Site hacked by Myanmar Muslim Cyber Force

[TheLastSuperman]

Quote:

Originally Posted by teamemmenracing

I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions,, have re-installed files etc removed directories, I even deleted all files on the server and up loaded last months back up ...... which makes me wonder if it is the database that has been attacked.

I have found this unauthorised visit ......

20749 N/A 04:05, 10th Sep 2013 notice.php modify 91.144.37.46
20748 N/A 04:04, 10th Sep 2013 notice.php update 91.144.37.46
20747 N/A 04:04, 10th Sep 2013 notice.php add 91.144.37.46

........ but even replacing the notice.php with a newly downloaded version doesn't help.

Im kind of hoping that as hundreds of sites have been affected that someone might have found a common fix .....

anybody have any ideas ?

Ladies and Gentlemen, there is no "added fix" let me clear up some misconceptions here:

• Most of the sites hacked recently still had their /install/ folder present on the site, its the exploit mentioned here - http://www.vbulletin.com/forum/forum...-1-vbulletin-5
• A security bulletin email was also sent out, you should have received one and followed instructions promptly. *Always ensure you're receiving vBulletin emails and eBulletins/any and all mail from vBulletin.com needs to bypass your spam filters and others and be in your inbox and able to be read each and every time and you need to read these emails as apparently they are important!
• If you restore a backup of the database prior to being hacked, you must restore a backup of the files from that time as well otherwise a file may have been modified still allowing access. Is it just vBulletin files to overwrite? Well you certainly need to overwrite the vBulletin files with 100% fresh files AND any others you find that were modified, if you find a suspect file such as lol.php or sexy.php or even owned.html basically anything that does not belong should be deleted, run suspect file versions from the admincp maintenance area to check vBulletin related files.
• Follow the links that myself and Zachery have been posting in countless threads, the links to his blog, mine and other links we post are to blogs and articles that provide detailed instructions including various ways to test and ways to fix.

Here are the links again:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...vbulletin-site

So to be perfectly clear, there is no "automatic" fix, no upload this and run it then your done and site secure... it is this simple:

1) Restore a complete backup (database and filesystem, the backups need to be from before the hacker made changes and had access) then once restored promptly delete the /install/ folder and at this time check your version, patch to the most recent patch # of your version OR upgrade to a more secure version i.e. 4.1.5 --> 4.2.1

- OR -

2) If no backup is available, using the links provided above you must manually clean your site. Check the database and filesystem for modified files and be very thorough to ensure nothing slips past you and remains in place for example if a shell script is left on the server or a spare admin account then you're still vulnerable and the site can be exploited/defaced again.

If you're unsure about something and need a clarification do not hesitate to post and ask, if you feel its a stupid question well then its not, no question is stupid unless your specifically being silly when you ask it and even then it ends up being a silly question instead lol. Ask questions now and receive helpful replies that may assist you in cleaning your site and returning to business as usual .