Superman I do not have vBSEO installed, However i will read the post you provided and report back.
If you had it in the past let us know, if you have never installed and used it then simply read my blog and run the queries listed from within phpmyadmin. If you are not the best at dealing with this type of stuff or using phpmyadmin then please post the results here and we'll try to assist you the best we can.
*Also who is your host? No name required I simply ask as some do backups free of charge some daily, some do hourly backups and they may have one handy and can simply restore the site to just before the time of being hacked - if that is the case you will lose all posts/info since said time but you'll go back to the point before infection where your safe to assume it's clean, then the objective at that time would be to rid yourself of any possible exploits such as removing the /install/ directory and checking for suspect file versions etc.
This username appeared 4 times in the admin group:
Th3H4ck
Note the userid's of those 4 accounts, you may need them for reference later but as soon as you write them down delete those admin accounts and as Zachery noted then me as well, delete the /install/ directly immediately if its present.
*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so its better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.
Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless .
Deleted the install directory but the iframe still remains. Also, i have no idea how i was hacked.
--------------- Added [DATE]1378338074[/DATE] at [TIME]1378338074[/TIME] ---------------
Quote:
Originally Posted by TheLastSuperman
Note the userid's of those 4 accounts, you may need them for reference later but as soon as you write them down delete those admin accounts and as Zachery noted then me as well, delete the /install/ directly immediately if its present.
*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so its better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.
Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless .
I do have backups provided by my host. However, they are probably to old. My forum is very busy. It really needs a daily backup.
You'll need to dig into the db, even though its a iframe, he could have it hidden in a base64 code thats decoding into the iframe.
This could be hidden in numerous tables of your db, datastore, plugins, styles etc.
I just installed the admincp firewall from here to block unknown ip addresses. I also have changed all my passwords. Now I am searching folder by folder for unknown php files. I will report if i find the source.
09-04-2013, 10:34 PM
.
Linear Mode
