Hack attempt on the forum http://www.indianwebmaster.org
invincible.vib
Nov 3rd 2006, 3:29 pm
Hi guys...
Someone tried to hack my site http://www.indianwebmaster.org and has put a redirect to www.mustim.tr.cx
Whenever I'm trying to open the site http://indianwebmaster.org it is redirecting to http://www.indianwebmaster.org/www.mustim.tr.cx
Any idea how to fix this redirect?
Regards.
Vibhash.
Finale
Nov 3rd 2006, 4:31 pm
Reinstall your forum software?
invincible.vib
Nov 3rd 2006, 6:08 pm
Well, I fixed that problem... reinstalling is the extreme case!!!
I just removed instances of "mustim" from the DB and now the forum comes up fine :)
Seems he signed up and exploited any of the vBulletin code. I checked the vbforum site and they seem to say it's a server problem on most issues rather than accept that there can be security holes in PHP-based code.
I think any mods or plugins need an update!
I've also found this info in the DB regarding the user mustim (may be username "hacked")
IP ADDRESS : 88.229.10.160
So finally I got my forum up and running :)
(But I still don't know how it was hacked, so I need to put some time into resolving that security loophole!)
roy77
Jan 6th 2007, 7:44 pm
Glad to see that you solved the problem. Check your forum security, so it won't happen next time :)
thuonghieu
Jan 6th 2007, 8:45 pm
I can still access your site. Maybe your PC is infected with malware. Check it.
hans
Jan 22nd 2007, 1:33 am
If you know the user account through which changes were made - then search your entire access_log files from the past MANY months back and extract any access to that account using
zgrep "mustim" access_log.gz >mustim_access.txt
Replace "mustim" by a precise word that always occurs in the URL string for all logins and replace the precise access_log file name
then find the first visits of the user "mustim"
where did he first visit your site
referral (exact Google search string! if he used G before hitting your site)
then walk through his path of site visit
where - what precise folder - did he place his files
His files may have file names equal to common files existing on your site - I found on my site after a hacker intrusion a year ago files such as index.php - but that file contained hacker script and NOTHING like common index files!! I also found other common file names such as php-info.php and other similar common files that usually always reside on a server - hence files that never arouse any suspicion - unless you open them and see that the script content is totally different from what it normally would be.
Finding the exact entry and weak security hole may be a matter of dozens of hours of researching all kinds of access_log, messages-log, warn-log, error_log files
Good luck
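
The log walk hans describes above, as an added example that is not part of the original thread: it goes one step beyond the zgrep by pivoting from the marker string to the client IP, so requests made before the account name ever appeared in a URL (first visit, referrer) show up in the trail. It assumes Apache "combined" log format; the sample lines, IPs and paths are constructed.

```python
import gzip
import re
import sys
from datetime import datetime

# Apache "combined" log format is assumed; adjust the regex to your LogFormat.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def read_lines(path):
    """Yield lines from a plain or gzip-compressed (rotated) log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def parse(lines):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            hit = m.groupdict()
            hit["time"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield hit

def trace(lines, marker):
    """Find client IPs whose URL contains marker, then return every request
    from those IPs in time order, including requests made before the marker."""
    hits = sorted(parse(lines), key=lambda h: h["time"])
    ips = {h["ip"] for h in hits if marker in h["url"]}
    return ips, [h for h in hits if h["ip"] in ips]

# Constructed sample lines (documentation IP ranges, made-up paths), out of order.
SAMPLE = [
    '203.0.113.7 - - [03/Nov/2006:14:02:11 +0000] "GET /forum/images/index.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [01/Nov/2006:09:20:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Nov/2006:09:16:40 +0000] "POST /forum/register.php?username=mustim HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [01/Nov/2006:09:15:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "http://search.example/?q=constructed+query" "Mozilla/4.0"',
]

if __name__ == "__main__":
    # Usage: python trace.py mustim access_log.1.gz access_log  (no files: sample data)
    marker = sys.argv[1] if len(sys.argv) > 1 else "mustim"
    files = sys.argv[2:]
    lines = (l for p in files for l in read_lines(p)) if files else SAMPLE
    ips, trail = trace(lines, marker)
    for h in trail:
        print(h["time"].isoformat(), h["ip"], h["status"], h["method"], h["url"], "ref=" + h["referer"])
```

An IP is only a rough pivot: shared proxies and dynamic addresses can pull in unrelated visitors or split one visitor across several addresses, so read the trail alongside the user-agent field.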