Another site hacked question

  • Elyk
    Senior Member
    • Sep 2003
    • 292
    • 4.2.x

    Another site hacked question

    Anyone been hacked lately by SiK HackerZ?
    Anyone know what they have been doing lately and what they may have added?

    I just had a site hacked today by SiK HackerZ where he has a redirect to a page that says pay him green. I can't get to the admincp, though I still have access via FTP to the server. Also waiting for the site owner so I can get their download to overwrite the vB files.

    Site is yorkiepartners.com
  • Jake Bunce
    Senior Member
    • Dec 2000
    • 46598
    • 3.6.x

    #2
    In many cases I find the hackers have inserted their code into the templates to deface the site. If your case fits the profile then you need to run this query on your database in phpmyadmin:

    DELETE FROM template
    WHERE template LIKE '%base64%'

    Then run the "install/upgrade.php" script on your forum to reimport the XML. That will get rid of the defacement.

    The following canned response has general instructions for dealing with these situations:

    _____

    1) Fixing the damage:

    You need to restore a backup from before the forum was hacked. If you don't have a backup then you should ask your host if they have one.

    2) Preventing future attacks:

    Here are some security tips to help prevent this in the future:



    3) Finding out exactly how they hacked you:

    If an admin or mod account was hijacked then you might find evidence of their activities in the vBulletin logs:

    Admin CP -> Statistics & Logs

    It can be difficult to track down exactly how the hacker got in. You will need to consult with your host to examine the server logs for evidence of intrusion. Otherwise you can just follow the above security tips to help prevent future attacks.

    Another thing I have been seeing lately is vBulletin forums on shared servers being hacked through other hosting accounts on the same shared server. Unfortunately there isn't anything you can do to protect against this unless you move to a VPS or dedicated server.


    • Elyk
      Senior Member
      • Sep 2003
      • 292
      • 4.2.x

      #3
      Ran the query, did nothing and found nothing.

      Uploaded all files and ran install/upgrade and completed it, still can't log into admincp as the page goes back to the admincp login box where you enter username and password.

      Any suggestions of what to do next?

      LOL, jerks now have a countdown timer on their page saying site pruning in 7 hours 1 minute as we won't pay them $150 via PayPal.


      • Cap'n Refsmmat
        Member
        • Jun 2006
        • 30

        #4
        What's your website? I might be able to figure out what's going on.

        When it kicks you back to the admincp login box, does it actually tell you that your login failed or does it not even do that -- just throw you right back? Check to see if there are any .htaccess files sitting around that you didn't put there. Maybe they're forcing admincp links to redirect to login.php with .htaccess rules.

        You could also try contacting PayPal about the use of their system to collect payments for extortion...

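One way to act on the two checks above (stray .htaccess rules, base64/eval payloads) offline: diff the FTP-downloaded copy of the site against the clean vBulletin download the site owner provides, and flag only what differs. This is an added example, not code from the thread or from vBulletin; the patterns, file names and the sample tree it builds are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Things worth flagging in any file that differs from the clean download: obfuscated
# PHP payloads, and .htaccess rules that could bounce admincp requests to a login page.
PAYLOAD = re.compile(r"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(", re.I)
REWRITE = re.compile(r"^\s*(Redirect(Match)?|RewriteRule|RewriteCond)\b", re.I | re.M)

def read_tree(root):
    """Map relative (posix-style) path -> bytes for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def compare_site(clean_root, site_root):
    """(relative_path, status, flags) for every file that is not byte-identical to the
    clean download. Legitimate extras (config.php, attachments) also show as 'added'."""
    clean, site = read_tree(clean_root), read_tree(site_root)
    report = []
    for rel, data in sorted(site.items()):
        if rel not in clean:
            status = "added"
        elif data != clean[rel]:
            status = "modified"
        else:
            continue  # identical to the distribution copy, nothing to review
        text = data.decode("utf-8", "replace")
        flags = []
        if Path(rel).name == ".htaccess" and REWRITE.search(text):
            flags.append("rewrite-rule")
        if PAYLOAD.search(text):
            flags.append("obfuscated-payload")
        report.append((rel, status, tuple(flags)))
    for rel in sorted(set(clean) - set(site)):
        report.append((rel, "missing", ()))
    return report

def demo():
    """Build a constructed clean/hacked pair in a temp dir and return the report."""
    base = tempfile.mkdtemp()
    files = {  # (side, relative path): contents; all constructed sample data
        ("clean", "index.php"): b"<?php echo 'forum'; ?>",
        ("site", "index.php"): b"<?php eval(base64_decode('aGk=')); ?>",
        ("clean", "admincp/index.php"): b"<?php echo 'admin'; ?>",
        ("site", "admincp/index.php"): b"<?php echo 'admin'; ?>",
        ("site", "admincp/.htaccess"): b"RewriteRule ^index\\.php$ /login.php [R]",
        ("site", "includes/config.php"): b"<?php $config = array(); ?>",
        ("clean", "install/upgrade.php"): b"<?php /* installer */ ?>",
    }
    for (side, rel), body in files.items():
        path = Path(base, side, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    report = compare_site(Path(base, "clean"), Path(base, "site"))
    shutil.rmtree(base)
    return report
```

Anything reported as 'modified' or flagged is what to read first; 'added' entries still need a human to separate config.php and uploads from planted files.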

        • steven s
          Senior Member
          • Jul 2004
          • 3722
          • 3.8.x

          #5
          If you look at the page source,
          what does this tell you?

          <!--
          var SESSIONURL = "";
          var SECURITYTOKEN = "guest";
          var IMGDIR_MISC = "";
          var vb_disable_ajax = parseInt("0", 10);
          // -->


          var SECURITYTOKEN = "guest"; guest?

          And their content is all between

          <!-- main error message -->
          <!-- / main error message -->
          ...steven
          www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
          bmwcca.org/forum | m135i.net
          "I tried to clean this up but this thread is beyond redemption." - Steve Machol


          • Elyk
            Senior Member
            • Sep 2003
            • 292
            • 4.2.x

            #6
            Originally posted by Cap'n Refsmmat
            What's your website? I might be able to figure out what's going on.

            When it kicks you back to the admincp login box, does it actually tell you that your login failed or does it not even do that -- just throw you right back? Check to see if there are any .htaccess files sitting around that you didn't put there. Maybe they're forcing admincp links to redirect to login.php with .htaccess rules.

            You could also try contacting PayPal about the use of their system to collect payments for extortion...
            It's yorkiepartners.com. It kicks back to just the login box.


            • Cap'n Refsmmat
              Member
              • Jun 2006
              • 30

              #7
              It looks like they've just changed your admin password. (I tried logging in myself and got a bad password message.) Do you have phpMyAdmin access to the database? Let me work out an SQL query here...

              Try these queries:
              SELECT salt FROM user WHERE username = 'yourusername'

              Take the value you get and put it in this:
              UPDATE user SET password = MD5(CONCAT(MD5('newpassword'), 'saltyougotbefore')) WHERE username = 'yourusername'

              Make 'newpassword' be your new password, in single quotes, and of course 'saltyougotbefore' would be the answer from the first query, in single quotes.

              Then try logging in.
              Last edited by Cap'n Refsmmat; Sat 8 Aug '09, 2:38pm.

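For reference, the password scheme those two queries rely on, written out in Python so the stored hash can be checked before and after the reset. This is an added example, not code from the thread or from vBulletin; it assumes the vB 3.x layout (user.password = md5(md5(plaintext) + salt), salt taken from user.salt), and the username, salt and passwords in it are constructed sample values.

```python
import hashlib
import hmac

def vb3_hash(plaintext, salt):
    """Value vBulletin 3.x keeps in user.password: md5(md5(plaintext) + salt).
    The inner md5 is what the login form's JavaScript submits; the salt is the
    user.salt column, i.e. the result of the SELECT in the post above."""
    inner = hashlib.md5(plaintext.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def verify(plaintext, salt, stored):
    """True when the stored hash matches the password; use it to confirm the reset
    took effect (and to prove the old password no longer does)."""
    return hmac.compare_digest(vb3_hash(plaintext, salt), stored.lower())

def reset_statement(username, new_password, salt):
    """Parameterised form of the UPDATE in the post above, for a DB-API cursor:
    cursor.execute(*reset_statement(...)). It keeps the WHERE clause and avoids
    pasting the new password into a SQL string by hand."""
    sql = "UPDATE user SET password = %s WHERE username = %s"
    return sql, (vb3_hash(new_password, salt), username)

def demo():
    """Constructed sample row; salt and hash would really come from the user table."""
    salt = "Qz3"  # constructed; vB 3.x salts are short random strings
    stored = vb3_hash("oldpassword", salt)
    sql, params = reset_statement("admin", "newpassword", salt)
    return {
        "old_password_matches": verify("oldpassword", salt, stored),
        "wrong_password_matches": verify("guess", salt, stored),
        "new_hash_matches_new_password": verify("newpassword", salt, params[0]),
        "old_password_still_works": verify("oldpassword", salt, params[0]),
        "where_clause_present": sql.endswith("WHERE username = %s"),
    }
```

The parameterised statement is for a driver such as MySQLdb or PyMySQL (both use %s placeholders); in phpMyAdmin you still type the statement from the post with the values substituted.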

              • Elyk
                Senior Member
                • Sep 2003
                • 292
                • 4.2.x

                #8
                Originally posted by 1996 328ti
                If you look at the page source,
                what does this tell you?

                <!--
                var SESSIONURL = "";
                var SECURITYTOKEN = "guest";
                var IMGDIR_MISC = "";
                var vb_disable_ajax = parseInt("0", 10);
                // -->


                var SECURITYTOKEN = "guest"; guest?

                And their content is all between

                <!-- main error message -->
                <!-- / main error message -->
                This is what's there between <!-- main error message --> and <!-- / main error message -->:

                <!-- main error message -->


                <div style="margin: 10px"><SCRIPT LANGUAGE=JAVASCRIPT>
                <!-- Nifty Title Descrambler Script
                if (document.all||document.getElementById){
                var thetitle=document.title
                document.title=''
                }

                var data="0SDASADdfsfssdfsaSADSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578ASADdfsfssdfsaSADSA Dasfgdgdfas4545fasdfasddfaSADasdfadasdfghd :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DS345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4ASADdfsfssdfsaSADSADasfgdgdfas4545 fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSd56s65a4dsa6aSd5 ASADdfsfssdfsaSADSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSASADdfsfssdfsaSA DSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSDS";

                var done=1;
                function statusIn(text){
                decrypt(text,22,22);
                }

                function statusOut(){
                self.status='';
                done=1;
                }

                function decrypt(text, max, delay){
                if (done){
                done = 0;
                decrypt_helper(text, max, delay, 0, max);
                }

                }

                function decrypt_helper(text, runs_left, delay, charvar, max){
                if (!done){
                runs_left = runs_left - 1;
                var status = text.substring(0,charvar);
                for(var current_char = charvar; current_char < text.length; current_char++){
                status += data.charAt(Math.round(Math.random()*data.length));
                }
                document.title = status;
                var rerun = "decrypt_helper('" + text + "'," + runs_left + "," + delay + "," + charvar + "," + max + ");"
                var new_char = charvar + 1;
                var next_char = "decrypt_helper('" + text + "'," + max + "," + delay + "," + new_char + "," + max + ");"
                if(runs_left > 0){
                setTimeout(rerun, delay);
                }
                else{
                if (charvar < text.length){
                setTimeout(next_char, Math.round(delay*(charvar+3)/(charvar+1)));
                }
                else
                {
                done = 1;
                }
                }
                }
                }

                //if IE 4+ or NS 6+
                if (document.all||document.getElementById)
                statusIn(thetitle)
                // -->
                </SCRIPT>


                <center><b><script language="JavaScript">
                TargetDate = "8/08/2009 10:00 PM";
                BackColor = "pink";
                ForeColor = "navy";
                CountActive = true;
                CountStepper = -1;
                LeadingZero = true;
                DisplayFormat = "Site pruning in %%H%% Hours, %%M%% Minutes, %%S%% Seconds.";
                FinishMessage = "Site pruning started.............Deleting all threads. users and database!";
                </script>
                <script language="JavaScript" src="http://scripts.hashemian.com/js/countdown.js"></script></b><br>
                <font size=6><b><font color=blue>H4ck3d</font></b><br>
                <b><font color=green>Own3d by SiK H4ck3r</font></b><br>
                <b> Contact <font color=red>[email protected]</font> to get your site back<br>Nuffin was deleted ;D just edited your index for fun!</b></font><br>
                <img src="http://i25.tinypic.com/116rner.png">
                <br>
                <b><font color=green size=5>Process is very simple:<br>
                Either You contact vBulletin and they can suck my dick huh<br>
                OR
                You can contact me and we can talk about some GREEN, upto you!</b></font>
                </center>

                <SCRIPT LANGUAGE=JAVASCRIPT>
                <!-- Nifty Title Descrambler Script
                if (document.all||document.getElementById){
                var thetitle=document.title
                document.title=''
                }

                var data="0SDASADdfsfssdfsaSADSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578ASADdfsfssdfsaSADSA Dasfgdgdfas4545fasdfasddfaSADasdfadasdfghd :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DS345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4ASADdfsfssdfsaSADSADasfgdgdfas4545 fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSd56s65a4dsa6aSd5 ASADdfsfssdfsaSADSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSASADdfsfssdfsaSA DSADasfgdgdfas4545fasdfasddfaSADasdfadasdfghd **** ALL ds s DONT COPY MY HTML, OK ? :PPP hahah:P:P:Pdsadfas H4ck3d by d3-st4lli0n gaf gfmnlljoorihmijhajlazicjebesveredomesdahgfsdhadfasd645SDAdas654dfas5641A643795876385076572 467075758SDASdfsdafasdfDsadasfdasfalfafdsf4323423423i875843783584878578345234234-2352342423423gafGADsdsafdssd4as6546dasSASDa645564645das4d56s65a4dsa6aSd5DSDS";

                var done=1;
                function statusIn(text){
                decrypt(text,22,22);
                }

                function statusOut(){
                self.status='';
                done=1;
                }

                function decrypt(text, max, delay){
                if (done){
                done = 0;
                decrypt_helper(text, max, delay, 0, max);
                }

                }

                function decrypt_helper(text, runs_left, delay, charvar, max){
                if (!done){
                runs_left = runs_left - 1;
                var status = text.substring(0,charvar);
                for(var current_char = charvar; current_char < text.length; current_char++){
                status += data.charAt(Math.round(Math.random()*data.length));
                }
                document.title = status;
                var rerun = "decrypt_helper('" + text + "'," + runs_left + "," + delay + "," + charvar + "," + max + ");"
                var new_char = charvar + 1;
                var next_char = "decrypt_helper('" + text + "'," + max + "," + delay + "," + new_char + "," + max + ");"
                if(runs_left > 0){
                setTimeout(rerun, delay);
                }
                else{
                if (charvar < text.length){
                setTimeout(next_char, Math.round(delay*(charvar+3)/(charvar+1)));
                }
                else
                {
                done = 1;
                }
                }
                }
                }

                //if IE 4+ or NS 6+
                if (document.all||document.getElementById)
                statusIn(thetitle)
                // -->
                </SCRIPT></div>


                <!-- / main error message -->


                • Elyk
                  Senior Member
                  • Sep 2003
                  • 292
                  • 4.2.x

                  #9
                  Originally posted by Cap'n Refsmmat
                  It looks like they've just changed your admin password. (I tried logging in myself and got a bad password message.) Do you have phpMyAdmin access to the database? Let me work out an SQL query here...
                  Yes, have access to phpMyAdmin


                  • Cap'n Refsmmat
                    Member
                    • Jun 2006
                    • 30

                    #10
                    Just updated my post above. Try what I suggested. (Make sure you include the WHERE clause in the second query that I accidentally left out.)


                    • steven s
                      Senior Member
                      • Jul 2004
                      • 3722
                      • 3.8.x

                      #11
                      Originally posted by Cap'n Refsmmat
                      Just updated my post above. Try what I suggested.
                      Wouldn't uploading the tools.php file create a new admin login?

                      Edit: You can see that they also changed the general settings.

                      Owned by SiK HackerZ
                      vBulletin 3.8.3 Admin Control Panel
                      ...steven
                      www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                      bmwcca.org/forum | m135i.net
                      "I tried to clean this up but this thread is beyond redemption." - Steve Machol


                      • Cap'n Refsmmat
                        Member
                        • Jun 2006
                        • 30

                        #12
                        I don't know, I've never done that before. I always tinker through phpMyAdmin.


                        • Elyk
                          Senior Member
                          • Sep 2003
                          • 292
                          • 4.2.x

                          #13
                          Yup, it worked using tools.php. Weird thing was when I got into admincp the forum was turned off, and where you add the reason they had the above stuff I posted added there.


                          • steven s
                            Senior Member
                            • Jul 2004
                            • 3722
                            • 3.8.x

                            #14
                            Looks like you are annoying them.
                            Ban their ip and you need to try to figure out how they got in.
                            ...steven
                            www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                            bmwcca.org/forum | m135i.net
                            "I tried to clean this up but this thread is beyond redemption." - Steve Machol


                            • Cap'n Refsmmat
                              Member
                              • Jun 2006
                              • 30

                              #15
                              As long as "annoying" doesn't mean "inciting to delete your database", that's a good thing. They probably have admin access via someone's account (or an account they made admin), so it'd be good to go through all administrators in the usergroups panel and see if there's a bonus one in there, and have the valid administrators change their passwords...

                              (vaguely related note: why doesn't vB save sent PMs in the sent folder by default? it had me confused for a minute there)
