Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 10-18-2012, 08:33 PM
TrevorS TrevorS is offline
 
Join Date: Apr 2012
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Forum hacked, keeps redirecting to to deface page after i deleted it

My vBulletin forum was "hacked" (actually one of my admins emails just wasnt secure >.>) They uploaded 2 shells and a deface page, which i deleted, yet it still tries to redirect to the deface page, and is in an endless loop of refreshing.

Basically when it was first hacked, when i went to mydomain.com it redirected to mydomain.com/deface.html

I then deleted deface.html, but it still tries to redirect to mydomain.com/deface.html

I DO NOT have a .htaccess file, I've looked and it is not there. I have tried to make my own, and it would not work, I even made sure to CHMOD it, but still no success.

does anyone know how to fix this?
Reply With Quote
  #2  
Old 10-18-2012, 08:39 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Try running this script: https://vborg.vbsupport.ru/showthread.php?t=281080

Also, look in the Plugin Manager and see if there are any plugins you don't recognize.
Reply With Quote
  #3  
Old 10-18-2012, 08:44 PM
TrevorS TrevorS is offline
 
Join Date: Apr 2012
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I cant access my control panel because every page redirects.
Reply With Quote
  #4  
Old 10-18-2012, 08:46 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Have you tried disabling hooks globally via the config.php file?

define('DISABLE_HOOKS', true);
Reply With Quote
Благодарность от:
Max Taxable
  #5  
Old 10-18-2012, 09:06 PM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yeah that. And while it doesn't hurt to run that other script, if your admincp is redirecting it's got to be something other than a template.
Reply With Quote
  #6  
Old 10-18-2012, 10:43 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Did you try using a database backup? If your database was also compromised, then that may be a good option.
Reply With Quote
  #7  
Old 10-19-2012, 12:24 AM
TrevorS TrevorS is offline
 
Join Date: Apr 2012
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
Did you try using a database backup? If your database was also compromised, then that may be a good option.
database was not touched, only an admin account that wasnt even super admin. all they did was upload 2 shellls, a deface page, and whatever redirects every page.
Reply With Quote
  #8  
Old 10-19-2012, 01:51 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You cannot upload a file without ftp/server access, so what makes you think someone wasn't able to access the server and the database?
Reply With Quote
  #9  
Old 10-19-2012, 08:25 AM
betterthanyours betterthanyours is offline
 
Join Date: May 2012
Posts: 193
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Just throwing this out there, you should make sure the NameServers were not changed and that there are no forwarders
Reply With Quote
  #10  
Old 10-19-2012, 11:33 AM
TrevorS TrevorS is offline
 
Join Date: Apr 2012
Posts: 9
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
You cannot upload a file without ftp/server access, so what makes you think someone wasn't able to access the server and the database?
They uploaed a shell through the adminCP, then uploaded a deface page through that, i checked the 'last modified' date of all the files in my FTP, only the shell and the deface page were added.

Quote:
Originally Posted by betterthanyours View Post
Just throwing this out there, you should make sure the NameServers were not changed and that there are no forwarders
nameserves were not changed
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:05 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06979 seconds
  • Memory Usage 2,254KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (1)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete