Forum hacked? - redirections from google search results

Started by cat11, October 22, 2009, 11:20:46 AM

Caelum

The antivir & antispyware programs I linked to are meant to be used on your pc, not on your server.

Try them out though, if they don't detect anything, it likely isn't your pc.

Also, it's possible that when downloading those 20 antiviruses, you downloaded some fake/infected antivirus software as well.

cat11

No, I'm not infected (thank God!) because redirections happen only when I enter my forum. I've checked it from another computer in a different city and it was redirected from my forum too. That makes me sure that the problem is only with my forum.

P.S.
I've scanned with Malwarebytes, Kaspersky AV and a few others...

Aleksi "Lex" Kilpinen

Quote from: [SAP]Francis on October 24, 2009, 08:33:52 AM
Trust me, you are infected. I have had the same problem with this. You are being redirected to pages that would look like unsold domains or just alternative fake search engines would you?

Trust me - you really can't know that, and cat11 says to have done multiple scans already.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Caelum

Using any mods you got from elsewhere than simplemachines.org?

Either way, this might help.

Note: read through it first and be sure to actually know what it all means. If you don't understand or know something, I can clarify it for ya.

1. Disable all your mods
2. Backup your forum database
3. Remove the folder of the forum that's being redirected (eg public_html/blablabla/forum, for instance; the /forum folder - or whatever you named it - aka main SMF install folder should be deleted)
4. Redo the full install found at http://download.simplemachines.org/
5. Run said install with the same database as the forum you deleted, as well as the same install path, but with a different prefix
6. Install with same settings you originally installed with (mainly characterset, you should know this before doing anything)
7. Upload & run repair settings, found at http://download.simplemachines.org/?tools
8. Using repair settings, change the database prefix to the prefix your database had before you did any of the above.
9. Delete repair_settings.php again
10. Is it working now?
11. Reinstall all mods
12. Still working?

Aleksi "Lex" Kilpinen

No need to do a clean install, and following your advice all attachments, avatars, settings files etc would be lost as well.
Best course of action to clean an SMF install, is to do the large upgrade. ( Even though you'd be running the latest version already, the large upgrade should not do any harm, but would uninstall all modifications done to the default files. )

Caelum

Oooh, LexArma has a point, my mistake.

Listen to the above, the weird pistol simpson avatar guy knows the way :P

Aleksi "Lex" Kilpinen

The one thing that doing a large upgrade would not clean though, and your way would - is all the files that are not part of the default install. So if you decide to go through the large upgrade, then it would be best to also manually compare the contents of your server, to the contents of a fresh installation package - and see if you have files there that are not supposed to be there.

cat11


Hmm thnx for your help guys  ;)

Caelum - No I don't use any mods that are not from simplemachines.org

LexArma - the problem is that I've already done the large upgrade. I thought that helped, but it didn't, or it was only temporary (I don't know, because redirections don't occur on every attempt; sometimes I'm not redirected and an hour later I am). The conclusion is that it didn't help or someone has infected my forum again pretty quickly (all passwords were changed, even deleted from my FTP client to avoid the possibility that someone hacked my PC and found the password).

Aleksi "Lex" Kilpinen

After the upgrade, did you make sure nothing was left on your server that wasn't supposed to be there?
Have you asked your host about this? They might be able to help you find the cause of this problem.

Kenny01


cat11

Yes I did, I've asked if anyone broke into my account or connected to it in any other way. They haven't responded yet, maybe they are still searching? I'll try to call them tomorrow because they are not by the phone at these hours.

No, I didn't check if there was something else, because I was told that if I overwrite all files (with the large upgrade) it will be OK.

Kenny01

Find a new host, a good host should respond under 10 to 15 minutes in a hacking case.

IchBin™

You should post a link so we can see how the redirect is happening. It's likely that someone will be able to see where the redirect is happening.
IchBin™        TinyPortal

cat11

Maybe I should but they helped me a lot in the past so I'll forgive them once.

My forum address is www.forum.4kolka.pl. You can (probably; if not, try searching Google.pl) find it on Google by typing the keyword "auto forum".


Aleksi "Lex" Kilpinen

It can be a DNS issue, that only your host can resolve - or it can be your server compromised, in which case you should scan the server if you have any antivirus installed on it, or again contact your host to do this.
It would also be recommended to scan through your files manually, to see if there are any files there that are not supposed to be there. ( ie. compare your server contents to a clean installation. )

cat11

ok I'll try to check files and compare it. I'll also call host today and see what they'll tell me.

cat11

I have a few more files than in the large upgrade, but maybe they are normal?

In attachments folder is a file "6_c52b03bc7c348dbf6d880ea99c903187b8ddf2b0" and another with similar long name + 3 or 4 png files.

In Sources folder I have 100 files instead of 65 in large upgrade. I don't know which of these should be there.

There is also my theme folder and besides this nothing unusual.

Aleksi "Lex" Kilpinen

The attachment files sound normal, the theme folders - only you can know what is supposed to be there (based on what themes you have installed), the sources folder should not have more files than what is included in the large upgrade or clean install package, UNLESS they are files ending with ~, and if they are, they are normal backup files made by SMF.
In which case you can still delete them.

cat11

So it looks OK, there are plenty of files ending with ~ and a few more without ~, but their names suggest that they were installed by the AEVAC modification.

My host is analysing log files and they told me it'll take some time (the SMF forum is not the only site on my account); they should contact me in about an hour.
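
The comparison against a clean package that Lex recommends above can be scripted instead of done by eye. This is an added example, not part of the original thread or of SMF: the function names and the skipped directories (`attachments`, `cache`) are assumptions, and the demo trees are constructed sample data.

```python
import hashlib
import os
import sys
import tempfile

# Assumption: upload/cache directories that a clean package does not populate.
SKIP_DIRS = {"attachments", "cache"}
def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_install(live_root, clean_root):
    """Classify files of the live forum against the unpacked clean package."""
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    report = {"extra": [], "backup": [], "modified": []}
    for rel in sorted(live):
        if rel not in clean:
            # Names ending in ~ are the backup copies described in the thread.
            report["backup" if rel.endswith("~") else "extra"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
    return report

def build_demo_trees():
    """Constructed sample trees (not real SMF files) so the script runs as-is."""
    base = tempfile.mkdtemp()
    files = {
        "clean/index.php": "stock", "clean/Sources/Load.php": "stock",
        "live/index.php": "stock", "live/Sources/Load.php": "edited",
        "live/Sources/Load.php~": "stock", "live/Sources/unknown.php": "?",
        "live/attachments/6_sample": "png",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "live"), os.path.join(base, "clean")

if __name__ == "__main__":
    live_dir, clean_dir = sys.argv[1:3] if len(sys.argv) > 2 else build_demo_trees()
    print(compare_install(live_dir, clean_dir))
```

Files added by mods land in `extra` and files edited by mods land in `modified`, so each entry has to be matched to a package that was actually installed before it is treated as expected.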