jforjustice.co.uk/banksters - Hacked

  • Tim Mousel
    Senior Member
    • May 2000
    • 281
    • 5.0.0

    [Forum] jforjustice.co.uk/banksters - Hacked

    I upgraded to the latest version of vBulletin last night and now when I try to view my forum it gets redirected to jforjustice.co.uk/banksters. Has this happened to anyone else and if so, how do you fix it? I can't see how the redirection is happening. My .htaccess doesn't appear to be doing it and I don't see that any of the vb files were changed.

    Thanks,

    Tim
    Five Star Review Script - Add reviews to your website!
    Mixed Martial Arts - Houston MMA Training
    Women's Self-Defense - Courses and DVDs available
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73979

    #2
    Most common causes of redirecting in my experience are files that were edited on your server or a plugin on a common hook.

    You'll need to run the Suspect File Versions Diagnostic for any files that do not contain the expected contents. You can do this under Maintenance -> Diagnostics.

    You'll also need to review your plugins in the Plugin Manager under Plugins / Products to make sure they do not contain redirect code. The code is often hidden in base64 code and looks like gibberish. Any plugin with base64 code should be considered suspect enough to be disabled and/or deleted.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API
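
The plugin review described in the post above, as an added example that is not part of the original thread: it flags plugin code containing a redirect header or obfuscation calls, and decodes base64 string literals to scan what they hide. The row keys (`title`, `hookname`, `phpcode`) are assumed column names and the rows are constructed samples.

```php
<?php
// Added example: triage plugin rows for redirect or obfuscated PHP.
// Row keys are assumed column names; every sample row below is constructed.

const INDICATORS = [
    'redirect header' => '/header\s*\(\s*[\'"]\s*Location\s*:/i',
    'base64_decode'   => '/base64_decode\s*\(/i',
    'eval'            => '/\beval\s*\(/i',
    'decompress/rot'  => '/\b(gzinflate|gzuncompress|str_rot13)\s*\(/i',
];

function scan_code(string $code, int $depth = 0): array
{
    $hits = [];
    foreach (INDICATORS as $label => $regex) {
        if (preg_match($regex, $code)) {
            $hits[] = $depth ? "$label (inside base64 layer $depth)" : $label;
        }
    }
    // Decode long base64 string literals and scan their contents, to a bounded depth.
    if ($depth < 3 && preg_match_all('/[\'"]([A-Za-z0-9+\/]{24,}={0,2})[\'"]/', $code, $m)) {
        foreach ($m[1] as $blob) {
            $decoded = base64_decode($blob, true);
            if ($decoded !== false) {
                $hits = array_merge($hits, scan_code($decoded, $depth + 1));
            }
        }
    }
    return array_values(array_unique($hits));
}

// Constructed rows: one benign, one plain redirect, one redirect hidden in base64.
$hidden = base64_encode("header('Location: http://redirect.example.invalid/');");
$rows = [
    ['title' => 'Benign sample',     'hookname' => 'global_start', 'phpcode' => '$show["sidebar"] = true;'],
    ['title' => 'Plain redirect',    'hookname' => 'global_start', 'phpcode' => "header('Location: http://redirect.example.invalid/');"],
    ['title' => 'Obfuscated sample', 'hookname' => 'global_start', 'phpcode' => 'eval(base64_decode("' . $hidden . '"));'],
];

foreach ($rows as $row) {
    $hits = scan_code($row['phpcode']);
    printf("%-18s %-14s %s\n", $row['title'], $row['hookname'],
        $hits ? 'SUSPECT: ' . implode(', ', $hits) : 'ok');
}
```

A match is a reason to read the plugin, not proof of compromise, since legitimate products can also issue redirects.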


    • Tim Mousel
      Senior Member
      • May 2000
      • 281
      • 5.0.0

      #3
      Thanks for the reply Wayne. Unfortunately, I can't even get into the admin without being redirected. I'm going to upload the files again to hopefully overwrite the problem file.

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73979

        #4
        To temporarily disable the plugin system, edit config.php and add this line right under <?php

        define('DISABLE_HOOKS', true);

        • Tim Mousel
          Senior Member
          • May 2000
          • 281
          • 5.0.0

          #5
          Originally posted by Wayne Luke
          To temporarily disable the plugin system, edit config.php and add this line right under <?php

          define('DISABLE_HOOKS', true);
          That really helped. I am now able to log in and see my plugins. There is a new one:

          Location: global_start
          Title: AnonymousPleaseNoteWeMadeItEasyToFix
          header('Location: http://jforjustice.co.uk/banksters');

          Any idea of how they could have added that or how to prevent it in the future?

          Thanks,

          Tim

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 73979

            #6
            They could add it with access to the database or through your AdminCP. Make sure your AdminCP has restricted access via .htaccess which uses a different username and password or even IP address restriction.

            Make sure your database doesn't allow remote connections except what is absolutely necessary. Your hosting provider can help with this.

            Make sure that tools like phpMyAdmin and Adminer are not accessible via the Web without .htaccess protection.

            Make sure you use a different password for your AdminCP, FTP, Hosting Control Panel, Database and Email.

            • Tim Mousel
              Senior Member
              • May 2000
              • 281
              • 5.0.0

              #7
              Thank you very much.

              • bradical
                New Member
                • Mar 2006
                • 11
                • 3.5.x

                #8
                Originally posted by Wayne Luke
                To temporarily disable the plugin system, edit config.php and add this line right under <?php

                define('DISABLE_HOOKS', true);
                Does this work the same with vB 3.8.6? I had my site get hacked too with the same issue, however, it looks like the line of code does not stop my plugins.


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 73979

                  #9
                  Should work in 3.8.6. Hasn't changed since 3.6

                  • bradical
                    New Member
                    • Mar 2006
                    • 11
                    • 3.5.x

                    #10
                    Originally posted by Wayne Luke
                    Should work in 3.8.6. Hasn't changed since 3.6
                    Interesting. I still can't log in to the admincp even after adding that code. Any other ideas?

                    Thanks!


                    • dlloyd
                      New Member
                      • Jul 2008
                      • 3

                      #11
                      Originally posted by bradical
                      Interesting. I still can't log in to the admincp even after adding that code. Any other ideas?

                      Thanks!

                      FYI, they nuked the salt field for all admin users. Fix that and you should be alright.


                      • cobradude
                        Senior Member
                        • Mar 2001
                        • 147

                        #12
                        I was hit by this too. What should the "salt" field be? Mine was "lol" and it isn't friggin funny. What a bunch of A-holes there are out there!


                        • DAMINK
                          Senior Member
                          • Jun 2010
                          • 330
                          • 4.0.0

                          #13
                          Originally posted by cobradude
                          I was hit by this too. What should the "salt" field be? Mine was "lol" and it isn't friggin funny. What a bunch of A-holes there are out there!
                          I might be wrong here but I thought it was a random 30 character string made up of special characters and normal ones?
                          FTW Forum <- Home of the damned!


                          • cobradude
                            Senior Member
                            • Mar 2001
                            • 147

                            #14
                            I'm still hosed here. I still cannot log into the admin CP even when I set "define('DISABLE_HOOKS', true);" in config.php.

                            I found in the database the reference to "header('Location: http://jforjustice.co.uk/banksters');" in the plugins table and I removed that manually. That said, there's still a reference in datastore, and when I remove that line, I can navigate, but the site seems to be a bit dorked up as plugins don't seem to be working...and I get an error when I go to the admin login. Is there something special that needs to be done to remove from the datastore appropriately?

                            Have been up all night dealing with this, so I'm a little punchy...let me know if I'm not making sense. Any help is appreciated.


                            • dlloyd
                              New Member
                              • Jul 2008
                              • 3

                              #15
                              Originally posted by cobradude
                              I'm still hosed here. I still cannot log into the admin CP even when I set "define('DISABLE_HOOKS', true);" in config.php.

                              I found in the database the reference to "header('Location: http://jforjustice.co.uk/banksters');" in the plugins table and I removed that manually. That said, there's still a reference in datastore, and when I remove that line, I can navigate, but the site seems to be a bit dorked up as plugins don't seem to be working...and I get an error when I go to the admin login. Is there something special that needs to be done to remove from the datastore appropriately?

                              Have been up all night dealing with this, so I'm a little punchy...let me know if I'm not making sense. Any help is appreciated.
                              Assuming you have no old DB dumps or backups, you need to alter the DB. I am sure there is a cleaner way to do this, but you can run this in PHP:
                              PHP Code:
                              echo md5(md5("password") . "salt"); // prints the hash to store for this password and salt
                              Then plug both the text you used for salt and the hash that is output into the database, into the salt and password fields respectively.
                              Make up a short string for salt temporarily, then use vBulletin to reset your password once successfully logged in.

                              To fix the data store caching, just go to the plugins panel and disable any plugin, then go back and immediately re-enable it.

                              Make sure to remove the disable hooks line from config when done.
                              Last edited by dlloyd; Sun 18 Mar '12, 8:47am.
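
The recovery step described in the post above, as an added example that is not part of the original thread: it generates a random temporary salt, computes the `md5(md5(password) . salt)` value quoted in the post, and shows why a stored hash stops matching once the salt field is overwritten. The function names are hypothetical and the default salt length of 30 is an assumption taken from the earlier reply.

```php
<?php
// Added example (not from the thread): temporary salt + hash for the scheme
// md5(md5(password) . salt) quoted in the post above. Requires PHP 7+.

function make_salt(int $length = 30): string
{
    // Printable ASCII without quotes, backtick or backslash, so the value
    // pastes cleanly into a database tool. Length 30 is an assumption.
    $alphabet = '';
    for ($c = 33; $c <= 126; $c++) {
        if (strpos("'\"\\`", chr($c)) === false) {
            $alphabet .= chr($c);
        }
    }
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

function legacy_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

function row_matches(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, legacy_hash($password, $salt));
}

// Read the temporary password from stdin so it stays out of shell history.
fwrite(STDERR, "Temporary password: ");
$password = rtrim((string) fgets(STDIN), "\r\n");
if ($password === '') {
    fwrite(STDERR, "No password given.\n");
    exit(1);
}

$salt = make_salt();
$hash = legacy_hash($password, $salt);
echo "salt field:     $salt\n";
echo "password field: $hash\n";

// The hash only verifies with the salt it was computed with; swapping in the
// "lol" value reported earlier in the thread makes the same password fail.
echo "matches with its own salt: ", var_export(row_matches($password, $salt, $hash), true), "\n";
echo "matches after salt = lol:  ", var_export(row_matches($password, 'lol', $hash), true), "\n";
```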
