#1
11-07-2010, 03:00 AM
jojojijijojo1
Join Date: Oct 2009
Posts: 29
forum index hacked-redirect

Greetings everyone,
I own a vBulletin 4 forum, and I was hacked. My forum index.php displayed a message from the hacker, then redirected to the hacker's website. My question is how they could do that, and how to stop such an attack in the future? What are the causes? Also, the exploit was used in the database, because re-uploading all the original files did not work, so I had to restore the database.

#2
11-07-2010, 03:12 AM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

You should talk to your host about how they did this. You'll need to look at your access_logs to see what happened.

If you had to fix this by restoring the database, then that means they got access to the server, so DEFINITELY talk to your host about this!

#3
11-07-2010, 04:26 AM
sebaldus
Join Date: May 2008
Location: Halden - Norway
Posts: 80

Hi all.
I have also had the same problems.

Lucky for me, I had not upgraded the database after the hacking.

All my forums, over 110 WP-blogs, were totally hacked and all index.php and index.html files were changed.

I had a backup of all sites on my computer and also a backup of all databases.

This was the second time in 14 days. I have tried to secure my host account using Geo City IP Secure, but it does not help at all.

I asked my host what I should do to avoid being hacked and they answered: Change all 777 files (close them), change the password for FTP and ACP login.

But I had done that also and am using a generated password, so special that I have to copy the username to log in.. LIKE THIS: *Sebaldus*™ ) that TM - trademark is very difficult for hackers to write and they have to know it and copy it also.

So I guess it's a script, tracking cookie or anything on my huge host account, and my host told me to scan the whole account?

How can I scan a host account?

Then I have to download everything to my computer and scan it, and then upload it again..

That's a lot of work.

Just overwriting all files on all sites and forums has taken me 3 days now and I am still overwriting the last sites.

My host, http://servage.net, can NOT reset the database; that's why I always take backups of them.

This time I was hacked by Shichemt Alen from: http://Shichemt-Alen.com
And they accuse me of supporting ISRAEL.. WHY?
I don't support Israel or Palestine..

All sites look like this:



I'm a pagan (Wicca) and don't care if they are bombing each other back to the Stone Age.


But: About the HACKING..

They usually upload a script into all index.php and index.html files.. Just find the script, change it back to the original (remove the script - upload new index files) and upgrade the database..

I did that and it worked fine.

So I didn't have to reset the database at all..

Just some advice.. Try it first..

AGAIN:

1. Overwrite all index.php and index.html files using FTP and upload only those files.
2. Backup your database again.

Hackers are now writing a script in your forums, which attacks all your index files when they are posting in the forum.

This is very difficult to find.

To secure this, go to ACP, BAN words such as: index.php - index.html.

VOILA.. It worked for me on my vB forums.


Have a Great time my friends.
All the Best from sebaldus.

#4
11-07-2010, 10:37 PM
jojojijijojo1
Join Date: Oct 2009
Posts: 29

Thanks all for your replies,
@ Lynne:
Thank you for your suggestion. Can you please tell me what exactly I should look for in the access log? Like, what are the things that can point me to the vulnerable exploit on my forum? Also, such changes to the database, can they be done by SQL injection, without having access to the server? I have a shoutbox on the index.php page that was hacked, and it was the only page that was actually hacked + my supermods got demoted and 1 got deleted by the hacker themselves. How can this be explained, and can it be done in ways other than server access? Can it be an exploit on the shoutbox, since users actually do insert data into it?

#5
11-08-2010, 02:12 AM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Look for logs into your admincp - check the IP, is it yours? Look for additions to the end of the URL that look like queries: "UPDATE xxxx SET yyy = zzzz". I really don't know how to explain what to look for. Look for anything unusual (and yeah, that will be hard to do if you aren't familiar with access_logs, which is why you should become familiar with them).
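
The two access_log checks suggested in post #5, as an added example that is not part of the original thread: it flags admincp requests from IPs you do not recognise and URLs that contain SQL statements once URL-decoded. It assumes the Apache/Nginx "combined" log format and an `/admincp/` path; the `admin_ips` set and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} ')
# SQL fragments that have no business in a forum URL (matched after decoding).
SQL_RE = re.compile(
    r"\b(update\s+\w+\s+set|union\s+(?:all\s+)?select|insert\s+into|delete\s+from)\b",
    re.I)

def triage(lines, admin_ips, admin_path="/admincp/"):
    """Return (reason, ip, timestamp, decoded_path) for each suspicious request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, ts, path = m.groups()
        # Decode twice so double-encoded payloads (%2520 -> %20 -> space) are seen.
        decoded = unquote_plus(unquote_plus(path))
        if SQL_RE.search(decoded):
            findings.append(("sql-in-url", ip, ts, decoded))
        if admin_path in decoded.lower() and ip not in admin_ips:
            findings.append(("admincp-unknown-ip", ip, ts, decoded))
    return findings

# Constructed sample lines (documentation IP ranges, placeholder query from the post).
SAMPLE = [
    '198.51.100.7 - - [06/Nov/2010:22:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Nov/2010:22:14:37 +0000] "GET /index.php?q=1%3BUPDATE%20xxxx%20SET%20yyy%3Dzzzz HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.9 - - [06/Nov/2010:22:15:02 +0000] "POST /admincp/index.php HTTP/1.1" 200 3310 "-" "-"',
    '192.0.2.10 - - [06/Nov/2010:23:00:00 +0000] "GET /admincp/index.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for the administrator's own address (assumption).
    for reason, ip, ts, path in triage(SAMPLE, admin_ips={"192.0.2.10"}):
        print(f"{reason:20} {ip:15} {ts}  {path}")
```

Access logs normally record only the URL, so anything sent in a POST body will not show up in the `sql-in-url` check; the admincp check still shows who reached the control panel and when.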

#6
11-08-2010, 04:58 AM
YankForum
Join Date: Mar 2010
Location: MY
Posts: 304

It's not necessarily your vBulletin that got hacked; it could be your host or FTP password or even your email.

#7
11-08-2010, 01:15 PM
JorgeX
Join Date: Oct 2005
Posts: 55

Watch the scripts you installed in vBulletin...

I got hacked once through a vBA Gallery security bug; then they made a backdoor file to get into the FTP.

Watch for NEW FILES (older than the vBulletin installation OR files with the date when you got hacked).

If you find one, maybe it's an FTP.
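
One way to do the file check from post #7, as an added example that is not part of the original thread: compare a copy of the live webroot against a clean unpacked copy of the same release, and list files that were added, files whose contents differ, and files modified since a given time. The two directory arguments and the optional day count are assumptions of this sketch.

```python
import hashlib
import os
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def compare(clean_root, live_root, since=None):
    """Compare a live webroot to a clean copy of the release.

    Returns 'added' (only in live), 'modified' (hash differs from clean) and
    'recent' (mtime >= since, a Unix timestamp; empty when since is None).
    """
    clean, live = manifest(clean_root), manifest(live_root)
    added = sorted(set(live) - set(clean))
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    recent = []
    if since is not None:
        recent = sorted(p for p in live
                        if os.path.getmtime(os.path.join(live_root, p)) >= since)
    return {"added": added, "modified": modified, "recent": recent}

if __name__ == "__main__":
    import sys
    # Usage: python compare.py <clean_copy_dir> <live_webroot_copy> [days]
    days = float(sys.argv[3]) if len(sys.argv) > 3 else None
    since = time.time() - days * 86400 if days is not None else None
    for kind, paths in compare(sys.argv[1], sys.argv[2], since).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Expect legitimate entries under `added` (the site's own config file, attachments, installed add-ons), and treat the hash comparison as the stronger signal because modification times can be reset. Changes stored in the database, as in the first post, are not visible to a file comparison.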

#8
11-09-2010, 02:14 PM
YankForum
Join Date: Mar 2010
Location: MY
Posts: 304

I wonder how those hackers are still not able to hack 3.6.12 (which is installed here).