#1
03 May 2012, 19:43
revmitchell
Join Date: Dec 2006
My site has been hacked

Our website has been hacked. http://www.pastors-source.com


When you click on most any link it will automatically redirect you to another site that is labeled as an attack site by AVG. The attack site is:

opoluicenotgo.ru:8080/forum/showthread.php?page=beb2436a164c6222


I do not know how to fix this. I have re-uploaded all the vb files. Not sure where the redirect code could be.

#2
03 May 2012, 19:58
borbole
Join Date: Jan 2010
Check the database. Also do a check-up of your server space. And last but not least, ask your host to check their logs to see what happened and how it happened.

#3
04 May 2012, 08:46
Elbulus
Join Date: Feb 2006
Been hit by this as well on my forum. Let me know if you manage to find anything; I've currently re-uploaded all VB files and it's still happening.

I did find an odd folder called files in the forum folder which contained loads of HTML web pages for some Russian site; deleted those. Also found that they had modified all of the .htaccess files they could to apply the redirect.

They also had a file called coms.php which seemed to be linking back somewhere else.

Also another index file was created called index.html which seemed to list everything in the directory.

The site is hosted on my own VPS and it's the only one affected. I'm not too sure what I should be looking for in the database; anyone have any clues?

I'm just going to have a look in the logs and see if I can find anything there.

--------------- Added 04 May 2012 at 12:50 ---------------

Turns out I should always attempt to fix things when properly awake. Found 1 last .htaccess file they added and it's all working fine now, no more redirections.

#4
04 May 2012, 16:38
The Rocketeer
Join Date: Jun 2010
How did they add the .htaccess file? If it's a vBulletin related issue?

#5
05 May 2012, 15:57
silentsamurai
Join Date: Jan 2009
This must be something new that started this week. As of May 2nd this happened to my site as well...

www.camasvalleyfundays.com

I am currently in the process of re-uploading my entire file database back to 4/1/12. If that doesn't work I have no idea what to do from here. I've looked on .php file and don't see anything out of place or additions with opoluicenotgo.ru written in it.

If you click that link it goes to my forums, but my index is missing, and if you go to Google and search camas valley fun days, click the first link, you get that opoluicenotgo.ru link saying it's a virus... No bueno

#6
06 May 2012, 19:58
alirex
Join Date: Nov 2007
Just a small suggestion: this all happened with me too. Actually this all happened in an iframe with height=0px and width=0px. It was injected by some means I don't know, but almost all my sites got affected, one time only. After that, so far not.

So it's good to find the 0px by 0px iframe in your styles; I am sure you will solve this issue yourself.

#7
07 May 2012, 17:30
syrus.xl
Join Date: Jun 2005
Searching for malicious URLs normally will not give you the right answers.

Check under Plugins & Modifications > Plugin Manager, then under Product: vBulletin look for any plugin with a hook_location of ajax_start. If you see anything there click Edit; if it looks like a load of strange characters it is probably the base64 encoded SHELL. Delete this ASAP.

The previous poster suggested looking for 0px by 0px iFrames, this is one way SQL Injection may look in some source code or your templates, but it can also be hidden in your database. Search your database using phpMyAdmin, and use the following wildcards:

%base64%
%iframe%

The trouble with the iframe code now is it is used by vBulletin legitimately, therefore be careful. Any base64 is normally associated with malicious coding, and normally found in your Template table, and the datastore.

Sometimes you can remove such code just by resaving any template that you know you have not altered in any way.

Last edited by syrus.xl; 08 May 2012 at 10:47.
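
Added example, not part of any post in this thread: a Python sketch of the file-side checks the posters describe, walking every directory for .htaccess rules that redirect to a foreign host, zero-size iframes and base64_decode calls. Host names, sample contents and function names are constructed for illustration; hits are candidates for review, and the database checks from post #7 are separate.

```python
import os
import re

# Constructed sample inputs (not taken from any real site).
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old/(.*)$ http://forum.example/new/$1 [R=301,L]\n"
    "RewriteRule ^(.*)$ http://redirect.example.invalid:8080/x.php [R=302,L]\n"
)
SAMPLE_TEMPLATE = '<iframe src="http://redirect.example.invalid/" width="0px" height="0px"></iframe>'
SAMPLE_LEGIT = '<iframe src="/video" width="560" height="315" frameborder="0" marginwidth="0"></iframe>'

# Rewrite/redirect directive whose target is an absolute URL; group 1 is the host.
HTACCESS_EXTERNAL = re.compile(
    r'^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*?\bhttps?://([^/\s:"\]]+)',
    re.I | re.M)
# iframe whose width or height is exactly 0 (attribute or inline style); frameborder etc. are ignored.
ZERO_IFRAME = re.compile(
    r'<iframe\b[^>]*(?<![\w-])(?:width|height)\s*[=:]\s*["\']?0(?:px)?\b', re.I)
BASE64_CALL = re.compile(r'\bbase64_decode\s*\(', re.I)

def scan_text(name, text, own_hosts=()):
    """Return (name, finding) tuples for one file's contents; own_hosts are lower-case host names."""
    findings = []
    if os.path.basename(name) == ".htaccess":
        for host in HTACCESS_EXTERNAL.findall(text):
            if host.lower() not in own_hosts:
                findings.append((name, "htaccess redirect to " + host))
    if ZERO_IFRAME.search(text):
        findings.append((name, "zero-size iframe"))
    if BASE64_CALL.search(text):
        findings.append((name, "base64_decode call"))
    return findings

def scan_tree(root, own_hosts=()):
    """Walk the whole web root: any directory can carry its own .htaccess."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn == ".htaccess" or fn.endswith((".php", ".html", ".htm", ".js")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(path, fh.read(), own_hosts)
    return findings
```

Run `scan_tree` against the forum's document root with the site's own host names in `own_hosts`, so that legitimate same-site redirects are not reported.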

All times are GMT.