www.coloradoevo.com
My site was hacked about a week ago, no backup copies available from the server hosts as they just updated their software and the only copy is the hacked version. I went and upgraded my site to 4.1.9 from 4.1.5 and installed everything but the site still won't return to its original state. I can't even log into the Admin Panel. Every folder I visit takes me to the same main page... like a redirect. Please visit my site above and see if you can help me out.
Thanks,
Steve
Site Hacked
-
Check your .htaccess file and index.html file.
"Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time!"
"It's important to only think about what you desire, not what you fear to achieve your ultimate goal!!"
"When doors close, tear down the walls. Never give up!"
-
Doesn't look like the .htaccess file was changed, and I have no index.html, just php.
Where are you, Steve Machol?
Last edited by sdfontanini; Wed 21 Dec '11, 10:09pm.
-
Have you tried deleting the index.php and reuploading it? Also check the www or public_html root directory for an index html or php file and delete it as well.
-
Here are the steps to check for hacks:
1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.
3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type
4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.
5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.
6) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.
Query for step 4 and 5 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';
It checks the templates for compromising code.
8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue but customers really don't understand that.
After a few quick checks, it looks like a basic template replacement scheme. Step 7 should expose such a scheme.
Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
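A triage pass over the rows that the two queries in the post above return, as an added example that is not part of the original post or of vBulletin. It applies the step 3 template allowlist and matches the step 4 to 6 indicators as calls or tags rather than bare substrings; the function name and the sample rows are constructed for illustration.

```python
import re

# Step 3 of the post: templates where iframe tags are expected.
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# Indicators from steps 4-6, matched as calls or tags instead of substrings,
# so words like "filesystem" or "executed" do not count as system()/exec().
INDICATORS = {
    "base64": re.compile(r"\bbase64_(?:de|en)code\s*\(", re.I),
    "exec": re.compile(r"\b(?:shell_)?exec\s*\(", re.I),
    "system": re.compile(r"\bsystem\s*\(", re.I),
    "passthru": re.compile(r"\bpassthru\s*\(", re.I),
    "include/require": re.compile(r"\b(?:include|require)(?:_once)?\b", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

def scan(rows, allow_iframe_in=frozenset()):
    """rows: (title, code) pairs. Returns {title: [indicator names]}."""
    findings = {}
    for title, code in rows:
        hits = [name for name, rx in INDICATORS.items() if rx.search(code)]
        # An iframe is only expected in the allowlisted templates.
        if title in allow_iframe_in and "iframe" in hits:
            hits.remove("iframe")
        if hits:
            findings[title] = hits
    return findings

# Constructed sample rows, shaped like the results of the plugin and template queries.
PLUGINS = [
    ("Constructed: forum stats",
     "$n = $db->query_first('SELECT COUNT(*) FROM post'); // filesystem cache, executed hourly"),
    ("Constructed: unknown plugin",
     "$c = base64_decode($blob); include_once(DIR . '/images/cache.php');"),
]
TEMPLATES = [
    ("bbcode_video", '<iframe src="{vb:raw url}"></iframe>'),
    ("FORUMHOME", '<div>forums</div><iframe src="http://example.invalid/" width="0"></iframe>'),
]

if __name__ == "__main__":
    print(scan(PLUGINS))
    print(scan(TEMPLATES, IFRAME_ALLOWED))
```

The narrower patterns only rank what to read first: code that builds a function name from split strings will not match, so every row the broad LIKE queries return still needs a manual look.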
-
I have tried reuploading all my files, as he left a .tar backup in my directory, also tried to upgrade to 419 without success.
-
I can't even access the vbadmin panel. And I've searched for the HTML index file with no luck.
-
I get a 404 Error in my browser when I go to www.coloradoevo.com/admincp
This is getting frustrating...
I can not find any index.html files in my root folder, not sure how this thing is working... completely baffled
-
Updated again to 4.1.9 and it looks like I now have access to the AdminCP
But where to go from here???