
Thread: I have been hijacked

  1. #1

    I have been hijacked

    I'm not sure where to post this, but I need some help and info; hopefully I can get it here. I woke up this morning to find my site hijacked.

    There is a video playing on every page of my site.

    The message is in text (sorry admin but you have no security on your site).

    It also says before the video (root@localhost- [~]# PrO SpY).

    I'm not sure what this is, how to safely remove it, or even where to find it or how to stop it from happening again.

    I'm not sure if this is a problem with the vshare script or a security problem on my server.

    Please, please,
    someone give me some helpful hints.
    host your site with www.imageleet.com, fast and friendly hosting at an affordable price.

  2. #2

    Re: I have been hijacked

    Did they edit your php files or just add their own index.php file?

    I always say: better safe than sorry. Check your db and uploads folder for your videos, then re-up the script, and export the DB and only reimport the uploads portion to retain your videos.

    Also check for any "extra" DBs you don't know; some drop a db in there... Also, please use the updated script to prevent an SQL injection in the future (see the groups fix) :wink:

  3. #3

    Re: I have been hijacked

    Quote Originally Posted by flexserve
    Did they edit your php files or just add their own index.php file?

    I always say: better safe than sorry. Check your db and uploads folder for your videos, then re-up the script, and export the DB and only reimport the uploads portion to retain your videos.

    Also check for any "extra" DBs you don't know; some drop a db in there... Also, please use the updated script to prevent an SQL injection in the future (see the groups fix) :wink:

    Looks like they have changed my advertisements, added their own, and even left me with his contact info, but I am not contacting he/she. I am so mad now, I may say something and he destroys my site.
    I have looked at the database. I had already installed the security patch put out by vshare weeks ago.
    In my admin panel under view advertisements, I see 3 entries there, as you can see below.

    --------------------------------------------------------------------------------
    ID  Advertise Name                       Status  Action
    1   banner_top                           Active  Edit | Active | Inactive
    2   HACKED BY PrO SpY [email protected]  Active  Edit | Active | Inactive
    3   HACKED BY PrO SpY [email protected]  Active  Edit | Active | Inactive
    4   HACKED BY PrO SpY [email protected]  Active  Edit | Active | Inactive


    thanks for your help, if you think of anything new let me know

  4. #4

    Re: I have been hijacked

    You should contact your web host immediately and tell them of the breach. Change your root password IMMEDIATELY if you are able to. If you have cPanel, update to the latest version. Do you still have root access, or did they change the password?

  5. #5

    Re: I have been hijacked

    Quote Originally Posted by mersh
    You should contact your web host immediately and tell them of the breach. Change your root password IMMEDIATELY if you are able to. If you have cPanel, update to the latest version. Do you still have root access, or did they change the password?

    Thanks guys, my hosting co has regained my control. Everything is fixed. Thanks for all your help.

  6. #6

    Re: I have been hijacked

    My problems are not over. This guy has been into every database and site I have; you guys may want to search your database to see if you are being hijacked. This is the entry that I searched for in my database (HACKED BY PrO SpY [email protected]); some of my databases have over 300 entries.

    I need help from admin. Please, admin.
    Here is one of my database searches:
    Search results for "HACKED BY PrO SpY [email protected]" at least one of the words:
    1 match(es) inside table adv
    0 match(es) inside table buddy_list
    0 match(es) inside table channel
    0 match(es) inside table comments
    2 match(es) inside table config
    0 match(es) inside table contact
    0 match(es) inside table disallow
    7 match(es) inside table emailinfo
    0 match(es) inside table favourite
    0 match(es) inside table feature_req
    0 match(es) inside table friends
    0 match(es) inside table group_mem
    0 match(es) inside table group_own
    0 match(es) inside table group_tps
    0 match(es) inside table group_tps_post
    0 match(es) inside table group_vdo
    0 match(es) inside table guest_info
    0 match(es) inside table inappro_req
    0 match(es) inside table last_5users
    0 match(es) inside table package
    0 match(es) inside table pages
    0 match(es) inside table playlist
    0 match(es) inside table pm
    0 match(es) inside table poll_question
    2 match(es) inside table process_queue
    0 match(es) inside table profile_comments
    0 match(es) inside table relation
    1 match(es) inside table sconfig
    0 match(es) inside table servers
    1 match(es) inside table signup
    0 match(es) inside table subscriber
    0 match(es) inside table tag_video
    0 match(es) inside table tags
    0 match(es) inside table uservote
    0 match(es) inside table verify_code
    3 match(es) inside table video
    0 match(es) inside table vote_result
    0 match(es) inside table words

  7. #7

    Re: I have been hijacked

    Seems this moron is getting around. I just googled "HACKED BY PrO SpY" and several URLs spring up.

    I tried a database search the same way you did and got the same "matches", but when I searched for it as "exact phrase", nothing showed up. I also tried a search by the email address alone, and still nothing. Try a more specific search in your database, such as just one of the words (like the email address) or by exact phrase.

    Seems this person targeted mostly blogs.
    If it's not fun, stop doing it!
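
The difference the last post describes, between an any-word search and an exact-phrase search for the defacement marker, as an added example that is not part of the original thread. It uses an in-memory SQLite database as a stand-in for the site's MySQL database; the table names come from the search output above, while the column names and rows are constructed, and matching each word as a case-insensitive substring is an assumption about how the any-word mode behaves.

```python
import sqlite3

MARKER = "HACKED BY PrO SpY"  # phrase quoted in the thread

def build_sample_db():
    """Constructed rows; only the table names come from the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE adv (id INTEGER, adv_name TEXT, adv_text TEXT);
        CREATE TABLE config (name TEXT, value TEXT);
        CREATE TABLE video (id INTEGER, title TEXT, description TEXT);
    """)
    db.executemany("INSERT INTO adv VALUES (?,?,?)", [
        (1, "banner_top", "<img src='banner.png'>"),
        (2, "HACKED BY PrO SpY", "defaced")])
    db.executemany("INSERT INTO config VALUES (?,?)", [
        ("site_name", "Videos by our users"),   # contains the word "by"
        ("approve_videos", "1"),                # "approve" contains "pro"
        ("admin_email", "admin@example.test")])
    db.executemany("INSERT INTO video VALUES (?,?,?)", [
        (1, "Stand by me cover", "live"), (2, "Cats", "funny")])
    return db

def table_columns(db):
    """Map each table name to its column names."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: [c[1] for c in db.execute(f'PRAGMA table_info("{t}")')]
            for t in tables}

def search(db, phrase, mode):
    """Count matching rows per table. mode is 'exact' or 'any'."""
    # 'exact' looks for the whole phrase; 'any' looks for each word separately.
    terms = [phrase] if mode == "exact" else phrase.split()
    hits = {}
    for table, cols in table_columns(db).items():
        # One LIKE clause per (column, term) pair, parameters in the same order.
        clauses = [f'"{c}" LIKE ?' for c in cols for _ in terms]
        params = [f"%{t}%" for _ in cols for t in terms]
        sql = f'SELECT COUNT(*) FROM "{table}" WHERE ' + " OR ".join(clauses)
        hits[table] = db.execute(sql, params).fetchone()[0]
    return hits

if __name__ == "__main__":
    db = build_sample_db()
    for mode in ("any", "exact"):
        print(mode, search(db, MARKER, mode))
```

In the constructed data, the any-word search counts ordinary rows in `config` and `video` that merely contain "by" or "pro", while the exact-phrase search counts only the altered advertisement row.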
