Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-06-2007, 08:46 PM
Flumples Flumples is offline
 
Join Date: Dec 2005
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default URGENT: My forum's been hacked.

I'm not sure how to fix it...

Here's the some of the source code for the faq.php page (I've taken the index.php offline):

Quote:
<html dir="ltr" lang="en">
<head>
<meta name="robots" content="noindex,follow" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="generator" content="vBulletin 3.6.4" />


<meta name="keywords" content="habbo,meadow,forum,flumples,kokey,kokes,p roductions,callie,chat,discussion,hotel" />
<meta name="description" content="The Habbo Meadow forum is the official forum of HabboMeadow.com, an official UK Habbo Hotel fansite. Sign up and join in the fun!" />



<!-- CSS Stylesheet -->

<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">

<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>Hacked !!</title>
</head>

<body link="#000099" vlink="#990099" alink="#000099"
style="color: rgb(255, 102, 0); background-color: rgb(0, 0, 0);">

<p align="center">&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp;
<img
src="http://www.graphfr.com/image-tutorial/758/757551/20060426/main-noire.jpg"
alt="zzz" width="500" height="500"
style="width: 411px; height: 395px;"> &nbsp; &nbsp; &nbsp;<br>

<font size="4">&nbsp;Hacked By <br>
<span style="color: rgb(0, 102, 0);">Team Special Agent</span><br>
Team Mafia TaourirT<br>
<span style="color: rgb(0, 102, 0);">H-T Team</span><br>
slawi-team<br>
<span style="color: rgb(0, 102, 0);">Team MoroCcan Islam DefenderS</span><br>
</font><font color="#FF0000" size="6"><strong><span style="color: rgb(0, 102, 0);">H</span>a<span style="color: rgb(0, 102, 0);">c</span>k<span style="color: rgb(0, 102, 0);">e</span>r<span style="color: rgb(0, 102, 0);">s</span> O<span style="color: rgb(0, 102, 0);">f</span> <span style="color: rgb(0, 102, 0);">M</span>o<span style="color: rgb(0, 102, 0);">r</span>o<span style="color: rgb(0, 102, 0);">C</span>c<span style="color: rgb(0, 102, 0);">O</strong></font><font
color="#FF0000" size="4"><br>

</font><font size="4">&nbsp; &nbsp;<img
src="http://membres.lycos.fr/gaizado/mh.jpg" alt="ZZZ"
width="450" height="300" style="width: 450px; height: 300px;"><br>
</span>Not sorry admin LoL .... !! <br>
</font><font color="#FFFFFF" size="2" face="Tahoma"><font style="color: rgb(0, 102, 0);"></font></font><font
color="#FFFFFF" size="4" face="Tahoma"><b>I Think For This Your
Security = </b></font><font size="4" face="Tahoma"><b>0</b></font>
<br>
!!!......Bye Bye ....!!!<br>
<span style="font-family: Comic Sans MS;">&nbsp;ciao admin&nbsp;</span><br>
<font size="4"><br>
</font></p>
</body>
</html>


<!-- / CSS Stylesheet -->

<script type="text/javascript">
<!--
function who_rated_member(userid)
{
return openWindow(
'misc.php?' + SESSIONURL + 'do=who_rated_member&u=' + userid,
230, 300
);
}

function who_viewed_member(userid)
{
return openWindow(
'misc.php?' + SESSIONURL + 'do=who_viewed_member&u=' + userid,
230, 300
);
}
// -->
</script>

<script type="text/javascript">
<!--
var SESSIONURL = "";
var IMGDIR_MISC = "";
var vb_disable_ajax = parseInt("0", 10);
// -->
</script>

<script type="text/javascript" src="clientscript/vbulletin_global.js?v=364"></script>
<script type="text/javascript" src="clientscript/vbulletin_menu.js?v=364"></script>

<link rel="alternate" type="application/rss+xml" title="Habbo Meadow Forum RSS Feed" href="external.php?type=RSS2" />


<title>Habbo Meadow Forum</title>

</head>
<body>
Somehow, they've replaced the CSS stylesheet links and replaced it with their own code.

Here's how the page looks: http://www.meadowforum.com/faq.php

Any ideas?
Reply With Quote
  #2  
Old 09-06-2007, 08:55 PM
cheat-master30's Avatar
cheat-master30 cheat-master30 is offline
 
Join Date: Mar 2007
Location: Information Classified
Posts: 1,715
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How about... not sure, I don't how they would have loaded that in via a way reversable easily. Although I do know these hackers can't code for their life and use a rubbish WYSIWYG editor.
Reply With Quote
  #3  
Old 09-06-2007, 09:02 PM
Swampfox Swampfox is offline
 
Join Date: Aug 2006
Posts: 119
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Re-upload the files that have been hacked, overwriting the existing ones

and get a new host
Reply With Quote
  #4  
Old 09-06-2007, 09:10 PM
Flumples Flumples is offline
 
Join Date: Dec 2005
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I tried re-uploading, didn't work.

I've just searched the MySQL database for 'MoroCcan Islam' and it brought up a few results. I'm restoring database from about a week ago and seeing if that solves the problem.
Reply With Quote
  #5  
Old 09-06-2007, 09:27 PM
Evolution06 Evolution06 is offline
 
Join Date: May 2006
Location: California
Posts: 161
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

did a google search on that image of the hand came up with a tutorial but.. Its very interesting to see his name "neimadthehacker"

Can't read this language at all
Click Here
Click Here

Looked at all these sites that have been hacked by them
Google Search Results

Not sure if any of this helps but I am pretty good at tracking down the source of hackers I have had my fair share. Also best way to get your site back online is what you are doing now do a restore because hackers usually put "Rogue" files that are very well hidden and will carry key loggs among other things.

Sorry this happened to ya best thing to do is contact your host tell them what happened and ask them to help ya secure your site/webserver and they will help you because if someone trys to do a ddos attack on you that can cause multi millons in damage depending on how big it is and they won't want that trust me.
Reply With Quote
  #6  
Old 09-06-2007, 09:43 PM
Flumples Flumples is offline
 
Join Date: Dec 2005
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks for your help. I had a go at fixing the database, but it was pretty messed up. I did manage to remove the content the hacker put on the site, but there was still traces that I couldn't get rid of - there was even some in the shoutbox? :S
Reply With Quote
  #7  
Old 09-06-2007, 09:53 PM
Evolution06 Evolution06 is offline
 
Join Date: May 2006
Location: California
Posts: 161
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What are you on a single hosted account or do you own a vps? Cause if you did a backup a week back it should of restored a clean *unhacked database* along with the files.
Reply With Quote
  #8  
Old 09-06-2007, 10:00 PM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You need to remove the code that is in red from your template which ever one they put it in, probably headinclude or header.

Then you need to figure out which hacks have the security hole, or if you are on a old version of vBulletin you'll need to upgrade to make sure its the most secure.
Reply With Quote
  #9  
Old 09-10-2007, 09:34 PM
Weapon-x Weapon-x is offline
 
Join Date: Jan 2005
Location: USA
Posts: 117
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Make sure you are up to date on everything installed on your board. Plus look into getting a new host. I recommend Dreamhost
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:42 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06598 seconds
  • Memory Usage 2,255KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (9)post_thanks_box
  • (9)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (9)post_thanks_postbit_info
  • (9)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete