Go Back   vb.org Archive > Community Discussions > Forum and Server Management
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 10-16-2008, 06:09 PM
Berethorn Berethorn is offline
 
Join Date: Jun 2004
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Got hacked. What now?

Hi everyone, haven't been here in a long time,

But last week my site got hacked. Practically every single page displays the typical black bg "you were hacked, haha" message (and nothing else) Restoring the entire file system did nothing, leading me to believe the hack is hidden in the database somewhere.

I'm not sure if I should post the link to my forum so people can see, or not?

Not only has it been a terribly long time since I backed up the database (I've been a bad admin and haven't been active at my forum), but the backup file is so large I don't know if I can restore it with phpMyAdmin.

A much better solution would be fixing the database. Where should I look in the database? Keep in mind that this bit of code or whatever effects every page with the exception of admincp/index.php (it displays the login page, but once you try to login, you get the hacked page again).

Any help is appreciated!!!
Reply With Quote
  #2  
Old 10-16-2008, 06:14 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I would look for files in your directories that shouldn't be there. Is there a link to the site that we can see this happening?
Reply With Quote
  #3  
Old 10-16-2008, 06:31 PM
Berethorn Berethorn is offline
 
Join Date: Jun 2004
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

http://www.landofrohan.com/forum/forumdisplay.php

(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)

I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup.
Reply With Quote
  #4  
Old 10-16-2008, 06:45 PM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I am working on a server side spider to find hacked files and I would really be interested in working with you on this if you are game.

First, go into your server and look for an .htaccess file and make sure they didn't drop something in there. Often that is how they do this and it could be an easy fix to make it stop.

Next, go into your FTP program and look at the date/time that your files were changed. It is possible that they did not change all of your files. The files that were changed should be copied somewhere where they can be looked at later to try to help identify the culprate and perhaps learn how to identify their work in the future.

Then, you should replace all of the files that were modified with safe versions. I hope you have backups as otherwise this can be a painful experience. From there, let's hope that your site works but if not you may need to get more help.

If you find modified files, send me a PM and I will give you some clues on what I could use to bulk my hacker detector script I have started.

--------------- Added [DATE]1224186718[/DATE] at [TIME]1224186718[/TIME] ---------------

I also find it strange when you look atthe source for the code I get this:

PHP Code:
<!-- saved from url=(0026)http://woot.king-nerd.com/ --> 
The site itself is just a front...
Reply With Quote
  #5  
Old 10-16-2008, 07:12 PM
Berethorn Berethorn is offline
 
Join Date: Jun 2004
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I know, it's very strange. And it seems like it would be easy to find.

As for .htaccess, I can't find one unfortunately - that would have been too easy.

For your second suggestion, alas, I already over writ the entire forum directory, so no evidence remains. But since the hack is still there, I don't believe it's actually in the files themselves. I still think it's a database thing.
Reply With Quote
  #6  
Old 10-16-2008, 07:20 PM
puertoblack2003's Avatar
puertoblack2003 puertoblack2003 is offline
 
Join Date: Aug 2005
Location: Philadelphia
Posts: 1,073
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Berethorn View Post
http://www.landofrohan.com/forum/forumdisplay.php

(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)

I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup.
it appears to be a file that you have to check when viewing the source code

index4_files/ads.js find that file some how it's using that to deface your page and in the sql you would have to go to post or thread to view that code too.
Reply With Quote
  #7  
Old 10-16-2008, 07:44 PM
Berethorn Berethorn is offline
 
Join Date: Jun 2004
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hmn. There's no index4_files/ads.js anywhere on my server. Seems that's hosted remotely somewhere else. I'll look in post or thread in the DB though I'm not sure where to look in them.
Reply With Quote
  #8  
Old 10-16-2008, 07:48 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

After you got hacked, did you restore your database from a backup?

Search and see if you have a plugin you don't recognize.
Reply With Quote
  #9  
Old 10-16-2008, 07:54 PM
Berethorn Berethorn is offline
 
Join Date: Jun 2004
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).

I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.

All the plugins are of my own installation.
Reply With Quote
  #10  
Old 10-16-2008, 07:57 PM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Berethorn View Post
I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).

I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.
A reminder to everyone that this really is easy to prevent!!!

Tutorial: Using the CRON tab to do daily backups and long term MYSQL archives

--------------- Added [DATE]1224191004[/DATE] at [TIME]1224191004[/TIME] ---------------

Did you try disabling the plugin system by editing your config file?

To temporarily disable the plugin system, edit config.php

FIND
PHP Code:
<?php
AFTER ADD
PHP Code:
define('DISABLE_HOOKS'true); 
That will at least confirm there is no way it is in the plugin system somehow.

Just remove it when you are done and you will be back to normal.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:11 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07968 seconds
  • Memory Usage 2,285KB
  • Queries Executed 14 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete