Need some help, possibly got hacked...

[vwjunkie]

Hey everyone,
i have been going back and forth with vbulletin support and with my hosting company but I haven't gotten this taken care of yet. When I went to get on my forum today, I found that my screen name and password weren't recognized, and when I went to the lost password page, it said my email wasn't recognized. Upon looking at the forum, I found all my posts now have a different screen name at the top. Nothing has been deleted or changed on the forum though which I thoght was kinda weird, if you bothered to hack it you would expect they would f everything up. Anyway, I was told to load up the tools.php from the "do not load" folder into the admincp directory. I downloaded a ftp server program and got the login/passord details from the hosting company. I did this, and when I go to load the tools.php page its all messed up, comes out in text, keeps asking me for the password. I loaded it in the public html secion under admincp. What am I doing wrong here? If I could just get that to load up I could take care of the rest no problem, but I'm far from a computer wizard or vbulletin expert!

Thanks,
Jason

--------------- Added [DATE]1285626515[/DATE] at [TIME]1285626515[/TIME] ---------------

Also, the screen name that is now what my name used to be, is "netstat_n@" Anyone recognize that?

Jason

[bandare]

my first suggestion is to talk to the hosting company and get the site passworded so whoever changed it can not see the site. You can set a password in the hosting cpanel. I would then see if you have a backup or if the host has a backup of the database from a day or two before. See if that can be restored instead of what you have. You may lose a little data but not too much I hope!

That would be my suggestion but I'm sure others will have a better idea.

Regards and good luck!

[vwjunkie]

Thanks for the suggestion. I just contacted the hosting company to see if they can password protect the site or take it offline while I try to get this figured out. I don't have a backup and they only backup the site if you pay extra. Still no luck getting the tools page to load to reset the password. I don't know why I'm having such difficulty with this. I followed the instuctions and everything I uploaded and did matched what they said, but it just doesn't work...

Jason

--------------- Added [DATE]1285634337[/DATE] at [TIME]1285634337[/TIME] ---------------

550 Can't change directory to /public_html/cpstyles/<: No such file or directory



That is the error message I get after I put in the password for the page when it loads up. I get the dialog box where you are supposed to enter your vbulletin customer number, but the rest of the page is screwed up.


Jason

--------------- Added [DATE]1285635705[/DATE] at [TIME]1285635705[/TIME] ---------------

Also how the hell did someone do this and get past my password? It was letters and numbers and nothing obvious, hell it wasn't even a real word! Or how do I prevent this again?

Thanks,
Jason

[Lynne]

If you are getting a No such file or directory error, then it sounds like they may have deleted your files. I would ftp to the site and reupload all your vbulletin files (make sure you keep a copy of the config.php file).

[vwjunkie]

Thanks for the reply, when you say upload all the files, you mean all the files for the whole thing? Or just files for the admincp section? I'm not very familiar with any of this, the hosting company uploaded the forum to their server for me and I took it from there. This is somewhat over my head but I don't have much choice.

In the mean time I did get the forum password protected so that idiot wont be on there messing with stuff at least.

Jason

[Lynne]

If I were hacked, I would be reuploading ALL my files. I would want to make sure all the files were fresh from my backup that I keep on my computer so there is no possibility that there are any edited files left on my server. What if they guy left some script on there that is going to grab your password as soon as you do log on and all he has to do is point his browser to this script and he gets it?

[vwjunkie]

That would suck. Vbulletin support said the same thing in the response I just got back. I don't have a backup though so I don't know what I'm going to do about that. I know there is a feature to do that but its in the admin cp which I cant get to.

Jason

[Lynne]

I'm talking about replacing your *files*. If you were using all default files, then you can just get a new copy by downloading them from the members area at vbulletin.com (get the same version you were running) and then just copy over them replacing the ones on your server with a fresh copy.

And there is no feature in the admincp to make a backup copy of your files or your database. There are mods that can do this though.

[borbole]

Quote:

Originally Posted by vwjunkie

That would suck. Vbulletin support said the same thing in the response I just got back. I don't have a backup though so I don't know what I'm going to do about that. I know there is a feature to do that but its in the admin cp which I cant get to.

Jason

From your description it looks like the db hasn''t been demaged badly. So make a backup of it in the condition that it is. You can do so from the phpmyadmin in the cp of your host.

Then upload a fresh copy of the latest version, 4.0.7. in your server space and then run the upgrader. That is only if you were using an older version when you got hacked. If you were already using 4.0.7. running the upgrader won''t be necessary. Then get your admin account back. If the way through tools.php didn''t work (what was the exact error you got btw), then do it so from the db directly. Also check the user tables for any other admins that shouldn''t be there and delete them if there will be any.

Change all your passwords again, admin, ftp and cp. Then ask your host to check their logs and see how exactly did the hacker/s managed to get access to your forum. If your host will not be forthcoming, then maybe it is time to start looking for another host.

After you do all this, let us know so we can guide you how to get your posts and theads back.