
shahin531 10-10-2007 06:57 PM

Our site has been hacked -please help us urgently
 
Hi all.
Please advise me about this problem.
Our website has been hacked.
Our site has two admin accounts, and the hacker reset one of the accounts and hacked our site. Then we restored the site using the other admin account.
Anyway, I don't know what is happening. When I go to the cpanel to edit the forums, I see that all of the forum names are the same as the hacker's name!!!
Also, this code exists in the forum descriptions: “<script>location.href="http://kamy4r.persiangig.com/xmors.htm";</script>”
So all of the topics and forums redirect to the above link.
Please note that I completely replaced the following files with new ones, and I am sure that these files don't have any problem:
config.php
index.php
.htaccess

Please help us. What should we do?

Thank you in advance.

EnIgMa1234 10-10-2007 07:30 PM

Change all passwords, e.g. all admin accounts, cpanel, ftp

Also .htaccess the admincp
There should be an option in cpanel (password protect directories)

DivisionByZero 10-10-2007 11:41 PM

Also, if you're personally prone to these attacks, it may not be a bad idea to do an hourly backup of your database!!!

shahin531 10-11-2007 03:36 AM

Thanks. I have changed all the passwords. But how about the forums? The name and description of all forums changed to:
“<script>location.href="http://kamy4r.persiangig.com/xmors.htm";</script>”
and we are redirected to this link. What should we do, and how can we change the forum names and descriptions back to what they were before? We strongly believe that the hacker put the above link into one of the main files (or settings) of our site.
Waiting for your advice.
Thanks.

SCRIPT3R 10-11-2007 03:46 AM

What version of vB are you using?

Freesteyelz 10-11-2007 04:31 AM

Check your headerinclude and header templates. Unless you know for sure that the person did not access via server, check for any additional files/scripts that you did not upload/edit yourself. 1) Can you not re-edit the forum names and descriptions via Admin CP? 2) Also, did you say that when clicking topics the links will take you to the person's site?

Go To:
In Admin CP, at the left-hand navigation, go to Statistics & Logs --> Control Panel Logs --> Control Panel Log Viewer --> View

*Check any entries made other than you. Snag the IP(s) if any and look at the files that were edited. More likely if the person gained access via Admin CP he/she did not consider pruning those entries.

shahin531 10-11-2007 08:37 PM

Quote:

Originally Posted by Freesteyelz (Post 1357394)
Check your headerinclude and header templates. Unless you know for sure that the person did not access via server, check for any additional files/scripts that you did not upload/edit yourself. 1) Can you not re-edit the forum names and descriptions via Admin CP? 2) Also, did you say that when clicking topics the links will take you to the person's site?

Go To:
In Admin CP, at the left-hand navigation, go to Statistics & Logs --> Control Panel Logs --> Control Panel Log Viewer --> View

*Check any entries made other than you. Snag the IP(s) if any and look at the files that were edited. More likely if the person gained access via Admin CP he/she did not consider pruning those entries.

Thank you.
I checked the address, but the Control Panel Log Viewer has restricted access on our site ("Control Panel log viewing restricted."). Do you have any other solution?

--------------- Added at 22:41 ---------------

Quote:

Originally Posted by GearTripper (Post 1357382)
what version of vB are you using?

3.6.7

EnIgMa1234 10-11-2007 08:59 PM

Add your userid to config.php

Can view admincp log.

vertigo jones 10-11-2007 09:39 PM

Make sure to search your templates for "persiangig", "kamy4r", ".com" or anything else that might lead you to them and remove it. You never know what kind of javascript they've included without you knowing.

But yea, most importantly change your password, .htaccess protect your admincp, and change the name of the admincp directory.
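
The searches suggested in this thread (forum names and descriptions, then templates) can be run as one offline pass over exported rows. The following is an added example, not code from any poster or from vBulletin; the column names, the sample rows and the `clientscript/site.js` path are constructed assumptions, and it goes slightly beyond the thread by also catching meta-refresh redirects.

```python
import re
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)
META_REFRESH = re.compile(
    r"<\s*meta[^>]+http-equiv\s*=\s*[\"']?refresh[^>]*url=([^\"'>\s]+)", re.I)
INDICATORS = ("persiangig", "kamy4r")  # strings named in the thread

def scan_text(text):
    """Return (sorted reasons, sorted redirect hosts) for one stored field value."""
    reasons, hosts = set(), set()
    if SCRIPT_TAG.search(text):
        reasons.add("script-tag")
    for pattern, label in ((JS_REDIRECT, "js-redirect"), (META_REFRESH, "meta-refresh")):
        for url in pattern.findall(text):
            reasons.add(label)
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    reasons.update(f"indicator:{s}" for s in INDICATORS if s in text.lower())
    return sorted(reasons), sorted(hosts)

def scan_rows(rows, id_field, fields, ignore=()):
    """Scan exported rows (dicts); `ignore` drops reasons normal for that table."""
    findings = []
    for row in rows:
        for field in fields:
            reasons, hosts = scan_text(row.get(field) or "")
            reasons = [r for r in reasons if r not in ignore]
            if reasons:
                findings.append((row[id_field], field, reasons, hosts))
    return findings

# Constructed sample rows; column names are assumptions about the export.
INJECTED = '<script>location.href="http://kamy4r.persiangig.com/xmors.htm";</script>'
FORUMS = [
    {"forumid": 1, "title": "General Discussion", "description": "Talk about anything"},
    {"forumid": 2, "title": "kamy4r", "description": INJECTED},
]
TEMPLATES = [  # templates legitimately load scripts, so script-tag alone is ignored
    {"templateid": 10, "template": '<script type="text/javascript" src="clientscript/site.js"></script>'},
    {"templateid": 11, "template": "<div class='page'>" + INJECTED + "</div>"},
]

if __name__ == "__main__":
    print(scan_rows(FORUMS, "forumid", ("title", "description")))
    print(scan_rows(TEMPLATES, "templateid", ("template",), ignore=("script-tag",)))
```

Any script tag in a forum title or description is reported, while in templates only redirects and the named indicator strings are, which keeps ordinary script includes out of the results.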

