Someone Hack My Site


balance12
09-16-2008, 12:57 AM
Hello, I have a problem: someone is putting an index.html in my FTP with the image of "owned". I changed the FTP user and pass... but still, I delete the file and in a few seconds it is there again. I closed my forum and I am waiting to see if with this it doesn't happen again..

Any Solution????

Brandon Sheley
09-16-2008, 12:59 AM
Have you checked your access logs?

balance12
09-16-2008, 01:02 AM
I think it's a script in a post... but I checked the last post and nothing strange

Brother Malachi
09-16-2008, 01:50 AM
Disable your forums, then try deleting it.

balance12
09-16-2008, 01:52 AM
I have deleted the last post and now it's OK. But I am sure that the code is somewhere.. how can I find it?

Brandon Sheley
09-16-2008, 01:57 AM
did you check your access logs..............................?

cuz apparently you missed the question in the 2nd post? :(

balance12
09-16-2008, 02:00 AM
I am a bit nervous, so sorry for my questions. Where are the access logs?

--------------- Added 1221535394 at 1221535394 ---------------

I found it.. but it tells me that they are not available... like they weren't activated... ++++

vBsquad
09-16-2008, 07:08 AM
Have you checked CHMOD permissions on the relevant installation directory?

balance12
09-16-2008, 11:05 AM
Since I deleted all the last posts, no more "Owned" index.html appears. I changed the CHMOD permission on the forum directory, I took out the write permission, is that OK???

--------------- Added 1221570961 at 1221570961 ---------------

I found the site that does this. They are from my country, Argentina, and they play at who is the best at defacing sites... They make an injection.... but now how do I know that they aren't going to do it again..

vBsquad
09-16-2008, 05:42 PM
Are you saying that they did an SQL injection?

Lynne
09-16-2008, 05:59 PM
There is a thread about this over on vb.com - http://www.vbulletin.com/forum/showthread.php?t=284970&highlight=base64 It's from a modification you have installed, but the thread never says which modification it was.

snakes1100
09-16-2008, 07:05 PM
Turn off "Allow HTML" in the forum manager as well as the bbcode and any other place you have it set to On.

balance12
09-16-2008, 11:42 PM
Recently they changed the permission of the FTP, and other things. But I found the phpShell that they inserted. It was called confi2.php, in MODULES it was... I deleted it.. Even the antivirus told me that it was malicious code.... but how the hell did they insert that..

vBsquad
09-17-2008, 12:07 PM
With PHPShell, depending on the server configuration it can be very easy indeed to exploit your entire site. However for the hacker to have uploaded the PHPShell script in the first place requires a permission issue somewhere.

balance12
09-18-2008, 01:04 AM
They inserted a "c99". I scanned my site and they put 5 of them. Now it is clean. But I need to know what to do to not let them do this. I changed my admin pass, my FTP pass....

vBsquad
09-18-2008, 10:33 AM
You need to check the CHMOD permissions for all your directories and check for any vulnerable scripts. More than likely they didn't use your login details to do this.

balance12
09-18-2008, 11:09 AM
Thanks for the answer. I deleted the last mods, but I will have to check the rest for vulnerabilities. I have a question: when you refer to CHMOD.... what should they be.... I mean, all read, but the ones where you upload things, write?
Thanks again

vBsquad
09-18-2008, 11:12 AM
This very much depends on your setup. You should start by focusing on the directories which were exploited.

snakes1100
09-18-2008, 11:34 AM
Even though a directory/file is set to 777, it does not mean it's vulnerable to hacking. 755 is fine for all directories to function correctly, and files can be set to 644. 644 can cause issues sometimes when running Apache/PHP as a CGI, though, when the ownership is set incorrectly.

Lynne
09-18-2008, 02:31 PM
> 755 is fine for all directories to function correctly,....

Except!!!! The following directories need to be chmod 777:
/customprofilepics
/customavatars
/signaturepics
/clientscript/vbulletin_css

And the folder where your attachments are located if they are in the filesystem.

(I think that list is correct.)

snakes1100
09-18-2008, 02:37 PM
I wasn't speaking for any specific dirs that require 777 to allow uploads.

I was speaking in general, 755 is good for all directories under normal circumstances.

Lynne
09-18-2008, 02:56 PM
> I wasn't speaking for any specific dirs that require 777 to allow uploads.
>
> I was speaking in general, 755 is good for all directories under normal circumstances.

*I* know what you meant. But I worry about some users who just see a statement like that and don't read what the thread is about and then blindly go change all their directories to 755 and then come post Plz Hlp!!! :)
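
The permission guidance in the posts above (755 for directories, 644 for files, 777 only for the listed upload directories) turned into a check; this is an added example, not part of the original thread. The demo tree, its file names and the list of script extensions are constructed assumptions.

```python
import os
import stat
import tempfile

# Upload directories named in the thread (relative to the forum root).
UPLOAD_DIRS = ("customprofilepics", "customavatars", "signaturepics",
               "clientscript/vbulletin_css")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl")  # assumed list

def audit(root):
    """Return sorted (finding, relative_path) tuples for the tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_upload = any(rel_dir == u or rel_dir.startswith(u + "/")
                        for u in UPLOAD_DIRS)
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        # 777 outside the upload directories is broader than the thread's 755.
        if dmode & stat.S_IWOTH and not in_upload:
            findings.append(("world-writable-dir", rel_dir))
        for name in files:
            rel = name if rel_dir == "." else rel_dir + "/" + name
            fmode = stat.S_IMODE(os.lstat(os.path.join(dirpath, name)).st_mode)
            # Upload directories should hold images/CSS, never executable scripts.
            if in_upload and name.lower().endswith(SCRIPT_EXT):
                findings.append(("script-in-upload-dir", rel))
            elif fmode & stat.S_IWOTH:
                findings.append(("world-writable-file", rel))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample layout, not taken from the poster's server."""
    root = tempfile.mkdtemp()
    layout = {  # relative dir -> (dir mode, {file name: file mode})
        "customavatars": (0o777, {"avatar1.gif": 0o644, "img.php": 0o644}),
        "modules": (0o777, {"mod.php": 0o644}),
        "includes": (0o755, {"config.php": 0o666}),
    }
    for rel, (dmode, files) in layout.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        for name, fmode in files.items():
            fpath = os.path.join(path, name)
            open(fpath, "w").close()
            os.chmod(fpath, fmode)
        os.chmod(path, dmode)
    return root

if __name__ == "__main__":
    for finding, path in audit(build_demo_tree()):
        print(f"{finding:22} {path}")
```

A script file inside an upload directory is reported regardless of its mode, because those directories are writable by the web server by design.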

balance12
09-19-2008, 01:18 AM
Thanks, both of you.... I changed some permissions. But 5 minutes ago they re-uploaded two "c99", but now with different names... one in modules and the other in a vbseo folder... they have my site for their fun =( ...... I think I should take out all the mods..... no?

Lynne
09-19-2008, 02:30 AM
Have you talked to your host about this at all? Perhaps it is a problem with their security, not yours. I just reread this thread and I don't think you ever said whether you looked through your access_logs. You asked where they were, which leads me to think No and also makes me think that you may need some help from your host in finding out how these guys are getting into your files.

Angel-Wings
09-19-2008, 06:09 AM
> Except!!!! The following directories need to be chmod 777:
> /customprofilepics
> /customavatars
> /signaturepics

If I may add - only if the options in AdminCP are set. :) When the permission for members to upload pictures for avatars / signatures / profiles is disabled, or they are stored in the database, these directories can be set to 555 without any problems.

About the problem:

Reinstall everything, deleting ALL old files. You may have deleted 5 shells, but can you be sure your files are clean?
Like a "hacked" server - save everything for analysis, doing a complete clean reinstall by downloading all files again from the trusted source, not your local backups.

That's the only safe way - depending on how much the hacker(s) level was, additional files have been infected - better safe than sorry

balance12
09-19-2008, 11:53 AM
Thanks for all the answers. I think I don't have any other choice than a fresh new re-install. But I don't know how to do it. I mean, should I uninstall all the mods, delete the files and put new ones? Or should I delete all the files and install a new version (I hope 3.8.0)? Please, I know it's annoying to someone that knows. But I never had these problems and I don't want to do something wrong...... can you explain to me how to do it?? Like if I were a kindergarten boy jeje

Lynne
09-19-2008, 03:19 PM
If you want to do a fresh install, follow Angel-Wings' instructions.

But, I'll say it again (and I'll shut up and not say it again).... you need to talk to your host or view your log files to find out how they are getting onto your server. If you don't find this out, your problem will probably persist.
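
The access-log check asked for repeatedly in this thread, as an added example that is not part of the original posts: it finds the clients that requested a known shell file (here `confi2.php`, the name reported above) and lists what they requested before first touching it, which is where the upload route usually shows up. The log lines are constructed, the IPs come from documentation ranges, and `example_mod/upload.php` is a hypothetical path.

```python
import re
from datetime import datetime

# Apache common/combined log: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines, not taken from the poster's server.
SAMPLE_LOG = """\
198.51.100.20 - - [18/Sep/2008:21:40:02 -0300] "GET /forum/index.php HTTP/1.1" 200 18233
203.0.113.7 - - [18/Sep/2008:21:58:11 -0300] "GET /forum/showthread.php?t=15 HTTP/1.1" 200 20110
203.0.113.7 - - [18/Sep/2008:22:01:45 -0300] "POST /forum/modules/example_mod/upload.php HTTP/1.1" 200 312
203.0.113.7 - - [18/Sep/2008:22:02:03 -0300] "GET /forum/modules/confi2.php HTTP/1.1" 200 9544
203.0.113.7 - - [18/Sep/2008:22:02:30 -0300] "POST /forum/modules/confi2.php HTTP/1.1" 200 10022
198.51.100.20 - - [18/Sep/2008:22:03:00 -0300] "POST /forum/newreply.php HTTP/1.1" 200 950
""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def trace(lines, shell_names):
    """Return (suspect IPs, their requests made before first touching a shell)."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    first_hit = {}
    for r in recs:
        if r["path"].rsplit("/", 1)[-1] in shell_names:
            first_hit.setdefault(r["ip"], r["ts"])
    before = [r for r in recs
              if r["ip"] in first_hit and r["ts"] < first_hit[r["ip"]]]
    return set(first_hit), before

def candidate_entry_points(lines, shell_names):
    """Successful POSTs from suspect IPs before their first shell request."""
    _, before = trace(lines, shell_names)
    return [r["path"] for r in before
            if r["method"] == "POST" and r["status"].startswith("2")]

if __name__ == "__main__":
    ips, _ = trace(SAMPLE_LOG, {"confi2.php"})
    print("suspect clients:", sorted(ips))
    print("check these scripts:", candidate_entry_points(SAMPLE_LOG, {"confi2.php"}))
```

If the host has logging disabled, as reported earlier in the thread, there is nothing to feed this; the logs have to be enabled or obtained from the host first.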

Hitterman
09-19-2008, 04:11 PM
Use .htaccess restrictions

balance12
09-19-2008, 06:21 PM
> Use .htaccess restrictions

Give me more info please....

--------------- Added 1221877829 at 1221877829 ---------------

I changed permissions, and now in the user profile you don't have the tabs to move between options like (Statistics, Friends, Infractions); now they appear one under the other.. like in a list... very ugly....