
Recovering from a Hack


Wir3tap
08-04-2013, 06:49 PM
So a few weeks ago some great help got me in with Fix It to fix our forums. There are still problems we are running into.

1.) When going to update plugs and enable them, it acts like it's going to but gives this in the box.
Updating style information for each style

World at War ... (Templates) (StyleVars) (Replacement Variables) (CSS) ~ HaCkEd By EjRaM HaCkEr ~ isecurity7@gmail.com

That hacked by ejram is the hack that kept spamming our main page before we used fix it.

2.) If I try to run the vBulletin upgrade script, it says this.

On Processing Blog 17 of 18 it errors out with this message.

Unexpected Text:
<?xml version="1.0" encoding="windows-1252"?>
~ HaCkEd By EjRaM HaCkEr ~
isecurity7@gmail.com


Does anyone know where this hack could be?

Otherwise the forums are working; it just seems like updates can't be done.

--------------- Added 1375646712 at 1375646712 ---------------

Also, the only way we can view the forums is if all of our plugins are disabled.

--------------- Added 1375647598 at 1375647598 ---------------

Ok I disabled every plugin, and removed the define('DISABLE_HOOKS', 1); from my config file. Now each time I go to enable a plugin it gives me this:

Updating style information for each style

World at War ... (Templates) (StyleVars) (Replacement Variables) (CSS) ~ HaCkEd By EjRaM HaCkEr ~ isecurity7@gmail.com

--------------- Added 1375648135 at 1375648135 ---------------

Ok Plugin - Everywhere Sidebar - Posted the big white screen of the hacked message on main index.php or any of the site links. I have uninstalled this plugin, but still getting the Hacked messages for the Updating Styles

ForceHSS
08-04-2013, 07:42 PM
Have you tried posting a support ticket yet? A link to your site might help someone here to locate the problem. Check server logs to see how they got in. Using custom plugins sometimes allows hackers access to your site.

Wir3tap
08-04-2013, 08:01 PM
http://www.bfewaw.com is the site, but the hacked message is only in admin stuff now.

Big Al
08-04-2013, 09:29 PM
The site shows as blacklisted.
Analyzed On: 2013-08-04 22:23 GMT
Website Address: bfewaw.com
Blacklist Status: BLACKLISTED
Detection Ratio: 1 / 26 (4 %)
Domain 1st Registered: 2005-10-24 (8 years ago)
Alexa Rank: 10,610,734
Website Blacklist Report
Engine: SCUMWARE, Status: DETECTED


Some information about the hacker? http://www.google.com.au/?gws_rd=cr#output=search&sclient=psy-ab&q=%22+isecurity7%40gmail.com%22&oq=%22+isecurity7%40gmail.com%22&gs_l=hp.12...1635.7200.0.9324.3.3.0.0.0.0.276.766. 2-3.3.0....0...1c.1.23.psy-ab..3.0.0.5uvFzUlTgko&pbx=1&bav=on.2,or.r_qf.&bvm=bv.50165853,d.dGI&fp=a21548815edd3956&biw=1280&bih=792

This may help with sorting it out.? Good luck with getting rid of the hacker.

Hackers and those who support them are the scum of the earth IMHO.

Wir3tap
08-04-2013, 10:16 PM
What does that exactly mean?

Big Al
08-04-2013, 10:38 PM
It means that as of a few seconds ago a scan of your site shows it is blacklisted by http://www.scumware.org/search.scumware

This information may assist if you contact your host, so they can see there is a problem.

You may wish to contact scumware.org to re-evaluate your site to see if it is now clean.

Lynne
08-05-2013, 12:47 AM
Did you make sure to use a database backup from before you were hacked? I'm guessing they either changed, or added, a plugin and that is causing the issue.

Wir3tap
08-05-2013, 10:45 AM
Yeah unfortunately Lynne we didn't have a backup. :( So we are trying to find out where the hack is at.

borbole
08-05-2013, 11:07 AM
> Yeah unfortunately Lynne we didn't have a backup. :( So we are trying to find out where the hack is at.

Where do you get the hack message? You should do a thorough checkup of your server space and database as well. Also contact your host so they can check their access logs around the time that your forum got hacked to see how they got in.

> http://www.bfewaw.com is the site, but the hacked message is only in admin stuff now.

I loaded your admin page and I did not see any hack message. Is it solved now?

Wir3tap
08-05-2013, 12:51 PM
Here are screenshots.

The first is the message that pops up when you try to Enable a plugin. (It does not update the styles when you click enable.)

http://www.bfewaw.co.uk/Wir3tap/first.jpg

The 2nd is what pops up in error of stage 17 of updating vBulletin. When you scroll the bar to the side, it says the hacked Message.

http://www.bfewaw.co.uk/Wir3tap/2nd.jpg


When we first got hacked, we couldn't get into anything. It didn't even show us the forums. It was just one white screen that said "Hacked By Ejram" and that email address, the same thing it's saying in the screenshots.

kh99
08-05-2013, 01:46 PM
Try searching in templates for "isecurity7".

Wir3tap
08-05-2013, 01:48 PM
> Try searching in templates for "isecurity7".

Already done, haven't found anything.

kh99
08-05-2013, 02:13 PM
If you have any way of searching in files (like grep), try searching all files in includes/xml for isecurity. Or maybe look in cssrollup_vbulletin.css.

Have you tried Maintenance > Diagnostics > Suspect File Versions to see if there are any files that don't belong?
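
A file search of the kind suggested above, as an added example that is not part of the thread or any poster's code. It goes beyond a plain grep: besides a case-insensitive match on the marker it also looks for the marker's three base64 alignments, which a plain-text search cannot see. The function names, sample files and the example.invalid address are constructed for illustration.

```python
import base64
import pathlib
import tempfile

def b64_variants(marker: bytes) -> set:
    """Base64 substrings seen when marker starts at byte offset 0, 1 or 2 (mod 3)."""
    variants = set()
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + marker).decode().rstrip("=")
        head = (0, 2, 3)[offset]  # leading chars that mix in preceding bytes
        tail = (0, 1, 1)[(offset + len(marker)) % 3]  # last char mixes in following bytes
        variants.add(enc[head:len(enc) - tail])
    return variants

def scan_tree(root, marker: str) -> list:
    """Return (relative path, line number, kind) for every hit, in path order."""
    needle = marker.lower().encode()  # plain match ignores case
    encoded = [v.encode() for v in b64_variants(marker.encode())]  # exact case only
    hits, root = [], pathlib.Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            lines = path.read_bytes().splitlines()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(lines, 1):
            if needle in line.lower():
                hits.append((rel, lineno, "plain"))
            elif any(v in line for v in encoded):
                hits.append((rel, lineno, "base64"))
    return hits

def demo() -> list:
    """Scan a constructed tree: one clean file, one plain hit, one encoded hit."""
    blob = base64.b64encode(b"echo 'x isecurity7@example.invalid';")
    samples = {
        "index.php": b"<?php\necho 'hello';\n",
        "includes/xml/sample.xml": b"<?xml version='1.0'?>\n<x/>\nISecurity7@example.invalid\n",
        "includes/hook.php": b"<?php\n$blob = '" + blob + b"';\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return scan_tree(root, "isecurity7")

if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Pointing `scan_tree` at a downloaded copy of the forum directory, or at a text dump of the database, keeps the search off the live server.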

Wir3tap
08-05-2013, 02:53 PM
I am so lost, I don't know what's supposed to be or not be lol. I might just have to hire someone to do this. I also PM'd the author of Everywhere Sidebar in hope that he knows what his sidebar actually calls up. Because whatever it called up was exactly where the hack was.

Lynne
08-05-2013, 03:29 PM
Create a new style with no parent:

Styles & Templates > Style Manager > Add New Style
Parent Style: No Parent Style
Title: Default vBulletin
Allow User Selection: Yes
Save

And then delete all your other styles. (feel free to export them for later).

Now try to enable plugins.

Wir3tap
08-06-2013, 12:48 PM
I have to say a massive HUGEEEEEE thanks to snakes1100 for helping us get our forums fixed. Much appreciated!!!!!!!!!

Thanks also Lynne and everyone else for your support!!! :D