Got hacked by "C99madShell v. 2.0 madnet edition"


Milobil
08-30-2013, 11:15 PM
Hello,

Recently, my forum got hacked. The hacker used the "C99madShell v. 2.0 madnet edition" and changed my PayPal addresses to get the membership donations. He also created some new administrator accounts.

So I just noticed that today by going to the paid subscriptions options in the admincp:

https://vborg.vbsupport.ru/external/2013/08/4.png

So if you know how I can fix it and what I can do to avoid this again.

EDIT: I just used the Suspect File Versions in Maintenance in the admincp and I found 3 files that the hack seems to have uploaded: 3 PHP files (one of which was a config of the shell), and when I deleted one of the PHP files, it also deleted another file: "mine.tar.gz", which is without doubt the file that the hacker uploaded to my FTP to run the shell script.

Cordially

Przemoo
09-09-2013, 09:05 PM
Same here, I can't find those files. Could you send me a PM with the files you've deleted?
I did 5-6 from HERE (http://www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/424590-remove-c99madshell-v-2-0-madnet-edition?p=3641037#post3641037) and subscriptions.php seems to be fine now but I still need to delete some files probably.

Zachery
09-09-2013, 09:30 PM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions

Evoklub
09-26-2013, 03:03 PM
Same problem here, my site was hacked too.

Did everything as on the links above, but the linkbucks redirection is still there, and in the admin CP -> Paid subscriptions, same shit as above.

How can I remove both? Thanks.

--------------- Added 1380211877 at 1380211877 ---------------

madshell removed - I found a plugin called vBulletin, which did it. Removed it, and now the Paid Subscriptions menu is the original again.

But how to remove the linkbucks redirection?

The Vegan Forum
10-02-2013, 06:25 PM
We have the same problem now. Where did you find that plugin, Evoklub?

Zachery
10-02-2013, 06:40 PM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions

The Vegan Forum
10-02-2013, 06:47 PM
There's a lot of work and quite some patience and knowledge in performing all these steps. Does vBulletin offer some kind of service/help in getting these things done?

Zachery
10-02-2013, 06:50 PM
Work yes, however everything outlined is very doable if you've been admining a forum and using ftp

The Vegan Forum
10-02-2013, 06:51 PM
I can of course upgrade from 4.2.0 Patch Level 3 to 4.2.1, but usually such updates come with their issues, and sometimes require needing to spend some time on fixing problems which occur with our skins etc. The problems occurred just before I upgraded to the latest patch level, by the way. And in addition to that, the server company restored the forum from a database, but also did that again after I had been upgrading to patch level 3, which may be one of the reasons behind the various problems we've had after that.

--------------- Added 1380744147 at 1380744147 ---------------

very doable

I have never used PhPMyAdmin, and never used FTP for other than uploading files.
According to the diagnostics function, the forum also contains a lot of files which probably shouldn't be there now (some of them are most likely harmless leftovers from plugins I now have deinstalled or disabled).

And, btw, I did empty the install folders, but it now contains an Include folder with class_upgrade_420a1.php in it.

These files are listed as potential suspects:

ajaxthreads.php File not recognized as part of vBulletin
blog_search.php File not recognized as part of vBulletin
confdon.php File not recognized as part of vBulletin
index.php File does not contain expected contents
init.php File not recognized as part of vBulletin
mysql-schema.php File not recognized as part of vBulletin
vbdonate.php File not recognized as part of vBulletin
wog_qqoute.js File not recognized as part of vBulletin
Scanned 84 files./admincp
100.php File not recognized as part of vBulletin
ajaxthreads.php File not recognized as part of vBulletin
album.php File not recognized as part of vBulletin
backup.php File not recognized as part of vBulletin
buildinfo.php File not recognized as part of vBulletin
evbs_sstabs.php File not recognized as part of vBulletin
glowhostspamomatic.php File not recognized as part of vBulletin
sa.php File not recognized as part of vBulletin
vbdonate_banner.php File not recognized as part of vBulletin
verify_new.php File not recognized as part of vBulletin
Scanned 3 files./archive
Scanned 107 files./clientscript
cms_textedit.js File not recognized as part of vBulletin
vbulletin-forumhome.js File not recognized as part of vBulletin
vbulletin-read-marker.js File not recognized as part of vBulletin
vbulletin-threadbit.js File not recognized as part of vBulletin
vbulletin_ajax_namesugg.js File not recognized as part of vBulletin
vbulletin_ajax_reputation.js File not recognized as part of vBulletin
vbulletin_ajax_tagsugg.js File not recognized as part of vBulletin
vbulletin_ajax_threadslist.js File not recognized as part of vBulletin
vbulletin_global.js File not recognized as part of vBulletin
wog_qqoute.js File not recognized as part of vBulletin

Scanned 21 files./clientscript/jquery
jquery-1.3.min.js File not recognized as part of vBulletin
jquery-1.4.4.min.js File not recognized as part of vBulletin
jquery-1.6.1.js File not recognized as part of vBulletin
jquery-1.6.1.min.js File not recognized as part of vBulletin
Scanned 5 files./clientscript/yui
connection.js File not recognized as part of vBulletin
dev-readme.txt File not recognized as part of vBulletin
yahoo-dom-event.js File not recognized as part of vBulletin

Scanned 12 files./forumrunner
INSTALL.txt File not recognized as part of vBulletin
license.txt File not recognized as part of vBulletin
product-forumrunner.xml File not recognized as part of vBulletin
sitekey.php File not recognized as part of vBulletin

Scanned 205 files./includes
adminfunctions.php File does not contain expected contents
adminfunctions_backup.php File not recognized as part of vBulletin
class_blog_search.php File not recognized as part of vBulletin
class_dm_picture.php File not recognized as part of vBulletin
class_dm_threadpost.php File does not contain expected contents
class_editor_override.php File not recognized as part of vBulletin
class_floodcheck.php File does not contain expected contents
class_modpm_checker.php File not recognized as part of vBulletin
functions_ghsom.php File not recognized as part of vBulletin
functions_modpm.php File not recognized as part of vBulletin
functions_wysiwyg.php File not recognized as part of vBulletin
Scanned 7 files./includes/api
commonwhitelist.php File not recognized as part of vBulletin


Scanned 8 files./includes/block
dbtech_vbdonate.php File not recognized as part of vBulletin
Scanned 28 files./includes/cron
vbcms_dailycleanup.php File not recognized as part of vBulletin
Scanned 3 files./includes/facebook
Scanned 8 files./includes/paymentapi
Scanned 41 files./includes/xml
bitfield_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
bitfield_dbtech_vbdonate.xml File not recognized as part of vBulletin
cpnav_bfspmstoper.xml File not recognized as part of vBulletin
cpnav_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
cpnav_dbtech_vbdonate.xml File not recognized as part of vBulletin
cpnav_evbs_sstab.xml File not recognized as part of vBulletin
cpnav_glowhostspamomatic.xml File not recognized as part of vBulletin
cssrollup_digitalpoint_css.xml File not recognized as part of vBulletin
hooks_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
product-dbtech_ajaxthreads.xml File not recognized as part of vBulletin


class_upgrade_420a1.php File does not contain expected contents


wysiwyghtmlparser.php File not recognized as part of vBulletin
Scanned 2 files./packages/vbcms/attach
Scanned 3 files./packages/vbcms/bbcode
wysiwyg.php File not recognized as part of vBulletin
Scanned 4 files./packages/vbcms/collection
Scanned 6 files./packages/vbcms/collection/content
statichtml.php File not recognized as part of vBulletin
Scanned 6 files./packages/vbcms/content
statichtml.php File not recognized as part of vBulletin
Scanned 7 files./packages/vbcms/controller
editor.php File not recognized as part of vBulletin
Scanned 8 files./packages/vbcms/dm
statichtml.php File not recognized as part of vBulletin
Scanned 2 files./packages/vbcms/exception
Scanned 5 files./packages/vbcms/item
Scanned 6 files./packages/vbcms/item/content
statichtml.php File not recognized as part of vBulletin
Scanned 25 files./packages/vbcms/item/widget
sectionnav.php File not recognized as part of vBulletin
staticbb.php File not recognized as part of vBulletin
Scanned 5 files./packages/vbcms/route
editor.php File not recognized as part of vBulletin
Scanned 5 files./packages/vbcms/search/indexcontroller
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin
Scanned 6 files./packages/vbcms/search/result
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin
Scanned 6 files./packages/vbcms/search/searchcontroller
newcmscomment.php File not recognized as part of vBulletin
newstatichtml.php File not recognized as part of vBulletin
Scanned 5 files./packages/vbcms/search/type
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin
Scanned 2 files./packages/vbcms/taggablecontent
Scanned 6 files./packages/vbcms/view
page.php File not recognized as part of vBulletin
Scanned 25 files./packages/vbcms/widget
sectionnav.php File not recognized as part of vBulletin
staticbb.php File not recognized as part of vBulletin
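
A listing like the one above can be reproduced offline by comparing the live tree against a freshly downloaded copy of the same release. The following is an added example, not vBulletin's diagnostic code and not from any poster in this thread; it assumes a trusted clean copy is available, and all file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(clean_root):
    """Map relative path -> digest for every file in the trusted clean copy."""
    return {p.relative_to(clean_root).as_posix(): sha256_of(p)
            for p in clean_root.rglob("*") if p.is_file()}

def audit(live_root, manifest):
    """Sort live files into unrecognized / modified, and list stock files that are gone."""
    report = {"unrecognized": [], "modified": [], "missing": []}
    seen = set()
    for p in live_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(live_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unrecognized"].append(rel)   # add-on, leftover, or dropped file
        elif sha256_of(p) != manifest[rel]:
            report["modified"].append(rel)       # stock file whose contents changed
    report["missing"] = list(set(manifest) - seen)
    return {status: sorted(files) for status, files in report.items()}

def demo():
    """Constructed sample trees; names and contents are made up for illustration."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "includes" / "functions.php").write_text("<?php // stock\n")
            (root / "includes" / "stock_example.php").write_text("<?php // stock\n")
        (live / "index.php").write_text("<?php // stock index\n// appended line\n")
        (live / "includes" / "addon_example.php").write_text("<?php // add-on\n")
        (live / "upload_example.tar.gz").write_bytes(b"\x1f\x8b constructed")
        (live / "includes" / "stock_example.php").unlink()
        return audit(live, build_manifest(clean))

if __name__ == "__main__":
    for status, files in demo().items():
        print(status, files)
```

The "modified" list is the one to review first, since those are stock files whose contents no longer match the release; "unrecognized" also picks up legitimately installed add-on files and has to be checked against what was deliberately installed.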

CouponWCents
10-03-2013, 08:37 PM
We have the linkbucks redirection too. You can clear it out of your footer template manually but it keeps coming back every other day.

tbworld
10-03-2013, 09:20 PM
I see you are requesting Paid help. I think that is a wise solution for your site at this time. You just need a bit more time understanding vbulletin software, but that will come if you keep reading vbulletin.org.

Good Luck and I hope things go well for you! :)

findingpeace
10-04-2013, 12:48 AM
Hey tbworld, thanks for helping out everyone with these hacks! It really makes a difference to have someone with knowledge give reassurance and advice during the worst times.

ReferAWebmaster
12-13-2013, 02:40 PM
Pretty crappy help from vbulletin actually, it is their forum that is being targeted by these automated spammers.

Who would buy vbulletin seriously if their forums can easily be hacked to steal money ffs.

WHERE IS THE SUPPORT VBULLETIN? RELEASE A FIX. THOUSANDS WERE HACKED.

ForceHSS
12-13-2013, 03:10 PM
Pretty crappy help from vbulletin actually, it is their forum that is being targeted by these automated spammers.

Who would buy vbulletin seriously if their forums can easily be hacked to steal money ffs.

WHERE IS THE SUPPORT VBULLETIN? RELEASE A FIX. THOUSANDS WERE HACKED.

Hackers use custom plugins or other ways to get in. It's not vB software that is the problem; it's that some owners don't have a clue how to secure their forums correctly. If anyone is to blame, it's the forum owners.

tbworld
12-13-2013, 03:46 PM
This thread should be closed in my opinion. New problems require new threads. :)