https://proxy2.de/forum/posts/list/3.php JForum - http://www.jforum.net
My guestbook at:
[url]http://www.farbrortorsten.com/gastbok/[/url]
is hacked.

I still have my password and I can login to admin, but I cannot use the easy admin-page. When I try a black page with stupid text is shown for a while, then I get sent/redirected to www.cia.gov

HTML was and still is disabled.

Smilys were and are still on. All letters "e" is now shown as a vometing smily, and if change that in general settings a visit to my guestbook page will show the black page (mentioned above) instead of my brown page.

After the attack I upgraded to version 2.3.1 but these problems remains. HELP PLEASE!
]]> https://proxy2.de/forum/posts/preList/4254/14270.php https://proxy2.de/forum/posts/preList/4254/14270.php GMT
My guestbook at:
[url]http://www.farbrortorsten.com/gastbok/[/url]
is hacked.

I still have my password and I can login to admin, but I cannot use the easy admin-page. When I try a black page with stupid text is shown for a while, then I get sent/redirected to www.cia.gov

HTML was and still is disabled.

Smilys were and are still on. All letters "e" is now shown as a vometing smily, and if change that in general settings a visit to my guestbook page will show the black page (mentioned above) instead of my brown page.

After the attack I upgraded to version 2.3.1 but these problems remains. HELP PLEASE!
[/quote]

Immediately after you open up your easy admin page to remove their post, press the "ESC" key you may need to do it several times to stop any sequences that they have coaded in. Once you are sure that the redirect is stalled by the Esc key, then delete normally. Keep HTML Disabled first and foremost - and do a search on this forum for other spam protective measures. For example, I ended up including the words meta and script in my forbidden word section.

Good luck and let us know how it goes.]]> https://proxy2.de/forum/posts/preList/4254/14271.php https://proxy2.de/forum/posts/preList/4254/14271.php GMT
This screen shows how far I can come now:
[url]http://www.farbrortorsten.com/temp/gb.jpg[/url]
When I try to go to record number 102, 103 or 104 that black hacker page comes too quickly.


I'm afraid I need another trick!]]> https://proxy2.de/forum/posts/preList/4254/14272.php https://proxy2.de/forum/posts/preList/4254/14272.php GMT Make backups of your templates before that.
Re-upload original templates. Make modifications to the templates again.
Look at the stickies in the support forum on how to patch your gb.]]> https://proxy2.de/forum/posts/preList/4254/14273.php https://proxy2.de/forum/posts/preList/4254/14273.php GMT
Okay - the only other way to delete the post then is to go into your MySQL tables thru your Website's control panel (most use CPanel) -

You will need to open the SQL tables for the guestbook - Some call it "MySQL Databases" or "MySQL Tools" while others call it "phpMyAdmin" -

Look for the AGBook's tables to open then look inside that for "book_data"

Once you open up book_data, you may need to click on "Browse" to find the list of table entries for your guestbook - you should be able to delete that one particular entry from there.

Some hackers have found a workaround within 2.3.1 that allows them to insert javascript codes, meta tags and redirects... I won't explain how it is done, but suffice it to say, I've found that making certain words "forbidden" helps. for example, they used the smilies to enforce a redirect on your guestbook [code] height="15">nt="10;URL=http://www.cia.gov">[/code]

Good luck - and let us know if you need more help.]]> https://proxy2.de/forum/posts/preList/4254/14274.php https://proxy2.de/forum/posts/preList/4254/14274.php GMT
EDIT - Oh I see somebody made it so that the puke face was posted wherever there was an e.]]> https://proxy2.de/forum/posts/preList/4254/14276.php https://proxy2.de/forum/posts/preList/4254/14276.php GMT
Okay - the only other way to delete the post then is to go into your MySQL tables thru your Website's control panel (most use CPanel) -

You will need to open the SQL tables for the guestbook - Some call it "MySQL Databases" or "MySQL Tools" while others call it "phpMyAdmin" -

Look for the AGBook's tables to open then look inside that for "book_data"

Once you open up book_data, you may need to click on "Browse" to find the list of table entries for your guestbook - you should be able to delete that one particular entry from there.

Some hackers have found a workaround within 2.3.1 that allows them to insert javascript codes, meta tags and redirects... I won't explain how it is done, but suffice it to say, I've found that making certain words "forbidden" helps. for example, they used the smilies to enforce a redirect on your guestbook [code] height="15">nt="10;URL=http://www.cia.gov">[/code]

Good luck - and let us know if you need more help.[/quote]

reuploading files doesn't matter since all the entries are stored in the db.
its just a case of fixing the smilie tags/whatever, and removing the offending entry/ies.]]> https://proxy2.de/forum/posts/preList/4254/14285.php https://proxy2.de/forum/posts/preList/4254/14285.php GMT https://proxy2.de/forum/posts/preList/4254/14286.php https://proxy2.de/forum/posts/preList/4254/14286.php GMT Thank you so much, especially ET! You outclassed the tech support of the company that hosts my site (they couldn't help me much)!

I removed the crap through that phpMyAdmin thingy, and now my guestbook looks good.

By some reason I had to remove the message (the previous record number 102), written by myself, to get back the normal look of the guestbook. But since they could changed so the puke smily appeared by the letter "e" maybe they can mess with the last input/record as well.

I thought I already before the hacker attack had some good curse words to stop bad code, but I now have improved that list.

Thanks again!


[url]http://www.FarbrorTorsten.com/english.htm[/url]]]> https://proxy2.de/forum/posts/preList/4254/14287.php https://proxy2.de/forum/posts/preList/4254/14287.php GMT reuploading files doesn't matter since all the entries are stored in the db.
its just a case of fixing the smilie tags/whatever, and removing the offending entry/ies.[/quote]

Auron - help me with the thinking here - how does loading the templates, etc, change the smilie tags and remove the offending entry? If I don't understand the thinking behind this, others may not understand it either....]]> https://proxy2.de/forum/posts/preList/4254/14288.php https://proxy2.de/forum/posts/preList/4254/14288.php GMT By some reason I had to remove the message (the previous record number 102), written by myself, to get back the normal look of the guestbook. But since they could changed so the puke smily appeared by the letter "e" maybe they can mess with the last input/record as well.
[/quote]

Now that is interesting!!! Maybe chmod your templates files/dir back to 644 (rw-r--r--) for added security? I haven't seen them actually mess up other entries like that before.

Anyways, glad you were able to fix the problem.]]> https://proxy2.de/forum/posts/preList/4254/14289.php https://proxy2.de/forum/posts/preList/4254/14289.php GMT https://proxy2.de/forum/posts/preList/4254/14290.php https://proxy2.de/forum/posts/preList/4254/14290.php GMT reuploading files doesn't matter since all the entries are stored in the db.
its just a case of fixing the smilie tags/whatever, and removing the offending entry/ies.[/quote]

Auron - help me with the thinking here - how does loading the templates, etc, change the smilie tags and remove the offending entry? If I don't understand the thinking behind this, others may not understand it either....[/quote]

one of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.]]> https://proxy2.de/forum/posts/preList/4254/14292.php https://proxy2.de/forum/posts/preList/4254/14292.php GMT one of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.[/quote]

Thanks for helping me understand better. Appreciated ]]> https://proxy2.de/forum/posts/preList/4254/14294.php https://proxy2.de/forum/posts/preList/4254/14294.php GMT one of the exploits of gb 2.3.1 was that they could access other files on the server, for example change some of the gb files like config.php etc.[/quote]

Thanks for helping me understand better. Appreciated [/quote]

np, the thread where carb talked about is around here.
maybe in the stickies? not sure though.]]> https://proxy2.de/forum/posts/preList/4254/14296.php https://proxy2.de/forum/posts/preList/4254/14296.php GMT https://proxy2.de/forum/posts/preList/4254/14307.php https://proxy2.de/forum/posts/preList/4254/14307.php GMT
hmmmmm.... maybe your server is set up a little differently than mine? Once I'm inside the admin section on the templates page, pages can be edited from admin if CHMOD is 777 OR 666 - so that was why I recommended to Torsten that the files CHMOD be 644 for his pages. But at this point, we don't know whether the hacker had access to his 2.3.1 version Admin or not.... Maybe we'll find out at a later time....]]> https://proxy2.de/forum/posts/preList/4254/14309.php https://proxy2.de/forum/posts/preList/4254/14309.php GMT
I looked in my file manager and all files in my guestbook drawer have the chmod 644, and the files have probably had that all the time. In easy admin I cannot change the templates (getting warnings), so I downloaded some of them to my computer with my ftp program so I could patch and redesign a little.

Wonder what, if anything, the hacker can do now?]]> https://proxy2.de/forum/posts/preList/4254/14310.php https://proxy2.de/forum/posts/preList/4254/14310.php GMT Edit your config.inc.php with your new password.
Put a .htaccess password protection file in the admin folder.

The Hackers are Editing the Database not the Guestbook.
If you have not yet been hacked then
Put a .htaccess password protection file in the admin folder

This stops the hackers reading the config.inc.php file to get your dbs username and password.
Just Deleting the entry and turning the smileys, html and other codes of will not stop the hackers.
I know I have had my guestbook hacked 7 times. (the same guestbook)
Also notice that when you remove the hacked entry you will lose your last valid guestbook entry as the hackers just overwrite the last entry in your guestbook.]]> https://proxy2.de/forum/posts/preList/4254/14314.php https://proxy2.de/forum/posts/preList/4254/14314.php GMT https://proxy2.de/forum/posts/preList/4254/14315.php https://proxy2.de/forum/posts/preList/4254/14315.php GMT I run myself (well I lost count) but a lot of sites and most of them use the Advanced Guestbook script.
Apart from the hakers it's the best guestbook script on the net.
but locking the admin folder with a .htaccess works a treat.
I am guessing that they are using something in there to send there stupid html to the databse or using some sort of script to fool the server.]]> https://proxy2.de/forum/posts/preList/4254/14325.php https://proxy2.de/forum/posts/preList/4254/14325.php GMT https://proxy2.de/forum/posts/preList/4254/14332.php https://proxy2.de/forum/posts/preList/4254/14332.php GMT

Thanks for the help everybody!
Goodnight!]]> https://proxy2.de/forum/posts/preList/4254/14337.php https://proxy2.de/forum/posts/preList/4254/14337.php GMT https://proxy2.de/forum/posts/preList/4254/14338.php https://proxy2.de/forum/posts/preList/4254/14338.php GMT