The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

#11
Doing my head in.. Restored a full clean backup 3 times.. removed install.. Deleted admins.. Changed PWs..
Still it keeps coming back.. If the files are from a week ago, and hence clean.. what can there be to cleanup ?? What can forum logs show me ?? How can I look at how this is happening ??

#12
Would running your site through http://sitecheck.sucuri.net/scanner/ help? Might find the malware file. Also, have you checked your htaccess in root?

#13
I hired someone in the paid forum to fix it. Took them quite a while to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

#14
I am assuming you mean fixing it when you didn't have a file system backup ??

#15
I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions, have re-installed files etc., removed directories, I even deleted all files on the server and uploaded last month's backup ...... which makes me wonder if it is the database that has been attacked. I have found this unauthorised visit ......

20749 N/A 04:05, 10th Sep 2013 notice.php modify 91.144.37.46
20748 N/A 04:04, 10th Sep 2013 notice.php update 91.144.37.46
20747 N/A 04:04, 10th Sep 2013 notice.php add 91.144.37.46

........ but even replacing the notice.php with a newly downloaded version doesn't help. I'm kind of hoping that as hundreds of sites have been affected that someone might have found a common fix ..... anybody have any ideas ?

#16
You got the added admins ??
Also make sure you change admin PW, FTP and MySQL passwords ??

#17
Quote:
Here are the links again:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...vbulletin-site

So to be perfectly clear, there is no "automatic" fix, no upload this and run it then you're done and site secure... it is this simple:

1) Restore a complete backup (database and filesystem, the backups need to be from before the hacker made changes and had access) then once restored promptly delete the /install/ folder and at this time check your version, patch to the most recent patch # of your version OR upgrade to a more secure version i.e. 4.1.5 --> 4.2.1

- OR -

2) If no backup is available, using the links provided above you must manually clean your site. Check the database and filesystem for modified files and be very thorough to ensure nothing slips past you and remains in place, for example if a shell script is left on the server or a spare admin account then you're still vulnerable and the site can be exploited/defaced again.

If you're unsure about something and need a clarification do not hesitate to post and ask, if you feel it's a stupid question well then it's not, no question is stupid unless you're specifically being silly when you ask it and even then it ends up being a silly question instead lol. Ask questions now and receive helpful replies that may assist you in cleaning your site and returning to business as usual.
2 thanks from: CAG CheechDogg, ozzy47
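
The filesystem half of the manual check in the quoted post, as an added example that is not part of the original thread and not vBulletin's own tooling: it hashes every file in the live web root and in an unpacked clean copy of the same release, then lists modified, unexpected and missing files. The directory layout and sample files are constructed for the demonstration, and the database is not covered.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root):
    """Compare a live web root with a known-clean copy of the same release."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        # Present in both trees, but the contents differ.
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        # Only on the live site: review each one (leftover scripts, stray data files).
        "unexpected": sorted(live.keys() - clean.keys()),
        # Only in the clean copy: expected for /install/ once it has been deleted.
        "missing": sorted(clean.keys() - live.keys()),
    }

def write(root, rel, text):
    """Helper for the demo: create a file, making parent directories as needed."""
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Run the comparison on two small constructed trees (not real forum files)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for rel, text in [("index.php", "<?php // home\n"),
                          ("includes/functions.php", "<?php // helpers\n"),
                          ("install/install.php", "<?php // installer\n")]:
            write(clean, rel, text)
        write(live, "index.php", "<?php // home\n")
        write(live, "includes/functions.php", "<?php // helpers\n// extra line\n")
        write(live, ".htaccess", "# constructed placeholder\n")
        write(live, "uploads/unknown.dat", "12345\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Site-specific files that never ship in the release package (configuration, uploads) also show up under "unexpected" and have to be reviewed by hand.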

#19
Quote:

#20
................... well I have tried everything and it's still there.
Worst of all, when I try to copy files back to my computer, they are all password protected and I can't access them. Finally I went to my host and deleted everything from the server ........ except the database, then loaded new files that I just downloaded from the vbulletin members area ...... and from nowhere this file appears ..... zdberrb4476bf0aed19d1e05964d0757f51.dat

It doesn't look legit, I managed to open it up and the only contents were a number ..... 13790115241146

I'm thinking I now have a server problem ..... any ideas ?