The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Site hacked by Myanmar Muslim Cyber Force
I believe it's time to enlist some help to get this resolved. Earlier this evening our forum.php was compromised and is now suffering from some kind of redirection.
So far I've removed the /install folder, deleted accounts created today, changed admin passwords and replaced the rest of the forum directories from backup and still don't have this thing removed. Please PM me as soon as possible if you are interested in being paid to resolve this.
http://www.treeleaf.org/forums/forum.php
#2
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
#3
Same thing happened to us in the last 6 hours. When you click on our forum.php, it gets redirected to:
http://adf.ly/xxxxx
Reinstalling the forum removes any customizations we made. Is there any other way to handle this? Thanks.
#4
Okay, I tried the supplied cookbook. No resolution yet.
Help please!
#5
I've deleted the install directory, found several admin users and removed their admin permissions, disabled hooks in config.php, but still haven't resolved it yet. I haven't installed a fresh vB version yet since that will remove all my customizations.
I'll update here if I get it working.
Edit: I've also noticed it is the main theme that redirects, and all its child themes. Other themes work fine w/o redirect.
--------------- Added [DATE]1378795611[/DATE] at [TIME]1378795611[/TIME] ---------------
In the FORUMHOME template, it was modified by a hacker account, and was modified to be:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/xxx">
Check that file, and revert it.
#6
I've also chased these fixes with no luck yet.
--------------- Added [DATE]1378824479[/DATE] at [TIME]1378824479[/TIME] ---------------
I'll eat my words, you had it right Pjkcards. Once you get the info out of the template, it's gone. Thanks so much for this. Bows.
#7
The redirects are being inserted into the database through the ADMINCP. Replacing the scripts won't accomplish anything.
Your best bet is to look at the Admin Log and see which functions the bogus admin accounts accessed. Then go to those tools and look at the most recently changed/added data. This could be notices, templates, plugins -- anything where you can embed HTML code that is executed.
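Added example, not part of any post in this thread: a Python sketch of the template review described in posts #5 and #7. It scans template bodies (assumed to be already exported from the database into a title-to-body mapping) for a meta refresh whose target is off-site; the function names, the sample rows other than the FORUMHOME tag, and the host forum.example are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows (template title -> body). Only the FORUMHOME tag
# is taken from the thread; the other rows are made up for the demonstration.
SAMPLE_TEMPLATES = {
    "FORUMHOME": '<html><head>\n<META HTTP-EQUIV="Refresh" '
                 'CONTENT="0;URL=http://adf.ly/xxx">\n</head>',
    "header": '<meta http-equiv="refresh" content="600">',  # timed reload, no URL
    "redirect_notice": "<meta http-equiv='Refresh' "
                       "content='2; url=http://forum.example/index.php'>",
    "footer": "<div>Powered by vBulletin</div>",
}

# content="<delay>;url=<target>" with optional spaces, any letter case
URL_PART = re.compile(r"^\s*[\d.]*\s*[;,]?\s*url\s*=\s*(.+)$", re.I | re.S)


class RefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv=refresh> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            m = URL_PART.match(a.get("content", ""))
            if m:
                self.targets.append(m.group(1).strip().strip("'\""))


def offsite_refreshes(templates, own_hosts):
    """Return sorted (title, url) pairs whose refresh target leaves own_hosts."""
    hits = []
    for title, body in templates.items():
        finder = RefreshFinder()
        finder.feed(body)
        for url in finder.targets:
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:  # relative targets stay on-site
                hits.append((title, url))
    return sorted(hits)


if __name__ == "__main__":
    for title, url in offsite_refreshes(SAMPLE_TEMPLATES, {"forum.example"}):
        print(f"{title}: redirects to {url}")
```

The same function can be pointed at notice or plugin text, since those are the other places post #7 names where embedded HTML ends up being served.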
#8
The only way that is possible is by them uploading shell scripts that then allow them to modify files to place the site in debug mode, heck you can do that for one single user via a quick plugin. Check for files such as lol.php and others, also check above your forum root in public_html and others for files such as lol.php or similar names, check timestamps of files as one could be a shell script and yes do replace all your vBulletin files with 100% fresh files, download the same version (patched of course) and then overwrite all files - REMEMBER to delete the /install/ folder before uploading.
#9
Today the site was redirected again, this time the homepage.
As for the files they modified: the 4 users modified probably 100 files.
#10
I just spent about a few hours cleaning up my forum
- changed passwords all over the place
- removing /install directory
- removing redirect from FORUMHOME
- removing admins
- changed passwords for all my admins
- reverted index.php in my /admincp
- they also placed some index.php files in each one of my folders (include, vb, archive, etc) that I had to manually delete. I organized by date modified.
Sigh. Hope that helps some of you guys. Things look good now, but I am afraid to see what I find when I wake up tomorrow.