  #1  
Old 04-18-2011, 04:29 AM
ebp123
Join Date: Mar 2010
Posts: 39
Forum hacked need help!

My forum g r o w b o x f o r u m (dot com) was hacked and when you go to the forum the hacker's page is displayed. My web hosting service said that I need to delete everything and start over. Unfortunately I do not have a backup, and I cannot afford to lose over 1 year's worth of data. All of my information is still in my cPanel, I just cannot figure out how to stop the hacker's page from being displayed... I guess it was a SQL injection technique.

Please help!! I make part of my living from this forum and need to get it back ASAP or I'm going to be in a horrible situation financially.

Thanks
  #2  
Old 04-18-2011, 04:52 AM
frankie.
Join Date: Jan 2009
Posts: 24

Your host should be able to log in to root WHM, change your cPanel password and email it to you. Once you log in you can check out the .htaccess file; most likely the hacker added something like "DirectoryIndex hackedfile.html" to it, so that is why that file loads for your site. I recommend backing up the database as soon as you log in and doing a whole new vB install, but link it to your database (edit the configuration.php). If anything, you might have lost files but not the database (posts, threads, text, etc.). Good luck
  #3  
Old 04-18-2011, 04:58 AM
ebp123
Join Date: Mar 2010
Posts: 39

The password was not the issue, but I have changed it anyway. It was an SQL injection technique. Somehow they are redirecting my forum home page to a page they created and possibly uploaded on my server themselves. I just can't figure out which file is causing the redirection and how to delete it. My database and website files are intact; I'm sure they would have deleted all of it if they could.

Quote:
Originally Posted by frankie.
Your host should be able to log in to root WHM, change your cPanel password and email it to you. Once you log in you can check out the .htaccess file; most likely the hacker added something like "DirectoryIndex hackedfile.html" to it, so that is why that file loads for your site. I recommend backing up the database as soon as you log in and doing a whole new vB install, but link it to your database (edit the configuration.php). If anything, you might have lost files but not the database (posts, threads, text, etc.). Good luck

Thanks for the help. I logged into my cPanel and my htaccess file shows the following:

# Comment the following line (add '#' at the beginning)
# to disable mod_rewrite functions.
# Please note: you still need to disable the hack in
# the vBSEO control panel to stop url rewrites.
RewriteEngine On

# Some servers require the Rewritebase directive to be
# enabled (remove '#' at the beginning to activate)
# Please note: when enabled, you must include the path
# to your root vB folder (i.e. RewriteBase /forums/)
#RewriteBase /

#RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]

RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !/(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php [L,QSA]


Does anything look out of the ordinary? I'm backing up the database as we speak. Just to make sure I understand correctly, I will need to basically reinstall vBulletin and redo all of the graphics/mods?
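Added example (not part of the thread, and not vBulletin or vBSEO code): the .htaccess check suggested in post #2 can be scripted so that every .htaccess under the web root is audited, since Apache applies each directory's file. The Python below flags DirectoryIndex entries outside an expected list and redirect or rewrite targets on hosts you do not own; the function names, the `expected_index` and `own_hosts` parameters and both sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Directives that can send visitors elsewhere when they carry an absolute URL.
REDIRECTING = ("redirect", "redirectmatch", "redirectpermanent", "redirecttemp",
               "rewriterule", "errordocument")
ABS_URL = re.compile(r"https?://([^/\s\"':]+)", re.I)

def audit_htaccess(text, own_hosts=(), expected_index=("index.php", "index.html")):
    """Return [(line_no, reason, line)] for directives that change what "/" serves."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks and commented-out rules
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if name == "directoryindex":
            odd = [a for a in args.split() if a.lower() not in expected_index]
            if odd:
                findings.append((no, "unexpected index file: " + ", ".join(odd), line))
        elif name in REDIRECTING:
            for host in ABS_URL.findall(args):
                if host.lower() not in own_hosts:
                    findings.append((no, "points at external host " + host, line))
    return findings

def audit_tree(webroot, **kw):
    """Audit every .htaccess below webroot, not only the one in the forum root."""
    out = {}
    for path in Path(webroot).rglob(".htaccess"):
        hits = audit_htaccess(path.read_text(errors="replace"), **kw)
        if hits:
            out[str(path)] = hits
    return out

# Constructed samples: a few rules copied from the file posted above, then the
# same rules with the line quoted in post #2 placed in front.
POSTED = r"""RewriteEngine On
#RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)$ vbseo.php [L,QSA]
"""
TAMPERED = "DirectoryIndex hackedfile.html\n" + POSTED

if __name__ == "__main__":
    for label, body in (("posted", POSTED), ("tampered", TAMPERED)):
        print(label, audit_htaccess(body, own_hosts=("www.yourdomain.com",)))
```

An empty result for the forum root's file means the change sits elsewhere, for example in a parent directory's .htaccess or in the index file itself, which is why `audit_tree` walks the whole tree.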
  #4  
Old 04-18-2011, 05:50 AM
cellarius
Join Date: Aug 2005
Posts: 1,987

Most importantly: you need to find out how they compromised your system and fix that issue. If you just go back to business as it was, what should keep them from doing the same again?
  #5  
Old 04-18-2011, 06:26 AM
ebp123
Join Date: Mar 2010
Posts: 39

I'm pretty sure they used the exploit described below, I just hadn't installed the patch. I would still like to better understand how it was done, maybe even try it on myself when the backup is installed again.

"A flaw within a side query that is used in the search UI has recently been discovered that affects all versions of vBulletin 4 Forum Classic and vBulletin 4 Publishing Suite. This flaw may enable malicious individuals to inject sql that would allow you to run arbitrary queries on the db via this exploit. To resolve this issue, it has been necessary to release a patch level version on all versions of vBulletin 4.X. "
  #6  
Old 04-18-2011, 06:39 PM
Stefan118
Join Date: Dec 2010
Location: Vaassen (Netherlands)
Posts: 299

I see that you have managed it.
I can see your forum perfectly.
  #7  
Old 04-18-2011, 10:24 PM
venom2124
Join Date: Feb 2009
Location: North Carolina
Posts: 213

Yeah had the same issue and they never got into my database so all I had to do was erase all the forum files and reload them like a new install.
All times are GMT. The time now is 11:16 PM.

