Hacked by a Wanna-be...

  • dsimms
    Senior Member
    • Aug 2010
    • 186

    [Forum] Hacked by a Wanna-be...

    My forum has been hacked by a wanna-be hacker...honestly I would not even give him the title of hacker...
    He left a site that makes $200+/day and injected into a forum that does not do that much...This tells me
    his skill set is about limited to sql injection...or some type of injection. He is more of a fly in my face than a hacker.

    Can someone tell me how to cure this, or how to find out what file he injected to?
    I can not login to admin as it just routes me back to the home page where you
    see his "I wanna be a hacker by injecting VB forums" What a Lamo Loser....

    I guess I could upload the latest VB files, but unless it was a VB file injected, then
    it will do me no good in the end if it is a 3rd party mod or something.

    Thanks Guys...
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    Not really enough info to know what he did or how. Fill out a support ticket at:



    Please include a complete description of the problem and be sure to include the login info to your Admin CP, phpMyAdmin and FTP in the 'Sensitive Data' field.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • dsimms
      Senior Member
      • Aug 2010
      • 186

      #3
      Originally posted by Steve Machol
      Not really enough info to know what he did or how. Fill out a support ticket at:



      Please include a complete description of the problem and be sure to include the login info to your Admin CP, phpMyAdmin and FTP in the 'Sensitive Data' field.
      They do not know much either.

      I think this would be a good time for a modder to create some type of hack mod that would restore files
      in any event a hack has been detected, and create a log on exactly what has been changed....

      The question now is, how can I access admincp? Of course the hacker does not want me to
      access admincp, because if I could, then I could disable mods that could defeat his hack...
      Is there a way around this hacker's hack so that I can get direct access to admincp?


      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        If by 'they' you mean us, you have not provided the info I requested last night in your support ticket so we can help. We are still waiting on this.

        • dsimms
          Senior Member
          • Aug 2010
          • 186

          #5
          Originally posted by Steve Machol
          If by 'they' you mean us, you have not provided the info I requested last night in your support ticket so we can help. We are still waiting on this.
          Maybe I am the only one trying to figure this out...

          I give ftp access as last resort...

          I was hoping at least with your experience, then you would be helpful where to start
          since VB probably sees stuff like this all the time...

          I renamed my /includes/ directory and the hacker page went blank...so could the
          problem be in the includes directory?

          Yes, I try to figure a lot of this out myself
          before having to give ftp access out to anyone....


          • Steve Machol
            Former Customer Support Manager
            • Jul 2000
            • 154488

            #6
            It could be any number of dozens of things. If I had a simple solution for you I would have already provided it instead of asking you to create a ticket.

            • dsimms
              Senior Member
              • Aug 2010
              • 186

              #7
              Originally posted by Steve Machol
              It could be any number of dozens of things. If I had a simple solution for you I would have already provided it instead of asking you to create a ticket.
              It's why I posted here in hopes to get clues.

              I disrupted /includes/ and the hack page went blank.
              I disrupted includes/ini.php and again the hack page went blank.

              any ideas with this?


              • borbole
                Senior Member
                • Feb 2010
                • 3074
                • 4.0.0

                #8
                What version of vb do you have? What damage is done to your site? Can you post the link?

                Did you contact the host and ask them to check their access logs to see how exactly that hacker got access to your site?


                • dsimms
                  Senior Member
                  • Aug 2010
                  • 186

                  #9
                  Originally posted by borbole
                  What version of vb do you have? What damage is done to your site? Can you post the link?

                  Did you contact the host and ask them to check their access logs to see how exactly that hacker got access to your site?
                  I can not remember the latest version, but it was not the very recent latest...I try to stay a step back in case there
                  are problems with the latest updates, so I never install the latest, so it would be a version or so back....

                  damage? Forum home shows hacked by...I could be wrong, but is the index showing the page from an unknown
                  location of some modified file with code injection; I am not exactly sure how pages are shown as "hacked by"

                  I have looked at some logs, I only see my IP...

                  I doubt they had full access, ftp, etc...I am not sure exactly how a hacker injects coding into a file, but my guess
                  is if they had full access, then they could just delete EVERYTHING, then leave their custom index....seeing that
                  the files and directories that I know are in place tells me they did not have such access to delete everything....
                  then I noticed the rest of the entire site was untouched also...this tells me their skill set may be limited to injection only.

                  If I was a hacker, I would have deleted everything, I would have uploaded a custom
                  index shooting you the finger, then brag about how good of a hacker I am....

                  I surely would not embarrass myself by injecting code, then claim I am the best hacker....


                  • Paul M
                    Former Lead Developer
                    vB.Com & vB.Org
                    • Sep 2004
                    • 9886

                    #10
                    They cannot help you unless you provide the access requested, so best to decide - do you want someone to look into it or not?
                    Baby, I was born this way


                    • dsimms
                      Senior Member
                      • Aug 2010
                      • 186

                      #11
                      Originally posted by Paul M
                      They cannot help you unless you provide the access requested, so best to decide - do you want someone to look into it or not?
                      Right now I am looking for the public's help. Maybe they can provide more info, maybe they can say look here, or there,
                      maybe they know something that I have not run across yet. If you can not tell me how to by-pass so I can get to admincp, then fine...

                      Do you always run your computer or car right to the shop, or do you try to figure it out before you have to run them in?
                      and you try to figure things out by asking for help, ask on computer forums, car forums, VB forum, etc...


                      • borbole
                        Senior Member
                        • Feb 2010
                        • 3074
                        • 4.0.0

                        #12
                        Originally posted by dsimms
                        I can not remember the latest version, but it was not the very recent latest...I try to stay a step back in case there
                        are problems with the latest updates, so I never install the latest, so it would be a version or so back....

                        damage? Forum home shows hacked by...I could be wrong, but is the index showing the page from an unknown
                        location of some modified file with code injection; I am not exactly sure how pages are shown as "hacked by"

                        I have looked at some logs, I only see my IP...

                        I doubt they had full access, ftp, etc...I am not sure exactly how a hacker injects coding into a file, but my guess
                        is if they had full access, then they could just delete EVERYTHING, then leave their custom index....seeing that
                        the files and directories that I know are in place tells me they did not have such access to delete everything....
                        then I noticed the rest of the entire site was untouched also...this tells me their skill set may be limited to injection only.

                        If I was a hacker, I would have deleted everything, I would have uploaded a custom
                        index shooting you the finger, then brag about how good of a hacker I am....

                        I surely would not embarrass myself by injecting code, then claim I am the best hacker....

                        If the contents have not been damaged then clean up the hack code from your index file and then update your forum to the latest version of your branch. Then change all your login info as well just in case (forum admin, ftp and login info for your host), and do a thorough scan of your server space for anything that shouldn't be there. And also don't forget to ask your host to check their access logs.

                        Comment
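
The file check suggested in posts #3 and #12, as an added example that is not part of the original thread and is not vBulletin code: it hashes a clean copy of the forum package and the live webroot, then lists files that were modified, added or missing. The file names and contents are constructed sample data, and the clean copy is assumed to be the same version as the installed forum.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(clean_root, live_root):
    """Report how the live webroot differs from a clean copy of the package."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_sample(base):
    """Constructed sample: a tiny 'clean' tree and a tampered 'live' copy."""
    files = {"index.php": "<?php require 'includes/bootstrap.php';",
             "includes/bootstrap.php": "<?php // bootstrap",
             "includes/functions.php": "<?php // helpers"}
    for name in ("clean", "live"):
        for rel, body in files.items():
            target = Path(base, name, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Simulated changes in the live tree (constructed, harmless content).
    Path(base, "live", "includes/bootstrap.php").write_text("<?php // bootstrap + extra line")
    Path(base, "live", "images").mkdir()
    Path(base, "live", "images/unexpected.php").write_text("<?php // not in the package")
    Path(base, "live", "includes/functions.php").unlink()
    return Path(base, "clean"), Path(base, "live")


def demo():
    """Run the comparison on the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(*build_sample(base))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A comparison like this covers files only; anything stored in the database has to be checked separately.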

                        • KW802
                          Senior Member
                          • Jul 2003
                          • 1165
                          • 3.8.11

                          #13
                          Originally posted by dsimms
                          Right now I am looking for the public's help. Maybe they can provide more info, maybe they can say look here, or there,
                          maybe they know something that I have not run across yet. If you can not tell me how to by-pass so I can get to admincp, then fine...

                          Do you always run your computer or car right to the shop, or do you try to figure it out before you have to run them in?
                          and you try to figure things out by asking for help, ask on computer forums, car forums, VB forum, etc...
                          At this point you haven't given any information to help anybody point you in the right direction. Using your car analogy, you don't know the type of car you're using (the vB version #), you won't show the car damage to anybody, and you can't give any information about the problem other than something with your car is making a funny noise (a defaced vB page). You're not going to find too many mechanics (the public vB forums) willing to talk you through the dozens (if not hundreds) of possible problems that it could be without at least some bit of information to use as a starting point nor will your car manufacturer (vB).

                          At this point your "wanna-be" hacker seems like he is doing pretty well since he hit your site and you haven't done anything about it yet.
                          Cool Sci-Fi (http://coolscifi.com) | Walking Dead (http://awalkerbit.me)


                          • Loco.M
                            Senior Member
                            • Mar 2005
                            • 4319
                            • 3.5.x

                            #14
                            Originally posted by dsimms
                            I renamed my /includes/ directory and the hacker page went blank...so could the
                            problem be in the includes directory?
                            Nope, the problem is you changed the includes folder.
                            Just picking random folders/files to change isn't going to fix the problem.
                            You haven't even posted the url for us to check out...
                            The only solution at this point is to fill out the support ticket as suggested this morning.
                            Is there a reason why you don't want to hand over your url or login info to the vb staff?
                            They looked at 100's of forums every day, if not 1,000's..

                            I agree.. it looks like the "wannabe-hackers" have done a pretty good job.

                            Did you at least place a blank index file in your root, or have you been broadcasting to all your members and guests that your forum has been hacked?
                            -- Web Developer for hire
                            ---Online Marketing Tools and Articles


                            • whitey10tc
                              Senior Member
                              • Jan 2011
                              • 415
                              • 4.0.x

                              #15
                              My question first would be, how bad is it? Is the db intact? Can you access the forum from tapatalk or vb mobile app?
                              You can try uploading a new index.php and see if that helps. Or just reupload new files. The easiest solution might be asking the host to restore from a previous backup.
                              www.cdmagurus.com
                              www.cellphone-gurus.com
