Forum Hacked

  • donald1234
    Senior Member
    • Oct 2011
    • 1953
    • 4.1.x

    #16
    I have forum.php but not forums.php?

    I take it you have no suspicious plugins?

    Comment

    • Bone Head
      Member
      • Sep 2000
      • 71

      #17
      There was a plugin; I deleted it. Sorry, I meant forum.php.
      I'm at a bit of a loss as to how this all happened.
      Batter Late than ....... pregnant

      Comment

      • Eternal_
        Senior Member
        • Mar 2007
        • 398
        • 3.6.x

        #18
        Originally posted by kat00
        Yeah, we got hacked too, in the last 48 hours: Indonesian Defacer.
        Reinstalled the files. DB seems OK.
        Even when the reinstallation was done I could see the forum and see the threads, but when I clicked on the thread the only thing I could see on the screen was "Choose File- No File Chosen"
        Turned the plugin/hook system off and regained control of the site.
        There was nothing in the manage products, but in plugin manager there was a plugin called "Indonesian Defacer". Deleted that plugin, turned the Hook/plugin system back on and all seems well.
        Not 100% certain I'm out of the woods yet but fingers Xed.
        Was running 4.2.0. Now running 4.2.1.
        I have been hacked by Indonesian Defacer too. Is there a way to go through FTP to delete the plugin file? Where is that directory found?

        Comment

        • DemOnstar
          Senior Member
          • Nov 2012
          • 1912

          #19
          Can it not be done from the plug in manager?


          Comment

          • Eternal_
            Senior Member
            • Mar 2007
            • 398
            • 3.6.x

            #20
            I have tried to upgrade my site but the install page won't work as it is now showing the Indonesian Defacer's message. All pages are showing this now, so I can't finish upgrading at all now, so I'm trying to figure out how to remove the Indonesian Defacer's plugin via FTP.

            Comment

            • DemOnstar
              Senior Member
              • Nov 2012
              • 1912

              #21
              Is it not worth rolling back to an old backup of the site?


              Comment

              • Eternal_
                Senior Member
                • Mar 2007
                • 398
                • 3.6.x

                #22
                Originally posted by DemOnstar
                Is it not worth rolling back to an old backup of the site?
                This problem is the reason I didn't want to upgrade until I figured out how to get rid of the hacker instead of just trying to upgrade and hope for the best. I've asked my host to instate the backup that was there this morning so I can at least get in to the site. They said the last backup they have was infected in both the files and the database. This is a mess.

                Comment

                • DemOnstar
                  Senior Member
                  • Nov 2012
                  • 1912

                  #23
                  Don't you download the backups from your site to your PC?

                  An obvious suggestion but I do it regularly..


                  Comment

                  • Bone Head
                    Member
                    • Sep 2000
                    • 71

                    #24
                    I removed the plugin they installed using the plug in manager in admin CP.
                    Batter Late than ....... pregnant

                    Comment

                    • hurricane_sh
                      Senior Member
                      • Mar 2005
                      • 171

                      #25
                      If you use vbseo, make sure it's the latest version (3.6.1) and its config file is read-only.

                      Comment

                      • abinadi
                        New Member
                        • Jul 2006
                        • 2
                        • 3.5.x

                        #26
                        See - previous post - after doing the upgrade again - and it seems to clear out the hackers' trash - this time I renamed both admincp and modcp so there was no access to the backend - two days later they have returned and the forum.php is again being redirected to their trash - says they are using a different method to get in and trash sites - install directory removal and admincp/modcp is not the answer

                        Comment

                        • vb-customer
                          New Member
                          • Sep 2013
                          • 2
                          • 4.2.X

                          #27
                          Our forum was hacked recently as well. Each time I followed the recommended instructions to secure the server, nothing helped. Hackers would:

                          1. Add a notification which redirects the site to the hackers' site
                          2. Create a home page template which pulls a flash file and plays a song (was quite a good one actually) and states: "Site hacked by... "

                          If your forum is hacked, before you delete the admins that the hackers create, make sure you go: User groups -> Administrator Permissions and take a look at the footprint of the hackers to see what they have modified. I noticed they visit the subscription pages (although we have none), the template pages and the plugin pages. This and the Apache logs will give you a clear picture of what has been done to your forum (assuming the hackers do not delete these admin users first).

                          The first exploit was a simple SQL injection using the Perl script from here: http://aunglat.blogspot.com/2012/12/...-forums_9.html
                          The second is some home grown command line programme, similarish to the above, that exploits, I would imagine, Linux permissions on vulnerable servers. View this to see how it is done: http://www.youtube.com/watch?v=D49VFxudw-U

                          If you have been hacked, google your site and the word "hack" and see if it appears on a hacker's website. Mine was listed with these turds: http://www.zone-hack.com/ranking.html It appears it is a sport to hack vb sites and you get a rank and score for doing so...

                          One of the last hacks to my site was quite interesting, they uploaded a tool, similar to the one in the video, which they could then use to hack other sites...

                          After you have secured your site, make sure you check your file permissions...

                          I have always thought that the config.php file is a weakness in VB.

                          With my VB forum, I have created an encryption class which lives in one of the includes folders (where php, Zend, etc, live on your server /var/etc/php). This means I can call it simply by: require_once 'encryption.class.php'; and the file is nowhere on the server for anyone to find and inspect. In the same folder as the class file is a unique key which the class file uses. In my forum hosting account, below public I have a folder and an encrypted username and password for my database (AES256 username and password text file). In my new vb config.php file I include the encryption class and for username and password: $config['MasterServer']['password'] = getPassword(); / $config['MasterServer']['username'] = getUsername();

                          For fun, I have hidden the location of these variables in the file and where they typically are, I have a dummy (misspelt) variable with a dummy username and password linked to a working database. So if anyone does get access to the config file, chances are they will be messing with the wrong DB. Anyway, obscurity is not a form of security, but I thought it would be fun to do...

                          Comment
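One way to do the Apache log review suggested in post #27, as an added example that is not part of the original thread: it pulls every request to the control panel's plugin, template and subscription pages out of a combined-format access log and groups them by client address. The directory name `admincp`, the script names, the `do` query parameter and the sample log lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed names: the control panel directory and the scripts behind the
# "plugin", "template" and "subscription" pages mentioned in the post.
ADMIN_DIR = "admincp"
WATCHED = {"plugin.php": "plugins", "template.php": "templates",
           "subscriptions.php": "subscriptions"}

# Apache "combined" log format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

def admin_footprint(lines):
    """Return {client_ip: [(timestamp, area, method, action, status), ...]}."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["url"])
        segs = [s for s in parts.path.split("/") if s]
        if len(segs) < 2 or segs[-2] != ADMIN_DIR or segs[-1] not in WATCHED:
            continue  # ordinary forum traffic
        # Only the query string is logged; a POST body is not visible here.
        action = parse_qs(parts.query).get("do", ["-"])[0]
        seen[m["ip"]].append((m["ts"], WATCHED[segs[-1]], m["method"],
                              action, int(m["status"])))
    return dict(seen)

def writers(footprint):
    """Clients with a successful POST to a watched page (likely a change)."""
    return sorted(ip for ip, hits in footprint.items()
                  if any(meth == "POST" and status < 400
                         for _, _, meth, _, status in hits))

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [24/Sep/2013:02:11:05 +0000] "GET /forum/admincp/subscriptions.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Sep/2013:02:11:40 +0000] "GET /forum/admincp/template.php?do=modify HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Sep/2013:02:12:30 +0000] "POST /forum/admincp/plugin.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [24/Sep/2013:09:00:01 +0000] "GET /forum/admincp/plugin.php?do=modify HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [24/Sep/2013:09:00:09 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 20000 "-" "Mozilla/5.0"',
]
```

If the control panel directory has been renamed, set `ADMIN_DIR` to the new name before running it over the real log.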

                          • Bone Head
                            Member
                            • Sep 2000
                            • 71

                            #28
                            Since the forum was hacked no one can register on our forum, we get a server 500 error.
                            Any ideas?
                            If I turn the plugin system off in options it allows it. We are using the vbstopforumspam plugin.
                            Last edited by Bone Head; Wed 25 Sep '13, 8:13am.
                            Batter Late than ....... pregnant

                            Comment

                            • vb-customer
                              New Member
                              • Sep 2013
                              • 2
                              • 4.2.X

                              #29
                              Copy a fresh copy of the vb code to the server...

                              If the plugins are causing the issue, then you have a stray / modified plugin file...

                              Comment

                              • Anturaju93
                                New Member
                                • Jul 2011
                                • 6

                                #30
                                It happened to my forum today. Hacked by Saudi injector. I will request a restore from my hosting company and delete the install folder. Hope it works.

                                Comment
