vb.org Archive - Forum hack please help

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)

- - Forum hack please help (https://vborg.vbsupport.ru/showthread.php?t=306972)

Forum hack please help

Hello

I had my forum hacked today and the frontpage defaced. Any file i try to go to gives me the hackers message on the front i removed every file on the server and reuploaded them, set the config.php with the database information and also added define('DISABLE_HOOKS', true); into the PHP, now after i did this there was no change, the hackers message is still in the database wich makes me guess that he maybe changed FORUMHOME as suggested when i tried searching google for answers, i can access the database from Phpmyadmin BUT i cannot access the forum adminCP i can access the login windows but when i press "login" it redirects me to login.php wich gives me the hackers message again, what do i do from php my admin to get my forums back online ?

Link to the site?

If the INSTALL folder still exists on your server, delete it.

The site is over at welikeanime.com and i can go to admincp/ but i cannot login. The installfolder is deleted from the root folder since the install.

I get nothing but a blank page, there's no code in reading page source.

my stupid host removed the default style in the "style" table in the database when scaning, i tried to restore it it but now i just get blank pages. i have a test forum with another license that also was defaced and the code bellow is on all pages i try to access like login.php index.php or simillair. It was on the frontpage where you also get a white page now but after the problems in the "style" table the page is just white, anything you can figure out?

it's for most .php files in root like if i go to mysite.com/login.php or index.php instead i get the hackers message

Malware:

Code:

<html>



<head>

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<title>HACKED BY Mr.M0R0 MOROCCAN HACKER</title>

</head>



<body>



<p align="center"><img border="0" src="http://stupidwebsite.com/46/95/864954/65130309_p.gif"></p>



<p align="center">&nbsp;HACKED AND DEFACED BY Mr.MORO MOROCCAN HACKER</p>



<p align="center">&nbsp;WHAT THE HELL IS GOING ON HERE YOUR SECURITY IS LIKE A SHIT</p>



<p align="center">&nbsp;++++ING UNSECURE SERVERS I REALLY HATE IT. NO APOLOQIZE , NO MERCY</p>



<p align="center">&nbsp;NO PITTY , NO SORRY , BUT DO NOT WORRY NO FILES DELETED ONLY YOUR INDEX</p>



<p align="center">&nbsp;HAS BEEN CHENGED SO TRY TO EDIT QUICKLY GOOD LUCK . FOR MORE INFO CONTACT ME ON :</p>



<p align="center">&nbsp;Mr.MoRo@HOTMAIL.FR</p>



<p align="center">&nbsp; BYE</p>



</body>  



  



</p>



</html>

That's coming from a file on the server, not the database.

PM me with FTP credentials and i will have a look.

It's more than likely this one: http://www.vbulletin.com/forum/forum...=1387659347561

See post #13

.. If not then it's the other variant where the hacker edits your master style replacing all templates with the same identical code which is rather bothersome as you can imagine :p.

I would like to thank Max Taxable for helping me with this issue, thank you very very much! :)

Quote:

Originally Posted by Rizzler (Post 2474107)

I would like to thank Max Taxable for helping me with this issue, thank you very very much! :)

I did some PM networking and little else. The party responsible for the actual help is a really good egg.

X vBulletin 3.8.12 by vBS Debug Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_code_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (9)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages:

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01045 seconds Memory Usage 1,731KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_code_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (9)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: