A common method of defacing vBulletin sites is to edit the parsed template html directly via the database. It makes it harder for administrators to find the issue, and can be a pain in the ass to cleanup if you're not familiar with working with the database.

This tool will make it easier to clean your defaced site.

What it does:
Checks all of the templates in the database:
- Makes a new compiled version from the uncompiled template.
- Compares the current compiled template to the new compiled template
- If they differ, it updates the template, then rebuilds all of the styles.

How do you use it?
- Upload to your admincp, modcp, install, or root forums folder
- Browse to it
- Let it run
- Delete tool_recompiler.php after you are done using it.

This tool now works on vB3 and vB4.

vB4 Thread (https://vborg.vbsupport.ru/showthread.php?t=281080)

Ok, but how does someone without access the the database able to do this to begin with? (Forgive me here, I don't mean to be stupid. But If I don't ask, I won't learn. :o)

Ok, but how does someone without access the the database able to do this to begin with? (Forgive me here, I don't mean to be stupid. But If I don't ask, I won't learn. :o)
They gain access on the server level, either though another account, or an exploit on a server.

They gain access on the server level, either though another account, or an exploit on a server.

Will this mod tell us if we have exploits then? im confused...

Will this mod tell us if we have exploits then? im confused...
No, it will repair the templates for you if you've been defaced by some random hacker group. I released the tool here because I thought people would like to have a tool to help them fix things.

But if it repairs templates, does it save previous template? basically...

Can it destroy a template just as easy as fix one?

Here is the explanation behind how the template system and this tool works.

Templates are stored in two ways. There is the unparsed template, which you edit in the Admin CP. It is the template as you know it. Then, there is the parsed template, which is the template after it has been ran through a function to convert things like <if> tags into valid PHP parsable code.

A common method of defacing vBulletin forums is for a hacker to directly edit the parsed version of the template in the database, leaving the unparsed template alone. When you go to edit the template in the Admin CP, you won't see anything different, but the parsed version of the template has changed.

What this tool does is it takes all of the unparsed templates from the database and creates a new parsed version from it. If the newly generated parse is different than the parsed version currently in the database, it will update the template, overwriting the old, probably compromised, parsed template. This process is not "dangerous" in any way. If you run it on a normal, uncompromised forum, you won't see it updating any templates.

No, it doesn't destory templates.

As explained already in the description, it checks the unprased template agasint the parsed template table. If the two don't match like they should, it takes your unparsed template and re-parses it and inserts it back into the database and removes the defacement.

Thanks to both of you...

thanks

Question: If it just rebuilds styles, it didn't find any issues?

Can you make a diagnostic edition where alert user instead to fix?

Question: If it just rebuilds styles, it didn't find any issues?

Correct.

Can you make a diagnostic edition where alert user instead to fix?

I don't see any reason to. All this does is fix parsed versions of templates that are different than the unparsed version. There is no reason not to ever fix this problem, as it would only happen if the parsed template was directly edited in the database. All a diagnostic version would do is not run the update query, which doesn't help any.

If you run this and no problems are found, it will simply rebuild the styles. If there is a problem found, it will tell you which template it updates.

Great fix Zachery!
My Forum was hacked twice & defaced in July & August (hosted by Hostmonster) - you fixed it manually twice (a HUGE thanks from all of here in the UAE) and now, if the nasty extreme muslims try it again this fix will wipe them.
Well done! :D

looks really interesting and useful this one...thanks...where should i upload this and how can i run it and where?...sorry for the dumb question but a bit confused here...

:p

You upload it to the admincp folder and run it directly in your browser. http://www.yoursite.com/forum/admincp/tool_reparse.php

Installed and thank you. I navigated to it and it ran all my styles. Now is it automatic from now on, or do I run it every now and then or if I see a problem on forum?

You run it when you see that there's a problem. It's not a preventative measure, just a tool to use to help get your forums back under control.

Ok this seems brilliant... but a little help for us novices.

Just ran this:

And results back are:


Template updated: USERCP_SHELL (id: 1285, styleid: 4)
Template updated: postbit (id: 544, styleid: 1)
Template updated: USERCP_SHELL (id: 580, styleid: 1)
Template updated: USERCP_SHELL (id: 6481, styleid: 12)
Template updated: USERCP_SHELL (id: 8124, styleid: 18)
Template updated: USERCP_SHELL (id: 8125, styleid: 17)


Does that mean there were issues ? in the above files?

Are they fixed ? have they been repaired... what was the issue ??

Ok this seems brilliant... but a little help for us novices.

Just ran this:

And results back are:


Template updated: USERCP_SHELL (id: 1285, styleid: 4)
Template updated: postbit (id: 544, styleid: 1)
Template updated: USERCP_SHELL (id: 580, styleid: 1)
Template updated: USERCP_SHELL (id: 6481, styleid: 12)
Template updated: USERCP_SHELL (id: 8124, styleid: 18)
Template updated: USERCP_SHELL (id: 8125, styleid: 17)


Does that mean there were issues ? in the above files?

Are they fixed ? have they been repaired... what was the issue ??

It means that there was a difference between the unparsed version of the template and the parsed version of the template and those templates have been re-compiled from the unparsed version.

What the exact differences were is not something that is checked. This isn't a script to test for the errors, it's a simple script to fix them.

You upload it to the admincp folder and run it directly in your browser. http://www.yoursite.com/forum/admincp/tool_reparse.phpwell thanks for the reply...really nice thing to have this mod...great idea...:p:up:

Absolutely brilliant idea, just ran it and it nicely just rebuilt the styles, nice to know this back-up is now available, thank you for this.

Thanks very much for this, a very handy tool :up:

Great Mod thanks :)

I stumbled upon this and its priceless to keep it in hand.

Thank you

If I edit one template for example "header" and run "tool_reparse.php", witch template will be rebuild ?

Original template or my template edited just before the defaced ?

No, it should match both database values and be ignored.

No, it should match both database values and be ignored.
Ignored, which one ?

Nice.

I ran this and it showed.
Updating style information for each style

(Default Style ... (Templates) (StyleVars) (Replacement Variables) (CSS) (Controls) Done.)

Does that mean there were no errors?

So if no results came back, this means everything was fine?

EDIT: Nvm this was answered on page one. Thanks. :)

Isn't this tool good for refreshing all templates to ?
Sorta like purging the cache ?

Thank You,

Isn't this tool good for refreshing all templates to ?
Sorta like purging the cache ?

Thank You,
No, its designed to fix defaced websites.

This fixed the malicious code that was put on my forumhome template by a hacker! This is a great tool!! Thank you so much! The hacker redirected my forum page to some stupid Turkish, Israel forum....my home page is back!!! :):):)

This might seem like an inane question but, if i have changed one of my vbulletin php files like functions_databuild.php (i added a small amount of code to parse VBA code tags) if i run this file will it reset any edits ive made to these files?

This doesn't touch files. It simply recompiles templates from the code you see in the Admin CP into the code that is actually ran when it is displayed in the forums.

Wow, speedy response! thanks for that.

Matthew if you do paid work or Zachery for that matter then please PM me or email simonDOTlloydATthecodecage.com

I guess it should be included in vb script, as you never can be secure enough.
A good idea would be to run on a regular basis as a cron job ...
Many thanks

Thank You!
I hope I wont need it, but I have it just in case.

Will this still allow you to revert templates back to vB stock as you currently can? Even if you've changed them? Not that I would want to but........... (reserved.waiting on reply)

This is a tool intended to fixed defaced websites, not revert your templatest to the stock vBulletin templates. Read the description.

This is a tool intended to fixed defaced websites, not revert your templatest to the stock vBulletin templates. Read the description.

What I asked was WILL it still allow you to revert if were to choose to as you can now or does it affect that function.

What it does:
Checks all of the templates in the database;
- Makes a new parsed version from the unparsed template.
- Compares the current parsed template to the new parsed template
- If they differ it updates the template, then rebuilds all of the styles.


It does not do anything strange or funky, it does not effect the revert function in the least.

What it does:
Checks all of the templates in the database;
- Makes a new parsed version from the unparsed template.
- Compares the current parsed template to the new parsed template
- If they differ it updates the template, then rebuilds all of the styles.


It does not do anything strange or funky, it does not effect the revert function in the least.

I love it. Thanks for the reply. Consider it installed.

thank for this mod

my site infect today and just remove it

i donlt know how they put ifram in my site..
i host my private server.

Thanks for this mod. It worked for me a treat. :up:

But I am having to use it every day!! What can i do to stop the ba$tards messing with my templates.

Contact your webhost.

Does it work with 4.0?

Did I hear correctly, if I rebuild styles correctly it won't do anything?

I run it for awhile and then I get an error.

as a webhost how we can edit it to do the fix without the need for the admin user/pass ? so we don't need to ask each user for his admin user/pass as i noticed few forums got infected on one of the servers

Thanks

anyone?

Here's a version that doesn't require admin privileges to run.

As for the unrelated question of whether it works on 4.0 - probably. I looked at how vB4 compiles templates and it is the same function call. I don't guarantee that something bad won't happen, but it'll probably work just as smoothly as it does on vB3. Maybe.

still asks for login

Put it in the forum root directory instead of the admincp directory. Sorry, I forgot to mention that.

Put it in the forum root directory instead of the admincp directory. Sorry, I forgot to mention that.
thanks a bunch!

Does it cause any troubles using the TMS (template modification system)?

It shouldn't, but a link to the product would help

It shouldn't, but a link to the product would help

This one from Andreas: https://vborg.vbsupport.ru/showthread.php?t=152931

cu
Gargi

I would say backup first. but this is intended to fix defaced sites.

Here's a version that doesn't require admin privileges to run.

As for the unrelated question of whether it works on 4.0 - probably. I looked at how vB4 compiles templates and it is the same function call. I don't guarantee that something bad won't happen, but it'll probably work just as smoothly as it does on vB3. Maybe.

not working on vb 4.0.2

Can you please make it work on vbulletin 4.02 or give me some alternative?

true it doesn't work with 4.0.2 anymore

can anyone make it works for 4.0.2 ?

Unfortunately, it still doesn't work with me, whenever I try to browse it and run it, I got the hacked pages, so it seems to me the hacked pages would show up in all the files for the forum, like if it would be a header or something like that.

Please advise,

Thank you,

any ideas if this will work with 3.6.12 PL2?

any chance this would work on v3.5x?

sorry, nm

How would you make this work on a cron job
Basically set and forget.
Let it run once or twice a day
Thanks in advance for any help

for some reason this doesn't work anymore even on 3.6.x or 3.8.x it still shows the hacked page

any idea what might be the reason?

they didn't hack your templates.

for some reason this doesn't work anymore even on 3.6.x or 3.8.x it still shows the hacked page

any idea what might be the reason?

they didn't hack your templates.

Check your plugins Bashar, Zachery has a point ;).

hmm, which plungins? thing is all pages loads the hacked page, i checked the files they are intact, i restored older DB forum(s) worked

different forums installations different plugins

i even tried to dump the db and grep into the sql file for a word but since its encrypted JS no results matched

any other hints?

thanks :)

Unfortunately it doesn't work under vB 4.1.10, but I really need this a s my forum was compromised. I have since closed the hole (I hope), but the bad templates are still in there I believe

Is there any way to get this to work, and if not, how can I manually reparse the templates?

Any help wold be greatly appreciated, thanks.

Are you positive its in the templates?

Is there a 4.1.x version of this?
I found this thread via theadminzone
http://www.theadminzone.com/forums/showpost.php?p=597122&postcount=81
and want to make sure a client is secure.

Thanks

I think for this to work in vb4 you just need to take the "false" parameter off the compile_template line so it looks like this:

$template['newparsed'] = compile_template($template['template_un']);

Are you positive its in the templates?

I'm not 100% sure, but I believe this may be what happened:

https://www.vbulletin.com/forum/showthread.php/381140-Information-about-file2store-info-redirect-Solution?p=2185387&viewfull=1#post2185387

Both my forums were compromised at the same time, and even after I had plugged the hole this mod (https://vborg.vbsupport.ru/showthread.php?t=265866) continued to send blank emails to me for several days (which according the the author (https://vborg.vbsupport.ru/showpost.php?p=2216139&postcount=35) means it found an infection but missed some phrases). It has stopped now though, but does that mean the templates are "clean"?

This may also be what happened (http://www.vbseo.com/f77/google-redirecting-filestore123-info-49062/index3.html#post309843) (or both), but how to tell? I'd rather be safe than sorry

I think for this to work in vb4 you just need to take the "false" parameter off the compile_template line so it looks like this:

$template['newparsed'] = compile_template($template['template_un']);

Thanks a lot!

I'll try this if/when I can muster the courage to run the untested code on my forums :)

Thanks a lot!

I'll try this if/when I can muster the courage to run the untested code on my forums :)

That's fair. I did run it on a test forum and it runs without errors, recompiled a template where I had gone in to the db and changed the compiled string, and didn't seem to have any other effects. But personally I don't think I'd even run the original version unless I suspected a problem.

That's fair. I did run it on a test forum and it runs without errors, recompiled a template where I had gone in to the db and changed the compiled string, and didn't seem to have any other effects. But personally I don't think I'd even run the original version unless I suspected a problem.

I see, thanks for testing it. I think what I'll do is run it right after the daily backup of my server, that way if something goes wrong It'll be at most a few hours I lose.

When I try running this file (vb4) I get a blank page. Funny thing is it seemed to work the first time I ran it but got "hung" on a particular template. Now everytime I try to run it i just get a blank page. Any thoughts?

I'm getting a 500 error when I try to run this on my vb4 forum (after changing the parameter as discussed above).

I'm getting a 500 error when I try to run this on my vb4 forum (after changing the parameter as discussed above).

I tried it again and it seems to work - what program did you use to edit the file? Some programs will put strange characters in the file and cause problems.

I tried it again and it seems to work - what program did you use to edit the file? Some programs will put strange characters in the file and cause problems.

I used Nano. I think the problem is with the time it takes to run the script (there is no output, it's just loading). I tried running the PHP script from the command line, but I'm getting an error there as well (different kind, I guess the script cannot be run from the command line).

Hello. This hack work in version 4.1.10 or .11?

Thank you

We're working on releasing a new version for 4.x

I've updated this for vB4.

I think for this to work in vb4 you just need to take the "false" parameter off the compile_template line so it looks like this:

$template['newparsed'] = compile_template($template['template_un']);

I'm curious how I ended up with the false parameter because compile_template only has one parameter in vB3. o.O

How about making this for vb 5 - vb5 is the wave of the future!

I was stuck in vb3 for years but now that I've upgraded to vb5 over all I am glad I made the move.