My forum www.orchidgeeks.com has been hacked by Russian hackers When you go to orchidgeeks.com/forum (I think you might have to be logged in to view it) the page re-directs to http://dengesiz-team.org/vb.htm. How do I remove or fix this? I need help asap as non of my members can really post a message.
Use the back-up, and if any files were edited, re-upload them and set the permission so they can't be writen over. And make sure they don't have any of your passwords. aka...changing passwords might be a good idea.
Well, actually Dengesiz is turkish, if you check out the flag and language on their site . This happened to me, too, one week ago, same Team, they're script kiddies from turkey. They hacked my vBulletin 3.6.0 musician board (over 40 000 members). However, it has not been a vBulletin flaw and they were just able to change the index.php. Flashchat has various security flaws and they were able to get in through Flashchat (with vBulletin integration). I'd recommend everyone to get rid of Flashchat, don't use it together with vBulletin or don't use it at all. I'm sorry for the author but it's just crappy coded.
Yes they're from Turkiye. they r using a vulnerability from a mod. if u will delete topx stat mod i think it will be normal. OR censor this {">"">>>><meta} OR go to topXstats_thread_bit and change all things to <tr> <td nowrap="nowrap"><div class="smallfont"><strong><if condition="$getstats_thread[newpost]">$newpostprefix<else />$oldpostprefix</if> <a href="showthread.php?$session[sessionurl]goto=newpost&t=$getstats_thread[threadid]">$getstats_thread[titletrimmed]</a></stong></div></td> <if condition="$getstats_thread[isdeleted]"> <td colspan=3" align="left" nowrap="nowrap"><div class="smallfont"><phrase 1="member.php?$session[sessionurl]u=$getstats_thread[del_userid]" 2="$getstats_thread[del_username]">$vbphrase[thread_deleted_by_x]</phrase></div></td> <else /> <td nowrap="nowrap"><div class="smallfont"><a href="member.php?$session[sessionurl]u=$getstats_thread[userid]">$getstats_thread[musername]</a></div></td> <td align="right" nowrap="nowrap"><div class="smallfont">$getstats_thread[views]</div></td> <td align="right" nowrap="nowrap"><div class="smallfont">$getstats_thread[replycount]</div></td> </if> </tr>
The mods I'm running are Photopost, top x stats, vBadvanced CMPS, vBSEO...Hmm I will check out the index.php file How do hackers "hack" do they guess at your usernam and password?
Yeah, I had one of my sites hacked into by they say russians. Fixed it, and damn if they did not do it again the same day! So went back, fixed it again, and changed all my passwords to gibberish. So far, site up and okay. Am guessing that is what they do, is run a program to hunt down usernames and passwords.
Thanks UguG, someone else has suggested I do this over at the vB forum. I uninstalled the topstats for now and so far everything seems to be okay
Best thing to do is to lock your forum, and not let visitors in for about 2-3 days, Hackers usually are satisfied with that result and move on to the next target. Do not provoke them by posting things like, "we have fixed the hacking problem, or our forums are secured now" that would just bring down more hacking. Hacking is the so simple, a 14 year old who can follow instructions can do it, and the worst thing is that software vulnerabilities are found very easily on the internet as well. Be glad you have VBulletin, their code is crappy and inneficient but at least most hackers like it and use it for their forums and for some reason don't hack as much as IPB and phpBB.
I just read somewhere there is a security exploit in top x stats. You may want to check that, probably how you got hacked. Also an exploit in flashchat. Fixes for both have been released.
One of my VB forums was also hacked by turkish hackers tonight. It was a redirection hack. They used html in a post. You can read more about the hack here
Had several more redirect hack attempts. All from ip 85.xxx.xxx.xxx which are coming from Turkey. Disabling all BBcode html in posts seems to have solved the problems.