Hacked - any help?

Hi. My guestbook wsa hacked, something about Popo and a black screen. I looked around in PHPMyAdmin and could find it. I brought up admin.php and got the right screen but couldn't get into the 'easy admin' to delete any posts (black screen again). I did delete some in PHPMyAdmin. But I changed the userID and password to test and 123 and now I can't get into then admin at all. Argh!

Now I have two problems. Can't get into admin and still need to fix the hack! Can someone please help?

http://www.obsessed-with-music.com/koobtseug/

Thank you so much...

stevendude

Well you appear to have patched against the 2.2 logiin exploit and have HTML disabled so al I can assume is they got access some other way. When you say you cannot access the admin what do you mean? The link for the admin is http://www.obsessed-with-music.com/koobtseug/admin.php and if they have changed the username and password then goto www.carbonize.co.uk/AG and download the password reset script.

Thank you. I did already know the URL for the admin. I get the login screen when I go there. I came to this message board yesterday and looked at some previous messages to try to figure this out. I went into PHPMyAdmin and ran a SQL statement that was supposed to reset the userid/password to test/123. But I can not get in using that.

This is what is in book_auth:
1 test 773359240eb9a1d9 7d8b85294e2e060b83f596a4fc5561ce 20051015110401

I assume that password equates to 123. But when I use test and 123 it doesn't let me in.

Thanks for your help. What to try next?

stevendude

As I said goto www.carbonize.co.uk/AG and download the reset script.

OK, thanks, I did as you suggested. I downloaded and ran the script at www.carbonize.co.uk/AG. I cut and pasted my database password in the config.inc.php file under $GB_DB["pass"], and I pasted the password into the field on the reset screen. When I clicked submit, I got: "Could not reset the username and password because: " and then nothing else.

What can I try next?

Thank you much for your time, I appreciate it.

stevendude

Go into phpMyAdmin and select the correct datatabse (if you have more than one). You should then have a lst of all the tables in that database in the left hand pane. Look for book_auth and click it. You should now see the structure of book_auth in the right hand pane. Click the browse tab. Now in the row marked password type your new password into the far right text box. The third coloumn is marked Function/ Select password on the password row. Whilst you are in this table type in a new username as well then click Go and that should be it.

Yes! Thank you! That did work, now I can get into the admin functions. I can click on every option but when I click on 'Easy Admin', I see the screen start to load and then it goes to the black screen with the hack. It is all black and says:

H4Cked By PoPo

BHS-Team

Please help once more,

Thanks,

stevendude

email me the admin login details and I will delete it. webmaster@carbonize.co.uk

Thanks. I just emailed the info to you. If possible can you let me know how you fixed it so in case it happens again I won't have to bother you. I really appreciate your time helping though.

Thank you...

stevendude

fixed

stevendude wrote:Thanks. I just emailed the info to you. If possible can you let me know how you fixed it so in case it happens again I won't have to bother you. I really appreciate your time helping though.

Thank you...

stevendude

It isnt hard. You just go into the database and delete it there.

I just got the delete url from the source code.

Thank you thank you thank you!!!

What is the best way to avoid this in the future? I don't want to lose any data.

Thanks,

stevendude

goto www.carbonize.co.uk/AG and download the 2.2 login exploit patch.