URGENT: My forum's been hacked.

[Flumples]

I'm not sure how to fix it...

Here's the some of the source code for the faq.php page (I've taken the index.php offline):

Quote:

<html dir="ltr" lang="en">
<head>
<meta name="robots" content="noindex,follow" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="generator" content="vBulletin 3.6.4" />


<meta name="keywords" content="habbo,meadow,forum,flumples,kokey,kokes,p roductions,callie,chat,discussion,hotel" />
<meta name="description" content="The Habbo Meadow forum is the official forum of HabboMeadow.com, an official UK Habbo Hotel fansite. Sign up and join in the fun!" />



<!-- CSS Stylesheet -->

<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">

<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>Hacked !!</title>
</head>

<body link="#000099" vlink="#990099" alink="#000099"
style="color: rgb(255, 102, 0); background-color: rgb(0, 0, 0);">

<p align="center">&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;
<img
src="http://www.graphfr.com/image-tutorial/758/757551/20060426/main-noire.jpg"
alt="zzz" width="500" height="500"
style="width: 411px; height: 395px;"> &nbsp; &nbsp; &nbsp;<br>

<font size="4">&nbsp;Hacked By <br>
<span style="color: rgb(0, 102, 0);">Team Special Agent</span><br>
Team Mafia TaourirT<br>
<span style="color: rgb(0, 102, 0);">H-T Team</span><br>
slawi-team<br>
<span style="color: rgb(0, 102, 0);">Team MoroCcan Islam DefenderS</span><br>
</font><font color="#FF0000" size="6"><strong><span style="color: rgb(0, 102, 0);">H</span>a<span style="color: rgb(0, 102, 0);">c</span>k<span style="color: rgb(0, 102, 0);">e</span>r<span style="color: rgb(0, 102, 0);">s</span> O<span style="color: rgb(0, 102, 0);">f</span> <span style="color: rgb(0, 102, 0);">M</span>o<span style="color: rgb(0, 102, 0);">r</span>o<span style="color: rgb(0, 102, 0);">C</span>c<span style="color: rgb(0, 102, 0);">O</strong></font><font
color="#FF0000" size="4"><br>

</font><font size="4">&nbsp; &nbsp;<img
src="http://membres.lycos.fr/gaizado/mh.jpg" alt="ZZZ"
width="450" height="300" style="width: 450px; height: 300px;"><br>
</span>Not sorry admin LoL .... !! <br>
</font><font color="#FFFFFF" size="2" face="Tahoma"><font style="color: rgb(0, 102, 0);"></font></font><font
color="#FFFFFF" size="4" face="Tahoma"><b>I Think For This Your
Security = </b></font><font size="4" face="Tahoma"><b>0</b></font>
<br>
!!!......Bye Bye ....!!!<br>
<span style="font-family: Comic Sans MS;">&nbsp;ciao admin&nbsp;</span><br>
<font size="4"><br>
</font></p>
</body>
</html>

<!-- / CSS Stylesheet -->

<script type="text/javascript">
<!--
function who_rated_member(userid)
{
return openWindow(
'misc.php?' + SESSIONURL + 'do=who_rated_member&u=' + userid,
230, 300
);
}

function who_viewed_member(userid)
{
return openWindow(
'misc.php?' + SESSIONURL + 'do=who_viewed_member&u=' + userid,
230, 300
);
}
// -->
</script>

<script type="text/javascript">
<!--
var SESSIONURL = "";
var IMGDIR_MISC = "";
var vb_disable_ajax = parseInt("0", 10);
// -->
</script>

<script type="text/javascript" src="clientscript/vbulletin_global.js?v=364"></script>
<script type="text/javascript" src="clientscript/vbulletin_menu.js?v=364"></script>

<link rel="alternate" type="application/rss+xml" title="Habbo Meadow Forum RSS Feed" href="external.php?type=RSS2" />


<title>Habbo Meadow Forum</title>

</head>
<body>

Somehow, they've replaced the CSS stylesheet links and replaced it with their own code.

Here's how the page looks: http://www.meadowforum.com/faq.php

Any ideas?

[cheat-master30]

How about... not sure, I don't how they would have loaded that in via a way reversable easily. Although I do know these hackers can't code for their life and use a rubbish WYSIWYG editor.

[Swampfox]

Re-upload the files that have been hacked, overwriting the existing ones

and get a new host

[Flumples]

I tried re-uploading, didn't work.

I've just searched the MySQL database for 'MoroCcan Islam' and it brought up a few results. I'm restoring database from about a week ago and seeing if that solves the problem.

[Evolution06]

did a google search on that image of the hand came up with a tutorial but.. Its very interesting to see his name "neimadthehacker"

Can't read this language at all
Click Here
Click Here

Looked at all these sites that have been hacked by them
Google Search Results

Not sure if any of this helps but I am pretty good at tracking down the source of hackers I have had my fair share. Also best way to get your site back online is what you are doing now do a restore because hackers usually put "Rogue" files that are very well hidden and will carry key loggs among other things.

Sorry this happened to ya best thing to do is contact your host tell them what happened and ask them to help ya secure your site/webserver and they will help you because if someone trys to do a ddos attack on you that can cause multi millons in damage depending on how big it is and they won't want that trust me.

[Flumples]

Thanks for your help. I had a go at fixing the database, but it was pretty messed up. I did manage to remove the content the hacker put on the site, but there was still traces that I couldn't get rid of - there was even some in the shoutbox? :S

[Evolution06]

What are you on a single hosted account or do you own a vps? Cause if you did a backup a week back it should of restored a clean *unhacked database* along with the files.

[SEOvB]

You need to remove the code that is in red from your template which ever one they put it in, probably headinclude or header.

Then you need to figure out which hacks have the security hole, or if you are on a old version of vBulletin you'll need to upgrade to make sure its the most secure.

[Weapon-x]

Make sure you are up to date on everything installed on your board. Plus look into getting a new host. I recommend Dreamhost