The Arcive of Official vBulletin Modifications Site.

pjkcards · #1 09-11-2013, 04:37 AM

As everyone is experience, my forum was hacked. Yesterday I found a small, temp. fix, but today the homepage and forum are redirecting.

In regards to:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

In step 2 it says to restore your original files. This means all the custom mods will be gone, correct? If so, is there any way to preserve them?

At the moment, the /admincp redirects even, so I am unable to login there.

Any further guidance would be much appreciated.
Thanks.

TheLastSuperman · #2 09-11-2013, 04:45 AM

Did you check your forumhome template?

https://vborg.vbsupport.ru/showpost....1&postcount=52

If its still redirecting to adfly (if that is where its redirecting) then check the forumhome template, you may need to take the site into debug mode to check the master style otherwise it could be in your .htaccess file.

pjkcards · #3 09-11-2013, 04:52 AM

Quote:

Originally Posted by TheLastSuperman

Did you check your forumhome template?

https://vborg.vbsupport.ru/showpost....1&postcount=52

If its still redirecting to adfly (if that is where its redirecting) then check the forumhome template, you may need to take the site into debug mode to check the master style otherwise it could be in your .htaccess file.

When I put it into debug mode, I can get to the admincp login, then when I login it brings up the redirect at: http://www.domain.com/forum/login.php?do=login

I checked the .htaccess in /forum and don't see anything odd.

What can I do next?

Thanks.

ps. If you have a chat/messenger and can help me via that, it would be much appreciated and I'll send you some money for your time. Please message me if so. Thanks.

TheLastSuperman · #4 09-11-2013, 04:53 AM

Quote:

Originally Posted by pjkcards

Yesterday I found a small, temp. fix, but today the homepage and forum are redirecting.

One thing to note though (not sure what the temp fix was) but if you made changes, assumed it was clean then all of a sudden its defaced.redirecting again that may also mean there is still a shell script somewhere on your server.

pjkcards · #5 09-11-2013, 05:01 AM

Quote:

Originally Posted by TheLastSuperman

One thing to note though (not sure what the temp fix was) but if you made changes, assumed it was clean then all of a sudden its defaced.redirecting again that may also mean there is still a shell script somewhere on your server.

See my above post again, I updated it.

There is a shell script somewhere, you're correct. How can I find it? Thanks again for your time.

TheLastSuperman · #6 09-11-2013, 05:01 AM

Quote:

Originally Posted by pjkcards

When I put it into debug mode, I can get to the admincp login, then when I login it brings up the redirect at: http://www.domain.com/forum/login.php?do=login

I checked the .htaccess in /forum and don't see anything odd.

What can I do next?

Thanks.

ps. If you have a chat/messenger and can help me via that, it would be much appreciated and I'll send you some money for your time. Please message me if so. Thanks.

Then they more then likely have a plugin doing this... you did verify no edits to .htaccess were made correct?

Also we do not discuss paid this or that outside of the actual paid request forum or private messages. If you're looking to hire someone please post in the paid request forum. I'm simply trying to help @ 2:00am my time after a long day of sorting several forums that were hacked and completing a style so I'm honestly about to try and get some sleep, I wanted to try and offer suggestions that may help you before I nod off though

.

TheLastSuperman · #7 09-11-2013, 05:02 AM

Hmm if you cannot access admincp, then check the plugins table from phpmyadmin

.

You can sort the plugins using the dateline to see the last edited/added.

pjkcards · #8 09-11-2013, 05:09 AM

Quote:

Then they more then likely have a plugin doing this... you did verify no edits to .htaccess were made correct?

Yes, I have checked the .htaccess in the /forum and no edits were made.

Quote:

Originally Posted by TheLastSuperman

Hmm if you cannot access admincp, then check the plugins table from phpmyadmin

.

You can sort the plugins using the dateline to see the last edited/added.

Thanks, I'll see if I can find them there.

TheLastSuperman · #9 09-11-2013, 05:14 AM

Also don't forget to check for files such as lol.php and any non-vbulletin files and verify they are not malicious.

I'm off to bed but wish you good luck on this, Good'night!

pjkcards · #10 09-11-2013, 05:42 AM

I just ran this query:

Quote:

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

And it returned A1.jpg (see attachment).

I just ran this:

Quote:

SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

And it returned 2 pages full of stuff.

How can I go about getting around the admincp redirect issue?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07805 seconds Memory Usage 2,283KB Queries Executed 14 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (8)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (1)postbit_attachment (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start postbit_attachment pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!