I just got hacked (I think) please help...

Started by Richard_P_Harvey, June 22, 2011, 06:38:00 PM

Richard_P_Harvey

Running 1.1.11 (yes I know, upgrade) and today my server crashed very weirdly.  After a re-boot when I go to my forum it comes up looking normal but then most navigation within the forum makes my browser attempt to load the following URL:

http://wrxrmpmnon.cz.cc/go/1.......

There is more but it gets cut off in the status bar.  Any ideas....?  Thanks everyone.

Dzonny

Well, can you give us more information and link to your forum please?
Do you have all files on your server, and is your database still there?

Regards.

Richard_P_Harvey

I had to take the forum offline because it looks like they are using me as a host to take browsers to a bad place; I had Symantec complain about it once. The database looks to be intact and I have run error scans on it with no errors. All the files in the forum directory look right to me, nothing weird or missing.

Illori

Can you check if anything has been added to your index.php file?

Dzonny

Well, if everything works fine then I would contact the host provider and let them know what happened so they can investigate it further, and of course, I suggest you upgrade your forum to version 1.1.14 or 2.0 to avoid this kind of problem in the future.
Also it would be best if you changed all your passwords: FTP, database, and admin password as well.

All this is if you're sure that this was not made by you or other administrators on your server.
How do I make my forum safer against hacker attacks?

Richard_P_Harvey

Dzonny - I'm my own host, I have a very robust Dell server and host several commercial websites but this forum is my own, I have been running it this way now for 6 years.  I currently have the forum running in maintenance mode but since I'm an admin I can still get in.  Things are not working normally at all, as I navigate around the forum I can see that my browser is attempting to get to the URL listed in the OP above.

So I'm attempting to use package manager to upgrade to 1.1.14 but whatever hack was applied does not let that function work, it seems to attempt to download the upgrade but I end up with a blank screen and it goes nowhere.  I then attempted to upload the 1.1.14 upgrade package (zip) that I just downloaded and the forum errors saying that the package is not valid or is corrupt (I have seen this once before).

Not sure where to go from here....

Richard_P_Harvey

Got it fixed finally...... It was a hack that did some kind of invisible mod to the index.php file.  With the bad index.php active when I go to the forum I would see a tiny white block in the upper left of the screen (not normal), I did an "inspect element" with my browser to see the code on the page and that little block had a URL call in it to www.dmprudqfp.co.tv/?go=1 which was the offending code I'm thinking.  I examined each line of the index.php file with a PHP editor and could NOT find that URL anywhere.  Luckily I back up my forum each night so I swapped in the index.php from last night's backup and poof, problem gone.  I have now also upgraded to 1.1.14.  If anyone can share what took place here I would love to better understand this.
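
The recovery described in the post above, turned into a repeatable check (an added example, not part of the original post and not SMF's own code): it hashes every PHP file in the live forum directory against the nightly backup and, only in files that differ, flags decode-and-execute calls, one common reason a plain search for a URL finds nothing. That the injection in this thread was encoded is an assumption; the directory layout, file names other than index.php, and file contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Decode-and-execute calls: a heuristic only. Legitimate PHP uses these too,
# so they are checked only in files that differ from the backup.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def index_tree(root, exts=(".php",)):
    """Map relative path -> SHA-256 for every matching file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in exts}

def compare_trees(live, backup):
    """Classify files as modified, added or missing relative to the backup."""
    l, b = index_tree(live), index_tree(backup)
    return {"modified": sorted(k for k in l.keys() & b.keys() if l[k] != b[k]),
            "added": sorted(l.keys() - b.keys()),
            "missing": sorted(b.keys() - l.keys())}

def suspicious_lines(path, max_len=2000):
    """Return (line number, reason) for lines worth reading by hand."""
    hits = []
    for n, line in enumerate(Path(path).read_bytes().splitlines(), 1):
        if SUSPICIOUS.search(line):
            hits.append((n, "decode/execute call"))
        elif len(line) > max_len:  # code pushed far past the editor's right edge
            hits.append((n, "very long line"))
    return hits

def demo():
    """Run the check on a constructed forum tree and its constructed backup."""
    clean = b"<?php\nrequire_once('settings_stub.php');\n"
    # Constructed stand-in for an injected line; the payload decodes to "constructed".
    injected = clean + b"eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        for root, index_body in ((live, injected), (backup, clean)):
            root.mkdir()
            (root / "index.php").write_bytes(index_body)
            (root / "other.php").write_bytes(clean)
        (live / "cache.php").write_bytes(clean)  # file that is absent from the backup
        report = compare_trees(live, backup)
        hits = {f: suspicious_lines(live / f) for f in report["modified"] + report["added"]}
    return report, hits

if __name__ == "__main__":
    print(demo())
```

Files reported as added deserve the same attention as modified ones, since a restored index.php does not remove a script that was dropped elsewhere in the tree.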

Dzonny

Version 1.1.11 has some security issues that were fixed in versions 1.1.12, 1.1.13 and 1.1.14, and many of those issues are public, so that could be where someone found the hole.
We can't say exactly what happened before seeing some logs, but as I said, upgrading and changing passwords is a must in these situations.

P.S. You uploaded the large upgrade pack, right? And you ran upgrade.php? :)


Richard_P_Harvey

Upgrading to 1.1.14 was a major pain as I had to use package manager and go one version at a time, plus each step the compatibility check failed each time.  Having just copied the entire forum folder I decided to go ahead and upgrade anyway.  And yes I did download the large upgrade pack but like I said SMF did not like it.  In any event I'm now at 1.1.14 and everything seems to be working normally.  All admin passwords have been changed....thanks so much.
