Hacked AGAIN- this time by W3 idiots! Help!


  • Hacked AGAIN- this time by W3 idiots! Help!

    I restored the site, deleted the INSTALL directory, removed the extra admins, did EVERYTHING you said and a group called W3 idiots hacked and deleted all my files. Help!
    Nelson
    www.Hobby-Machinist.com

  • #2
    If they have deleted files they have most likely got in through the server. You need to establish via your host how they did this.
    MARK.B | vBULLETIN SUPPORT

    TalkNewsUK - My vBulletin 5.5.2 Demo
    AdminAmmo - My Cloud Demo


    • #3
      I changed ALL my passwords too. This is outrageous.
      Nelson
      www.Hobby-Machinist.com


      • #4
        Looks like a server hack as mentioned. No database error; I would be worried about that. What hosting do you have? Can you check if the database is present? Do you have a backup?


        • #5
          I contacted knownhost and they said there was no server breach. I back up the database every morning, and my backup of the 16th is there. They deleted all my downloads and everything else that was in the files section of the site directory (public_html).

          I asked knownhost for a full vps restore, BUT, I don't understand HOW they could do this. I had changed passwords, and they raised permissions and switched me over to suPHP. How the heck could they have done this?

          It's starting to irk me now, all these hacks of my site.
          Nelson
          www.Hobby-Machinist.com


          • #6
            There are no known exploits in the default software that would allow this to happen so either:

            1. They got in through the server
            2. They got in through an insecure plugin or addon
            3. They left something behind from the original attack that you missed.

            Of course the hosts will tell you there is no server breach. That doesn't necessarily mean there wasn't one though.
            MARK.B | vBULLETIN SUPPORT

            TalkNewsUK - My vBulletin 5.5.2 Demo
            AdminAmmo - My Cloud Demo


            • #7
              Knownhost has been an excellent server for us. I would hate to lose them. In your experience, Mark, what questions should I ask or what should I look for in order to ascertain that this was a server accessed hack and force them to take action?

              Having done everything that was suggested, and still getting hacked, I am getting upset, and so are my 5000 users.
              Nelson
              www.Hobby-Machinist.com


              • #8
                Originally posted by Mark.B
                There are no known exploits in the default software that would allow this to happen so either:

                They left something behind from the original attack that you missed.

                When did you delete the INSTALL folder?
                Just to try and narrow things down a little...



                • #9
                  Looks like your server has gone down altogether now.

                  Firefox can't establish a connection to the server at www.hobby-machinist.com.


                  • #10
                    Please read this and follow my steps here.
                    I think you need to delete the skin and re-upload a new one.

                    http://www.vbulletin.com/forum/forum...7-hacked-maybe


                    • #11
                      Originally posted by alzaabi
                      Please read this and follow my steps here.
                      I think you need to delete the skin and re-upload a new one.

                      http://www.vbulletin.com/forum/forum...7-hacked-maybe
                      These were your instructions:
                      Yesterday, 7:13am
                      Please go to the admincp and follow these steps:

                      1- Go to the plugins and delete the first 2 or 3 plugins (I recommend you tell me what these 3 plugins you see there are)
                      2- Download vBulletin and re-upload it by FTP
                      3- Delete the skin from the admincp and reinstall the skin (remove any skin that is affected)
                      4- Delete the install folder in the FTP

                      You are safe now... and wait for vBulletin to announce something.


                      Forgive my ignorance, but what is the "skin" in the admincp? Is that the style?

                      I checked ALL the plugins, and there were NO new ones that I did not recognize.
                      I downloaded a fresh install of VB 4.2.1 and that did not do it.
                      I deleted the INSTALL folder.
                      I deleted any stray admins.
                      I had the web host raise the protections using suPHP.

                      As for looking at ALL the files, not being a techie, it is unlikely I would know what to look for inside the file.
                      Can someone clue me in as to what I might see that I should delete in the directories or files?


                      We are still down; my web host is trying to do a restore from yesterday.

                      Thanks.

                      Nelson
                      www.Hobby-Machinist.com
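
Added example (not part of any post in this thread and not vBulletin's own tooling): one way to look for files "left behind", as raised in #6 and asked about in #11, is to compare the live site directory against a freshly unpacked copy of the same release. The extension list, function names and sample trees below are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions a PHP-enabled web server might execute.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".inc"}

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree(root):
    # Map relative path -> real path for every regular file under root.
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def audit(clean_root, live_root):
    clean, live = tree(clean_root), tree(live_root)
    report = {"extra_scripts": [], "modified": [],
              "missing": sorted(set(clean) - set(live))}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            # Not shipped in the package: add-ons and your config land here too.
            if path.suffix.lower() in SCRIPT_EXTS or path.name == ".htaccess":
                report["extra_scripts"].append(rel)
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel)
    return report

def demo():
    # Constructed sample trees; names and contents are invented for illustration.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        shipped = {"index.php": "<?php // front\n",
                   "includes/functions.php": "<?php // lib\n",
                   "install/upgrade.php": "<?php // installer\n"}
        for root in (clean, live):
            for rel, body in shipped.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        (live / "install/upgrade.php").unlink()            # install/ was deleted
        (live / "includes/functions.php").write_text("<?php // lib\n// changed\n")
        (live / "images").mkdir()
        (live / "images/cache.php").write_text("<?php // not in the package\n")
        (live / "images/logo.png").write_bytes(b"\x89PNG")  # non-script upload
        return audit(clean, live)
```

Call `audit()` with the unpacked download and the site directory; the result is a review queue rather than a delete list, since your own config file and installed add-ons will also appear under `extra_scripts`.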


                      • #12
                        Yes, by skin I mean style!! Your style.
                        That happened to me... I removed the styles and reinstalled them.


                        • #13
                          OK, thanks. I will try that if they ever restore my site. I have been waiting since 11:04AM EST for them to restore it and it is now 3:19PM.

                          I think there was a server attack and they just don't want to say so. How else could every single one of my files have been deleted from the server when the permissions were set too high to permit it?

                          Nelson
                          www.Hobby-Machinist.com


                          • #14
                            If all your files were deleted from the server, and they were (I saw the index file earlier; indeed it looks like your whole forum, including the database, was gone), you or your host will need to do a complete restore from an earlier backup. That's why it will be taking so long. What type of hosting do you have? Do you have a cPanel?


                            • #15
                              Wow, W3 Idiots have been busy today. They hacked our site http://toontownvalley.com early this morning. Since I was at work and not really able to deal with this, I threw up an HTML webpage and deleted our whole forum off the server to stop them. (I have a complete backup of everything.) I checked the SQL server and there was an extra 11th database user so I deleted it. It came right back. I then deleted the 10 database users we have for the site then deleted their user and that worked. I checked for extra admins, found one and deleted it. I changed my host passwords and renamed the SQL database. Later tonight when I get home I will be uploading all the files and creating 10 new database users with different usernames and passwords. I also demoted all admins to registered users from within the SQL server in case it is a compromised password. I will be starting ToonTown Valley back up later tonight with plugins disabled. I hope this works for us and hopefully we caught it early.
