Site hacked by Myanmar Muslim Cyber Force

[pityocamptes]

Quote:

Originally Posted by teamemmenracing

................... well I have tried everything and its still there.
worst of all, when I try to copy files back to my computer, they are all password protected and I cant access them.

Finally I went to my host and deleted everything from the server ........ except the database, then loaded new files that I just downloaded from the vbulletin members area ......

and from nowhere this file appears .....

zdberrb4476bf0aed19d1e05964d0757f51.dat

it doesn't look legit, I managed to open it up and the only contents were a number .....

13790115241146

Im thinking I now have a server problem .....

any ideas ?

Get back ups of both your files and the db PRIOR to the hack. Contact your provider to make sure they wipe everything off your hosted server and DB. Upload backups and see if that helps. Most host providers can get backups, either through their interface or requesting...

CHANGE all your passwords on your host, FTP, etc. DB pw etc, before uploading backup files, change config files to reflect. I would also force everyone on the site to put in a new pw, and I would change the admin pw...


I would also check your htaccess files for code, redirects, etc...

[xenite]

Quote:

Originally Posted by teamemmenracing

I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions,, have re-installed files etc removed directories, I even deleted all files on the server and up loaded last months back up ...... which makes me wonder if it is the database that has been attacked.

Login to your ADMINCP and go to NOTICES. You should find it there. Just delete the notice. Then delete the admin account.

[Phat Phreddy]

As above..

Deleted EVERYTHING but the DB multiple times..

Removed install of course
Changed all passwords
Removed admins
Removed the plugin.php
Scanned for strange files..

And still back in last night

--------------- Added [DATE]1379033803[/DATE] at [TIME]1379033803[/TIME] ---------------

Quote:

Originally Posted by pjkcards

I hired someone in the paid forum to fix it. Took them quite awhile to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

Who did you hire ??

[teamemmenracing]

Well I bit the bullet and had my Host wipe the server and data base.

Time to start all over again ..... and once I have a clean site running with an empty db, I will try and import an older db backup.

[Phat Phreddy]

I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really dont want to revert to a earlier database.. There has to be someone or a way that this can be cleaned up.

[pityocamptes]

Quote:

Originally Posted by Phat Phreddy

I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really dont want to revert to a earlier database.. There has to be someone or a way that this can be cleaned up.

Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ opensource software. See if it flags certain files and folder, and look into those...

--------------- Added [DATE]1379091231[/DATE] at [TIME]1379091231[/TIME] ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/

[sr20de_99]

Quote:

Originally Posted by Zachery

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
...

How do I access the tool mentioned in "Step 5: Removing unknown files" from the AdminCP?

Never mind I think I found it.

[tnedator]

Quote:

Originally Posted by pityocamptes

Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ opensource software. See if it flags certain files and folder, and look into those...

--------------- Added [DATE]1379091231[/DATE] at [TIME]1379091231[/TIME] ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/

Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

[bremereric]

I have found two hackers hacked the admincp and added themselves as administrators, they only hacked my default style to link it to Syria. I have deleted the hackers, I bought Sitelock for one year and just need to find their crap in the default style.

--------------- Added [DATE]1379179783[/DATE] at [TIME]1379179783[/TIME] ---------------

I found their crap in the forumhome of my default style. I copied the code from another working style and pasted over their crap. My site is back to normal now. I did delete the install folder as suggested and also changed my password and deleted all other admins. I found their two ip addresses and added them to the banned list. Good luck to everyone. Run you admin log to see what they did.

[pityocamptes]

Quote:

Originally Posted by tnedator

Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

I would get a hold of a clean version of you entire root download it to your desktop, along with the corrupted files (entire root files) and compare the corrupted version to the clean version you have before the hack...