hacked by url123.info

**Bmastro** · 07-09-2012 12:14 PM

Originally Posted by eliteguias

prevenir de nada sirve si el problema ya está dentro

Probably this is my problem. I'm not able to find the malevolous code.

**eliteguias** · 07-09-2012 12:18 PM

bmastro I couldn't find the problem, but... I download a new copy of vbulletin from vbulletin.com and re-upload all archives (the same with vbseo) and.... problem solved (I hope so...).

The same as with your computer "do you have a virus?" don't try to delete it, just.... reinstall windows.

**Sparkiller** · 07-09-2012 01:34 PM

Another hack, here's again the log entry from the same time i got the warning mail:

unassigned-87.236.194.191.coolhousing.net - - [09/Jul/2012:18:34:43 +0200] "GET /forum/search.php HTTP/1.1" 200 782 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0"

Again the search.php is accessed. The only difference is that they didn't use TOR to hide the tracks.

**belcamino** · 07-09-2012 01:53 PM

How do you clean forum cache?

**Bmastro** · 07-10-2012 01:59 AM

Originally Posted by Sparkiller

TOR to hide the tracks.

???
I never received the warning mail! Maybe because of this TOR?

**Sparkiller** · 07-10-2012 03:01 AM

Originally Posted by Bmastro

???
I never received the warning mail! Maybe because of this TOR?

I'm using the "Suspicious Activity Tracker" from the vbseo team, which sends a mail everytime the datastore table is changed:

http://www.vbseo.com/f5/faqs-rogue-p...62/#post326304

(You need to enter your email adress at the vb options after installation to receive the mail.)

And i also installed the "Check 4 hack" pluging from vbulletin.org which resets the datastore table automatically:

http://www.vbulletin.org/forum/showthread.php?t=265866

But that's all just a bandaid which doesn't solve the problem.

**Bmastro** · 07-10-2012 03:15 AM

Originally Posted by Sparkiller

I'm using the "Suspicious Activity Tracker" from the vbseo team, which sends a mail everytime the datastore table is changed:

http://www.vbseo.com/f5/faqs-rogue-p...62/#post326304

(You need to enter your email adress at the vb options after installation to receive the mail.)

Yes, I have it, but no response from it.

Originally Posted by Sparkiller

And i also installed the "Check 4 hack" pluging from vbulletin.org which resets the datastore table automatically:

Check 4 Hack - Finds infected Datastore Entries - vBulletin.org Forum

But that's all just a bandaid which doesn't solve the problem.

This is new for me, thanks.

BTW, is it possible that now the hacker enters the forum using the file install/upgrade.php?
Probably he previously discovered the license number and now he can do what he wants.

P.S. And surely the hacker is a VBulletin and VBSeo user, and he has the latest versions of the programs. Maybe he is also reading this thread.

**Sparkiller** · 07-10-2012 03:20 AM

Originally Posted by Bmastro

Yes, I have it, but no response from it.

Did you enter a mail adress in the corresponding vb options menu? (top entry)

BTW, is it possible that now the hacker enters the forum using the file install/upgrade.php?
Probably he previously discovered the license number and now he can do what he wants.

I checked the time of the email with my server log and the only fitting entries tried to access search.php in the root:

http://www.vbseo.com/f3/hacked-url12...tml#post332574

But i'm no expert, so i'm not sure if that means anything. And i don't think knowing the license no. gives the hacker automatically access to anything?

**Bmastro** · 07-10-2012 03:24 AM

Originally Posted by Sparkiller

Did you enter a mail adress in the corresponding vb options menu? (top entry)

Yes I did, but no answer till now.

**Sparkiller** · 07-10-2012 03:28 AM

Originally Posted by Bmastro

Yes I did, but no answer till now.

Did you get hacked again since entering the email adress? It's only send out at the same moment the datastore table is changed by the culprit.

Or perhaps the mail was automatically moved into your spam folder.

**Bmastro** · 07-10-2012 03:36 AM

Originally Posted by Sparkiller

Did you get hacked again since entering the email adress?

Yes, 2 times.

Originally Posted by Sparkiller

Or perhaps the mail was automatically moved into your spam folder.

WTF! Maybe you're right.

Edit: No, I checked. No messages from VBSEO Suspicious Activity Tracker

**Ducati1** · 07-10-2012 04:46 AM

And here we go again.

Can anyone tell me how I can delete this code from the faq.php?

**Bmastro** · 07-10-2012 04:59 AM

Yes, your forum has the redirection.
I've seen that you run VB Version 4.1.11, would you consider to install the last one (4.2.0 patch level 2)?

BTW is it possible to delist from the web that website? or the other (myfilestore.com)?

**Ducati1** · 07-10-2012 06:54 AM

I know that it does have the redirect issues

I just wanted to know how to remove the malicious code from the two displayed files.

I have another forum running 4.2 and the users hated the activity stream to be honest...

**Bmastro** · 07-10-2012 07:24 AM

Originally Posted by Ducati1

I know that it does have the redirect issues

I know that you know.

I wrote in such a way because when I went to your forum I did not notice any redirection... because my browser already had the cookie of url123.info! Then, when I cleaned the browser, I saw the problem.

Have you tried upgrading VBulletin to clean the forum?

hacked by url123.info

LinkBack

Thread Tools

Display

Similar Threads

vBulletin 3.x Hacked

hacked??

Posting Permissions