Announcement

Collapse
No announcement yet.

Hacked / Site redirection.

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacked / Site redirection.

    I was informed today my site www.owlszone.com had been hacked with the site now being redirected as soon as the forum loads.

    I've had to put in a standard index.htm with an announcement we're under maintenance just so it does not load the forum and redirect.
    I've removed the index.htm for the time being to allow a MOD to see whats happening

    I contacted my host who informed me that:-
    A scan of your account has found the malicious or infected files present.

    *******************************************************************

    /wp.php: {HEX}gzbase64.inject.unclassed.17.UNOFFICIAL FOUND
    /admincp/control_examples/up.php: {HEX}php.uploader.max.541.UNOFFICIAL FOUND
    /admincp/control_examples/k2/.htaccess: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
    /up.php: {HEX}php.uploader.max.541.UNOFFICIAL FOUND
    /images/icons/configweb/config.root: SiteLock-PHP-CPANEL-b.UNOFFICIAL FOUND
    /images/icons/configweb/.htaccess: EIG.Hacktool.HTAccess.Root-1.UNOFFICIAL FOUND
    /images/icons/pro/.htaccess: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
    /images/icons/PRO/.htaccess: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
    /images/icons/webr00t.php: APEXDEF.PHP-Mailer.Alajam.2N.UNOFFICIAL FOUND
    /images/icons/sym/.htaccess: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
    /images/icons/symlink_3.php: EIG.Hacktool.HTAccess.DirIndex-1.UNOFFICIAL FOUND
    /images/icons/proshell.php: EIG.PHP.WebShell.Procoderz-1.UNOFFICIAL FOUND
    /images/icons/2.php: {HEX}php.uploader.max.541.UNOFFICIAL FOUND
    /api.php: PHP.Hide FOUND
    They have advised that i delete my site and start again changing passwords.
    Easier said than done as there seems to be a number of "new" folders in my root FTP that contain copies of my forum which FTP won't let me delete! (thats a job for the provider to sort out though!)

    I have a couple of questions i hope someone might be able to point me in the right direction of.

    Firstly,
    If I do erase the root in my FTP, is there an easy way to reinstall keeping my existing database? (making the restore a little like an upgrade)
    I assume that is sat uninfected so won't need to start totally again
    I know I'll need a new clean copy of the source files which i've just downloaded from the member area.

    Secondly,
    Is there an easy way to get the forum style back from my backup or will it just be easier to install the stlye again from scratch.

    Hope someone can help, there seems to be a lot of hacking of sites lately

    Mike

    Last edited by mikeyg; Thu 26th Sep '13, 11:46am.

  • #2
    Update
    I reinstalled my VB but as soon as i linked to my database, the problem was still there.
    contacted my host asking them to check if the database had faults and they replied:-
    Thank you for contacting Support. I apologize for the inconvenience.

    Your site appears to be re-directing after it loads to http://astrafamily.com/ which is getting blocked for phishing. Checking the Database does show that there are 5 instances of a metarefresh tag that is causing this.They are in the templates table.

    <META http-equiv="refresh" content="0;URL=http://astrafamily.com/nn/6e7fd6a7df67asfdasd7asfd7asfd67asfd6fd7as6fds7adfas76dfas67dfas7dfas6d7sfad67afsd6as7fdasd/df7saf6dsfad76fasd6f7sadfsa67dfsa76dfas7fdas6fds7fds67adfas7d6fassdasd/g6f67f76fi76f6df75fd85d5f8d58d86d55d5555./.d78e6d/gd67agd6asgd8asgd78gas8dasg7dsagd8s7adgsa78dga8sdga78sgda78sdgas8dsgadas////">';

    If you remove those entries, it should clean this up.
    Really could do with some assistance,
    How do I "remove" these entries?

    Also, I've got a .GZ dump of my database from a known good point via my host which I thought I could just use but when I go into phpmyadmin and select import, I link to the .gz file but it just says "no file selected"

    Comment


    • #3
      My site has been hacked with that same AstraFamily site redirect and after I did an upgrade, changed passwords, followed all the other instructions to fix the hack. I tried relinking to my database and it was still an issue. I called the host and he said it was embedded in the sql database. I paid to have them roll back to a previous clean database but it's still in progress, so no solution on my end yet.


      Yours says its in the template table- just like mine, I hate hackers!


      Usually your tech support can help you import that .gz dump

      I just wanted to rant, sorry.

      Comment


      • #4
        I also got hacked and when gong to the forum page all visitors got redirected to another site.
        After deleting the install directory and a new admin that suddenly showed up I still had the problem, however I found that it was a few templates that was edited. It wasn't that hard to find those templates and revert them to the default.
        I hope this helps.

        /Anders
        Anders Pettersson
        Don't send me requests by PM to email you the Swedish language file that I have done. My translation is only available here at vbulletin.com to licensed users.
        If you want updates on when a new version of the Swedish language packs (forum & suite) are available, subscribe to this discussion.
        Don't PM me for support on how to install language files etc. please post in the appropriate forum, that will most likely give you help quicker.

        Comment


        • #5
          First you need to follow our advisory about deleting the install folder off your forums.
          Then please read the following two blog posts:
          http://www.vbulletin.com/forum/blogs...ve-been-hacked
          http://www.vbulletin.com/forum/blogs...vbulletin-site
          Also please see these recent security announcements:
          vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
          vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

          Comment

          Working...
          X