Hacked by Syrians

  • Allthumbz
    Senior Member
    • Oct 2011
    • 190

    Hacked by Syrians

    My site now looks like this (below). I have no idea what happened. Please help!

    Nelson
    >> Hacked By SeCuR!TY DR@G0N <<

    SeCuR!TY ** DR@G0N
    Syria Al-Assad




    Syrian Army

    Nelson
    www.Hobby-Machinist.com
  • Levelbest
    Senior Member
    • Aug 2005
    • 114
    • 5.7.X

    #2
    That would make two of us. I know after looking that I still had the install directory in place (now deleted). How best to go about fixing this?


    • jeremyalyea
      New Member
      • Feb 2007
      • 8
      • 3.6.x

      #3
      I was also hacked. Running 4.2.0. Please reply with any ideas on how this hacker is accessing vbulletin installs. And any fixes.


      • hurricane_sh
        Senior Member
        • Mar 2005
        • 171

        #4
        Read the vBulletin announcements and other threads; this has been discussed many times.


        • Allthumbz
          Senior Member
          • Oct 2011
          • 190

          #5
          Which announcements and which threads discuss HOW TO FIX this? Please list the URLs for us.
          Thank you.
          Nelson
          www.Hobby-Machinist.com


          • InvisionTech
            Senior Member
            • Dec 2004
            • 135
            • 3.7.x

            #6
            DELETE the /install/ directory.

            PoS coding... WHO does this? I've had one forum hacked a number of times before I discovered this fix... there is no email, no security alert, and the only notice you receive is when you log in to admincp.
            Last edited by InvisionTech; Fri 13 Sep '13, 7:34pm.
            Wise man says...
            Virtualization.net | DefenceTalk.com | World Affairs Talk.com | AutoTalk.com | SinoDefenceForum.com | Solutions.pro | PakistanTalk.com


            • InvisionTech
              Senior Member
              • Dec 2004
              • 135
              • 3.7.x

              #7
              ...and don't forget to delete the admin usernames that the bastards create.

              PoS coding!
              Wise man says...
              Virtualization.net | DefenceTalk.com | World Affairs Talk.com | AutoTalk.com | SinoDefenceForum.com | Solutions.pro | PakistanTalk.com


              • Allthumbz
                Senior Member
                • Oct 2011
                • 190

                #8
                I'm not a techie. I couldn't clear this message the hackers put on no matter what I did. I backed up the old site on my computer and tried downloading the 4.2.2 alpha and tried to upgrade and use the fresh install to remove the hacking. No go. It remained and after I ran upgrade.php I got a huge number of errors. Finally, I asked my web server to restore from this morning. We will see if that works. I will delete the install folder once it is restored. This is a TERRIBLE thing. My site has been hacked 3 times in 3 days now.
                Nelson
                www.Hobby-Machinist.com


                • InvisionTech
                  Senior Member
                  • Dec 2004
                  • 135
                  • 3.7.x

                  #9
                  They may have created plugins, etc. Delete those; they may also have edited existing plugins. So you have to do some digging... and revert your templates. FORUMHOME and FORUMDISPLAY, etc.

                  I know how you feel, one of my websites (just a forum) was hacked multiple times over the past 4 days... this exploit existed in 4.0 to 5.0+ so I am not sure what vbulletin team is smoking, obviously, it's not the imported stuff. No wonder there are vbulletinsucks websites.
                  Wise man says...
                  Virtualization.net | DefenceTalk.com | World Affairs Talk.com | AutoTalk.com | SinoDefenceForum.com | Solutions.pro | PakistanTalk.com


                  • wave-rice
                    Senior Member
                    • Feb 2011
                    • 445
                    • 5.5.x

                    #10
                    I've followed up in your ticket. For others, I would strongly recommend reading these two announcements, here and here. This blog post by Zachery also gives some insight on how to go about fixing the damage and this one details how to secure your site further.
                    Aakif Nazir


                    • Allthumbz
                      Senior Member
                      • Oct 2011
                      • 190

                      #11
                      Originally posted by InvisionTech
                      They may have created plugins, etc. Delete those; they may also have edited existing plugins. So you have to do some digging... and revert your templates. FORUMHOME and FORUMDISPLAY, etc.

                      I know how you feel, one of my websites (just a forum) was hacked multiple times over the past 4 days... this exploit existed in 4.0 to 5.0+ so I am not sure what vbulletin team is smoking, obviously, it's not the imported stuff. No wonder there are vbulletinsucks websites.
                      Not being a tech, I don't know what to look for in the plugins. I checked them, and they are all under existing program and modifications groups. Nothing looks unusual. My web host said they used something called a "symlink" to redirect my site elsewhere. Does anyone know what that is?
                      Nelson
                      www.Hobby-Machinist.com


                      • DemOnstar
                        Senior Member
                        • Nov 2012
                        • 1912

                        #12
                        Check here http://www.vbulletin.com/forum/forum...ect-got-hacked

                        Here http://www.vbulletin.com/forum/forum...pe-hack-method

                        Here http://www.vbulletin.com/forum/blogs...ve-been-hacked

                        and here http://www.vbulletin.com/forum/blogs...vbulletin-site



                        • saleemkhan16
                          New Member
                          • Jun 2013
                          • 10
                          • 4.2.X

                          #13
                          Originally posted by Allthumbz
                          My site now looks like this (below). I have no idea what happened. Please help!

                          Nelson
                          >> Hacked By SeCuR!TY DR@G0N <<

                          SeCuR!TY ** DR@G0N
                          Syria Al-Assad




                          Syrian Army
                          Hey buddy, the same situation happened with me today. My home page was hacked by some scripts.tk type website, and only the homepage was not working; other sub pages on the website were working fine. Go to your hosting account, just check for new files added, and simply delete those files.

                          For your information, it was a little file with a .dat extension.
                          Alrazaak.com


                          • jrh369
                            New Member
                            • Mar 2010
                            • 13
                            • 4.0.0

                            #14
                            We've been hit with this same hack. I deleted the install directory but no change. I can't log in to the admin cp since it redirects me immediately.


                            • Seareef
                              New Member
                              • Dec 2007
                              • 18

                              #15
                              In AdminCP go to styles & templates / Search Templates / and search SeCuR!TY - you will see which templates are infected.
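
A filesystem triage pass for the indicators named in this thread (a leftover install directory, symlinks, recently added files, and the defacement string), as an added example that is not part of any post or of vBulletin itself. The `triage` function, the 7-day window and the 2 MB read limit are assumptions chosen for illustration; it only reads files on disk, so the AdminCP template search from post #15 is still needed.

```python
import os
import time

MARKER = b"SeCuR!TY"          # string from the defacement quoted in this thread
MAX_BYTES = 2 * 1024 * 1024   # assumption: skip content search on larger files


def triage(webroot, days=7, marker=MARKER, now=None):
    """Walk webroot read-only and collect the indicators mentioned in the thread."""
    cutoff = (time.time() if now is None else now) - days * 86400
    report = {"install_dirs": [], "symlinks": [], "recent": [], "marker_hits": []}
    # followlinks=False: record symlinks but never descend through them.
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if os.path.islink(path):
                report["symlinks"].append((rel, os.readlink(path)))
            elif os.path.isdir(path):
                if name.lower() == "install":
                    report["install_dirs"].append(rel)
            else:
                try:
                    st = os.stat(path)
                    if st.st_mtime >= cutoff:
                        report["recent"].append(rel)
                    if st.st_size <= MAX_BYTES:
                        with open(path, "rb") as fh:
                            if marker.lower() in fh.read().lower():
                                report["marker_hits"].append(rel)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    import sys
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key, items in result.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run it against a copy of the web root or the live directory; compare the `recent` list with your own upload and upgrade dates before deleting anything.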
