forums & plugins.
|
I just wanted to add..... he got onto your site somehow and he will do so again unless you 'fix' the hole in your security. You may need to be talking to your host to help figure out how he got in.
|
Yes, Lynne, this is a wakeup call indeed. I may reinstall and tighten things up after I get the problem sorted out. The main thing now is to salvage months of user data, posts, and settings.
I did as Quarterbore said, and confirmed it to be a database problem. Snakes1100, there are hundreds of pages in the phrases table in the database (if that's what you meant). Any hint where to start? :( |
So, how did you fix it?
http://www.landofrohan.com/forum/forumdisplay.php edit - never mind you did a fresh install huh? |
It's not fixed... I just did like you said and installed vb to a new database then edited the original config.php to point to it. The old database is still there, and I'm looking through it. Perhaps I could try exporting and importing bits from the old database into the new "test" DB until something breaks.
|
I would go with snakes suggestion first.
Try searching for "index4_files" in your database... If that doesn't work, look for something else in the source code that would be unique like "hacked" perhaps. |
Sorry, you will need to search the entire DB, in phpmyadmin, click the db to view all the tables, click search form there at the top and click/select all tables to search at one time. with keywords/phrases that the hacker has on the page.
|
I haven't found anything that way... my feeling is that the "hacker page" is remotely hosted, and that none of what you see is actually in the database. What I fear IS in the database is some harder-to-find redirector. :(
|
...try looking for "REFRESH" or "HTTP-EQUIV"
I know you don't know me but if you would like help I would be glad to try to help but the only way I could do that is to get access to your database. I am very curious how they did this for the tool I am coding hence my interest. EDIT: you are searching like this, right: %refresh% %http-equiv% %index4_files% I ask as I get hits for the first two and my site is not hacked. But there are not many of them so you can look at them to find the cause. Also search for this if you are not finding anything... %base64% |
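The whole-database sweep recommended in the two posts above (search every table in phpMyAdmin for %refresh%, %http-equiv%, %index4_files% and %base64%), as an added example that is not code from the thread or from vBulletin. It applies the same search terms to rows and ranks them, so an eval(base64_decode()) hit outranks a harmless post that merely mentions base64 or a normal Content-Type meta tag, which is why the poster sees hits on a clean site. It also emits the per-table LIKE queries that phpMyAdmin's "search all tables" runs for you. The sample rows, the table names and the vb3_ prefix are constructed.

```python
"""Indicator sweep over database rows, ranked so that an eval(base64_decode())
hit outranks a harmless mention of the word base64.
Added example, not code from the thread; the rows below are constructed."""
import re

# Ordered highest severity first; the first pattern that matches a row wins,
# so each row is reported once at its worst severity.
INDICATORS = [
    ("eval+base64", re.compile(r"eval\s*\(\s*base64_decode", re.I), "high"),
    ("index4_files", re.compile(r"index4_files", re.I), "high"),
    ("meta refresh", re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I), "medium"),
    ("base64", re.compile(r"base64", re.I), "review"),
    ("http-equiv", re.compile(r"http-equiv", re.I), "review"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2}

# (table, primary key, column, stored text) - all constructed for the demo.
SAMPLE_ROWS = [
    ("template", 501, "template",
     "<img src=\"images/spacer.gif\" alt=\"\" />"
     "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>"),
    ("template", 12, "template",
     '<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />'),
    ("post", 88123, "pagetext", "Does anyone know how base64 encoding works?"),
    ("plugin", 9, "phpcode", "$attachpatch_patchfirstpost = array();"),
    ("template", 77, "template",
     '<meta http-equiv="refresh" content="0;url=http://example.invalid/index4_files/ads.js" />'),
]


def scan_rows(rows, indicators=INDICATORS, context=40):
    """Return one finding per matching row, worst severity first."""
    findings = []
    for table, pk, column, text in rows:
        for label, pattern, severity in indicators:
            m = pattern.search(text)
            if m:
                lo, hi = max(0, m.start() - context), m.end() + context
                findings.append({
                    "table": table, "pk": pk, "column": column,
                    "indicator": label, "severity": severity,
                    "snippet": text[lo:hi],
                })
                break
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["table"], f["pk"]))
    return findings


def build_like_queries(schema, term, prefix=""):
    """Produce the per-table LIKE queries phpMyAdmin runs for you, for pasting
    into a SQL console. schema maps table -> (pk column, [text columns]);
    term is an operator-supplied indicator, not user input."""
    queries = []
    for table, (pk_col, text_cols) in schema.items():
        where = " OR ".join("%s LIKE '%%%s%%'" % (col, term) for col in text_cols)
        queries.append("SELECT %s FROM %s%s WHERE %s" % (pk_col, prefix, table, where))
    return queries


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print("%-6s %s.%s #%s [%s] %s" % (f["severity"], f["table"], f["column"],
                                          f["pk"], f["indicator"], f["snippet"]))
    for q in build_like_queries({"template": ("templateid", ["template"]),
                                 "post": ("postid", ["pagetext"])}, "base64", "vb3_"):
        print(q)
```

Work the "high" rows first and only then the "review" ones; a word in a post or a Content-Type meta tag is expected noise, while a template or plugin row that contains eval(base64_decode( has no legitimate reason to exist.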
I FOUND IT! :D
It was your base64 hint! There was base 64 code hidden in the templates table, in a row with the title "spacer_open" which was part of something I added long ago - I don't know what for. But I think it was a random placement of the base64 code. I copied and then deleted the offending code, and now the site seems to be back to normal! Absolutely stunning what some code in one obscure area can do... So thank you so much everyone! and especially Quarterbore who came up with the key to the mystery in the end: is there any information you want from me to help with your tool? :) |
Alright. I'll try to beef up the guard. :)
|
I would be curious to see the code they added if you can send me a PM with the encrypted code. I am sure it is just an encrypted refresh but I will see if I can decrypt it. I have been studying the enemy for a while and there probably isn't much I can get from the code but I would still like to see it for basic syntax.
You obviously have something they were able to take advantage of to do a sql injection. So, as suggested get the forums upgraded and evaluate your hacks you have added. Also, don't forget to get the automated database backups running as if they did this the hacker could have deleted your entire database as well! |
Ok, guilty as charged... I skimmed a bit...
Here's what I would do: Make a backup now instead of tinkering w/ the only (although hacked) full version of your database that exists. Make a copy of that and tinker w/ it! Check the FTP or File Manager for recently modified files or folders and review the code. Also make sure however you're viewing the files you have it to where it's not hiding any from your view. As for restoring a large DB try bigdump.php or SQLyog Enterprise and give it a shot! S-MAN |
Yes, luckily it wasn't a destructive hack; more of an informative one. I'll send it to you in a sec.
Unfortunately I have to pay $60 to renew to download anything above 3.6.8. I don't think it's feasible for me now. |
Thanks for the code and for your reference you should never send code like that unmodified. For example, if you get encrypted code like that if you modify the start of the encrypted code so it is changed...
From: eval(base64_decode(' To: eval(baNOCODEse64_decNOTode(' The code can not be executed! You really have to be careful with encrypted code like that as you never know everything it does until it is decrypted. Luckily, there are tools out there that can decrypt stuff pretty darned easily anymore. --------------- Added [DATE]1224207351[/DATE] at [TIME]1224207351[/TIME] --------------- I decrypted the code and it was relatively harmless HTML code. There was nothing in there to log passwords as an example. I am posting the code here just for the record and so you can see it. That nonsense of letters and numbers when decoded is the code that follows! PHP Code:
|
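The two halves of the post above (defang the snippet by breaking the base64_decode name before sharing it, then decode it to see what it does without running it), as an added example that is not code from the thread or from vBulletin. It peels nested eval(base64_decode()) wrappers with plain base64 decoding, never evaluation, stops on malformed input, and labels what the decoded payload can do (a meta refresh, as in the thread, versus reading request data or writing files). The sample payload is constructed at run time from a placeholder redirect to example.invalid; the capability labels are this example's own.

```python
"""Unwrap an eval(base64_decode('...')) payload pulled from a database row
without ever executing it, and defang it as the post describes before it is
pasted anywhere. Added example, not code from the thread; the sample
payload below is constructed at run time."""
import base64
import binascii
import re

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)", re.S)


def decode_layers(snippet, max_depth=5):
    """Peel nested eval(base64_decode()) wrappers. Returns (final_text, depth).
    Only base64 decoding happens here; nothing is evaluated."""
    text, depth = snippet, 0
    while depth < max_depth:
        m = EVAL_B64.search(text)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            break  # malformed base64: stop and report what we have so far
        depth += 1
    return text, depth


def defang(snippet):
    """Break the decoder's name, as the post suggests, so an accidental paste
    into PHP raises an undefined-function error instead of running."""
    return snippet.replace("base64_decode", "baNOCODEse64_decNOTode")


# Markers for a quick read of what the decoded payload is trying to do
# (labels are this example's own, not a vBulletin or thread convention).
CAPABILITIES = [
    ("meta-refresh", re.compile(r"http-equiv\s*=\s*['\"]?refresh", re.I)),
    ("script-tag", re.compile(r"<script", re.I)),
    ("iframe", re.compile(r"<iframe", re.I)),
    ("reads-request", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)")),
    ("network", re.compile(r"\b(fsockopen|curl_init|mail)\s*\(", re.I)),
    ("writes-files", re.compile(r"\b(fopen|file_put_contents|fwrite)\s*\(", re.I)),
]


def classify_payload(text):
    """Return the capability labels present in the decoded payload."""
    return [label for label, pat in CAPABILITIES if pat.search(text)]


def wrap(body):
    """Build a one-layer eval(base64_decode()) wrapper for the constructed sample."""
    return "eval(base64_decode('%s'));" % base64.b64encode(body.encode()).decode()


INNER_HTML = '<meta http-equiv="refresh" content="0;url=http://example.invalid/" />'  # constructed
SAMPLE_ONE_LAYER = wrap(INNER_HTML)
SAMPLE_TWO_LAYERS = wrap(wrap(INNER_HTML))

if __name__ == "__main__":
    text, depth = decode_layers(SAMPLE_TWO_LAYERS)
    print("layers:", depth, "capabilities:", classify_payload(text))
    print("decoded:", text)
    print("safe to share:", defang(SAMPLE_TWO_LAYERS))
```

The depth counter matters because a single decode can yield another eval(base64_decode()) wrapper; stopping at a fixed maximum keeps a hostile or corrupt blob from looping, and the decoded text is only ever inspected as a string.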
Oh dear, that was clumsy of me. :(
|
Quote:
My site got hacked last week and I found a different method to get my templates showing up instead of the hacked version, however I still have a couple of the hacked templates up as I have not had time to change those just yet. Any idea what table name, or what kind of code I should be looking for more exactly? |
There shouldn't be any base 64 scripts in your forums ;)
|
How is that even embedded? Is it a badly written mod?
|
Quote:
Search results for "%base64%" (at least one of the words):
2 match(es) inside table vb3_datastore
4 match(es) inside table vb3_plugin
2 match(es) inside table vb3_pmtext
4 match(es) inside table vb3_post
3 match(es) inside table vb3_postedithistory
1 match(es) inside table vb3_postparsed
1 match(es) inside table vb3_word
Total: 17

Example: table vb3_word
Code:
SQL query: SELECT *
Wordid: 57647
title: base64

Example: table vb3_plugin
Code:
SQL query: SELECT *
Code:
$attachpatch_patchfirstpost = array (); |