Guestbook - almost extremely hacked
Forum Index » Support Forum
Anonymous

Hi, I can't find any solution to my problem, so here it goes:

My guestbook at:
http://www.farbrortorsten.com/gastbok/
is hacked.

I still have my password and I can log in to admin, but I cannot use the easy admin page. When I try, a black page with stupid text is shown for a while, then I get sent/redirected to www.cia.gov.

HTML was and still is disabled.

Smilies were and are still on. All letters "e" are now shown as a vomiting smiley, and if I change that in general settings, a visit to my guestbook page will show the black page (mentioned above) instead of my brown page.

After the attack I upgraded to version 2.3.1, but these problems remain. HELP PLEASE!
ET
Graduate

Joined: 21/02/2003 22:17:48
Messages: 179

Torsten wrote:
Hi, I can't find any solution to my problem, so here it goes:

My guestbook at:
http://www.farbrortorsten.com/gastbok/
is hacked.

I still have my password and I can log in to admin, but I cannot use the easy admin page. When I try, a black page with stupid text is shown for a while, then I get sent/redirected to www.cia.gov.

HTML was and still is disabled.

Smilies were and are still on. All letters "e" are now shown as a vomiting smiley, and if I change that in general settings, a visit to my guestbook page will show the black page (mentioned above) instead of my brown page.

After the attack I upgraded to version 2.3.1, but these problems remain. HELP PLEASE!


Immediately after you open up your easy admin page to remove their post, press the "ESC" key; you may need to do it several times to stop any sequences that they have coded in. Once you are sure that the redirect is stalled by the Esc key, then delete normally. Keep HTML disabled first and foremost, and do a search on this forum for other spam protective measures. For example, I ended up including the words "meta" and "script" in my forbidden word section.

Good luck and let us know how it goes.

Anonymous

Thanks, but I could only delete the last input. Now, before the easy admin page has loaded the edit and delete buttons, the black hacker page arrives and sends me to www.cia.gov.

This screen shows how far I can get now:
http://www.farbrortorsten.com/temp/gb.jpg
When I try to go to record number 102, 103 or 104, that black hacker page comes too quickly.


I'm afraid I need another trick!
Auron
Expert

Joined: 23/06/2003 22:02:17
Messages: 1053

Re-upload all the gb files again, overwriting the ones there.
Make backups of your templates before that.
Re-upload the original templates. Make your modifications to the templates again.
Look at the stickies in the support forum on how to patch your gb.

Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date, I would have thought)
ET
Graduate

Joined: 21/02/2003 22:17:48
Messages: 179

Auron and I posted at about the same time. I would hold off actually uploading the gb again until you try the following.

Okay, the only other way to delete the post then is to go into your MySQL tables through your website's control panel (most use cPanel).

You will need to open the SQL tables for the guestbook. Some call it "MySQL Databases" or "MySQL Tools", while others call it "phpMyAdmin".

Look for the AGBook's tables to open, then look inside that for "book_data".

Once you open up book_data, you may need to click on "Browse" to find the list of table entries for your guestbook. You should be able to delete that one particular entry from there.

Some hackers have found a workaround within 2.3.1 that allows them to insert javascript codes, meta tags and redirects... I won't explain how it is done, but suffice it to say, I've found that making certain words "forbidden" helps. For example, they used the smilies to enforce a redirect on your guestbook.

Good luck, and let us know if you need more help.

Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

OK, for some reason every one of your posts is messed up. They all now contain the puke smiley. Very bizarre. I wonder how they accessed your admin, as you are not susceptible to the exploit. You should be able to log in and access easy admin with no problems.

EDIT - Oh, I see somebody made it so that the puke face was posted wherever there was an "e".

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Auron
Expert

Joined: 23/06/2003 22:02:17
Messages: 1053

ET wrote:
Auron and I posted at about the same time. I would hold off actually uploading the gb again until you try the following.

Okay, the only other way to delete the post then is to go into your MySQL tables through your website's control panel (most use cPanel).

You will need to open the SQL tables for the guestbook. Some call it "MySQL Databases" or "MySQL Tools", while others call it "phpMyAdmin".

Look for the AGBook's tables to open, then look inside that for "book_data".

Once you open up book_data, you may need to click on "Browse" to find the list of table entries for your guestbook. You should be able to delete that one particular entry from there.

Some hackers have found a workaround within 2.3.1 that allows them to insert javascript codes, meta tags and redirects... I won't explain how it is done, but suffice it to say, I've found that making certain words "forbidden" helps. For example, they used the smilies to enforce a redirect on your guestbook.

Good luck, and let us know if you need more help.


Re-uploading files doesn't matter, since all the entries are stored in the DB.
It's just a case of fixing the smilie tags/whatever and removing the offending entry/ies.

Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

Smiley codes are stored in SQL. Give me admin access and I'll fix it in minutes.

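ET's forbidden-word advice and Carbonize's point that the smiley codes live in SQL can be turned into one defender-side triage script. This is an added example, not code from Advanced Guestbook or from anyone in this thread; the book_data column names and the smiley table are constructed assumptions.

```python
import re

# Constructed sample rows shaped like a dump of the guestbook's book_data
# table. The column names are an assumption, not the real AGBook schema.
BOOK_DATA = [
    {"id": 101, "name": "Torsten", "comment": "Welcome to my guestbook :)"},
    {"id": 102, "name": "guest", "comment":
        'great site <meta http-equiv="refresh" content="0;url=http://example.invalid/">'},
    {"id": 103, "name": "guest", "comment":
        "<script>window.location='http://example.invalid/'</script>"},
    {"id": 104, "name": "Anna", "comment": "Hej Torsten! :("},
]

# Constructed smiley table (code -> image). The last row is the kind of
# tampering the thread describes: the bare letter "e" mapped to an image,
# so every "e" in every entry renders as the puke smiley.
SMILEY_CODES = {":)": "smile.gif", ":(": "sad.gif", "e": "puke.gif"}

# Forbidden-word list in the spirit of ET's advice (meta, script), extended
# with the other pieces a meta-refresh redirect needs.
FORBIDDEN = ("meta", "script", "javascript", "http-equiv", "refresh")
_FORBIDDEN_RE = re.compile("|".join(map(re.escape, FORBIDDEN)), re.IGNORECASE)


def is_forbidden(comment: str) -> bool:
    """Plain case-insensitive substring match, like a guestbook forbidden-word
    filter. Note the false-positive risk: 'description' also contains 'script'."""
    return _FORBIDDEN_RE.search(comment) is not None


def suspicious_entries(rows):
    """Return the ids of stored entries carrying redirect or script markup,
    i.e. the rows one would delete from book_data via phpMyAdmin."""
    return [row["id"] for row in rows if is_forbidden(row["comment"])]


def tampered_smileys(codes):
    """Return smiley codes made only of letters/digits. A legitimate code
    contains punctuation; a bare letter would rewrite ordinary text."""
    return [code for code in codes if code.isalnum()]


if __name__ == "__main__":
    print("entries to delete:", suspicious_entries(BOOK_DATA))
    print("tampered smiley codes:", tampered_smileys(SMILEY_CODES))
```

Run against a real dump, the substring filter will also flag harmless words such as "description", so review each flagged row before deleting it.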
Anonymous

Alright! Thank you so much, especially ET! You outclassed the tech support of the company that hosts my site (they couldn't help me much)!

I removed the crap through that phpMyAdmin thingy, and now my guestbook looks good.

For some reason I had to remove the message (the previous record number 102), written by myself, to get back the normal look of the guestbook. But since they could change it so the puke smiley appeared for the letter "e", maybe they can mess with the last input/record as well.

I thought I already, before the hacker attack, had some good curse words to stop bad code, but I have now improved that list.

Thanks again!

http://www.FarbrorTorsten.com/english.htm
ET
Graduate

Joined: 21/02/2003 22:17:48
Messages: 179

Auron wrote:
Re-uploading files doesn't matter, since all the entries are stored in the DB.
It's just a case of fixing the smilie tags/whatever and removing the offending entry/ies.


Auron, help me with the thinking here: how does loading the templates, etc., change the smilie tags and remove the offending entry? If I don't understand the thinking behind this, others may not understand it either....

ET
Graduate

Joined: 21/02/2003 22:17:48
Messages: 179

Torsten wrote:
For some reason I had to remove the message (the previous record number 102), written by myself, to get back the normal look of the guestbook. But since they could change it so the puke smiley appeared for the letter "e", maybe they can mess with the last input/record as well.


Now that is interesting!!! Maybe chmod your template files/dir back to 644 (rw-r--r--) for added security? I haven't seen them actually mess up other entries like that before.

Anyways, glad you were able to fix the problem.

Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

I'm wondering if they don't have access to either your guestbook's admin or your MySQL database.

Auron
Expert

Joined: 23/06/2003 22:02:17
Messages: 1053

ET wrote:
Auron wrote:
Re-uploading files doesn't matter, since all the entries are stored in the DB.
It's just a case of fixing the smilie tags/whatever and removing the offending entry/ies.


Auron, help me with the thinking here: how does loading the templates, etc., change the smilie tags and remove the offending entry? If I don't understand the thinking behind this, others may not understand it either....


One of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.

ET
Graduate

Joined: 21/02/2003 22:17:48
Messages: 179

Auron wrote:
One of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.


Thanks for helping me understand better. Appreciated.

Auron
Expert

Joined: 23/06/2003 22:02:17
Messages: 1053

ET wrote:
Auron wrote:
One of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.


Thanks for helping me understand better. Appreciated.


No problem, the thread where Carb talked about it is around here.
Maybe in the stickies? Not sure though.
