Evening folks,

I had the joy of finding my website hacked this evening. In place of the VBulletin main page was some graphic 'propaganda' about the conflict in Gaza.

My website has now been updated to version 3.8.0 however it appears the problem is with the database. Every time I use the old database the content returns.

Since the site is close to 2 years old, I'd love to be able to keep the database intact.

So my question is, can the database be rescued? If so, how do I do it?

Also, I believe you can change the address of the admin login section. Can anyone offer advice on how I can do it so that the admin area is more secure?

Any questions, please ask.

Thanks.

I'm unable to determine where the content is located/stored.

Most likely you can restore the database but I can't tell you because you haven't really explained the problem fully. Think of it as explaining a picture to a man whose never had eyes, every detail counts!

I deleted all the content relating directly to VBulletin and completed a fresh installation of the program (3.8.0).

I then set up a new database which works flawlessly. I tried to restore the old database, which; when triggered in 3.8.0 brings up the hacked front page (previously on 3.7.X).

To me, it looks like the hacked 'code' is in the .sql but I've no idea where to start with cleaning it. The administrator accounts were also disabled meaning I couldn't get in and fix it that way.

Have you checked your templates and plugins?

My password was changed so there was no way I could get into the admin panel to do all of that.

It's a clean installation of 3.8.0 with no plugins. If I revert to the old database (that I want to keep) it will show the hacked frontpage. It seems to be the database that's the problem but I've no idea how to go about fixing it - or if it can be fixed.

You can't get into your admin panel? Have you used tools.php to give admin permission to a newly created user so you can get back in?

Let me start again (Lol).

My site got hacked. I couldn't get into the VBulletin control panel at that time.

I went into my webhosting package and took control that way. Ended up deleting all the content and starting from scratch.

A fresh installation of 3.8.0 was completed. A new database created.

Once everything was running, I went back in and tried to revert 3.8.0 (previously running 3.7.8) to the old database. The result was a clean version of 3.8.0 with the hacked front page.

I could not get into the admin panel when the site was hacked, but can now. The fact that 3.8.0 shows the hacked page on the old database makes me think the code is inside the database and not directly in VBulletin. I'm trying to establish if I can save the database because there's alot of content in it.

Also, I'm trying to find out if I can change the address of the admin login to a 'custom' one for added security i.e. NOT admincp/index.php.

Hope that's a bit clearer.

:)

The login system for vbulletin is pretty secure. If you're worried I'd recommend setting a harder password (10 characters, letters + numbers, NOT A WORD). It would be almost impossible to crack.

I'm assuming the code for the images is located in one of your templates, have you tried creating a new style, do the images appear on that style as well?

I'm using the default layout, always have.

As I say though, I reinstalled everything and yet the images still appear when I use the old database.

How about if you turn off all your plugins via config.php and if you also use a default vb style. Do you still get the hacked front page?

Create a new style with no parent - Styles & Templates > Style Manager > Add New Style > no parent - then browse the site using that totally default vbulletin style - do you still have the same problem?

If it is still happening, then try disabling your plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit config.php and add this line right under <?php

define('DISABLE_HOOKS', true);

No joy,

Another web address very quickly flashes up, possibly forwarding?

--------------- Added 1231718207 at 1231718207 ---------------

Okay,

They've changed my username, password and email address. Any way to recover/change them?

You can't get into your admin panel? Have you used tools.php to give admin permission to a newly created user so you can get back in?

Try this, however if they managed to get back into your account you probably have some other issues at hand.
Pointless trying to revert your forums while others are inside. Make sure you clear out all files in your server that you don't recognize, change your ftp password and database password. Possibility is they are getting access from somewhere else.

Apologies for being such a newbie, where do I find tools.php?

When you download vbulletin from vb.com theres a folder called do_not_upload, it's in there.

If you have completely new files and your plugins disabled through the config.php file, and a completely new default style, then you may want to put in a support ticket over at vb.com.

Check your vboptions, site url/title and meta data. I think you will find the url to the badguy site is attached to one of these settings. If it is, you just need to go to your database and edit that field to remove the bogus code. This is a technique that site defacers use all the time.

Forgot, you can remove that hack in vboptions too...

Thanks for the help guys,

Tools.php helped once I got hold of a friends account details. The site is back.

The only problem I appear to have is another admin was deleted meaning all his posts have effectively been turned to guest posts. Any way to restore this?

Thanks again.

Restore the admin account with the same user ID and things should be back to normal.

Again,

A newbie response. Where/how do I do that?

(sorry!)