The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#21
Quote:
Anyway, you can also run the query at the SQL box at your phpmyadmin in the CP of your host.
#22
I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.
I do not know what else to do here.
#23
We were attacked again today. Similar attack, but slightly different payload.
VSa - Advanced Forum Rules is the latest version, so I think there is another hole maybe in another plugin.
#24
What other plugins do you have? Are you sure they didn't leave any backdoors for them to come back the last time they hacked you?
#25
I have several other plugins.
I restored from a backup and re-loaded all scripts and removed vsa.php, index.html etc. The new payload concerns me, similar but different. It did include vsa.php (again)

HTML Code:
```html
<head>
  <title>hack by liut</title>
  <script src="party.js"></script>
</head>
<body bgcolor="black">
  <br/><br/>
  <center>
    <font color="white">make sur u turn up ur speakers so u can here me talk about the hack n express my opinions. btw i hacked slq injector db decriptin passwrds rite now :)</font>
    <img src="http://i.imgur.com/QBquY.jpg" />
    <object width="0" height="0">
      <param name="movie" value="http://www.youtube.com/v/3a56LO3heac&autoplay=1&hl=en_GB&fs=1?color1=0x234900&color2=0x4e9e00"></param>
      <param name="allowFullScreen" value="true"></param>
      <param name="allowscriptaccess" value="always"></param>
      <embed src="http://www.youtube.com/v/3a56LO3heac&autoplay=1&hl=en_GB&fs=1?color1=0x234900&color2=0x4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
      </embed>
    </object>
    <object width="0" height="0">
      <param name="movie" value="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&hl=en_GB&fs=1?color1=0x234900&color2=0x4e9e00"></param>
      <param name="allowFullScreen" value="true"></param>
      <param name="allowscriptaccess" value="always"></param>
      <embed src="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&hl=en_GB&fs=1?color1=0x234900&color2=0x4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
      </embed>
    </object>
    <font color="white">Phillip S Roberts<br />
    14 Prince's St N<br/>
    Exeter, Devon EX2 9AL, UK<br/>
    i dar u 2 com get me u lil pussies i been doin mma for 4 months i can tak u</font>
  </center>
</body>
</html>
```

I just found that I had the first fixed version not the 2nd. Damn!
#26
Yep I've been hacked for the second time too - like the first time I didn't have that user or the vsa.php files etc. Just turned my forum off and removed my admin rights.
I've turned off all extensions for now, while this story pans out.
#27
You guys should check your own computers for issues. Are you using an FTP client that stores your passwords in plain text? Are you using SFTP for connecting to your server?
#28
I think I've noticed another potential problem in Advanced Forum Rules. I've sent a PM to Valter but haven't heard back yet (is there someone else I should contact?)
#29
I think in such cases you can contact the admins here.
#30
Just got the quarantine email, again