Hacked
Powlo
04-20-2009, 07:09 PM
How do I go about reporting a successful hacking attempt? Bearing in mind there were no addons at the time, and I have spoken to the hacker and he 'claims' that he has written a script that will allow him access to any 3.8 board.
Wired1
04-20-2009, 08:35 PM
Go to vBulletin.com and report it there. How / why are you in communication w/ the "hacker"? Is he attempting to get money out of you?
TigerC10
04-20-2009, 09:33 PM
Were you running the latest vB? And how did you "confirm" the hack?
Powlo
04-20-2009, 10:43 PM
He replaced my htaccess (amongst other things) to redirect to his website. So I signed up and asked them why they were hacking me. It's a German site so I didn't fully understand all their responses, but at least I got on talking terms with them and eventually they released my site.
Previous to that, no matter how many times I replaced the file system and database from various backup dates, they simply got overwritten.
He doesn't want anything from me but I'm not about to name him either, as it is obvious what actions he will take. He has told me that it is vBulletin that has been exploited and not any modifications.
I have some server logs but I'm not too clear on what I am looking for.
Lynne
04-20-2009, 11:17 PM
Ask your host for help.
It sounds to me like he has access to your server if he is replacing htaccess files. If so, your host will want to know about this and should help you figure out how they got in.
Wired1
04-21-2009, 12:26 AM
Agreed, it's not vBulletin. You need server access via CPanel or remote access or something to change the htaccess file. vBulletin has no access to it.
Powlo
04-21-2009, 09:51 AM
It seems from the logs that he gained access to my account then added or edited a plugin; which one I am unsure of because they are far from detailed (which is something vB should really expand on). Assuming the right plugin was used, that could effectively give him root access, right? The logs don't tell me which plugin was altered; is there another way to get this information?
He then appeared to download my style and copy all images, don't know why.
Although I have my site back I don't feel secure; what actions can I take to increase security?
I am pretty sure now that he used a modification to gain access to my account even though he says he didn't, so I have already removed most of them. Some of them are critical but I believe are safe.
I read somewhere that changing your userid could help, also the location of admincp; how would I do this?
napy8gen
04-21-2009, 10:16 AM
Here it is, Powlo.
http://www.vbulletin.com/forum/showthread.php?t=172234
Powlo
04-21-2009, 10:30 AM
Thanks bud, I knew I'd seen it somewhere. ;)
Michael.A
04-21-2009, 12:24 PM
Here is what I think, and all the coders and programmers on my forum think: any vB higher than 3.7.5 is fun to take down, sorry but yes. 3.8.x no good.
I can't wait until 4.0
Lynne
04-21-2009, 02:11 PM
Your first post is very misleading. You claim "there were no addons at the time" and then go on to say "I am pretty sure now that he used a modification to gain access to my account even though he says he didn't, so I have already removed most of them. Some of them are critical but I believe are safe."
Modifications are Add-Ons.
Michael.A
04-21-2009, 03:17 PM
Your first post is very misleading. You claim "there were no addons at the time" and then go on to say "I am pretty sure now that he used a modification to gain access to my account even though he says he didn't, so I have already removed most of them. Some of them are critical but I believe are safe."
Modifications are Add-Ons.
OK, I'm sorry, so Lynne, are you saying he got hacked because of Add-Ons?
Powlo
04-21-2009, 03:21 PM
Your first post is very misleading. You claim "there were no addons at the time" and then go on to say "I am pretty sure now that he used a modification to gain access to my account even though he says he didn't, so I have already removed most of them. Some of them are critical but I believe are safe."
Modifications are Add-Ons.
He hacked with & without addons; I don't know what to think, but the words 'vBulletin version 3.8.x' have been said more than once to me over the last 2 days.
any vB higher than 3.7.5 is fun to take down, sorry but yes. 3.8.x no good
Which I guess is why you stayed at 3.7.5
So what's your advice, MAD--DOG? You seem to know the score; what, if anything, can I do to prevent this?
Lynne
04-21-2009, 03:30 PM
OK, I'm sorry, so Lynne, are you saying he got hacked because of Add-Ons?
I have no idea how he was hacked. But it sounds to me like the hacker got server access somehow if he was modifying the htaccess file. I was just commenting on the fact that at first he was leading people to believe he had no add-ons/modifications on his site, but it turns out he did and it sounds like the hacker even used one of them to help do something to the site.
Also, I have not heard anything to say 3.8 is less secure than 3.7. But, I don't go reading up on this all the time either.
I hate hackers. :mad:
Powlo
04-21-2009, 03:39 PM
He hacked with & without addons
Why do you hate hackers? Some of them are good and help software companies create a more secure product. I don't think these guys should be put into one basket; there are good and there are bad. Perhaps you just hate the bad ones ;)
Lynne
04-21-2009, 03:42 PM
Perhaps you just hate the bad ones ;)
Yes, I hate the bad ones.... especially ones that try to extort you to undo what they did. :cool:
Shadab
04-21-2009, 03:53 PM
If the hacker has access to your vBulletin Forum's admin account and it's a Super Administrator account and/or has the permissions to 'manage' plugins, then yes, he can alter/create files on your server. Doesn't matter if you have 3rd-party addons installed or not.
So, stock vBulletin or not, if he gets access to your admin account, there's nothing stopping him from creating his own plugins from your account to run raw PHP code on the Forum (unless of course that particular admin account doesn't have the permission to alter plugins).
Powlo
04-21-2009, 04:23 PM
If the hacker has access to your vBulletin Forum's admin account and it's a Super Administrator account and/or has the permissions to 'manage' plugins, then yes, he can alter/create files on your server. Doesn't matter if you have 3rd-party addons installed or not.
So, stock vBulletin or not, if he gets access to your admin account, there's nothing stopping him from creating his own plugins from your account to run raw PHP code on the Forum (unless of course that particular admin account doesn't have the permission to alter plugins).
That's what I thought, and it sounds like that is exactly what happened, as I can see from the log that the first thing he did was something with plugins..
17838 Python 18:04, 19th Apr 2009 plugin.php productedit
17837 Python 18:03, 19th Apr 2009 plugin.php product
.. is there a way to find out which one was altered?
Lynne
04-21-2009, 04:30 PM
It may show in your access_logs. Each plugin has an id and when you go to edit it, it says the id in the url. So, like I said, look in your access_logs for something like "..../plugin.php?do=edit&pluginid=xx" to get the pluginid.
Shadab
04-21-2009, 05:03 PM
It may show in your access_logs. Each plugin has an id and when you go to edit it, it says the id in the url. So, like I said, look in your access_logs for something like "..../plugin.php?do=edit&pluginid=xx" to get the pluginid.
Yep, plugin edits can be tracked this way; but this entry: 17838 Python 18:04, 19th Apr 2009 plugin.php productedit corresponds to a whole 'product' edit, whose ID we *probably* can't track, as vB doesn't log it and, moreover, that ID is sent via POST not GET, so the server access log can't see it either.
To OP:
All the hacker used was just plugin edits? Did you check with your webhost on which 'files' were altered/added to your hosting account in the past 1 week?
BlueNinjaGo
04-21-2009, 05:06 PM
What add-ons did you have installed, Powlo?
Lynne
04-21-2009, 05:24 PM
Yep, plugin edits can be tracked this way; but this entry: 17838 Python 18:04, 19th Apr 2009 plugin.php productedit corresponds to a whole 'product' edit, whose ID we *probably* can't track, as vB doesn't log it and, moreover, that ID is sent via POST not GET, so the server access log can't see it either.
If you have the pluginid, you can figure out which product it is.
Powlo
04-21-2009, 05:44 PM
There is nothing that I can find that relates to a plugin id; there are entries in the server logs but they don't tell me anything..
[19/Apr/2009:17:25:03 +0100] xx.xxx.xxx.xx - - "GET /forum/admincp/plugin.php?do=product HTTP/1.1" 200 53505 "http://www.xxxxxxxxxx.com/forum/admincp/index.php?do=nav"
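An added example, not part of any post in this thread and not vBulletin code: a small Python filter that pulls admincp/plugin.php requests out of an access log laid out like the line posted above, extracts the do and pluginid query parameters, and marks POST requests, whose parameters the access log does not record. The sample lines, IP addresses, hostname and plugin id are constructed, and the /admincp/ path is assumed to be at its default location.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Line layout follows the excerpt posted in the thread:
# [time] ip - - "METHOD path HTTP/x" status bytes "referer"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+(?P<ip>\S+)\s+\S+\s+\S+\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, made-up plugin id).
SAMPLE_LOG = """\
[19/Apr/2009:17:25:03 +0100] 192.0.2.10 - - "GET /forum/admincp/plugin.php?do=product HTTP/1.1" 200 53505 "http://forum.example/forum/admincp/index.php?do=nav"
[19/Apr/2009:17:25:40 +0100] 192.0.2.10 - - "GET /forum/admincp/plugin.php?do=edit&pluginid=12 HTTP/1.1" 200 20110 "http://forum.example/forum/admincp/plugin.php?do=modify"
[19/Apr/2009:17:26:02 +0100] 192.0.2.10 - - "POST /forum/admincp/plugin.php HTTP/1.1" 200 1834 "http://forum.example/forum/admincp/plugin.php?do=edit&pluginid=12"
[19/Apr/2009:17:27:15 +0100] 198.51.100.7 - - "GET /forum/index.php HTTP/1.1" 200 41230 "-"
""".splitlines()

def plugin_admin_requests(lines):
    """Return one record per admincp/plugin.php request found in lines."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout
        url = urlsplit(m["target"])
        if not url.path.endswith("/admincp/plugin.php"):
            continue  # assumes the default admincp directory name
        query = parse_qs(url.query)
        hits.append({
            "time": m["time"],
            "ip": m["ip"],
            "method": m["method"],
            "do": query.get("do", [None])[0],
            "pluginid": query.get("pluginid", [None])[0],
            # POST parameters travel in the body, which access logs omit.
            "body_not_logged": m["method"] == "POST",
        })
    return hits

if __name__ == "__main__":
    for hit in plugin_admin_requests(SAMPLE_LOG):
        print(hit)
```
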
Lynne
04-21-2009, 07:02 PM
And you don't see anything in the Control Panel logs? Look for all entries in the plugin.php script. It should show pluginids there.
Powlo
04-21-2009, 07:09 PM
All I get in the control panel logs is what I posted in post #18
It's a shame the plugins don't have a 'last edited' feature. That way it would be clear where to start looking.
Lynne
04-21-2009, 07:20 PM
I wonder if he deleted them. In my logs, if I view all logs for just plugin.php, it shows an entry for every time I modified a plugin with the plugin id. Can you see a bunch of entries missing?
BerndM
04-22-2009, 08:04 AM
It's a German site so I didn't fully understand all their responses
Just post the responses, I can translate them.
Powlo
04-22-2009, 03:23 PM
Well, it was a few days ago now and it was in their shoutbox so I imagine they are gone now, but I kinda got the gist of it and they're not worth repeating lol
Thanks for the offer ;)
Michael.A
04-23-2009, 12:04 AM
Which I guess is why you stayed at 3.7.5
So what's your advice, MAD--DOG? You seem to know the score; what, if anything, can I do to prevent this?
I know one thing: downgrade to 3.7.5, ..
Wired1
04-23-2009, 12:22 AM
Mad Dog, what is your proof of that?
Lizard King
04-23-2009, 01:01 AM
I know one thing: downgrade to 3.7.5, ..
You cannot downgrade vBulletin. The funny part is you don't even know this very simple fact and yet are trying to give advice on vBulletin.
vBulletin 3.8 series are as safe as vBulletin 3.7 series. If you have facts please post here, or else you shouldn't voice your opinion without acceptable facts.