Author |
Message |
26/10/2004 08:28:36
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
http://www.39reasons.com/guestbook39/
I'm pretty new at all this. I've done the search for fixing it, but I'm just not sure I understand it enough and don't want to make it worse.
I can still log into my admin pages - but I don't know what to do from there.
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
26/10/2004 12:38:10
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Looks like they edited the header.php in the templates file or possibly body.php. I doubt they did this via the guestbook though. Did you chmod the template files to 777? Possibly this person has an account on the same server as you. Simply remove the code from the appropriate template file.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
26/10/2004 13:37:29
|
JTD
Graduate
Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline
|
He is running version 2.3.1 also.
|
LINK-> Use Lazarus Guestbook |
|
26/10/2004 17:12:33
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
I upgraded to 2.3.1 after reading all of the suggestions on here. Like I said, I'm pretty new to this so I'm not sure what "Did you chmod the template files to 777" means.
This is what my header template looks like - again, I don't know a lot about coding, but I'm trying to learn.
<html>
<head>
<title>$LANG[FormSelect]</title>
$LANG[metatag]
<meta name="keywords" content="guestbook, php, script, mySQL, free, advance">
<style type="text/css">
<!--
.font1 { font-family: $VARS[font_face]; font-size: $VARS[tb_font_1]; color: $VARS[text_color] }
.font2 { font-family: $VARS[font_face]; font-size: $VARS[tb_font_2]; color: $VARS[text_color] }
.font3 { font-family: Arial, Helvetica, sans-serif; font-size: 7.5pt; color: $VARS[text_color]; font-weight: bold}
.select { font-family: $VARS[font_face]; font-size: 9pt}
.input { font-family: $VARS[font_face]; font-size: 9pt}
-->
</style>
<script language="JavaScript">
<!--
function gb_picture(Image,imgWidth,imgHeight) {
var border = 24;
var img = Image;
var features;
var w;
var h;
winWidth = (imgWidth<100) ? 100 : imgWidth+border;
winHeight = (imgHeight<100) ? 100 : imgHeight+border;
if (imgWidth+border > screen.width) {
winWidth = screen.width-10;
w = (screen.width - winWidth)/2;
features = "scrollbars=yes";
} else {
w = (screen.width - (imgWidth+border))/2;
}
if (imgHeight+border > screen.height) {
winHeight = screen.height-60;
h = 0;
features = "scrollbars=yes";
} else {
h = (screen.height - (imgHeight+border))/2 - 20;
}
winName = (img.indexOf("t_") == -1) ? img.substr(4,(img.length-8)) : img.substr(6,(img.length-10));
features = features+',toolbar=no,width='+winWidth+',height='+winHeight+',top='+h+',left='+w;
theURL = '$GB_PG[base_url]/picture.php?img='+Image;
popup = window.open(theURL,winName,features);
popup.focus();
}
//-->
</script>
</head>
<body bgcolor="$VARS[pbgcolor]" link="$VARS[link_color]" vlink="$VARS[link_color]">
Thanks!!!
Pamela
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
26/10/2004 18:04:30
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Sorry, my mistake. They have edited a post via the admin area. The exploit for the guestbook does not work on your site though, so I am curious as to how they got in. Anyway, you can delete the post that got edited to fix the problem, then change your password. Or if you wish, email me the login details and I will deal with it. My email is on my site.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
26/10/2004 18:06:43
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Chmod is changing file permissions. Here is a post explaining it, you might want to read later:
http://proxy2.de/forum/viewtopic.php?t=3520
This post explains how to change permissions from the CPanel:
http://proxy2.de/forum/viewtopic.php?t=3654 (second from last post)
I don't think any of that will help you get rid of the hack. You need to find the offense and delete it... either from one of the template files or the Easy Admin Panel. If you email the login, I could try to find it for you.
|
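Added example (not part of the original posts or of the guestbook's own code): a shell check for the permission issue raised in this thread, template files left at 777 on a shared server where other accounts could then edit them. The directory passed in is an assumption about where the template files live.

```shell
#!/bin/sh
# Added example: audit a guestbook template directory for world-writable
# entries (e.g. mode 777 or 666). The directory layout is an assumption.

# List files and directories that any account on the server may write to.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Remove the group/other write bits only; the owner's bits are untouched,
# so 777 becomes 755 and 666 becomes 644.
tighten() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod go-w "$path"
    done
}

# Return 0 when nothing under the directory is world-writable.
audit() {
    [ -z "$(list_world_writable "$1")" ]
}

# Stand-alone use: pass the template directory as the first argument.
if [ -n "${1:-}" ]; then
    if audit "$1"; then
        echo "OK: nothing under $1 is world-writable"
    else
        echo "World-writable entries under $1:"
        list_world_writable "$1"
    fi
fi
```

This only covers edits made through the file system; content changed through the guestbook's admin area or database is not visible to it.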
|
26/10/2004 19:09:36
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
Carbonize wrote: Sorry, my mistake. They have edited a post via the admin area. The exploit for the guestbook does not work on your site though, so I am curious as to how they got in. Anyway, you can delete the post that got edited to fix the problem, then change your password. Or if you wish, email me the login details and I will deal with it. My email is on my site.
Carbonize - you are a genius!!! I went in through my phpMyAdmin page - checked the latest entry - and sure enough - that was the problem!!! So I deleted it, and I'm back up and running. Thank you everyone!! And amber... I will read that post you suggested too.
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
26/10/2004 19:13:47
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Glad to have helped. You could have just as easily deleted the post using the admin section of the guestbook, but it was probably easier to identify the entry via phpMyAdmin.
I'm still curious as to how they gained access so, as I said, change your password.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
26/10/2004 19:36:13
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
Actually - that was the first place I went once I knew I still had access to my admin section. But the photo was showing up so huge even in there (like it was on the guestbook itself) that I couldn't get to the message to delete it. It was in message 94 or 95 - and the photo covered everything down to message 80.
And since this happened, I have upgraded to the newer version of the guestbook AND changed my password!
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
26/10/2004 20:37:51
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
No problems with using the admin section after you upgraded? There is a known bug whereby you end up in a login loop when trying to use the admin section after upgrading from 2.2 to 2.3.1.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
26/10/2004 22:11:39
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
No problems. I am able to log in with no problem. Haven't done anything but delete the testing posts - but so far so good.
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
26/10/2004 22:24:19
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Glad to hear it. You may also want to use my image verification mod to prevent automated spamming of your guestbook. Not that I saw any.
Just a suggestion, why not edit the templates a little so that you could have the guestbook load in the iframe you use for the rest of the site?
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
27/10/2004 04:43:31
|
39 Reasons
Beginner
Joined: 23/06/2004 10:08:41
Messages: 10
Location: Los Angeles, CA
Offline
|
Carbonize wrote: Glad to hear it. You may also want to use my image verification mod to prevent automated spamming of your guestbook. Not that I saw any.
Where would I find that?
Carbonize wrote: Just a suggestion, why not edit the templates a little so that you could have the guestbook load in the iframe you use for the rest of the site?
Would love to..... but don't know how. And I don't want to bother anyone with it. I don't handle the majority of the site, only the extras (guestbook, e-mail, stats and CPanel maintenance) and our "webmaster" is still learning how to do this as well. There are other things I want to (eventually) figure out how to do - get rid of the "here you can leave your mark" note, replace the "GUESTBOOK" image with our logo, have that link return the viewer back to the main site, fun stuff like that. I know all those answers are on this forum somewhere, I just need to find the time to research them. Plus I need to figure out how to allow visitors to the site the option of signing up on our mailing list...... want to add an online journal for the guys in the band to post into... I could go on and on and on and on.... but I won't.
Just want to thank you all again for your help - don't know what I would have done without this forum.
|
No excuses.... just 39 Reasons
www.39reasons.com |
|
27/10/2004 09:46:57
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
www.carbonize.co.uk/verification.zip for the image verification. Most of the guestbook's text can be edited via the lang/english.php file. The HTML is to be found in the templates folder.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
28/10/2004 17:22:08
|
Anonymous
|
Hi guys,
Okay... so what if we've been hacked and we can't access our Admin?
Our passwords have been changed. How do we hack back in?
We can get into the control panel and php pages, but can't seem to get to anything that resembles the guest entries to be able to delete the damned hacker.
We're at http://grahamgreene.topcities.com/guestbook
Any tips?
Thanks... I hope.
Dusky.
|
|
|