  #1  
Old 13 May 2011, 18:14
Chmura Chmura is offline
 
Join Date: May 2005
Forum got Hacked - Need help recovering

My forum was hacked a few hours ago. I haven't made a backup of the database in a month and I don't know if my files are backed up; I will need to check my laptop that's at a different location later.
I don't know what to look for to find the "Hacked by" file.
It's not in index.php or forum.php. Where do I find this?
They also sent emails to every single member (17,500+) on my forum.
What steps do I need to take to recover from this?
I was running on 4.1.2.

I can't log in as admin and they banned all members.
Cyb Advanced Forum Rules is NOT installed on my forum

Last edited by Chmura; 13 May 2011 at 18:46.
  #2  
Old 13 May 2011, 18:57
K!nG K!nG is offline
 
Join Date: Dec 2010
Was it just hacked, or did they also delete all the files and the database from the server? My forum was hacked, but they just deleted all my site's directories; luckily they didn't delete the database. Check and see if you are lucky enough, and I would suggest just uploading all new files or the last backup that you have.
  #3  
Old 13 May 2011, 19:03
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Download your version of vb from vbulletin.com and upload all the default files (keep a copy of your includes/config.php file!). Unless you modified them, then the default ones you download should be fine.

My thoughts - if you have no idea what to look for in your database, then you are better off using a backup.

Please learn from this and make more frequent backups of ALL your data.
__________________
Former vBulletin.org Staff Member
  #4  
Old 13 May 2011, 21:41
Chmura Chmura is offline
 
Join Date: May 2005
I have talked to the hackers and they gave me these tips:

have a 20 character long password upper lower case, numbers, symbols
delete group.php
change the directory of admincp and modcp

As for the forum nothing appears to be deleted, I'm working on restoration right now.

Last edited by Chmura; 13 May 2011 at 22:58.
  #5  
Old 13 May 2011, 23:19
CK CK is offline
 
Join Date: Dec 2007
Real name: http://xenforo.com/
You've spoken to the hackers, tell us more.
  #6  
Old 13 May 2011, 23:32
dale09 dale09 is offline
 
Join Date: Nov 2009
Originally Posted by ChemicalKicks View Post
You've spoken to the hackers, tell us more.
I was curious about this as well. Did he schedule a dinner with them? lol
  #7  
Old 13 May 2011, 23:36
Boofo Boofo is offline
 
Join Date: Mar 2002
Real name: Rob
Originally Posted by Chmura View Post
I have talked to the hackers and they gave me these tips:

have a 20 character long password upper lower case, numbers, symbols
delete group.php
change the directory of admincp and modcp

As for the forum nothing appears to be deleted, I'm working on restoration right now.
As far as changing the admincp and modcp names, it is actually easier and secure enough to just password protect those directories in your htaccess file. Finding out the names to those directories isn't really that hard for someone to do.
  #8  
Old 14 May 2011, 00:12
Chmura Chmura is offline
 
Join Date: May 2005
Originally Posted by dale09 View Post
I was curious about this as well. Did he schedule a dinner with them? lol
Hahah
I found the kid's YouTube channel by the username he left on the defaced page and contacted him. Soon we started chatting on MSN and it turns out it was his buddy, whom I also talked to, that did the hacking. They somehow decrypted my password and got access to my admin cp where one of them messed with my usergroups, admin etc. Fortunately they didn't delete anything, gave me the admin login and helped me get everything back to normal. After that I followed the tips they gave me to secure the forum.

Originally Posted by Boofo
As far as changing the admincp and modcp names, it is actually easier and secure enough to just password protect those directories in your htaccess file. Finding out the names to those directories isn't really that hard for someone to do.
Great idea! Will do that too.
  #9  
Old 14 May 2011, 00:27
Boofo Boofo is offline
 
Join Date: Mar 2002
Real name: Rob
I also have the install directory password protected just in case they want to try and play with anything in there.
  #10  
Old 14 May 2011, 00:32
MagicThemeParks MagicThemeParks is offline
 
Join Date: Sep 2009
Sorry to hijack, but what's the easiest way to password protect the directories, Boofo?
  #11  
Old 14 May 2011, 00:46
Boofo Boofo is offline
 
Join Date: Mar 2002
Real name: Rob
I use a program from Coffeecup software called "Coffeecup Website Access Manager". It allows you to password protect any directories easily. I'm sure there are other programs out there that will do the same thing.
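The htaccess protection Boofo describes in posts #7 and #9, sketched as an added example that is not part of any post in this thread: a shell script that writes a Basic-auth `.htaccess` into `admincp`, `modcp` and `install`, then audits that each one is covered. It assumes Apache with `AllowOverride AuthConfig` and a password file already created with `htpasswd`; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are hypothetical.
# Create the password file first, outside the web root, e.g.:
#   htpasswd -c /home/example/private/.htpasswd adminuser

# protect_dir WEBROOT SUBDIR PWFILE
# Writes WEBROOT/SUBDIR/.htaccess requiring HTTP Basic auth.
protect_dir() {
    webroot=$1; sub=$2; pwfile=$3
    [ -d "$webroot/$sub" ] || { echo "no such directory: $webroot/$sub" >&2; return 1; }
    # A password file inside the web root could be fetched over HTTP; refuse it.
    case "$pwfile" in
        "$webroot"/*) echo "refusing: $pwfile is inside the web root" >&2; return 2 ;;
    esac
    cat > "$webroot/$sub/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $pwfile
Require valid-user
EOF
}

# is_protected DIR: true only if DIR/.htaccess carries all three directives.
is_protected() {
    f=$1/.htaccess
    [ -f "$f" ] &&
        grep -q '^AuthType Basic' "$f" &&
        grep -q '^AuthUserFile ' "$f" &&
        grep -q '^Require valid-user' "$f"
}

# audit_forum WEBROOT: list the control-panel and install directories that
# exist but are not password protected. Returns 1 if any were listed.
audit_forum() {
    found=0
    for sub in admincp modcp install; do
        [ -d "$1/$sub" ] || continue
        if ! is_protected "$1/$sub"; then
            echo "UNPROTECTED $1/$sub"
            found=1
        fi
    done
    return "$found"
}

# Usage: sh protect.sh /var/www/forum /home/example/private/.htpasswd
if [ "$#" -eq 2 ]; then
    for sub in admincp modcp install; do
        [ -d "$1/$sub" ] && protect_dir "$1" "$sub" "$2"
    done
    audit_forum "$1"
fi
```

Basic auth sends the password with every request, so it only adds protection when the control panel is reached over HTTPS.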
  #12  
Old 14 May 2011, 00:53
g0dfather1984 g0dfather1984 is offline
 
Join Date: May 2008
Thank you Boofo for the advice. I'm also taking it.

(Sorry about hijacking the thread.)
  #13  
Old 14 May 2011, 21:50
Chmura Chmura is offline
 
Join Date: May 2005
Does anyone know how to revert this change?
"spainish"

  #14  
Old 15 May 2011, 01:55
skol skol is offline
 
Join Date: Oct 2008
Originally Posted by Chmura View Post
Hahah
I found the kid's YouTube channel by the username he left on the defaced page and contacted him. Soon we started chatting on MSN and it turns out it was his buddy, whom I also talked to, that did the hacking. They somehow decrypted my password and got access to my admin cp where one of them messed with my usergroups, admin etc. Fortunately they didn't delete anything, gave me the admin login and helped me get everything back to normal. After that I followed the tips they gave me to secure the forum.


Great idea! Will do that too.

They didn't decrypt your password, they used a keylogger. Probably something you clicked on in your emails, or downloaded.
  #15  
Old 17 May 2011, 20:08
Chmura Chmura is offline
 
Join Date: May 2005
Originally Posted by skol View Post
They didn't decrypt your password, they used a keylogger. Probably something you clicked on in your emails, or downloaded.
I'm very careful about these things, I highly doubt that's what happened.