Hacked again..!!

This is what I see when I attempt to logon via the web front end after entering my logon details.

Tapatalk still works..

Comments

  • Steevo Super Moderator
    edited November 2013
    It's quite likely that anyone who attempts to logon via the web will have their credentials compromised.
  • Roo Posting Freak
    edited November 2013
    Why is this site copping it so often? A couple of other forums I know of are quicker and always online....
  • Steevo Super Moderator
    edited November 2013
    Opinions vary and range from poor maintenance to hosting issues.
  • Maverick Supporting Member
    edited November 2013
    Are they Jeep forums? Lol
  • Calibrated Administrator
    edited November 2013
    I've just removed a bunch of files that don't belong there. No idea how they've got in, as the permissions shouldn't allow them access and admin passwords have been changed since the last hack.
  • tintinz Super Moderator
    edited November 2013
    Hi Ash, maybe you could look at reinstalling the site from scratch and restoring the database from backup, then applying every vBulletin security update released to date. For the administrator password and cPanel password, use a random password generator which has a mixture of letters, numbers and capitals; there are lots of random password generators online. Once all of the above is done, reset everyone's password (minor inconvenience, I know) so at least we have fixed any compromised passwords.

    Cheers
    Tin
  • Steevo Super Moderator
    edited November 2013
    There's still an issue. Click the logon button on the default page. Either the logon.php page is missing or something it's referring to or redirecting to is missing.
  • Drew Super Moderator
    edited November 2013
    I'd be thinking the hosting provider had been compromised, given the frequency with which this forum is being exploited, and the rating the provider has based on the number of client sites that have been compromised....

    I don't have any of my white hat tools anymore, but I have mates who could confirm my suspicions

    Sent from my GT-I9505 using Tapatalk
  • Steevo Super Moderator
    edited November 2013
    Yep, logon.php is no longer there.

    Posted via Tapatalk 4.0.24 beta for Android
  • Steevo Super Moderator
    edited November 2013
    Ashley,

    Do you realise that no one can logon to the forum via their web browser?

    At a minimum you need to copy the logon.php file from the distribution package to get it happening again.

    Someone then needs to spend some time reviewing all the files and folders to remove the junk, followed by a review of the FTP logs to hopefully determine how this keeps happening.

    Posted via Tapatalk 4.0.24 beta for Android
  • Roo Posting Freak
    edited November 2013
    Thanks for keeping on to this, Steve. Go Super Mods!!!
  • Tornado_ALIVE Forum Addict
    edited November 2013
    Haven't been able to log in via a web browser for a long time (since the first hack). I am sure the forum has lost quite a few members due to this. Pretty ordinary, particularly from the forum sponsors' point of view. Ash, you really need to invest some time into this to get it sorted properly. It has been managed VERY ordinarily up to now.
  • RokMeister Senior Member
    edited November 2013
    Tornado_ALIVE wrote: »
    It has been managed VERY ordinarily up to now.

    It's being managed?? ;)
  • Calibrated Administrator
    edited November 2013
    Just fixed the logon issue.

    Steve (and others) I am in South Africa at the moment, and only have limited internet access (tethering off my iPhone). Doing what I can, when I can.
  • Scorp69 Supporting Member
    edited November 2013
    Site has been down for 3 days now....incredible. The site host Jumba have just turned it on and have reportedly said that unless safeguards are built in to stop phishing they will suspend it for good, meaning that we could lose access to the site permanently. Please Ash, you need to take drastic steps to get this sorted once and for all, and I plead with you to call Steve and Tin and work with them to get it sorted before it's too late!...please...?
  • bauerco Vendor
    edited November 2013
    Incredible, all these problems considering Ash's background is in IT.


    Mark

    Amarok Club of Victoria
    MY12 Reflex Silver Highline
    94 F250 Supacab 7.5lt 6" suspension lift 3" body lift
  • tintinz Super Moderator
    edited November 2013
    I have been online with Uber tonight to get this sorted, and Matt is correct: Uber has informed me that this is the 6th time this month the site has been flagged as a phishing site. Unless Ash applies the required patches and demonstrates that he knows where the exploit is coming from, they will not unsuspend the site for us in the future when it happens again.

    [screenshot attached]
  • Calibrated Administrator
    edited November 2013
    bauerco wrote: »
    Incredible, all these problems considering Ash's background is in IT.


    Mark

    Amarok Club of Victoria
    MY12 Reflex Silver Highline
    94 F250 Supacab 7.5lt 6" suspension lift 3" body lift

    IT is a very very broad industry. My background was not in web management.
    tintinz wrote: »
    I have been online with Uber tonight to get this sorted, and Matt is correct: Uber has informed me that this is the 6th time this month the site has been flagged as a phishing site. Unless Ash applies the required patches and demonstrates that he knows where the exploit is coming from, they will not unsuspend the site for us in the future when it happens again.

    [screenshot attached]

    There are no new patches from VBulletin. We are running the latest versions of everything.
  • Steevo Super Moderator
    edited November 2013
    At least one person was able to exploit the install/update files that were left on the server. Since then there's been issue after issue, as it's quite likely that access details relating to FTP and/or other credentials have been compromised.
  • Scorp69 Supporting Member
    edited November 2013
    Ash, several years ago you did a great thing by starting this forum, and I am sure you will do everything in your power to make sure it prevails.

    You have two of the best IT minds (Steve and Tin) in the business as your main moderators....and they WANT to help. Please call them to make a plan on how to keep the forum alive. They WANT TO HELP. They need more access, they need the relevant passwords etc. Rest assured, they will sort it out. TRUST them....please. (After you have given them the 'tools' and access they need, then please leave it up to them to sort it out. I know it's hard to 'let go of control', but that might be what is required to ensure the survival of the forum given the warnings to close us down permanently!)

    You will get a lot of respect if you do this Ash....please?
  • MattyDee Supporting Member
    edited November 2013
    Have no idea what this all means... But let's please not lose the forum!


    Candy White VeeDub. | ACV
  • ozcaddy Supporting Member
    edited November 2013
    MattyDee wrote: »
    Have no idea what this all means... But let's please not lose the forum!


    Candy White VeeDub. | ACV
    Matty, pretty much what it boils down to is we've got a bug, and the man with the can of Mortein is not able/capable or does not want to eliminate the bug, or to pass the can over to others who have the skills and ability to make the bug disappear and the forum run like a well-oiled Amarok.
  • Drew Super Moderator
    edited November 2013
    Uber need to look at their service... A large number of their clients have been hacked... Sometimes it's easier to move to a different provider, rather than cop it in the neck from the people you pay to provide a service...

    Sent from my GT-I9505 using Tapatalk
  • Steevo Super Moderator
    edited November 2013
    Now that the suspension has been lifted, someone needs to change all the access info and refresh the base code, as it's likely someone has altered one or more pages.


    Sent from my iPhone 5S
  • Drew Super Moderator
    edited November 2013
    Steevo wrote: »
    Now that the suspension has been lifted, someone needs to change all the access info and refresh the base code, as it's likely someone has altered one or more pages.


    Sent from my iPhone 5S


    Yep... Full database backup, blow away the lot, reinstall and restore the database... Tin had previously provided the vbulletin link on how to do it...

    Sent from my GT-I9505 using Tapatalk
  • brookes2622 Supporting Member
    edited November 2013
    I want my $50 back!
  • Roo Posting Freak
    edited November 2013
    brookes2622 wrote: »
    I want my $50 back!

    I'm now glad I kept mine!! Was very close to handing it over when all this started...
  • tintinz Super Moderator
    edited November 2013
    Also, if you come through the website and notice images missing and the theme a bit screwed ... Steevo has pointed out that this hack has caused the AUSAMAROK theme to be corrupted, so to get back to a normal-looking site with no missing images, please change your settings to the default style.

    Go to Settings, General Settings (under My Account), and under Miscellaneous select Forum Skin, choose Default Style and click Save ... voila, no more missing icons with ? displayed.

    At work I have screenshots of where we have been used as a phishing site, so when I get in I will upload them here. All Uber wants is for Ash to demonstrate to them that he knows where the breach is and show them he has a plan to fix it, or else we will be suspended for good and it's goodbye forum, hello UK Amarok forum.

    As suggested in the past, we need a full database backup, then a full re-install of vBulletin, a restore of the database and a reset of all admin passwords. Delete the /install directory. Ash, Drew is correct; I linked an article on this process a while back in the forum and will dig it up for you.

    cheers
    Tin
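As an added example (not code from anyone in this thread, nor from vBulletin), here is a small POSIX shell script that does the file review Steevo and Tin describe: it compares the live web root against a pristine unpacked copy of the same vBulletin release and reports files that are not part of the release, release files whose content has been altered, and a leftover install/ directory. The sample tree it builds (index.php, login.php, includes/, install/) is constructed for the demo and stands in for a real web root; the only real thing it assumes is that you have an unmodified copy of the release to diff against.

```shell
#!/bin/sh
# Added example: integrity review of a vBulletin web root against a clean release.
# LIVE = the web root on the host, DIST = the same release unpacked from the
# distribution package. Nothing here writes to LIVE; it only reports.

# list_files DIR: sorted list of regular files under DIR, relative to DIR
list_files() {
    (cd "$1" && LC_ALL=C find . -type f | LC_ALL=C sort)
}

# extra_files LIVE DIST: files present in LIVE but absent from the release
# (candidates for removal after review)
extra_files() {
    a=$(mktemp); b=$(mktemp)
    list_files "$1" > "$a"
    list_files "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# modified_files LIVE DIST: files present in both whose bytes differ
# (restore these from the distribution package)
modified_files() {
    a=$(mktemp); b=$(mktemp)
    list_files "$1" > "$a"
    list_files "$2" > "$b"
    comm -12 "$a" "$b" | while IFS= read -r f; do
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
    rm -f "$a" "$b"
}

# has_install_dir LIVE: exit 0 if the installer directory is still on the server
has_install_dir() {
    [ -d "$1/install" ]
}

# build_sample_tree: constructed live/ and dist/ trees for the demo; prints their parent dir.
# File names are placeholders, not taken from any real server.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dist/includes" "$t/live/includes" "$t/live/install"
    for d in dist live; do
        printf '<?php // unchanged release file\n' > "$t/$d/index.php"
        printf '<?php // unchanged core include\n' > "$t/$d/includes/class_core.php"
    done
    printf '<?php // release login page\n' > "$t/dist/login.php"
    printf '<?php // login page with extra code appended\n' > "$t/live/login.php"
    printf '<?php // file that is not part of the release\n' > "$t/live/includes/cache.php"
    printf '<?php // leftover installer\n' > "$t/live/install/install.php"
    printf '%s\n' "$t"
}

# audit LIVE DIST: human-readable report of all three checks
audit() {
    echo "== files not in the release (review, then remove) =="
    extra_files "$1" "$2"
    echo "== release files whose content differs (restore from the distribution) =="
    modified_files "$1" "$2"
    if has_install_dir "$1"; then
        echo "== install/ directory still present: delete it =="
    fi
}

sample=$(build_sample_tree)
audit "$sample/live" "$sample/dist"
rm -rf "$sample"
```

On a real host you would run `audit /path/to/webroot /path/to/unpacked-release` and read the two lists before deleting anything; extra files under a legitimately customised theme or attachment directory are expected, so the list is a starting point for review, not a delete list. The byte comparison only catches changes to files that ship with the release; it says nothing about the database, which is why the full backup, reinstall and password reset that Tin describes still have to follow.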
  • brookes2622 Supporting Member
    edited November 2013
    Calibrated wrote: »
    IT is a very very broad industry. My background was not in web management.

    Then perhaps you should listen to those whose background it is.
  • yojimbo Senior Member
    edited November 2013
    Could I suggest, in case something like this happens again, that AusAmarok forum members who have Facebook accounts "like" the Amaroks Down Under page: facebook.com/amaroksdownunder
    It is a good way to keep in touch when the forum blacks out.

    Also, have any of the forum admins thought about taking a snapshot of the forum and moving it to a new host with a new domain name as the current situation appears unsustainable?