  #1  
18 Apr 2011, 05:29
ebp123
 
Join Date: Mar 2010
Forum hacked need help!

My forum g r o w b o x f o r u m (dot com) was hacked, and when you go to the forum the hacker's page is displayed. My web hosting service said that I need to delete everything and start over. Unfortunately I do not have a backup, and I cannot afford to lose over 1 year's worth of data. All of my information is still in my cPanel, I just cannot figure out how to keep the hacker's page from being displayed... I guess it was a SQL injection technique.

Please help!! I make part of my living from this forum and need to get it back ASAP or I'm going to be in a horrible situation financially.

Thanks
  #2  
18 Apr 2011, 05:52
frankie.
 
Join Date: Jan 2009
Your host should be able to log in to root WHM and change your cPanel password and email it to you. Once you log in you can check out the .htaccess file; most likely the hacker added something like "DirectoryIndex hackedfile.html" to it, so that is why that file loads for your site. I recommend backing up the database as soon as you log in and doing a whole new vb install, but link it to your database (edit the configuration.php). If anything, you might have lost files but not the database (posts, threads, text, etc.). Good luck
  #3  
18 Apr 2011, 05:58
ebp123
 
Join Date: Mar 2010
The password was not the issue, but I have changed it anyway. It was an SQL injection technique. Somehow they are redirecting my forum home page to a page they created and possibly uploaded on my server themselves. I just can't figure out which file is causing the redirection and how to delete it. My database and website files are intact; I'm sure they would have deleted all of it if they could.

--------------- Added 18 Apr 2011 at 06:14 ---------------

Originally Posted by frankie.
Your host should be able to log in to root WHM and change your cPanel password and email it to you. Once you log in you can check out the .htaccess file; most likely the hacker added something like "DirectoryIndex hackedfile.html" to it, so that is why that file loads for your site. I recommend backing up the database as soon as you log in and doing a whole new vb install, but link it to your database (edit the configuration.php). If anything, you might have lost files but not the database (posts, threads, text, etc.). Good luck

Thanks for the help. I logged into my cPanel and my htaccess file shows the following:

# Comment the following line (add '#' at the beginning)
# to disable mod_rewrite functions.
# Please note: you still need to disable the hack in
# the vBSEO control panel to stop url rewrites.
RewriteEngine On

# Some servers require the Rewritebase directive to be
# enabled (remove '#' at the beginning to activate)
# Please note: when enabled, you must include the path
# to your root vB folder (i.e. RewriteBase /forums/)
#RewriteBase /

#RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]

RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !/(admincp|modcp|clientscript|cpstyles|images)/
RewriteRule ^(.+)$ vbseo.php [L,QSA]


Does anything look out of the ordinary? I'm backing up the database as we speak. Just to make sure I understand correctly, I will need to basically reinstall vBulletin and redo all of the graphics/mods?

Last edited by ebp123; 18 Apr 2011 at 06:14. Reason: Auto-Merged DoublePost
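
A check along the lines frankie. suggests, as an added example that is not part of the original thread: it lists the active .htaccess directives that can change what the forum root serves or send visitors to another host. The sample input is constructed from the rules posted above plus two constructed lines; the choice of directives, `audit_htaccess` and `own_hosts` are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Real Apache / mod_php directive names; selecting these for review is this
# example's assumption about what can change the page served for "/".
ALWAYS_FLAG = {
    "directoryindex": "replaces the default index file",
    "redirect": "redirects requests",
    "redirectmatch": "redirects requests",
    "errordocument": "can serve or redirect to an arbitrary page",
    "php_value": "can set auto_prepend_file / auto_append_file",
    "addhandler": "can make non-PHP files execute",
    "sethandler": "can make non-PHP files execute",
}

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, directive, reason) for each active line worth reviewing."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out rules are inactive
            continue
        parts = line.split()
        name = parts[0].lower()
        if name in ALWAYS_FLAG:
            findings.append((no, parts[0], ALWAYS_FLAG[name]))
        elif name == "rewriterule" and len(parts) >= 3:
            target = parts[2]                  # substitution part of the rule
            is_url = re.match(r"(?i)https?://", target)
            host = urlparse(target).hostname if is_url else None
            if host and host.lower() not in own_hosts:
                findings.append((no, parts[0], "rewrites to external host " + host))
    return findings

# Constructed sample: active rules from the posted file, then two constructed
# lines of the kind described in the thread (index override, external redirect).
SAMPLE = r"""RewriteEngine On
#RewriteRule (.*) http://www.yourdomain.com/forums/$1 [L,R=301]
RewriteRule ^((urllist|sitemap_).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]
RewriteCond %{REQUEST_URI} !(admincp/|modcp/|cron|vbseo_sitemap)
RewriteRule ^((archive/)?(.*\.php(/.*)?))$ vbseo.php [L,QSA]
DirectoryIndex hackedfile.html
RewriteRule ^$ http://other-site.example/ [R=302,L]
"""

if __name__ == "__main__":
    for no, directive, reason in audit_htaccess(SAMPLE, {"www.yourdomain.com"}):
        print(f"line {no}: {directive}: {reason}")
```

Run against only the rules actually posted above, this check reports nothing, so the override would have to sit somewhere else, such as another .htaccess on the path or a replaced index file.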
  #4  
18 Apr 2011, 06:50
cellarius
 
Join Date: Aug 2005
Real name: Sven
Most importantly: you need to find out how they compromised your system and fix that issue. If you just go back to business as it was, what should keep them from doing the same again?
__________________
Please note that there will be no further updates to my addons, especially they will not be upgraded for vB5. I'm leaving vB, since IB choose to go the banana-way yet again.

http://www.roma-antiqua.de
  #5  
18 Apr 2011, 07:26
ebp123
 
Join Date: Mar 2010
I'm pretty sure they used the exploit described below, I just hadn't installed the patch. I would still like to better understand how it was done, maybe even try it on myself when the backup is installed again.

"A flaw within a side query that is used in the search UI has recently been discovered that affects all versions of vBulletin 4 Forum Classic and vBulletin 4 Publishing Suite. This flaw may enable malicious individuals to inject sql that would allow you to run arbitrary queries on the db via this exploit. To resolve this issue, it has been necessary to release a patch level version on all versions of vBulletin 4.X. "
  #6  
18 Apr 2011, 19:39
Stefan118
 
Join Date: Dec 2010
I see that you have managed it.
I can see your forum perfectly.
  #7  
18 Apr 2011, 23:24
venom2124
 
Join Date: Feb 2009
Yeah had the same issue and they never got into my database so all I had to do was erase all the forum files and reload them like a new install.