z6joker9 Wrote:I can't because when I do, it auto forwards. How do I make it not do that?
Hi z6joker9,
Could you please send me your raw access logs to your site via PM? I can forward those to the proper people, in hopes of preventing a future attack.
Disable the javascript in your browser and try again.
In IE.
Open Internet Explorer.
Select Internet Options from the Tools menu.
In Internet Options dialog box select the Security tab.
Click Custom level button at bottom right. The Security settings dialog box will pop up.
Under Scripting category check Active Scripting, Allow paste options via script and Scripting of Java applets
Check radio boxes.
Click OK twice to close out.
in Firefox
Open Firefox
Go to tools
Go to Options
Go to Content tab
Unselect Javascript checkbox.
Or just go to
http://www.wiiloaded.com/admin/
I can't edit the forum to take the script out because in Admin CP it shows the forums when you click edit forum.
And without javascript on, I can see it but I cannot edit it because I cannot click the buttons?
Next question. What else could be affected, if anything? From the looks of the administrator log, he made himself an admin (without getting into my account?), edited the description of a forum to cause the problem, and then deleted his account. How could he have done this? Did I leave something CHMODed wrong?
There is an possible way todo this in versions below 1.1.4. don't know if that is what he did but it might be.
Well when I look at your forum now the script is gone.
No, the script is hidden because the forum is hidden. How do I access it to fix it?
Do you know the forum ID of the forum the person edited? If you do, you can access the edit page through this:
wiiloaded.com/admin/forums.php?action=edit&fid=
FORUMID
Edit: If you don't know your forum ID, you can:
- Disable javascript as explained above
- Go into the ACP and mouseover the said forum and look at the fid at the end of the URL (example: yoursite.com/forums/forums.php?fid=1, where 1 is the forum ID)
- Re-enable javascript and go to the link I explained above, entering the forum id you just found.
My site was exploited also and this is how I fixed it:
I was running version 1.13, so I downloaded the 1.17 version and uploaded all the files except settings and config.php. I then went to
www.myurl.com/admin and logged in to ensure the update worked. it did. This did not fix the issue, but it was good to do anyway to help this from happening again.
I went to PHPMyAdmin, selected my database, and went to the search function. I then searched for
%king%. I looked through a bunch of HTML code,
<meta http-equiv="refresh" content="0;URL=http://k... ...
which I forgot to copy/paste, but look for "refresh" and then delete them, it should be in mybb_templates. It will ask you to confirm so press yes. This is what I got:
DELETE FROM `mybb_templates` WHERE `tid` =385 LIMIT 1 ;
DELETE FROM `mybb_templates` WHERE `tid` =397 LIMIT 1 ;
DELETE FROM `mybb_templates` WHERE `tid` =760 LIMIT 1 ;
DELETE FROM `mybb_templates` WHERE `tid` =761 LIMIT 1 ;
DELETE FROM `mybb_templates` WHERE `tid` =796 LIMIT 1 ;
DELETE FROM `mybb_templates` WHERE `tid` =916 LIMIT 1 ;
I then refreshed my site and it seems to be fixed.. I will keep you posted with other bug fixes if needed.
How can I secure my site so this does not happen any more?
I hope this helps someone to fix their site.