Hacked AGAIN- this time by W3 idiots! Help!

  • Allthumbz
    Senior Member
    • Oct 2011
    • 190

    Hacked AGAIN- this time by W3 idiots! Help!

    I restored the site, deleted the INSTALL directory, removed the extra admins, did EVERYTHING you said and a group called W3 idiots hacked and deleted all my files. Help!
    Nelson
    www.Hobby-Machinist.com
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24286
    • 6.0.X

    #2
    If they have deleted files they have most likely got in through the server. You need to establish via your host how they did this.
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • Allthumbz
      Senior Member
      • Oct 2011
      • 190

      #3
      I changed ALL my passwords too. This is outrageous.
      Nelson
      www.Hobby-Machinist.com


      • donald1234
        Senior Member
        • Oct 2011
        • 1953
        • 4.1.x

        #4
        Looks like a server hack as mentioned, no database error. I would be worried about that. What hosting do you have? Can you check if the database is present? Do you have a backup?


        • Allthumbz
          Senior Member
          • Oct 2011
          • 190

          #5
          I contacted knownhost and they said there was no server breach. I back up the database every morning, and my backup of the 16th is there. They deleted all my downloads and everything else that was in the files section of the site directory (public_html).

          I asked knownhost for a full vps restore, BUT, I don't understand HOW they could do this. I had changed passwords, and they raised permissions and switched me over to suPHP. How the heck could they have done this?

          It's starting to irk me now, all these hacks of my site.
          Nelson
          www.Hobby-Machinist.com


          • Mark.B
            vBulletin Support
            • Feb 2004
            • 24286
            • 6.0.X

            #6
            There are no known exploits in the default software that would allow this to happen so either:

            1. They got in through the server
            2. They got in through an insecure plugin or addon
            3. They left something behind from the original attack that you missed.

            Of course the hosts will tell you there is no server breach. That doesn't necessarily mean there wasn't one though.
            MARK.B
            vBulletin Support
            ------------
            My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
            My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


            • Allthumbz
              Senior Member
              • Oct 2011
              • 190

              #7
              Knownhost has been an excellent server for us. I would hate to lose them. In your experience, Mark, what questions should I ask or what should I look for in order to ascertain that this was a server accessed hack and force them to take action?

              Having done everything that was suggested, and still getting hacked, I am getting upset, and so are my 5000 users.
              Nelson
              www.Hobby-Machinist.com


              • DemOnstar
                Senior Member
                • Nov 2012
                • 1912

                #8
                Originally posted by Mark.B
                There are no known exploits in the default software that would allow this to happen so either:

                They left something behind from the original attack that you missed.
                When did you delete the INSTALL folder?
                Just to try and narrow things down a little...



                • donald1234
                  Senior Member
                  • Oct 2011
                  • 1953
                  • 4.1.x

                  #9
                  Looks like your server has gone down altogether now.

                  Firefox can't establish a connection to the server at www.hobby-machinist.com.


                  • alzaabi
                    Member
                    • Mar 2012
                    • 44
                    • 4.1.x

                    #10
                    Please read this and follow my steps here.
                    I think you need to delete the skin and re-upload a new one.

                    When I click subscription manager I get by x00x_BOT Linux host.******.com 2.6.32-042stab078.28 #1 SMP Mon Jul 8 10:17:22 MSK 2013 x86_64 Thoughts?


                    • Allthumbz
                      Senior Member
                      • Oct 2011
                      • 190

                      #11
                      Originally posted by alzaabi
                      Please read this and follow my steps here.
                      I think you need to delete the skin and re-upload a new one.

                      http://www.vbulletin.com/forum/forum...7-hacked-maybe
                      These were your instructions:
                      Yesterday, 7:13am
                      please go to the admincp and follow these steps

                      1- go to the plugins and delete the first 2 or 3 plugins (I recommend you tell me which 3 plugins you see there)
                      2- download vbulletin and reupload it by FTP
                      3- delete the skin from the admincp and reinstall the skin (remove any skin that is affected)
                      4- delete the install folder in the FTP

                      you are safe now .. and wait for the vbulletin to announce something


                      Forgive my ignorance, but what is the "skin" in the admincp? Is that the style?

                      I checked ALL the plugins, and there were NO new ones that I did not recognize.
                      I downloaded a fresh install of VB 4.2.1 and that did not do it.
                      I deleted the INSTALL folder.
                      I deleted any stray admins.
                      I had the web host raise the protections using suPHP.

                      As for looking at ALL the files, not being a techie, it is unlikely I would know what to look for inside the file.
                      Can someone clue me in as to what I might see that I should delete in the directories or files?


                      We are still down; my web host is trying to do a restore from yesterday.

                      Thanks.

                      Nelson
                      www.Hobby-Machinist.com
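
One way to act on the question above about what to look for in the files, given as an added example that is not part of the original thread: hash the live web root against a clean unpack of the same release and list what was changed or added. The directory layout and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_trees(pristine_dir, live_dir, script_exts=(".php", ".phtml")):
    """Compare a live web root against a clean unpack of the same release."""
    clean, live = sha256_tree(pristine_dir), sha256_tree(live_dir)
    modified = sorted(f for f in clean if f in live and clean[f] != live[f])
    missing = sorted(f for f in clean if f not in live)
    extra = sorted(f for f in live if f not in clean)
    # Extra files are expected (config, attachments, add-ons); extra scripts
    # are the ones to review first.
    extra_scripts = [f for f in extra if f.lower().endswith(script_exts)]
    return {"modified": modified, "missing": missing,
            "extra": extra, "extra_scripts": extra_scripts}

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"index.php": "<?php // front page\n",
                 "includes/functions.php": "<?php // helpers\n",
                 "install/upgrade.php": "<?php // installer\n"}
        for base in (clean, live):
            for rel, body in files.items():
                path = base / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        # Constructed differences in the live copy:
        (live / "includes/functions.php").write_text("<?php // helpers, altered\n")
        (live / "install/upgrade.php").unlink()  # installer file deleted
        (live / "images").mkdir()
        (live / "images/logo.png").write_bytes(b"\x89PNG constructed")
        (live / "images/cache.php").write_text("<?php // not in the release\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Files under "modified" and "extra_scripts" are the ones to open and read; a clean result does not rule out changes stored in the database, such as plugins or styles.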


                      • alzaabi
                        Member
                        • Mar 2012
                        • 44
                        • 4.1.x

                        #12
                        Yes, by skin I mean style!! Your style.
                        That happened to me ... I removed the styles and reinstalled them.


                        • Allthumbz
                          Senior Member
                          • Oct 2011
                          • 190

                          #13
                          ok, thanks. I will try that if they ever restore my site. I am waiting since 11:04AM EST for them to restore it and it is now 3:19PM.

                          I think there was a server attack and they just don't want to say so. How else could every single one of my files have been deleted from the server when the permissions were set too high to permit it?

                          Nelson
                          www.Hobby-Machinist.com


                          • donald1234
                            Senior Member
                            • Oct 2011
                            • 1953
                            • 4.1.x

                            #14
                            If all your files were deleted from the server, and they were (I saw the index file earlier; indeed it looks like your whole forum, inc. database, was gone), you or your host will need to do a complete restore from an earlier backup; that's why it will be taking so long. What type of hosting do you have? Do you have a cPanel?


                            • Bluedues
                              New Member
                              • Nov 2012
                              • 1
                              • 4.2.X

                              #15
                              Wow, w3 Idiots have been busy today. They hacked our site http://toontownvalley.com early this morning. Since I was at work and not really able to deal with this, I threw up an HTML webpage and deleted our whole forum off the server to stop them. (I have a complete backup of everything.) I checked the SQL server and there was an extra 11th database user, so I deleted it. It came right back. I then deleted the 10 database users we have for the site, then deleted their user, and that worked. I checked for extra admins, found one and deleted it. I changed my host passwords and renamed the SQL database. Later tonight when I get home I will be uploading all the files and creating 10 new database users with different usernames and passwords. I also demoted all admins to registered users from within the SQL server in case it is a compromised password. I will be starting ToonTown Valley back up later tonight with plugins disabled. I hope this works for us and hopefully we caught it early.
