MyBB Community Forums

Full Version: BIG FORUM HACKED!!! HELP
the forum is:
WARNING: Click this link at your own risk. May contain traces of viruses and the likes.
[link removed]
I only see a question mark on the index
The site sometimes opens the following sites:
bbchotnews.com
gmodules.com
beststats.net
and some other sites.
I can still access the Admin
I have uploaded all new MyBB files
but while upgrading, I get the error:
==================
Warning:There are still 1 plugin(s) active. Active plugins can sometimes cause problems during an upgrade procedure.
==================
While I have deactivated all plugins.
This might be a hidden plugin, which the hacker has installed which does not allow me to upgrade.
PLEASE TELL ME WHAT TO DO.
I know you guys say to upgrade, but I can't!
And I made another mistake.
I was running MyBB 1.2.11 and I uploaded the files which the old MyBB version forums should use.
Anyway I'm uploading the other "changed_files".
Any help would be much appreciated.
I put months in building the forum...
The hacker has installed a malicious code on the site which makes a "file.exe" appear on my desktop which appears again after some time after deletion
Do you have a backup of the server before the attack?

Rolling back the server, then applying the 1.2.12 update might be your best plan of action, IMHO. You'll lose any new posts, but it's better than having your server compromised.

Also would need to change any passwords you use, as well.
Firstly, I'm presuming that you're hosting your server on your own computer?
If so - easy thing - delete any malicious files found. Pull out your network cable if you fear that they may gain remote control (or something of that sort), and clean up your computer by scanning for viruses etc.

After that, go to your AdminCP and disable all found plugins. There won't be "hidden" plugins, unless your cache is somehow messed up.
You can always ignore the warning, and upgrade anyway.
ZiNga BuRgA Wrote: Firstly, I'm presuming that you're hosting your server on your own computer?
If so - easy thing - delete any malicious files found. Pull out your network cable if you fear that they may gain remote control (or something of that sort), and clean up your computer by scanning for viruses etc.

After that, go to your AdminCP and disable all found plugins. There won't be "hidden" plugins, unless your cache is somehow messed up.
You can always ignore the warning, and upgrade anyway.

Nope, I'm not, I searched the sites which my site was connecting with and I found them to be malicious servers or something..
What about the "still 1 plugin is activated" while I have deactivated all plugins....
Ensure that you have a hard copy of both your database and all your files on server before re-installing the backup of your forum. Then report the hacking to your host.
Sherlock Wrote:
ZiNga BuRgA Wrote: Firstly, I'm presuming that you're hosting your server on your own computer?
If so - easy thing - delete any malicious files found. Pull out your network cable if you fear that they may gain remote control (or something of that sort), and clean up your computer by scanning for viruses etc.

After that, go to your AdminCP and disable all found plugins. There won't be "hidden" plugins, unless your cache is somehow messed up.
You can always ignore the warning, and upgrade anyway.

Nope, I'm not, I searched the sites which my site was connecting with and I found them to be malicious servers or something..
What about the "still 1 plugin is activated" while I have deactivated all plugins....

I think you missed a plugin that is still active. Go back and check again. The code reads directly off the same thing that the plugins acp page uses.

The only explanation is that you deleted a plugin file before deactivating it.

And if that is the case then it is safe to say you can ignore the warning. (After all, it is only a warning).
When I press NEXT, nothing happens, and I can see that the page is connecting to suspicious sites and then finally opens the same upgrade page, I can't seem to continue.
I've managed to upgrade but still the index seems hacked????
please help
Hi Sherlock,

Quote:The hacker has installed a malicious code on the site which makes a "file.exe" appear on my desktop which appears again after some time after deletion
Do you still have the "file.exe" somewhere? If so, can you send it to miekiemoes [at] malware-research.co.uk for further analysis.

Thank You very much

Edit: I also suggest you disconnect from the internet, because it appears that you got infected through the exploit - and god knows what it has installed..
Use a clean computer to change all your login and passwords, because as long as your computer is infected, whatever changes you make to your forum from the infected computer, they can modify it again since they most probably got your password etc now.

And make sure your Antivirus is up to date...
miekiemoes Wrote:Hi Sherlock,

Quote:The hacker has installed a malicious code on the site which makes a "file.exe" appear on my desktop which appears again after some time after deletion
Do you still have the "file.exe" somewhere? If so, can you send it to miekiemoes [at] malware-research.co.uk for further analysis.

Thank You very much

Edit: I also suggest you disconnect from the internet, because it appears that you got infected through the exploit - and god knows what it has installed..
Use a clean computer to change all your login and passwords, because as long as your computer is infected, whatever changes you make to your forum from the infected computer, they can modify it again since they most probably got your password etc now.

And make sure your Antivirus is up to date...

I can see that my other sites have been hacked too!
I have more than 100 established sites running on my server.
That must be the way he got my server password.....
But how do I fix my forum?
Sherlock, please take your sites offline ASAP!!!!! Not sure why you have not done this already. This is irresponsible if your sites are infected and download malicious content and you keep them online - everyone who clicks the link gets infected as well. Add a .htaccess so no one can temporarily visit them as long as they are infected.
The link you posted here to your forum/site also downloaded this file.exe to my desktop (luckily I've watched it in a VMware)

Mods, or Sherlock, can you edit your first link to your site, so no-one can click the link?

Thanks.
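
An added example, not part of the original thread: a `.htaccess` of the kind suggested in the post above, which closes a site to everyone except one administrator address while it is being cleaned. The address 203.0.113.10 is a placeholder, and the file assumes the host permits `.htaccess` overrides for access control.

```apache
# Constructed example. Place in the document root of each affected site.
# 203.0.113.10 is a placeholder for the administrator's own IP address.

# Apache 2.4 and later (mod_authz_core): only the listed address is allowed,
# every other visitor receives 403 and no page content is served.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>

# Apache 2.2 fallback, used only when mod_authz_core is not loaded.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Plain-text notice for blocked visitors, so that no file from the
# infected site is used to build the error page.
ErrorDocument 403 "This site is temporarily offline for maintenance."
```

Anyone who can still write to the web root can also rewrite this file, so it only keeps visitors away while the files are restored from a clean copy and the passwords are changed.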