We've been hacked and I don't know the first thing about it

[terracore]

Here is the link to my site:

www.AvianNation.com

And it's been hacked. Any suggestions on how to fix this? I'm afraid to log into my admin panel as I have to enter my password and I don't know who's password that they might have. Obviously it is one of the admins. Right?

This sucks, so any help would be good.

New info:

The site was hacked by ALQAISER and the hack "theme" was some sort of pro-muslim thing complete with graphics and music and some kind of warning.

I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial). I also don't know how the hack occured. The database seemed untouched. I really know nothing about computers or coding. I was already running the latest version of VB (3.7.3 patch 1) and wasn't sure what to do to fix this problem or get the board running again so I went through the motions like I was upgrading it (even though its already the latest version) and thankfully that seemed to restore everything to normal. Since I don't know the vulnerability that caused this, and may still exist, I did the common sense things like changing passwords, etc. I also deactivated the following mods:

CYB- CHATBOX
CYB- PAYPAL DONATE
CYB- AUTO BIRTHDAY GREETER
WHO HAS VISITED TODAY
PASSIVE VID

If anybody can look at the board aviannation.com and see if there is anything I can do to close a vulnerability let me know. Also if they think one of those mods had anything to do with it? Can I reactivate them?

[UKBusinessLive]

have you a backup made of your site, normally they just change the index.php file, Change this first and see, but if you do regular backups of your server, then upload this backup and you'll find everything will be OK. You need to double check all your FTP accounts and change your Passwords, Also make sure of the types of uploads members can do.

These types of hacking often happen when a hacker uploads a piece of code in the gist of an image

good luck with the backup, or if you have an index.php file add that first see what happens

keep us up to date

[Blaine0002]

What i would reccommend is that you restore one of the mysql databases (that you of course made right?) and remove all addons you have. Request that your other admins change their passwords immediately, or change them for them.

[snakes1100]

Well, unfortunately its hard to tell what method he used to get in, that looks like either a template hack via the db or a file hack, typically global.php seeing as its every page.

If its a tempalte hack, do a search on the DB via phpmyadmin with keywords from the page source of the hacked page.

Logging into your admincp will most likely not work anyways.

I would suggest you globally disable your hacks in config.php, which is most likely the way he got in anyways.

Upload the default vb files and upgrade the site to the latest version of vb.

THERE IS NO NEED TO RESTORE FROM A BACKUP, THIS IS A EASY TO FIX.

[terracore]

New info:

The site was hacked by ALQAISER and the hack "theme" was some sort of pro-muslim thing complete with graphics and music and some kind of warning.

I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial). I also don't know how the hack occured. The database seemed untouched. I really know nothing about computers or coding. I was already running the latest version of VB (3.7.3 patch 1) and wasn't sure what to do to fix this problem or get the board running again so I went through the motions like I was upgrading it (even though its already the latest version) and thankfully that seemed to restore everything to normal. Since I don't know the vulnerability that caused this, and may still exist, I did the common sense things like changing passwords, etc. I also deactivated the following mods:

CYB- CHATBOX
CYB- PAYPAL DONATE
CYB- AUTO BIRTHDAY GREETER
WHO HAS VISITED TODAY
PASSIVE VID

If anybody can look at the board aviannation.com and see if there is anything I can do to close a vulnerability let me know. Also if they think one of those mods had anything to do with it? Can I reactivate them?

--------------- Added [DATE]1225776663[/DATE] at [TIME]1225776663[/TIME] ---------------

Quote:

Originally Posted by UKBusinessLive

have you a backup made of your site, normally they just change the index.php file, Change this first and see, but if you do regular backups of your server, then upload this backup and you'll find everything will be OK. You need to double check all your FTP accounts and change your Passwords, Also make sure of the types of uploads members can do.

These types of hacking often happen when a hacker uploads a piece of code in the gist of an image

good luck with the backup, or if you have an index.php file add that first see what happens

keep us up to date

The index.php file wasn't the problem- it appeared unchanged. I changed it out with an older backup version and it didn't help.

--------------- Added [DATE]1225776773[/DATE] at [TIME]1225776773[/TIME] ---------------

Quote:

Originally Posted by snakes1100

Well, unfortunately its hard to tell what method he used to get in, that looks like either a template hack via the db or a file hack, typically global.php seeing as its every page.

If its a tempalte hack, do a search on the DB via phpmyadmin with keywords from the page source of the hacked page.

Logging into your admincp will most likely not work anyways.

I would suggest you globally disable your hacks in config.php, which is most likely the way he got in anyways.

Upload the default vb files and upgrade the site to the latest version of vb.

THERE IS NO NEED TO RESTORE FROM A BACKUP, THIS IS A EASY TO FIX.

I did the phpmyadmin you suggested, I could not find any keywords.

You are right, I could not log into the admincp.

I couldn't figure out what you meant by the config.php.

Your comment about easy fix didn't lead directly to a solution but it certainly helped me.

[Digital Jedi]

Quote:

I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial).

They don't need any. Seldom is it a personal attack. They just see a site, see a vulnerability and abuse it...because they can. Hacking is usually out of the most childish of motivations. The same thing that makes a bully pick on smaller kids in school.

I don't think any of those mods have security vulnerabilities, as quite a large number of sites use them. Make sure all of your sites folders are protected by an index file. Changing your administrators passwords was a good idea as well, in case one of them was compromised.

[UKBusinessLive]

Hi terracore

Just checked this morning and see you got your site back

Quote:

it's a forum about parrots, hardly controversial

Perhaps they don't like parrots

Seriously its good that you managed to fix it, as for your mods I've used CYB's mods on my site and i've never had a problem with them,

Might be an idea to check your file/folders permissions on your server also

FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755

[AzaDiyaR]

FILE permissions 444

FOLDER permissions 555

never be hacked

[snakes1100]

Quote:

Originally Posted by AzaDiyaR

FILE permissions 444

FOLDER permissions 555

never be hacked

Those file & folder permissions will NOT work on every server, especially cheap anal vhosted servers.

--------------- Added [DATE]1225802852[/DATE] at [TIME]1225802852[/TIME] ---------------

Quote:

Originally Posted by terracore

I did the phpmyadmin you suggested, I could not find any keywords.

You are right, I could not log into the admincp.

I couldn't figure out what you meant by the config.php.

Your comment about easy fix didn't lead directly to a solution but it certainly helped me.

Sorry Terra

To better explain it, typically those hackers are using injection & i would guess there is a security hole in your system some place, either a addon mod or another php file for a script unrelated to vb actually.

1. Search your DB using keywords fro mthe hackers page he has put up on your site, view the page source and search for instance, the name of the hack/group or anyother keyword you find in the source, like "hacked", typically you'll find them in the template table.

2. Seeing as it was every page of your site, if a php file was modified, its typically global.php, not index.php as ALL the pages are changed.

[Alfa1]

Contact your host. browse the logs and make sure to secure all security risks. Even if they do not want to.

Remove all unneeded files and programs from your server.
Close all ports that do not need to be open and restrict ports that only you need to your IP. Only allow ftp from your IP address.

Follow these instructions as well: http://www.vbulletin.com/forum/showthread.php?t=172234

For everything that you install, check http://www.securityfocus.com/vulnerabilities and also search google for the name of the software and the words 'exploit OR vulnerability'