The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
My site has been hacked
Our website has been hacked. http://www.pastors-source.com
When you click on most any link it will automatically redirect you to another site that is labeled as an attack site by AVG. The attack site is: opoluicenotgo.ru:8080/forum/showthread.php?page=beb2436a164c6222

I do not know how to fix this. I have re-uploaded all the vb files. Not sure where the redirect code could be.
#2
Check the database. Also do a check up of your server space. And last but not least, ask your host to check their logs to see what happened and how it happened.
#3
|
|||
|
|||
Been hit by this as well on my Forum. Let me know if you manage to find anything; I've currently reuploaded all VB files and it's still happening.

I did find an odd folder called files in the forum folder which contained loads of HTML web pages for some Russian site; deleted those. Also found that they had modified all of the .htaccess files they could to apply the redirect. They also had a file called coms.php which seemed to be linking back somewhere else. Also another index file was created called index.html which seemed to list everything in the directory.

The site is hosted on my own VPS and it's the only one affected. I'm not too sure what I should be looking for in the database; anyone have any clues? I'm just going to have a look in the logs and see if I can find anything there.

--------------- Added [DATE]1336135859[/DATE] at [TIME]1336135859[/TIME] ---------------

Turns out I should always attempt to fix things when properly awake. Found 1 last .htaccess file they added and it's all working fine now, no more redirections.
#4
How did they add the .htaccess file? If it's a vBulletin-related issue?
#5
This must be something new that started this week. As of May 2nd this happened to my site as well...
www.camasvalleyfundays.com

I am currently in the process of re-uploading my entire file database back to 4/1/12. If that doesn't work I have no idea what to do from here. I've looked on .php file and don't see anything out of place or additions with opoluicenotgo.ru written in it. If you click that link it goes to my forums, but my index is missing, and if you go to Google and search camas valley fun days and click the first link, you get that opoluicenotgo.ru link saying it's a virus.... No bueno.
#6
Just a small suggestion: this all happened to me too. Actually this all happened with an iframe with height=0px and width=0px. It was injected by some means I don't know, but almost all my sites got affected, one time only. After that, so far not.
So it's good to find the 0px by 0px iframe in your styles; I am sure you will solve this issue yourself.
#7
Searching for malicious URLs normally will not give you the right answers.

Check under Plugins & Modifications > Plugin Manager, then under Product: vBulletin look for any plugin with a hook_location of ajax_start. If you see anything there click Edit; if it looks like a load of strange characters it is probably the base64 encoded SHELL. Delete this ASAP.

The previous poster suggested looking for 0px by 0px iFrames; this is one way SQL Injection may look in some source code or your templates, but it can also be hidden in your database. Search your database using phpMyAdmin, and use the following wildcards:

%base64%
%iframe%

The trouble with the iframe code now is it is used by vBulletin legitimately, therefore be careful. Any base64 is normally associated with malicious coding, and normally found in your Template table, and the datastore. Sometimes you can remove such code just by resaving any template that you know you have not altered in any way.
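
Added example, not part of the original thread or any poster's code: a Python scan of a web root for the file-level indicators described in posts #3, #6 and #7 (.htaccess redirects to outside hosts, 0px by 0px iframes, eval/base64 in PHP). The regexes, the names `scan_tree` and `build_sample`, and the hosts `forum.example` and `bad.example` are assumptions constructed for illustration.

```python
import os, re, tempfile
# Regexes are this example's assumptions about how the indicators look.
REDIRECT = re.compile(r'^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*?\bhttps?://([^/\s:"\']+)', re.I | re.M)
ZERO_IFRAME = re.compile(r'<iframe\b(?=[^>]*\bwidth\s*[=:]\s*["\']?0(?:px)?\b)'
                         r'(?=[^>]*\bheight\s*[=:]\s*["\']?0(?:px)?\b)', re.I)
ENCODED_PHP = re.compile(r'\b(?:eval|base64_decode)\s*\(', re.I)
TEXT_EXT = (".php", ".html", ".htm", ".js")

def scan_tree(root, own_hosts=()):
    """Return sorted (relative_path, reason) findings for files under root."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", errors="replace") as fh:
                text = fh.read(2_000_000)  # cap the read on huge files
            if name == ".htaccess":
                for host in REDIRECT.findall(text):
                    if host.lower() not in own:
                        findings.append((rel, "external redirect: " + host))
            elif name.lower().endswith(TEXT_EXT):
                if ZERO_IFRAME.search(text):
                    findings.append((rel, "zero-size iframe"))
                if ENCODED_PHP.search(text):
                    findings.append((rel, "eval/base64_decode call"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed sample tree (not content from the thread)."""
    files = {
        ".htaccess": "RewriteRule ^old$ http://forum.example/new [R=301,L]\n",
        "files/.htaccess": "RewriteRule .* http://bad.example:8080/x [R=302,L]\n",
        "coms.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "footer.html": '<iframe src="http://bad.example/" width="0px" height="0px"></iframe>',
        "index.php": "<?php echo 'hello'; ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp, own_hosts=("forum.example",)):
            print(rel, "->", reason)
```

This covers files on disk only; code stored in the database (the plugin and template tables mentioned in post #7) has to be searched separately.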