Another site hacked question

**Jake Bunce** · Sat 8 Aug '09, 12:31pm

In many cases I find the hackers have inserted their code into the templates to deface the site. If your case fits the profile then you need to run this query on your database in phpmyadmin:

DELETE FROM template
WHERE template LIKE '%base64%'

Then run the "install/upgrade.php" script on your forum to reimport the XML. That will get rid of the defacement.

The following canned response has general instructions for dealing with these situations:

_____

1) Fixing the damage:

You need to restore a backup from before the forum was hacked. If you don't have a backup then you should ask your host if they have one.

2) Preventing future attacks:

Here are some security tips to help prevent this in the future:

How To Make My Forums More Secure - vBulletin Community Forum

http://www.vbulletin.com/forum/showthread.php?t=194701

3) Finding out exactly how they hacked you:

If an admin or mod account was hijacked then you might find evidence of their activities in the vBulletin logs:

Admin CP -> Statistics & Logs

It can be difficult to track down exactly how the hacker got in. You will need to consult with your host to examine the server logs for evidence of intrusion. Otherwise you can just follow the above security tips to help prevent future attacks.

Another thing I have been seeing lately is vBulletin forums on shared servers being hacked through other hosting accounts on the same shared server. Unfortunately there isn't anything you can do to protect against this unless you move to a VPS or dedicated server.

**Elyk** · Sat 8 Aug '09, 1:57pm

Ran the query, did nothing and found nothing.

Uploaded all files and ran install/upgrade and completed it, still cant log into admincp as page goes back to admincp login box where you enter username and password.

Any suggestions of what to do next.

LOL, Jerks now have a count down timer on their page saying site pruning in 7 hours 1 minute as we wont pay them $150 via paypal.

**Cap'n Refsmmat** · Sat 8 Aug '09, 2:16pm

What's your website? I might be able to figure out what's going on.

When it kicks you back to the admincp login box, does it actually tell you that your login failed or does it not even do that -- just throw you right back? Check to see if there are any .htaccess files sitting around that you didn't put there. Maybe they're forcing admincp links to redirect to login.php with .htaccess rules.

You could also try contacting PayPal about the use of their system to collect payments for extortion...

**steven s** · Sat 8 Aug '09, 2:22pm

If you look at the page source,
what does this tell you?



var SECURITYTOKEN = "guest"; guest?

And their content is all between

**Elyk** · Sat 8 Aug '09, 2:26pm

Originally posted by Cap'n Refsmmat

What's your website? I might be able to figure out what's going on.

When it kicks you back to the admincp login box, does it actually tell you that your login failed or does it not even do that -- just throw you right back? Check to see if there are any .htaccess files sitting around that you didn't put there. Maybe they're forcing admincp links to redirect to login.php with .htaccess rules.

You could also try contacting PayPal about the use of their system to collect payments for extortion...

Its yorkiepartners.com. It kicks back to just the login box.

**Cap'n Refsmmat** · Sat 8 Aug '09, 2:30pm

It looks like they've just changed your admin password. (I tried logging in myself and got a bad password message.) Do you have phpMyAdmin access to the database? Let me work out an SQL query here...

Try these queries:
SELECT salt FROM user WHERE username = 'yourusername'

Take the value you get and put it in this:
UPDATE user SET password = MD5(CONCAT(MD5('newpassword'), 'saltyougotbefore')) WHERE username = 'yourusername'

Make 'newpassword' be your new password, in single quotes, and of course 'saltyougotbefore' would be the answer from the first query, in single quotes.

Then try logging in.

**Elyk** · Sat 8 Aug '09, 2:30pm

Originally posted by 1996 328ti

If you look at the page source,
what does this tell you?



var SECURITYTOKEN = "guest"; guest?

And their content is all between

This is whats there between  and [/QUOTE]



<div style="margin: 10px"><SCRIPT LANGUAGE=JAVASCRIPT>

</SCRIPT>

<center><b><script language="JavaScript">
TargetDate = "8/08/2009 10:00 PM";
BackColor = "pink";
ForeColor = "navy";
CountActive = true;
CountStepper = -1;
LeadingZero = true;
DisplayFormat = "Site pruning in %%H%% Hours, %%M%% Minutes, %%S%% Seconds.";
FinishMessage = "Site pruning started.............Deleting all threads. users and database!";
</script>
<script language="JavaScript" src="http://scripts.hashemian.com/js/countdown.js"></script></b><br>
<font size=6><b><font color=blue>H4ck3d</font></b><br>
<b><font color=green>Own3d by SiK H4ck3r</font></b><br>
<b> Contact <font color=red>[email protected]</font> to get your site back<br>Nuffin was deleted ;D just edited your index for fun!</b></font><br>
<img src="http://i25.tinypic.com/116rner.png">
<br>
<b><font color=green size=5>Process is very simple:<br>
Either You contact vBulletin and they can suck my dick huh<br>
OR
You can contact me and we can talk about some GREEN, upto you!</b></font>
</center>

<SCRIPT LANGUAGE=JAVASCRIPT>

</SCRIPT></div>

**Elyk** · Sat 8 Aug '09, 2:33pm

Originally posted by Cap'n Refsmmat

It looks like they've just changed your admin password. (I tried logging in myself and got a bad password message.) Do you have phpMyAdmin access to the database? Let me work out an SQL query here...

Yes, have access to phpMyAdmin

**Cap'n Refsmmat** · Sat 8 Aug '09, 2:36pm

Just updated my post above. Try what I suggested. (make sure you include the WHERE clause in the second query that I accidentally left out

)

**steven s** · Sat 8 Aug '09, 2:39pm

Originally posted by Cap'n Refsmmat

Just updated my post above. Try what I suggested.

Wouldn't uploading the tools.php file create a new admin login?

Edit: You can see that they also changed the general settings.

Owned by SiK HackerZ
vBulletin 3.8.3 Admin Control Panel

**Cap'n Refsmmat** · Sat 8 Aug '09, 2:43pm

I don't know, I've never done that before. I always tinker through phpMyAdmin.

**Elyk** · Sat 8 Aug '09, 3:02pm

Yup, it worked using tools.php. Wierd thing was when i got into admincp the forum was turned off and where you add the reason they had the above stuff I posted added there.

**steven s** · Sat 8 Aug '09, 3:32pm

Looks like you are annoying them.

Ban their ip and you need to try to figure out how they got in.

**Cap'n Refsmmat** · Sat 8 Aug '09, 3:41pm

As long as "annoying" doesn't mean "inciting to delete your database", that's a good thing. They probably have admin access via someone's account (or an account they made admin), so it'd be good to go through all administrators in the usergroups panel and see if there's a bonus one in there, and have the valid administrators change their passwords...

(vaguely related note: why doesn't vB save sent PMs in the sent folder by default? it has me confused for a minute there)

vBulletin 3 End of Life

Another site hacked question

Another site hacked question

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment