Tkurd.com Hijacked MY forum URL

[SkydivingForums]

Hi there,

I was hoping someone can shed some light on this for me. I'm very frustrated because someone has hacked my forum URL. My forum gets redirected to Tkurd.com and says "hacked by forrmatXformat."

Does anyone know anything about this bastard?

I hope someone can help me on how they did this, or how I can get my URL back! I talked to my hosting and they are working on it.

The IP adress I think that TKURD uses is from godaddy 97.74.144.191 which is confusing.

Any help will be greatly appreciated....

[AnthonyCea]

What forum software are you using, version please ?

Who is hosting your website ?

[SkydivingForums]

vbulletin 3.8.4 w/update 1 - hosted with websitepalace

[AnthonyCea]

You will have to look at your logs in great detail, each hit to find out how this moron got in, this guy is a hacker, his forum is about hacking, so he found a hole in your web host or in the applications you are running on the server.

PS: Never post a live link anywhere unless you want the person you are trying to expose to have instant access to your conversations online.

I removed your live link to his site.

[AnthonyCea]

See this post by a security expert on Remote File Includes these hacker bot operators run, also see the entire thread to see the types of attacks the hacker bot operators run 24/7/365.

I guess you will have to install a firewall or start watching the logs a lot closer over at your place.

[SkydivingForums]

Is this all I can do? Is there a list of IP's to ban or something? This sucks...thanks for your help, any other advice would be awesome as this is all new to me. My forum is still there, you just can't access the main page.

[AnthonyCea]

Your host should be able to solve the problem for you, if not you will have to hire a coder to do it for you.

Just post your progress in this thread, like I said, the only way you will be able to find this morons IP's is to get the history of IP hits on your website from your host going back to a few days before this happened and looking at each URL and IP that hit your server, then banning suspect IP's at the server level.

Ask your host the best way to ban at the server level, many times they do not like you to ban a ton of IP's from c-panel so you will have to ban them in your .htaccess file most likely, that or install a malicious IP filtering firewall and ban them there.

Learn about software firewall IP filters

[SkydivingForums]

Found out that this IP: 150.70.84.154 hacked my admin in VB and modified a template with a malicious code. I wish there was a way to strike back at these F**ckers. Now I have to find this crap and delete it.

I banned that IP 2 weeks ago and they still managed to hack my forum!!

[AnthonyCea]

Thanks for the report, hackers have many IP's available to them, we have hacker bot networks that have hit here with hundreds of them, all you can do is install a firewall and watch your logs.

Is your host offering you help to get back up ?

Did they provide you with logs of IP's hitting your server ?

PS: I ran an IP search against the forum database on 150.70.84.154 and look what came up...

http://www.forumpostersunion.com/sho....154#post42396

A thread you started when you first joined, you caught these guys in the act back then, but they may have hit you from another IP range, so you might want to keep digging through your logs and look for a similar user agent.

[AnthonyCea]

Another thing, you are going to have to change all your passwords in C-Panel and for your forum administration password.

This hacker may have been using a dictionary attacker script that automatically figures out passwords.

[SkydivingForums]

Looks like when you asked me if I was being proactive, I just had a hunch or got lucky, huh? LOL..I banned that IP from VB when I told you about it but the banning did not work. Maybe when I banned them a few weeks ago they got mad and decided to mess with me! I now added the IP to my host as well, so hopefully that will stop them from repeated the same thing, any other ideas?

All taken care of...passwords, etc. I have a fire wall in the software on my computer and a firewall on my router, is that what you mean?

I have been doing a lot of research on others like me. A lot of them say that the hacks do not go through the admin, but it does not hurt to drop a .htaccess file on your hosting. I guess I will never know how and where these morons gained access. Maybe the code was injected and made invisible, because I looked for hours trying to find it. I went right to the place the host told me... but nothing visible!

I'm finally relieved that I was able to fix the template and gain control of my main page again. Thanks to a great fix-it tool that a developer made to compare templates and scan all of them. Once I uploaded the tool to my host it only took me 10 seconds...and waala...back in action! Great creation of a php tool.

Has this happened to this forum yet?

[AnthonyCea]

No, you need to look at a firewall that uses a real time database, a software firewall on your web server.

See the links I already gave you.

[SkydivingForums]

...I gotcha..checking it out right now...so have you had to go through this before?

[AnthonyCea]

Here is a great software firewall that has a lot of tools to filter out malicious IP's.

No, with all the hackers that attack us for years, they have never defaced the site, but not for lack of trying everyday !!

If you need help it is all in our SpamKill.org forum, just keep reading the threads, but here is a thread that is of specific help to forum owners stop spam botnets and comment spammers.

[SkydivingForums]

I was just reading all the info that I downloaded from rfxn, but it is a lot of info, so I did not see what the process is of installing...I did not see the instructions for installing... I will look some more. Trying to find an easy process.

I will search for the correct software to upload to my server.

Are all of them free?...thanks again!

[AnthonyCea]

Follow all the links I gave you and learn a bit more before you do anything.

PS: There is nothing easy about running a server, if you don't know how to install scripts and configure them you will have to hire a coder, if you need help I can hook you up with a few names.

[SkydivingForums]

Thanks for all your help. I have made a lot of changes since my forum was hacked and all of them are very valuable to forum owners and operators. First off, there is a handy mod tool that you can find on VB.org that compares the child and mother templates and will delete the malicious code that was injected. You upload this mod application to your forum folder and access it from a web browser and it scans all of your template files and keeps the good ones and overwrites the bad ones with the good ones, awesome invention! After you get rid of the malicious code and your forums are back to normal, these are the things that have kept my forum safe from these attacks since then.

- Switched from a shared IP address to a dedicated IP address.
- Installed the stopforumspam mod from VB.org (catches 5-10 spammers a day)
- Created and Installed a firewall file (.htaccess) in the Admin folder of my forums directory that includes an encrypted password in the (.htpasswd) to open the Admin directory on the host from a web browser. This creates another password (another layer to go through) to access your Admin folders in your forums directory.
- Created and installed another .htaccess file that contains the rejection of all hacking attempts (blacklist) in the main root directory of the host, above all the forum files; my index of of my host, highest level.

I hope this helps others who have experienced the same as I did.
The .htacces files are the biggies, especially the one that is in the Admin directory of your forums.

[kabo0m]

Thanks for referring me to a thread that linked to this thread. I have learned a lot. In another thread I was asking about the IP 150.70.84.151 and 150.70.84.154 because they keep visiting my forums even after I banned 150.70.84.*

After reading what has happened to you (thread starter) that worried me because my fiance's old forums got hacked exactly like that 2 years ago when he used to use phpBB (we have since both switched to SMF for better security). I never want that to happen to my medical site so this information is very useful. Still, it seems overwhelming at times to know how to keep up with the scammers, spammers and hackers out there..

[AnthonyCea]

Yeah, it is sad when you start out wanting to run a chat forum, then learn you have to become a virtual IT security expert just to keep your site from being DDoSed, defaced, hacked and spammed to death by a multitude of morons.

[kabo0m]

Yeah but I am still learning. I tried to edit my own .htaccess but accidentally blocked myself from my site somehow and my host had to get me out of that jam .. so now I don't touch that.

[AnthonyCea]

You should not do anything that has to do with coding if you are not a programmer, get a technical administrator to help you with running the server and to help you run the sites on the server until you really know the code and how scripts really work.

[kabo0m]

Quote:

Originally Posted by AnthonyCea

You should not do anything that has to do with coding if you are not a programmer, get a technical administrator to help you with running the server and to help you run the sites on the server until you really know the code and how scripts really work.

Ah okay. Yeah I get my fiance to help with a lot of programming but he is not familiar with the .htaccess neither so he doesn't touch it. I am the administrator of my forums but I only know as much as I have learned from security forums and first hand how to stop spammers. I really don't know the really technical stuff though. I will ask the host admin. I have his email, I just hate to bug him about things he doesn't think are really necessary.

Thanks for you help!

[AnthonyCea]

You need to find a technical administrator to partner with, even if you have to pay per hour for services, your host is not always going to help you do the tasks that need to be done, like updating scripts, installing plugins and hacks, coding for SEO and all the rest.

[kabo0m]

Quote:

Originally Posted by AnthonyCea

You need to find a technical administrator to partner with, even if you have to pay per hour for services, your host is not always going to help you do the tasks that need to be done, like updating scripts, installing plugins and hacks, coding for SEO and all the rest.

Yeah, when I find a job I will. At least my fiancé is good at updating scripts, installing plugins and hacks. Don't really know anything about SEO though. I've been out of work because of health issues but when my fiancé's forums got hacked we knew nothing and now 2 other forums have come to us for help. So that makes us feel like we must be doing something right so far on our own.

But yeah, I never thought about hiring a technical administrator. I just tried to learn how to do it myself. My fiancé however has ran servers for 10 years though so he knows a little (not really about forums in particular, but learning).

[AnthonyCea]

Well, just keep learning and get yourself a good firewall installed, if you keep reading the threads here you will find some solutions, most all of them are listed and linked to in our threads.

[SkydivingForums]

Hello,

A little programming practice with a htaccess file takes a little time, here are the resources that helped me:


Read this first: http://www.vbulletin.org/forum/showthread.php?t=220914


Directions:

http://www.phpfusion-mods.net/articl...?article_id=23

Htaccess Tools password generator: http://www.htaccesstools.com/htpasswd-generator/


Even though I have learned programming by practice, search, school, etc., I used the above information to help secure my forums.

You can upload the files you create to your host and you can delete them easily if you get locked out like you said, just delete the file you uploaded.

You can experiment with adding your own IP address to the htaccess file to see if it works, like you mentioned, deleting the file you uploaded will eliminate your problem you create, you shouldn't need the host to help delete it, unless you are unable to delete it.

The one that goes in the admin folder keeps intruders out big time. The one in the main directory, you can always keep adding IP's for denial.

Good luck with your adventures, I spent a lot of time previously and found that the URL's above helped me the most.....impacted the stop of hacker bots and etc.

I have some more URL's.....I have to look for them...they are about securing 3 more folders in your forums directory on your host that pertain to keeping unauthorized intruders from access......same thing that VB.com and VB.org does.

[SkydivingForums]

You should ban IP 150.70 .....immediately, since this was the start of the take over of my forums, I had to reclaim my forums main URL because of this IP!

[AnthonyCea]

Remember that this IP range was a Blacklisted spambot and hacker hangout when we originally discussed this, so we banned this IP c-network long ago, but others will surely be thankful you keep warning about it.

Problem is, these morons have a vast network of IP ranges worldwide to keep you watching, believe me, they are not done, so don't think you will ever be safe, hackers just look for a new exploit hole just like a Rat will until you plug the hole or get a cat !!

[SkydivingForums]

When they change their IP, then everything starts all over with banning another IP, you just have to have a system that stays up to date and watches for new IP's or suspicious IP's.

These are the 150's I currently have banned and that they keep moving to closer IP ranges to try and fool everyone:

Deny from 150.70.84.154
Deny from 150.70.84.43
Deny from 150.100.255.255
Deny from 150.26.0.0
Deny from 150.70
Deny from 150.100
Deny from 150.26

[kabo0m]

Same one I mentioned here:
http://www.forumpostersunion.com/sho...5086#post55086

Was the security program I downloaded really a trojan?? Or was someone targeting a security flaw of the program or something? Didn't want my own forums to get hacked so was glad it stopped once I uninstalled that. Scary..

[AnthonyCea]

Yes, that is an old trick hackers use, it is called "malware" where they put out "fake anti-spyware software", in fact spammers use this "free download of anti-spyware" software as a hook to get computer users to download their zombie take over script, they can also get a copy of your hard drive that way.

The only good anti-spyware software that is free is SpyBot Search & Destroy or Spyware Blaster to be honest.

[kabo0m]

Quote:

Originally Posted by AnthonyCea

Yes, that is an old trick hackers use, it is called malware where they put out fake anti-spyware, in fact spammers use this "free download of anti-spyware" software as a hook to get computer users to download their zombie take over script, they can also get a copy of your hard drive that way.

But I downloaded it right from the Trend Micro site (and the url was not misspelled).

This was the link I got it from:

http://us.trendmicro.com/us/trendwat...ction-network/

I never got any fake pop up windows and haven't fallen for any of the typical things old bingo mom's fall for

[AnthonyCea]

I have used Spyware Blaster and SpyBot Search & Destroy for years in conjunction with each other, you only need one anti-virus program, like I told you I am using ESET smart security which claims to offer comprehensive real time protection against malware, but I do run SpyBot for the hell of it (a scan) about once every two weeks.

You know it could have been something else that caused this problem, you should run SpyBot to see if you have anything on your machine.

You do know that Trend Micro was hacked a while back, so maybe you should use www.nod32.com anti-virus like I do.

[kabo0m]

Quote:

Originally Posted by AnthonyCea

You do know that Trend Micro was hacked a while back, so maybe you should use www.nod32.com anti-virus like I do.

Ah now THAT would explain it then. This was in Dec / Jan when this happened to me. But then when I saw the threads talking about this I remembered I recognized that IP from somewhere and checked on my old threads..

Haven't had any issues ever since uninstalling that but I have run everything I could think of to ensure my computer is clean. Also ran HijackThis as well.

Thx for the Spyware Blaster link. I had looked at that before and downloaded it but never installed it because later when I went to look at my downloaded programs to check out I could not remember who recommended it to me. Now I remember .. it was you. Okay I could try that. Since I already have SpyBot Search & Destroy I thought that was good enough? After all, how many anti-spyware programs does one need anyway? Thought it was just like anti-virus.. With Anti-Virus I just have one and occasionally also do online scans just to make sure my computer AV is not compromised or missing something.

Definitely never want my forums hacked like my fiancé's were before. That was hell..

[AnthonyCea]

Spyware Blaster prevents malware from loading if you run the program according to instructions, Spybot Search & Destroy also will if you run the immunize program module within that software.

You have to learn how these programs work, and how they can work together, that means you have to research the data out there on the web and proceed in a way that you are comfortable with.

[kabo0m]

Quote:

Originally Posted by AnthonyCea

Spyware Blaster prevents malware from loading if you run the program according to instructions, Spybot Search & Destroy also will if you run the immunize program module within that software.

You have to learn how these programs work, and how they can work together, that means you have to research the data out there on the web and proceed in a way that you are comfortable with.

Oh okay thx. I wasn't doing that. Thought you just install it and there ya go.

[kabo0m]

Ah yes I remember where I heard about Spyware Blaster from now (because I found where I already had it on my computer and I did actually put a shortcut to where I Saw it). It was here: http://www.bleepingcomputer.com/tuto...utorial49.html

Thanks for recommending it as that encourages me to try it out.

[AnthonyCea]

Spyware Blaster is a great piece of software, but you still need to enable the modules you want to use so it will protect you, you also need to start it up when you start your computer.

With my current set up (ESET AV and anti-malware) I don't run Spybot at start up any longer, just update the profiles and scan about once every few weeks.

You don't want too many real time programs running at the same time, so I don't know if I would run Spyware Blaster and Spybot at the same time either.

You never want two anti virus programs running at the same time or your computer will not function at all.

You have to figure out what is right for you depending on what you have on your machine as far as software is concerned and what real time programs you have scanning your files.

[kabo0m]

Yeah I already have too much on start up and wonder what I should eliminate as it is .. will send you a PM of the list I have come up if you wish?

[AnthonyCea]

You have to run msconfig and take programs off of start up that you don't need to run, that or remove the programs altogether if you don't need them any longer.