Website hacked :/

[gregory_clayton]

i was hoping this shit wouldnt happen again :/..happend a few years back on my old forum and on my new one which has been opended 2 months which has finally started tog row jut got hacked this morning.

www.wwehq.com

It doesnt look like any files/tables were deleted. But it is displaying his websites on each page.

If I try to go onto the arcade.php its just the same.

Any idea anyone :/

[lazydesis]

I am sure the database has been modified. It happened to me in the past. Open phpmyadmin and search for the text that's being displayed on your website, or search for the URL to which it is being redirected and you will see that.

Luckily I had a database backup which I restored, and then changed all my passwords. Also I would delete all the files in the public_html dir and reupload the vb files.

There is also a possibility that he might have just modified your config.php file. So take a look at that as well.

[gregory_clayton]

tried searching in phpmyadmin the text isnt found. Makes me wonder if he is using some sort of script to link to that site

--------------- Added [DATE]1301575085[/DATE] at [TIME]1301575085[/TIME] ---------------

bump

[borbole]

What was the text displayed? I get a forum closed message when I loaded your forum?

it would be best to ask your host to check their access logs for around the time that the hack occurred to see how they got access.

What version of vb were you having btw?

[gregory_clayton]

The host has now uploaded a backup of the forum back online. I am awaiting the logs, they are going to transfer them to me later. When it happens I will be sure to paste the bas!£$ds ip for you guys here to ban him too.

I am using Powered by vBulletin™ Version 4.1.2

[DNN]

wow. Let me hurry up and update my stuff too.

[conradk]

Several years ago when the hacking attempts got bad on my site I renamed the admincp directory and created a bogus admincp directory with bogus/broken php files.

and regular backups are a good thing - thanks for the reminder

[Phaedrus]

check your PHP files, if he has access he can add just a couple lines to them that redirect everything to his pages. If such is the case, reload your clean files w/overwrite, then change your password you use to get into your server control panel to something indecipherable.

[Chase]

I highly recommend renaming your admincp and modcp folders and putting a password protection on them as well.

If you change your admincp folder name to something else, make sure you update it in your config.php file as well.

[TheLastSuperman]

• Change cPanel Password (Or Hosting Account Manager password etc)
• Change FTP Passwords
• Change Forum Passwords
• Changes ALL Database Usernames & Passwords then reset in config, remove old user from all DB's etc.
• Check for modified files, compare timestamps etc.
• IF you can access admincp check your template system for edits, revert all modified templates.
• Check for shell files, .php, any new very large image files, anything with a odd name as sometimes it's apparent and sometimes it's not, depends on the hacker per say.
• Check for oddly names modifications or plugins, recently a plugin was the culprit for me on a clients site.

The most important this is restoring from a backup, unless you know what to look for you could miss something so restoring then figuring out how you were compromised should be your number one priority otherwise they'll simply repeat the process .