Forum hacked, keeps redirecting to to deface page after i deleted it
 

My vBulletin forum was "hacked" (actually one of my admins emails just wasnt secure >.>) They uploaded 2 shells and a deface page, which i deleted, yet it still tries to redirect to the deface page, and is in an endless loop of refreshing.

Basically when it was first hacked, when i went to mydomain.com it redirected to mydomain.com/deface.html

I then deleted deface.html, but it still tries to redirect to mydomain.com/deface.html

I DO NOT have a .htaccess file, I've looked and it is not there. I have tried to make my own, and it would not work, I even made sure to CHMOD it, but still no success.

does anyone know how to fix this?

Try running this script: https://vborg.vbsupport.ru/showthread.php?t=281080

Also, look in the Plugin Manager and see if there are any plugins you don't recognize.

I cant access my control panel because every page redirects.

Have you tried disabling hooks globally via the config.php file?

define('DISABLE_HOOKS', true);

Yeah that. And while it doesn't hurt to run that other script, if your admincp is redirecting it's got to be something other than a template.

Did you try using a database backup? If your database was also compromised, then that may be a good option.

database was not touched, only an admin account that wasnt even super admin. all they did was upload 2 shellls, a deface page, and whatever redirects every page.

You cannot upload a file without ftp/server access, so what makes you think someone wasn't able to access the server and the database?

Just throwing this out there, you should make sure the NameServers were not changed and that there are no forwarders

They uploaed a shell through the adminCP, then uploaded a deface page through that, i checked the 'last modified' date of all the files in my FTP, only the shell and the deface page were added.

nameserves were not changed

Are you still having the redirect issue? If you upload a static html page and go to it, does it still redirect?

I think Lynne mentioned the database because if they didn't change any files then the only thing left is the vb database.

If they uploaded a plugin then chances are there are entries in your database that are making the redirect...

Is it possible for you to have the DB restored? Does your host take backups? If so, do that but also keep the current possibly compromised DB. Then, you can cross reference and compare any new tables or changes, delete those and possibly have repaired the DB

Also, as was mentioned above, if it is a plugin you can edit your includes/config.php file and add:

somewhere after the first line. Then you should be able to go to the adminCP and use the plugin manager to figure out which one is causing the problem and disable it.

I'd seacrh my core vbulletin php files for eval(base64 code!

Also ask your host to check the access logs for around the time that the hack happened to see what went down precisely.

have you tried the above?
do you have access to the database, or the files?

tried, didnt work.

I have access to the db and files, yes.

Can you post a link to your site?

<script>window.location='http://zamorak.net/PhaisamAndDan.html'</script>Unable to add cookies, header already sent.<br />
File: /home/trevors/public_html/Zamorak.net/includes/config.php<br />
Line: 48<br />

change this line in your config
$config['Database']['force_sql_mode'] = false;
if false change to true if true change to false

What exactly did you try? You should have cleaned your site 10 times by now. Did you also ask your host to check their logs to see what went down and how?

As others have mentioned above, there seems to be something wrong in your includes/config.php file around line 48. The hackers may have inserted something directly in that file.

I don't see any redirects at all for this website.

remove your database name, username and password and post your config.php as text here.