My Site Hacked Redirected?! Got Damn!

[da420]

Sounds like all these hackers are from Turkey lately. Glad it hasnt happened to me yet. *knocks on wood*

[SuperFly]

it happened to me, but the failed miserably, only thing was, mine were arabs.

[Paul M]

Quote:

Originally Posted by Chicago_VLNU_4s

i see my last reply didnt go thru. Well my site was better, ecspecially the MEMBERINFO template. We had the myspace profiles and i personally edited them and added more features so alotta time and dedication was put into this site, then these b*tches come in, hack it and delete sh*t with no warning. Thats why i was wondering if i could get it back running to the way it was 2 days ago instead restoring it to the backup point, which is 3 weeks or more old? I believe butters backed up in CPanel so thats why i'm wondering? what are you guy's input cuz my site is running again, but like i said, its runnin to what it was running exactly 3 weeks ago sence i last backed up

Restore your backup from 3 weeks ago to another database, and then extract the three templates you want and update the current database with them.

[Phaedrus]

Has anybody checked to see if he has HTML on and somebody put a redirect on a Thread Title?

[stan111]

happened the same to my site
but some of my supermod accidentally delete the thread and it back to normal now

i have the top x on my site on 3.0.7
please tell us how to fix this

[Paul M]

If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.

[popowich]

Quote:

Originally Posted by Paul M

If you have the topXstats mod installed then remove it, afaik there is no fixed version for vb 3.0.x boards.

I upgraded over the weekend to the c version for 3.6.

Is that one actually OK or should I remove it in case there are additional problems?

I also saw a reference to flashchat in another forum having a problem.

Should flashchat be removed too?

Any others?

-Raymond

[HabboHall]

Hey! Sorry if this was posted in the few pages, I didnt look through.
I had the same problem as you, I got hacked.

Now, this is how I got rid of the redirect:

As your forum loads, click 'stop' in the browser toolbar, before it redirects. Scroll down the page, until you find a post with some code as its title. Delete it. Thats it.

[Kirk Y]

I wish people would stop saying they got hacked. Your board was exploited through a modification that had a hole in it.
It was never infiltrated by some unknown assailant, quit being so dramatic.

[rolandogomez]

I understand about whether you were "hacked" or not. We where, via FlashChat, they inserted a file called 17-2.

Do a Google on "suidsafe exploit" and you'll see they are all over the Internet today with this thing. They were caught as they were going to root level, we pulled the server off line, deleted all the compromised files, then upgraded all our systems with new hard drives. The reason they were caught so fast, they tried running a "cron" that failed, so I got an email with the cron error--happened to be on line when they had done it.

A friend of mine with another popular photo forum was hacked with the same exploit on shared server the week prior, also running FC and VB 3.5. I'm not a programmer, but I can tell you my server provider, Rackspace.com did a fanatical job, we had to replace hard drives to be sure too.

Today a few hours ago with another attempt, via a "registered users only" forum, they tried to insert this: ">""********<**** **********=********* content="0;url=http://hastabeyinler.com/a"> **** > which I have part of in the "censored words" section as this, >>>> {http-equiv} "Refresh" """" By adding " >>>> {http-equiv} "Refresh" """" " (w/o the quote marks) it will add another layer of defense. The attemped hacker today went by the name of "dreamer" and the email is lll_dreampool_lll@hotmail.com and for his city he put "Ankara" and his IP was 85.101.1.4 resolves near there in a place called Kocaeli.

Oh well, we get attacked daily, and yes, we've been through hackers before, but we keep putting up layer after layer, someday perhaps they will all go away? (yea right).

For those worried about Turkish IP's, I've attached a list in the format you'd put in the banned IP list. Becareful, not sure if they block other IP's that are legit. For an even more precise list, go here, http://www.dnsstuff.com/pages/testbed.htm
and enter "Turkey" or whatever country you want--be careful in banning an entire country from your site--they can still use other methods and other IP's from other countries. This is just a "layer" of protection but will not stop them.

Oh, on the Cyb Topstats, we made it where the "form" where you can change the amount of results is only visible by "paid" members. Here is the code (crossing my fingers I can post this right)

Code:

<if condition="is_member_of($bbuserinfo, X, X, X, X, X,)">
			<form method="post">
			<input type="hidden" name="resultsnr" value="$resultsnr" />		
			<div class="smallfont">$vbphrase[cyb_results_more]<br /><input type="text" class="bginput" style="font-size:11px" name="resultsnr" value="$resultsnr" size="2" />&nbsp;<input type="submit" class="button" value="$vbphrase[cyb_results_more_show]" accesskey="s" /></div>
			<else />
							<b><font size="2" color="red" face="Arial,Helvetica,Geneva,Swiss,SunSans-Regular"> You must be a paid member for more stats options, up to 150 top results.</font></b></if></form>
							</td>
		<else />
			<td width="100%" class="alt1" align="center">
			$vbphrase[cyb_more_disabled]
			</td>
		</if>

Note: Replace "X" with your forum field ID's as appropriate. In the end, you can prevent, it just gets harder everyday. Wishing everyone the best, rg sends!