The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Forum hacked need help!
My forum g r o w b o x f o r u m (dot com) was hacked and when you go to the forum the hacker's page is displayed. My web hosting service said that I need to delete everything and start over. Unfortunately I do not have a backup, and I cannot afford to lose over 1 year's worth of data. All of my information is still in my cpanel, I just cannot figure out how to keep the hacker's page from being displayed... I guess it was a SQL injection technique.
Please help!! I make part of my living from this forum and need to get it back asap or I'm going to be in a horrible situation financially. Thanks |
#2
|
|||
|
|||
Your host should be able to log in to root WHM, change your cpanel password and email it to you. Once you log in you can check out the .htaccess file; most likely the hacker added something like "DirectoryIndex hackedfile.html" to it, which is why that file loads for your site. I recommend backing up the database as soon as you log in and doing a whole new vb install, but link it to your database (edit the configuration.php). If anything, you might have lost files but not the database (posts, threads, text, etc.). Good luck
|
#3
|
|||
|
|||
The password was not the issue, but I have changed it anyway. It was an SQL injection technique. Somehow they are redirecting my forum home page to a page they created and possibly uploaded on my server themselves. I just can't figure out which file is causing the redirection and how to delete it. My database and website files are intact, I'm sure they would have deleted all of it if they could.
--------------- Added [DATE]1303107275[/DATE] at [TIME]1303107275[/TIME] --------------- Quote:
# Comment the following line (add '#' at the beginning)
# to disable mod_rewrite functions.
# Please note: you still need to disable the hack in
# the vBSEO control panel to stop url rewrites.
RewriteEngine On

# Some servers require the Rewritebase directive to be
# enabled (remove '#' at the beginning to activate)
# Please note: when enabled, you must include the path
# to your root vB folder (i.e. RewriteBase /forums/)
#RewriteBase /

#RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]

RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !/(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php [L,QSA]

Does anything look out of the ordinary? I'm backing up the database as we speak. Just to make sure I understand correctly, I will need to basically reinstall vBulletin and redo all of the graphics/mods? |
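The .htaccess check suggested in post #2, applied to the file posted in #3, as an added example that is not part of the original thread. The function name, the allowlist of rewrite targets (copied from the posted rules) and the list of reported directives are assumptions of this sketch; the tampered sample is constructed from the "DirectoryIndex hackedfile.html" line mentioned in post #2.

```python
import re

# Rewrite targets used by the vBSEO rules posted in the thread (assumed allowlist).
EXPECTED_TARGETS = {"vbseo.php", "vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1"}
# Directives that change which file or handler answers a request.
ALWAYS_REPORT = {"directoryindex", "redirect", "redirectmatch", "errordocument",
                 "addhandler", "sethandler", "addtype", "php_value", "php_flag"}

def audit_htaccess(text):
    """Return (line_no, reason, line) for each active directive worth a manual look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented out: inactive
            continue
        parts = line.split()
        name = parts[0].lower()
        if name in ALWAYS_REPORT:
            findings.append((no, "changes what is served: " + parts[0], line))
        elif name == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            if re.match(r"(?i)^(https?:)?//", target):
                findings.append((no, "rewrite to external URL", line))
            elif target not in EXPECTED_TARGETS:
                findings.append((no, "rewrite to unexpected target", line))
    return findings

# Directive lines from the .htaccess posted in the thread (explanatory comments omitted).
POSTED = r"""RewriteEngine On
#RewriteBase /
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]
RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]
RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !/(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php [L,QSA]
"""
# Constructed sample: the posted file plus the kind of line post #2 warns about.
TAMPERED = POSTED + "DirectoryIndex hackedfile.html\n"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("tampered (constructed)", TAMPERED)):
        print(label, audit_htaccess(text))
```

An empty result for one file says nothing about .htaccess files in other directories, so the same check has to be run on each one found under the web root.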
#4
|
||||
|
||||
Most importantly: you need to find out how they compromised your system and fix that issue. If you just go back to business as it was, what should keep them from doing the same again?
|
#5
|
|||
|
|||
I'm pretty sure they used the exploit described below, I just hadn't installed the patch. I would still like to better understand how it was done, maybe even try it on myself when the backup is installed again.
"A flaw within a side query that is used in the search UI has recently been discovered that affects all versions of vBulletin 4 Forum Classic and vBulletin 4 Publishing Suite. This flaw may enable malicious individuals to inject sql that would allow you to run arbitrary queries on the db via this exploit. To resolve this issue, it has been necessary to release a patch level version on all versions of vBulletin 4.X." |
#6
|
|||
|
|||
I see that you have managed it.
I can see your forum perfectly. |
#7
|
|||
|
|||
Yeah had the same issue and they never got into my database so all I had to do was erase all the forum files and reload them like a new install.
|