Th3H4ck hacked hundreds of VB forums over the last two days.
lapiervb
09-05-2013, 11:37 AM
Th3H4ck has hacked hundreds of VB forums over the last few days. What is the exploit, and are we working on a fix???
Just google Th3H4ck
BlkBullitt
09-05-2013, 12:08 PM
Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?
lapiervb
09-05-2013, 12:13 PM
Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?
Did you get an IP or any information as to what he is doing once he's in?
kinkdink
09-05-2013, 12:42 PM
Looks like a bot attack to me.
It relates to this article
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
Apache Log below:
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
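Added example, not code from the post: a small Python triage script over the access-log lines kinkdink posted, separating the 404 probes for a leftover install directory from the requests that actually reached a script (a non-404 response, or a POST). The log lines are the seven from the post above; the function and pattern names are assumptions.

```python
import re
from collections import defaultdict

# One Apache combined-format access-log line. The lines in the post carry "-"
# for both referer and user agent; the regex ignores everything after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Any request into a vBulletin install directory, whatever prefix the site lives
# under (/forum/, /forums/, /core/ ...). A leftover /install/ is the whole story
# of this thread, so every such request deserves a look.
INSTALL_RE = re.compile(r'/install/(?:upgrade|install)\.php$', re.IGNORECASE)

# Sample access-log lines, copied from kinkdink's post above.
SAMPLE_LOG = """\
178.33.229.22 - - [05/Sep/2013:10:10:37 +0100] "GET /forum/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:38 +0100] "GET /forum/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:39 +0100] "GET /forums/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:40 +0100] "GET /core/install/upgrade.php HTTP/1.1" 404 613 "-" "-"
178.33.229.22 - - [05/Sep/2013:10:10:41 +0100] "GET /install/upgrade.php HTTP/1.1" 200 13394 "-" "-"
66.96.183.79 - - [05/Sep/2013:10:10:45 +0100] "POST /install/upgrade.php HTTP/1.1" 200 279 "-" "-"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def triage(lines):
    """Split install-directory requests into probes (all of them) and hits.

    A hit is a request that did not 404 (the script is reachable on this host)
    or a POST (someone drove the script rather than just checking for it).
    """
    probes, hits = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not INSTALL_RE.search(rec['path']):
            continue
        probes.append(rec)
        if rec['status'] != 404 or rec['method'] == 'POST':
            hits.append(rec)
    return probes, hits


def requests_by_ip(records):
    """Count records per source IP, so the probing host stands out."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec['ip']] += 1
    return dict(counts)


if __name__ == '__main__':
    probes, hits = triage(SAMPLE_LOG.splitlines())
    print('install-directory requests per IP:', requests_by_ip(probes))
    for rec in hits:
        print('HIT', rec['ts'], rec['ip'], rec['method'], rec['path'], rec['status'])
```

On a real host, feed it the whole access log (zcat the rotated ones too) and treat any hit dated before the /install/ directory was removed as the moment to start the rest of the cleanup from.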
lapiervb
09-05-2013, 01:05 PM
Do we just delete the entire install folder?
nhawk
09-05-2013, 01:07 PM
Do we just delete the entire install folder?
That's what it says.
CareyG
09-05-2013, 02:14 PM
Yeah, I saw he joined today and used my Spam-O-Matic features to get rid of him, but I would really like to know how he signed up as an Admin?
He signed up twice on my forum as admin. I have deleted the install folder. I don't know what else to do or what, if anything, he did to my forum.
Lynne
09-05-2013, 03:53 PM
If you want to see what he did on your site, go to Admincp > Statistics & Logs > Control Panel Log. You will see if he added a plugin or accessed the templates, etc.
DELETE YOUR INSTALL DIRECTORY!!!
dawges
09-05-2013, 04:18 PM
I was a victim of this also. Check my thread. If you guys haven't already you need to check the database and your templates. On my forum they put iframes in the footer of all my templates.
I had 8 Administrators in the admin group with the same name. However, one admin account was just a "."
BlkBullitt
09-05-2013, 06:06 PM
Did you get an IP or any information as to what he is doing once he's in?
IP addy 180.216.122.253 and I checked my Control Panel and I don't see anything logged for the user so it looks like he just signed up and that was it. I am almost 100% certain I deleted my install folder after the initial install a year ago.
ozzy47
09-05-2013, 11:12 PM
Yeah we went through this with another member yesterday, https://vborg.vbsupport.ru/showthread.php?t=301892
owning_y0u
09-06-2013, 06:26 AM
A lot of vB clients don't even know he is on their forum as administrator. It's kinda sad that people, despite the warnings to remove their install directory, still have it on their server(s).
cellarius
09-06-2013, 07:47 AM
Well, it's kind of sad it took IB a week to send out security bulletins by mail. Not everyone checks their admincp or the announcement forum on vb.com every day (the latter can't even be subscribed, since that - surprise - does not work in vB5). It's probably not the fault of the support staff, but I imagine they need to get approval from the IB high command to send out such things.
RickyH
09-06-2013, 10:19 AM
Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.
cellarius
09-06-2013, 11:22 AM
People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked.
No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.
You should at least get your facts straight before you tell people it's their own fault.
ForceHSS
09-06-2013, 12:39 PM
No, this is wrong. People were told to remove install.php from the server, not the install folder. Just the opposite: People who asked have explicitly been told to leave the install folder on the server, because it contains files like the style or language xml files that can be useful when troubleshooting. This is why you can't access AdminCP after install/upgrade when install.php is present, but you can access AdminCP perfectly when the install folder is present.
You should at least get your facts straight before you tell people it's their own fault.
https://vborg.vbsupport.ru/showpost.php?p=2443348&postcount=33
TheLastSuperman
09-06-2013, 12:59 PM
https://vborg.vbsupport.ru/showpost.php?p=2443348&postcount=33
Yup, because it's no longer required after initial installation unless running tools.php.
*Please note: Renaming it to /..install../ OR /old_install/ OR anything honestly is not doing you any good; delete the entire directory to be 100% sure you're not able to be exploited by that ftard :p.
Any script kiddie can become famous; it only takes a tutorial on a supposed "hacker" site and someone without a life to spend time defacing your site or worse. It's your job as the site owner to stay up to par on vB announcements and current security issues. Before the exploit was "known" you had an excuse when hacked; now that we know one is present if leaving the /install/ folder up, it's silly to come online one morning to find your site defaced or worse when you could have prevented it by simply reading an announcement and taking action.
Shoot, I emailed a few old clients just to remind them about this. Be sure, if you're running email filters and folders, that you still check the folder for the announcement emails and eBulletins from vBulletin, as it's easy to overlook mail when it's not right in front of you inside your inbox ;).
Edit: Also vBulletin did tell people to delete the entire /install/ folder, this was up letting everyone know of a possible exploit and what actions to take:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
This was a completely unrelated exploit found and the announcement clearly states that, furthermore it also states to delete the /install/ directory near the bottom:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
So I'm not sure who was telling people to delete just install.php, but it was not vBulletin themselves, unless I'm missing something entirely (my wife says I do that from time to time; laugh at me, not with me, on that one ;)).
DF031
09-06-2013, 01:19 PM
Despite who reads things on the announcements, it shouldn't matter. People are urged to delete install folders on their server after a successful install, therefore it's their own fault if they've been hacked. It does state that leaving precious files and folders on the server can cause people to "hack" or "attack" the forum.
For years people have been told by VB to NOT delete the install directory. I asked it several times myself. VB always wrote to just uninstall the file install.php.
This all changed last week, now we MUST DELETE THE INSTALL DIRECTORY!
TheLastSuperman
09-06-2013, 01:23 PM
For years people have been told by VB to NOT delete the install directory. I asked it several times myself. VB always wrote to just uninstall the file install.php.
This all changed last week, now we MUST DELETE THE INSTALL DIRECTORY!
Ahh, now I see what you and others meant by that. Although for years this exploit may not have been present, it could be related to recent code changes/inclusions; we still do not know the specifics. However, we do know that from here on out you delete the /install/ directory after installation.
nerbert
09-06-2013, 01:36 PM
Would it be enough to just rename it?
squidsk
09-06-2013, 01:48 PM
*Please note: Renaming it to /..install../ OR /old_install/ OR anything honestly is not doing you any good; delete the entire directory to be 100% sure you're not able to be exploited by that ftard :p.
Would it be enough to just rename it?
See above quote.
cellarius
09-06-2013, 01:54 PM
https://vborg.vbsupport.ru/showpost.php?p=2443348&postcount=33
Yeah. Great. A post from yesterday. That only proves that NOW they tell you to remove that directory. They have done otherwise for years.
nhawk
09-06-2013, 02:22 PM
I've always deleted the install directory on live sites without any problems. It just seemed to make more sense to me.
I also rename the admincp and modcp folders to a secure name. In addition, whenever possible I protect them with htaccess so only IP addresses included in the htaccess file can use the ACP and ModCP.
DF031
09-06-2013, 02:52 PM
Would it be enough to just rename it?
Why would you take that risk? VB recommends to delete it, why ignore that?
It is not just your forum at risk, but also the privacy and online security of your users.
ForceHSS
09-06-2013, 02:53 PM
I have always deleted the whole install folder and have been doing this for some time. I also have a lot of other security things in place.
nerbert
09-06-2013, 04:02 PM
Why would you take that risk? VB recommends to delete it, why ignore that?
It is not just your forum at risk, but also the privacy and online security of your users.
I'm working on an AdminCP file manager and am using it to delete this, but I found a functional but very slow running block of code I would like to improve, so I'm wondering if I need to do this in the next five minutes or the next five hours. But TheLastSuperman answered. Now I have to create a bunch of junk files to test my improved code on.
TheLastSuperman
09-06-2013, 04:08 PM
I'm working on an AdminCP file manager and am using it to delete this, but I found a functional but very slow running block of code I would like to improve, so I'm wondering if I need to do this in the next five minutes or the next five hours. But TheLastSuperman answered. Now I have to create a bunch of junk files to test my improved code on.
Clone the site, restore on localhost then tinker away ;).
tbworld
09-06-2013, 10:18 PM
Obviously, it is not smart for VB to post any real details of the vulnerability, but if any of you are in the know: Is it sufficient to just IP-restrict the install directory?
Might be a short term solution @nerbert.
I do like @TheLastSuperman's suggestion, but I am sure you are already developing on a local system; this is probably just for testing -- right?
nerbert
09-07-2013, 12:28 AM
Obviously, it is not smart for VB to post any real details of the vulnerability, but if any of you are in the know: Is it sufficient to just IP-restrict the install directory?
Might be a short term solution @nerbert.
I do like @TheLastSuperman's suggestion, but I am sure you are already developing on a local system; this is probably just for testing -- right?
Actually I have an old unusable vB3 clone I can beat to pieces. But it's a useful resource for developing something like this -- not to be consumed recklessly.
TheLastSuperman
09-07-2013, 01:09 AM
Renaming/htaccess-protecting it still leaves you vulnerable; the only way to be 100% safe is to delete the entire directory.
nosmo
09-07-2013, 02:02 AM
OK, I was warned by someone via email my site had been exploited. Boooo.
flat4lv.com
I should know more about this, but I don't.
Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthread.php?t=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed check 4 hack. (https://vborg.vbsupport.ru/showthread.php?t=265866) > Setup e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.
Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?
Thanks in advance for any advice.
dawges
09-07-2013, 03:14 AM
OK, I was warned by someone via email my site had been exploited. Boooo.
flat4lv.com
I should know more about this, but I don't.
Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthread.php?t=301892&page=3 but I don't have an iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed check 4 hack. (https://vborg.vbsupport.ru/showthread.php?t=265866) > Setup e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.
Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page?
Thanks in advance for any advice.
This is a great post at vb.com
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/3991429-a-new-type-hack-method?p=3993335#post3993335
induslady
09-07-2013, 05:42 PM
Hello,
I came to know of this exploit and it looks like we too had this attack. We did the below:
1. Deleted install folder
2. Deleted suspicious admin user accounts
4. Refer thread - https://vborg.vbsupport.ru/showthread.php?t=301892 as mentioned there I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.
Also we notice that a few templates in the custom style have an edit history that says "Edited by .." the suspicious admin accounts, with a time stamp in the past year 2010.
Are there any other precautions that need to be done? Am I currently still exploited? What are the other security measures that I need to do to protect my forums?
Toorak Times
09-08-2013, 12:21 PM
I have deleted my install directory and have been hit twice in 24 hours
ozzy47
09-08-2013, 12:23 PM
I have deleted my install directory and have been hit twice in 24 hours
Wait, the same user is still getting in after the install directory has been deleted?
KissOfDeath
09-08-2013, 12:39 PM
I have deleted my install directory and have been hit twice in 24 hours
I had the same thing. From the logs I saw that he created a plugin, then removed it, and then created a user and removed that too:
102106 N/A 18:13, 30th Aug 2013 user.php kill user id = 333162 198.203.28.247
102105 N/A 18:13, 30th Aug 2013 user.php remove user id = 333162 198.203.28.247
102104 N/A 18:13, 30th Aug 2013 user.php edit user id = 333162 198.203.28.247
102103 N/A 18:13, 30th Aug 2013 user.php find 198.203.28.247
102102 N/A 18:13, 30th Aug 2013 user.php modify 198.203.28.247
102101 N/A 18:13, 30th Aug 2013 plugin.php 198.203.28.247
102100 N/A 18:13, 30th Aug 2013 plugin.php kill plugin id = 8305 198.203.28.247
102099 N/A 18:13, 30th Aug 2013 plugin.php delete plugin id = 8305 198.203.28.247
102098 N/A 18:13, 30th Aug 2013 plugin.php modify 198.203.28.247
102097 N/A 18:05, 30th Aug 2013 plugin.php 198.203.28.247
102096 N/A 18:05, 30th Aug 2013 plugin.php doimport 198.203.28.247
102095 N/A 18:04, 30th Aug 2013 plugin.php files 198.203.28.247
What they're doing is creating a backdoor to come back in later.
When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th, I figured that it would undo any database or template alterations.
Wrong. The next day the same user was back with admin access. I removed him again and checked the admin logs, and nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again......
So then I figured it must be a file uploaded to the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.
I've changed admin, cPanel & FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.
Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt (I guess there must be more files as well, but this is all I could find on Google).
ozzy47
09-08-2013, 12:54 PM
Did you try the following?
Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, the suspect file versions script does not check config.php or .htaccess.
KissOfDeath
09-08-2013, 01:02 PM
Did you try the following?
Run Suspect File Versions: > AdminCP > Maintenance > Diagnostics > Suspect File Versions > *Click Submit > Review the files listed, research and delete all files you suspect are malicious. *Also check your .htaccess file and config.php file for modified code, the suspect file versions script does not check config.php or .htaccess.
Yes, did both the first time round. Also, if it had been modified, the file dates would be different.
ozzy47
09-08-2013, 01:04 PM
OK cool, here is an interesting article TheLastSuperman wrote, it may help: http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
KissOfDeath
09-08-2013, 01:09 PM
If you look at the options they have once they have installed the plugin you can see how much they can do
http://s9.postimg.org/4v480fyhq/Untitled.jpg
Toorak Times
09-08-2013, 01:44 PM
I've just restored twice over the last couple of days, my hosts are screaming...he is a clever bugger...I have a developer keeping an eye on my site until Sunday so I will update this thread...I am using Spam Hammer and to date it is brilliant, so I don't think it is flawed, but Steve is the expert in this stuff
--------------- Added 1378651717 at 1378651717 ---------------
clock.php...interesting...I have clock on my home page header, hmmm
ozzy47
09-08-2013, 02:43 PM
Hopefully with Steve watching the site, he can figure out everything they are doing and share with the community on how to put a stop to him.
induslady
09-09-2013, 04:03 AM
What they're doing is creating a backdoor to come back in later.
So then I figured it must be a file uploaded to the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.
I've changed admin, cPanel & FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.
Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt (I guess there must be more files as well, but this is all I could find on Google).
Hello,
Thank you for these details.
I was able to see these backdoor (php) files - about 4 in different names (gs.php, test.php, dyna_statistic.php) with exactly the same content - installed in the following folders:
customprofilepics
attachments
captcha
vba_dyna_modules
Deleted those files today.
Removed install directory the very next day of being hacked (6-Sep).
Changed cpanel/FTP, vbulletin database and admin account passwords.
I didn't find anything injected into the database, so should I restore it? Then the members posts will be lost!
What more should I do to keep the hacker away?
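Added example (not the page's own or vBulletin's code) covering KissOfDeath's clock.php find and the identically-sized files induslady lists: a Python sweep that lists script files under vBulletin's upload directories and groups byte-identical copies by SHA-256, since one shell dropped under several names is exactly what the two posts describe. The directory names come from the posts; the tree it runs on is constructed in a temporary directory and the function names are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# vBulletin directories that hold user uploads or generated images. Nothing
# executable belongs in them, so a script file there is a likely web shell
# (the posts above name clock.php, gs.php, test.php and dyna_statistic.php).
UPLOAD_DIRS = ('customavatars', 'customprofilepics', 'attachments',
               'captcha', 'vba_dyna_modules')
SCRIPT_EXTS = ('.php', '.phtml', '.php3', '.php5', '.phar')


def find_scripts(forum_root):
    """Return paths (relative to forum_root, '/'-separated) of script files under the upload dirs."""
    found = []
    for sub in UPLOAD_DIRS:
        base = os.path.join(forum_root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.lower().endswith(SCRIPT_EXTS):
                    full = os.path.join(dirpath, name)
                    found.append(os.path.relpath(full, forum_root).replace(os.sep, '/'))
    return sorted(found)


def group_identical(forum_root, rel_paths):
    """Group files whose content hashes match: one shell dropped under several names."""
    groups = defaultdict(list)
    for rel in rel_paths:
        with open(os.path.join(forum_root, rel), 'rb') as fh:
            groups[hashlib.sha256(fh.read()).hexdigest()].append(rel)
    return {digest: sorted(paths) for digest, paths in groups.items() if len(paths) > 1}


def build_demo_tree(root):
    """Write a constructed forum tree (not a real site) for a dry run."""
    # Placeholders standing in for uploaded scripts; no real shell code here.
    shell_a = b'<?php /* constructed placeholder A */ ?>\n'
    shell_b = b'<?php /* constructed placeholder B */ ?>\n'
    files = {
        'customavatars/avatar7.gif': b'GIF89a...',
        'customavatars/clock.php': shell_a,
        'customprofilepics/gs.php': shell_b,
        'attachments/2013/report.pdf': b'%PDF-1.4 ...',
        'attachments/test.php': shell_b,
        'captcha/image.png': b'\x89PNG...',
        'vba_dyna_modules/dyna_statistic.php': shell_b,
        'images/misc/logo.php': shell_b,  # outside the swept dirs: deliberately not reported
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)


def demo():
    """Run the sweep over the constructed tree; returns (scripts, duplicate groups)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        scripts = find_scripts(root)
        return scripts, group_identical(root, scripts)


if __name__ == '__main__':
    scripts, dupes = demo()
    print('script files in upload directories:', *scripts, sep='\n  ')
    for digest, paths in dupes.items():
        print('identical content', digest[:12], '->', paths)
```

The sweep only covers the upload directories it is told about (the logo.php in the sample tree is missed on purpose); for the rest of the install, compare against a clean copy of the same vBulletin package or run the Suspect File Versions check ozzy47 describes.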
KissOfDeath
09-09-2013, 06:49 AM
Well, something's still not right. I logged onto my site today and my account was using an unselectable style; the style options at the bottom were just showing a blank space. Nothing in the control panel logs, no file edits on the server, no new admins......
ozzy47
09-09-2013, 09:25 AM
Well, that is certainly a strange one. Surprised there was nothing in the logs.
CarolSEL
09-09-2013, 06:39 PM
This guy hacked our site with 3 usernames (administrator, z3ro and Th3H4ck), all admins, and with no record of them registering, no email confirmation to admin, so it had to be manually done. I deleted them, and the contents of the install folder (all were backup files). The site crashed, so I had our ISP restore web files from before the 3 stooges registered, run a malware scan, then verified the htaccess file. Meanwhile, within minutes of being back up, we had 2 more phoney admins, and ZAP! got a message saying, "This site has been hijacked by Frozen.Heart."
I also found at CPanel that all the access logs had been locked. Going thru File Manager, I found the files empty.
Neither the ISP nor we have any idea what to do to restore the site without starting over, but they're going thru the software now. What else could he have done to hijack the site??
(I'm not much more than a glorified Mod, so hopefully I'll catch on to whatever suggestions you've got!)
One other question: How does this guy find out who vB's clients are???
xenite
09-09-2013, 06:47 PM
I would look at the raw server logs and identify the IP addresses he is using. You can buy yourself some time by blocking those in your .htaccess or firewall.
CarolSEL
09-09-2013, 06:57 PM
Thanks, Xenite, but first I need to figure out how to get the site back up, without any surprise easter eggs included. I suspended the account until we can get it fixed...we don't need to advertise his "expertise", since all you get at our URL is a flaming demon with music and his banner headline.
The ISP is asking me for any information available on what he does to the software.
xenite
09-09-2013, 07:01 PM
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.
When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.
I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.
CarolSEL
09-09-2013, 07:12 PM
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.
When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.
I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.
Thanks. Will check it out.
Zachery
09-09-2013, 09:31 PM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
TheLastSuperman
09-10-2013, 01:26 PM
Erm, working on one now where they edited the master style; will update this post once I find out more.
Edit: If you're reviewing plugin edits via the control panel log and notice anything similar to: template.php modify style id = 0 then place your site into debug mode (https://www.vbulletin.com/docs/html/main/debug_mode) then check the MASTER STYLE for any edits.
The one I located was in the Master Style included in the forumhome template:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRrrp">
The code present on your site may vary and may or may not be a redirect to adf.ly; it could be anything else, so be on the lookout ;).
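Added example, not code from the post: a Python scan for the template indicators this thread describes (a meta refresh in the master style's FORUMHOME, injected iframes in footers, absolute links to hosts the owner never added), run over constructed template rows. Only the redirect tag is copied from the post above; the style names, the other template bodies and the allowed-host list are assumptions, and the same functions can be pointed at a template-table export.

```python
import re
from urllib.parse import urlsplit

# Patterns for what the posts report after the admin-cp compromise.
META_TAG_RE = re.compile(r'<meta\b[^>]*>', re.I)
REFRESH_RE = re.compile(r'http-equiv\s*=\s*["\']?\s*refresh', re.I)
REFRESH_URL_RE = re.compile(r'content\s*=\s*["\']?\s*\d*\s*;?\s*url\s*=\s*([^"\'>\s]+)', re.I)
IFRAME_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'>\s]+)', re.I | re.S)
ABS_URL_RE = re.compile(r'\b(?:href|src)\s*=\s*["\']?(https?://[^"\'>\s]+)', re.I)


def scan_template(style, title, text, allowed_hosts):
    """Return (style, title, kind, url) findings for one template body."""
    findings = []
    for tag in META_TAG_RE.findall(text):
        if REFRESH_RE.search(tag):
            m = REFRESH_URL_RE.search(tag)
            findings.append((style, title, 'meta-refresh', m.group(1) if m else tag))
    for m in IFRAME_RE.finditer(text):
        findings.append((style, title, 'iframe', m.group(1)))
    for m in ABS_URL_RE.finditer(text):
        host = (urlsplit(m.group(1)).hostname or '').lower()
        if host not in allowed_hosts:
            findings.append((style, title, 'external-url', m.group(1)))
    return findings


def scan_templates(templates, allowed_hosts):
    """Scan (style, title, body) rows; hosts are compared case-insensitively."""
    allowed = {h.lower() for h in allowed_hosts}
    report = []
    for style, title, text in templates:
        report.extend(scan_template(style, title, text, allowed))
    return report


# Hosts that legitimately appear in this (constructed) site's templates.
ALLOWED_HOSTS = {'forum.example', 'www.vbulletin.com'}

# Constructed template rows (style name, template title, body). The redirect tag
# in FORUMHOME is the one quoted in the post above; everything else is made up.
SAMPLE_TEMPLATES = [
    ('MASTER STYLE', 'FORUMHOME',
     '<link rel="stylesheet" href="http://forum.example/css.php?styleid=1" />\n'
     '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRrrp">\n'
     '<div id="content">{vb:raw forumbits}</div>'),
    ('Custom Blue', 'footer',
     '<div id="footer">Powered by <a href="http://www.vbulletin.com">vBulletin</a></div>\n'
     '<iframe src="http://EXAMPLE-BAD.invalid/x.html" width="0" height="0"></iframe>'),
    ('Custom Blue', 'header',
     '<a href="forum.php"><img src="images/misc/logo.png" alt="home" /></a>'),
    ('Custom Blue', 'navbar',
     '<script type="text/javascript" src="http://stats.tracker.invalid/t.js"></script>'),
]


if __name__ == '__main__':
    for style, title, kind, url in scan_templates(SAMPLE_TEMPLATES, ALLOWED_HOSTS):
        print(f'{style:13} {title:10} {kind:13} {url}')
```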
obglobal.net
09-10-2013, 01:33 PM
I got got.
I'm bottom of the barrel level too, so I'm just bewildered. Lost about 30 posts by members after restoring to the previous day's backup via MySQL.
What's with these colon licking hackers?
--------------- Added 1378824257 at 1378824257 ---------------
DELETE YOUR INSTALL DIRECTORY!!!
Please give me as thorough a walk through as possible on this, Lynne/anyone.
Sorry.
never mind. I got it.
TheLastSuperman
09-10-2013, 02:05 PM
Basically you know how all those folder and files related to vBulletin must be uploaded to your server? You want to locate the folder /install/ and delete it entirely.
https://vborg.vbsupport.ru/attachment.php?attachmentid=146371
Edgespeeder06
09-10-2013, 09:17 PM
Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
CarolSEL
09-10-2013, 09:25 PM
Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.
TheLastSuperman
09-10-2013, 09:43 PM
Someone sent me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
No, if you were hacked there is a high probability that the hacker uploaded a shell script and could have backdoors in various folders on your server. There is actually quite a bit you need to do in order to rid yourself of this. If you are not experienced in these matters contact your host and link them to this thread along with these links which have helpful info:
http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.
By that you mean what? That you dropped all tables in the database, deleted all the files, then installed 100% from scratch using new files and a clean database, and it's still not working?
Zachery
09-10-2013, 10:39 PM
Btw, I updated my blog again, with some additional steps to help remove the exploits.
CarolSEL
09-11-2013, 11:07 AM
By that you mean what? That you dropped all tables in the database, deleted all the files, then installed 100% from scratch using new files and a clean database, and it's still not working?
No.
1. My site went down with a server error message.
2. Host got it back up, but home page "wasn't right". I noticed that I had phoney "admins" in my usergroup who were "registered" minutes before the error and deleted them. I read this thread and deleted the install folder. (Obviously, the payload had already been delivered.)
3. Site got hijacked.
4. Via link to ACP I shut down the boards, stopped all plugins.
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
7. Site is still down.
So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?
I will give this link to host, and will check out all the cleanup suggestions you and Zachery give.
willy888
09-11-2013, 11:27 AM
I had the same problem in 4.2.1. Some days ago someone registered as admin ...... we deleted him.
Yesterday the same; we deleted him.
I read here to delete the install folder; I did it.
The site is down .... database error.
I re-uploaded all of 4.2.1 and ran Upgrade or Install; I have this error:
Due to the following errors, the install/upgrade can not continue:
The database has failed to connect because you do not have permission to connect to the server. Please confirm the values entered in the includes/config.php file
Error description: mysql_connect() [function.mysql-connect]: User 'myname' has exceeded the 'max_connections_per_hour' resource (current value: 1) /home4/myname/public_html/forums/includes/class_core.php on line 317
TheLastSuperman
09-11-2013, 11:38 AM
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
When I refer to backups I always say database backup and filesystem backup, one being a copy of your database at the time the backup was made and the other being the actual folders with files.
When you say they restored a web backup do you mean they had a full database(1)
AND filesystem(2) backup and restored both(3)?
1. If the host restored, then they know to drop the tables, in fact the entire database, depending on restore method. The issue here for some site owners who attempt this themselves is the fact they tend to import a backup onto a populated database, i.e. overwriting newer data with older data, and that can cause issues. The proper way to do it is to drop all tables from the database, then import the backup into the now empty database, thereby restoring it.
2. If the host restored a filesystem backup, it must be BOTH filesystem AND database, because the two must match each other, i.e. timeframe: if the database backup was made at 5pm your time then the filesystem backup should be from that same time, and by disabling the forum before a backup you ensure no activity is taking place, i.e. avatar/image uploads, so the two will in fact match what the database knows is within the filesystem.
3. If only one was done, as I said above in note #2, it must be both. Now, is there an exception? Yes! The inability to access the admincp could be modification related: if you restored fresh files only and forgot to upload all the missing plugin files then that can cause inability to access. If you feel that is the case, locate the missing modification files and upload them (you can still access the database via phpmyadmin, so check the product and plugin tables). If you have issues tracking down the files OR truly believe this is the issue, then start disabling each plugin one by one using this article (https://vborg.vbsupport.ru/showthread.php?t=259619) until you find the culprit, as not all plugins disable when you disable mods via the config file; I've seen some odd situations and scenarios with certain third-party modifications/plugins.
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
Was the version you were running at the time of the hacking in fact 4.2.1? If you were, let's say for example, running 4.2.0 and then overwrote those files with 4.2.1 files without running the upgrade script, then issues can occur, and if that is the case simply run the upgrade script to resolve it (and on that note, when you uploaded those 4.2.1 files you did delete the /install/ folder before uploading the contents of the .zip, correct? See where I'm headed with this ;)).
So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?
You need to manually inspect it, there are queries listed in some of the articles and blog entries we linked you to prior in this thread, you can modify those queries i.e. for example you can search in the database for http://adf.ly/VRrrp (https://vborg.vbsupport.ru/showpost.php?p=2444870&postcount=61) as mentioned in this post (https://vborg.vbsupport.ru/showpost.php?p=2444641&postcount=52). Edit: Removed some info I was mistaken and needed to clarify.
Your site is more than likely intact, other than one site where they edited the master style I have only seen defacement no thread or post deletions but make sure to check regardless.
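Added example (not from any poster in this thread): a small Python script that does the manual database inspection described above over a table shaped like vBulletin 4's template table. The column names (templateid, title, template, dateline, username) are taken from that schema as an assumption, the rows are constructed for the example, and SQLite stands in for MySQL so it runs offline.

```python
import re
import sqlite3

# Indicator patterns for the injections described in this thread: URL-shortener
# redirects (adf.ly), injected script/iframe tags, JavaScript redirects, and
# obfuscated PHP. Extend the list with anything you find in your own templates.
SUSPICIOUS_PATTERNS = [
    r"adf\.ly/",
    r"<script[^>]*\bsrc\s*=",
    r"<iframe\b",
    r"(?:window|document)\.location\s*=",
    r"\beval\s*\(",
    r"base64_decode\s*\(",
    r"gzinflate\s*\(",
]


def scan_templates(conn, edited_since=None):
    """Return one (templateid, title, username, reason) tuple per suspicious
    template. A template is suspicious if its body matches an indicator
    pattern, or if its dateline (last-edit epoch) is at or after edited_since."""
    rows = conn.execute(
        "SELECT templateid, title, template, dateline, username FROM template"
    )
    hits = []
    for templateid, title, body, dateline, username in rows:
        matched = next(
            (p for p in SUSPICIOUS_PATTERNS if re.search(p, body, re.IGNORECASE)),
            None,
        )
        if matched is not None:
            hits.append((templateid, title, username, "pattern " + matched))
        elif edited_since is not None and dateline >= edited_since:
            hits.append((templateid, title, username, "edited after cutoff"))
    return hits


def build_sample_db():
    """Constructed sample data shaped like vBulletin 4's template table
    (column names assumed from the schema; the rows are invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE template (templateid INTEGER PRIMARY KEY, styleid INTEGER,"
        " title TEXT, template TEXT, dateline INTEGER, username TEXT)"
    )
    rows = [
        (1, 2, "header", '<div id="header">{vb:raw vboptions.bbtitle}</div>', 1364515200, "admin"),
        # A FORUMHOME defaced with a redirect, as reported in the thread.
        (2, 2, "FORUMHOME", '<script>window.location="http://adf.ly/VRrrp";</script>', 1378878660, "polter"),
        (3, 2, "footer", '<div id="footer">{vb:rawphrase powered_by_vbulletin}</div>', 1364515200, "admin"),
        # Rebuilt two minutes earlier with no username, like the bbcode_video case.
        (4, 2, "bbcode_video", '<div class="video">{vb:raw content}</div>', 1378878540, ""),
    ]
    conn.executemany("INSERT INTO template VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    # Cutoff: 2013-09-10 00:00 UTC, the day before the break-in in the sample.
    for hit in scan_templates(db, edited_since=1378771200):
        print(hit)
```

Against the live forum, point the same SELECT at MySQL (through phpMyAdmin or a MySQL client) and set the cutoff a day or two before the break-in; the username column is what the ACP shows as "Last edited by", so a recent edit with an empty or unfamiliar username is worth reading even when no pattern matches. The plugin table deserves the same pass for unfamiliar phpcode.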
Zachery
09-11-2013, 11:39 AM
Deleting your install folder had nothing to do with your new error:
'max_connections_per_hour'
Your MySQL user has used all of the queries they're allowed per hour.
CarolSEL
09-11-2013, 12:55 PM
When you say they restored a web backup do you mean they had a full database(1)
AND filesystem(2) backup and restored both(3)?
Host had a full database and filesystem backup and (as I understand) restored the filesystem when I asked if new data entered between the last good backup (3 days prior) and the restore could be salvaged. Host's reply was:
We can restore the web files without restoring the mysql databases. If that's okay with you, just let us know and we'll start on that.
Was the version you were running at the time of the hacking in fact 4.2.1? If you were, let's say for example, running 4.2.0 and then overwrote those files with 4.2.1 files without running the upgrade script, then issues can occur, and if that is the case simply run the upgrade script to resolve it (and on that note, when you uploaded those 4.2.1 files you did delete the /install/ folder before uploading the contents of the .zip, correct? See where I'm headed with this ;)).
I see, and we were running 4.1.x, Patch Level 3, but the upgrade instructions said differently:
After an upgrade or installation, it is important that you delete the /install/ folder. This is necessary to provide proper security to your installation.
I'm understanding that the install.php prompts the upgrade script, correct? The instructions with the download said:
1. Close your board via the Admin Control Panel.
2. Delete install/install.php from your upload directory
3. Upload all remaining files from the 'upload/' folder in the zip.
Since the site is inaccessible via browser, I followed these instructions:
http://www.vbulletin.com/vbcms/content.php/426-vBulletin-Upgrading-vBulletin-3-to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my ftp account directs the files to "my" folder, so they were moved by host.) I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade?
TheLastSuperman
09-11-2013, 01:07 PM
Host had a full database and filesystem backup, and (as I understand) restored filesystem, when I asked if new data entered between the last good backup (3 days prior) and restore could be salvaged. Host's reply was
I see, and we were running 4.1.x, patch level 3), but the upgrade instructions said different:
I'm understanding that the install.php prompts the upgrade script, correct? The instructions with the download said:
Since the site is inaccessible via browser, I followed these instructions:
http://www.vbulletin.com/vbcms/content.php/426-vBulletin-Upgrading-vBulletin-3-to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my ftp account directs the files to "my" folder, so they were moved by host.) I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade?
Oye... this is making me want more coffee lol...
Let me re-phrase:
Never restore one, restore both database and files at the same time.
The upgrade instructions did not say differently, you misinterpreted what I meant. You either download the vbulletin.zip to your pc and extract then upload or you upload the .zip and extract it on your server - if you saved to pc then delete the /install/ folder before uploading all of the files.
Actually install.php prompts the installation script, upgrade.php processes the upgrade respectively.
The best way to fix this now is to ask your host to restore the database AND the files from three days prior at the same time; however, you will lose all data from the time of the backup to date. Unless you have a custom script written, and possibly edits to the database, to merge in the data, taking into account new data from the time you start using the forum after the restore, then the data is lost forever after restoration.
CarolSEL
09-11-2013, 01:16 PM
OK, thanks.
--------------- Added 1378918449 at 1378918449 ---------------
Does this sound correct, please?
From host:
Sorry for the delay in my response, we have finished backing up your account in its current state.
We will be unable to restore the account to its state on September 3rd or 4th. However, since there is a backup of the database from Sep. 3rd, we recommend installing a fresh vBulletin. We have created the subdirectory [/home/catho11/public_html/vb/] for you to install vBulletin to. Once you have installed a fresh copy we can attempt to import the database from September 3rd.
It would be best to install the version of vBulletin that you were using previously to avoid issues. Please let us know if you have any questions.
Sept. 5 was when the site was hijacked, and the 4th was when the exploit occurred. Apparently, the full system backups through 9/4 have been overwritten on the server.
Divvy
09-11-2013, 04:21 PM
Hello guys,
Here is my feedback running vBulletin 4.2.0 Patch Level 3
Today I received a phone call from a moderator of mine saying that the forum was hacked.
Immediately I logged in as admin and turned the forum off.
I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php is it redirecting to this page:
http://i.imgur.com/JingJTM.png
Showing a Brazilian message:
Desculpe o transtorno estamos invadindo seu site
Sabe por que? porque eu quis.
(English: "Sorry for the inconvenience, we are invading your site. Know why? Because I wanted to.")
@Nega_cabelo_duro
The source code of that page is:
http://paste2.org/YeFAjz9m
I have found this in my forumhome template:
http://paste2.org/Mw7snpxK
I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013
Does someone know exactly what the hacker changed?
Until now only found:
1- a new admin (already deleted)
2- forumhome template changed (already reverted)
I already deleted the install folder also like Wayne Luke said here:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
Just a quick note. I saw the logs on
And found what he did:
http://i.imgur.com/pJRBdfi.png
So, if I am right, he only modified template files, right?
Is it possible to know if it was only forumhome or more?
UPDATE: I have checked all template files one by one in the Last edited information, and the only template file that was edited by the hacker was FORUMHOME, in all templates that I have installed.
It says: Last edited September 11 2013 at 05:51 by polter
UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked), and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME
My bbcode_video file code: http://paste2.org/5bP0w05b
UPDATE3: Just can't find the template file that he inserted on style 2 (default):
http://i.imgur.com/pJRBdfi.png
I checked the files one by one and can't find today's date...
Any more changes that anyone has noticed?
Thanks!
hsoen
09-15-2013, 07:20 AM
My vBulletin forum was also hacked via symlink. My forum was on a shared hosting server.
This tutorial article (http://www.securitygeeks.net/2012/08/symlink-tutorial.html ) shows how easy it is for a hacker to hack into your vBulletin forum.
The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server.
Now I have a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker.
Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker?
Paul M
09-15-2013, 03:39 PM
UPDATE2: I notice a new template file that was edit today (the day that my vb was hacked) and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that don't appear the username, but the file was edit today and 2 minutes before he change FORUMHOME
bbcode_video is built (and rebuilt) by a function; it's not likely they changed it, especially as there is no username, but rather they triggered a rebuild of it (no idea why they would bother).
bremereric
09-15-2013, 05:38 PM
My vBulletin forum was also hacked via symlink. My forum was on a shared hosting server.
This tutorial article (http://www.securitygeeks.net/2012/08/symlink-tutorial.html ) shows how easy it is for a hacker to hack into your vBulletin forum.
The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server.
Now I have a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker.
Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker?
Two things I had to do yesterday. No rollback required. I know the two hackers were in Friday night. I saw what they changed, and it only had to do with the forumhome template. Easy to roll back the database from a prior backup. I just copied the good code from another style and pasted it into the hacked one. This fixed the forum redirect. Then if I would hit the home tab it would also do a redirect. This time I restored the program files from a backup from early Friday morning, and this corrected that. Hope it helps you. I also bought a month of SiteLock firewall. Will probably keep on using it. :)
sd_slim
09-16-2013, 09:03 PM
This thread was very useful. Thank you to everyone that has contributed. We were also breached, and I found about 7 new admin accounts from the past three weeks, but only three of them had bothered to do anything. I had several new plugins and some Base64-encoded PHP tied to subscriptions.php. I tried to decode the PHP but it is a file within a file within a file, and my day is only so long. I haven't seen others mentioning this. Has anyone seen this, or can anyone speculate on why this PHP file would be targeted?
UPDATE: after 10 rounds of decoding we found that the plugin was a hacker tool called c99madshell.php. A description of what it does is here: http://www.derekfountain.org/security_c99madshell.php
We are digging deeper into what may have been accessed in the DB.
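Added example, not sd_slim's own decoding steps: a Python routine that peels nested eval(base64_decode(...)) and eval(gzinflate(base64_decode(...))) wrappers, which is the "file within a file within a file" pattern described above, and runs it over rows shaped like vBulletin's plugin table (title, hookname, phpcode; column names assumed). The payload used for the demonstration is constructed by wrap(), with a harmless marker string in place of the real shell; nothing here executes the decoded PHP.

```python
import base64
import re
import zlib

# One layer of the wrappers seen in injected plugins:
#   eval(base64_decode('...'));            or
#   eval(gzinflate(base64_decode('...')));
LAYER_RE = re.compile(
    r"eval\(\s*(gzinflate\(\s*)?base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]"
    r"\s*\)\s*\)?\s*\)\s*;?"
)


def peel(code, max_layers=50):
    """Strip eval(base64_decode(...)) / eval(gzinflate(base64_decode(...)))
    wrappers until none remain. Returns (decoded_code, layers_removed).
    max_layers bounds the work so a decoder bomb cannot run forever."""
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(code)
        if m is None:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        if m.group(1):
            raw = zlib.decompress(raw, -15)  # raw DEFLATE, what PHP's gzinflate() reads
        code = code[:m.start()] + raw.decode("utf-8", "replace") + code[m.end():]
        layers += 1
    return code, layers


def scan_plugins(rows):
    """rows: iterable of (title, hookname, phpcode), e.g. from
    SELECT title, hookname, phpcode FROM plugin. Returns the plugins that
    were wrapped in at least one eval/base64 layer, with the peeled code."""
    findings = []
    for title, hookname, phpcode in rows:
        decoded, layers = peel(phpcode)
        if layers:
            findings.append((title, hookname, layers, decoded))
    return findings


def wrap(code, layers):
    """Constructed test payload: nest `code` in alternating wrappers."""
    for i in range(layers):
        if i % 2 == 0:
            enc = base64.b64encode(code.encode()).decode()
            code = f"eval(base64_decode('{enc}'));"
        else:
            comp = zlib.compressobj(wbits=-15)
            deflated = comp.compress(code.encode()) + comp.flush()
            enc = base64.b64encode(deflated).decode()
            code = f"eval(gzinflate(base64_decode('{enc}')));"
    return code


if __name__ == "__main__":
    # Constructed sample rows; the marker string stands in for the real shell.
    inner = "echo 'innermost layer marker';"
    sample = [
        ("Forum statistics", "global_start", "$vbulletin->stats = 1;"),
        ("Subscription helper", "global_start", wrap(inner, 10)),
    ]
    for title, hook, layers, decoded in scan_plugins(sample):
        print(f"{title} ({hook}): {layers} layers -> {decoded}")
```

The loop stops after max_layers so a payload that decodes to itself cannot spin forever; read the decoded text rather than running it, and treat any hook wrapped this way as hostile before the last layer is even off.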
loua_oz
09-17-2013, 05:40 AM
My (4.2.1) forum was hacked but, interestingly, it appears to be working. Only when I try to access the "Admin" account (there are 2) does it play a music spot and say "Hacked by pScript".
Cannot access the CP through VB. Went to my provider's cPanel, saw files like index.php changed.
A user with no admin rights, I think, would notice nothing wrong.
The /install directory was present when the hack occurred. Instructions before were saying to remove only install.php and tools.php.
Looks like the hacker had used upgrade.php.
How to regain access to the VB Admin CP? I can go through the provider and edit individual files.
It appears he has not touched posts, but whatever user he came in as, he can still do that.
--------------- Added 1379402877 at 1379402877 ---------------
If I try to log in as a Mod, it is OK, but there are insufficient rights to run what is being suggested.
A search for user "admin" shows data and activity of the real one.
No right to change his password.
10 days ago I noticed another user, test (from test.com), that had the administrator title without any email and confirmation. Upon registration, there is a question to answer that robots cannot and only people of a specific nationality can. It did not go through that.
Looks like this is a separate one, or different damage to different forums on the shared server.
New Joe
09-17-2013, 08:19 AM
I've been reading about all these hacking for the past week.
I knew about the /install folder exploit by being an everyday reader both here and vb com
So i instantly did the delete, actually a few of my Forums already had the folder deleted as I know there's no real need for it.
What did surprise me, however, was the e-mail about the /install exploit around (I am guessing here but I think it's about right) one week after reading about it on vb.org
So why did it take a huge company like vB so long to send out this very important e-mail?
I haven't been happy with vB for a long time now; I keep saying to myself one day I will move all my forums over to XenForo, and after this it has pushed me even more to do so.
I know a lot of guys from here (vb.org) have made the move already and others are doing so too.
I think the vB company has lost what it once had and is not thought of the way it used to be.
This is just my opinion, and people either agree or disagree; that's life.
Just thought I'd share a few of my thoughts though.
loua_oz
09-17-2013, 10:12 AM
Yes, there was no email.
Before, new things were in red in the admin CP, as soon as I entered it, telling about new versions and dangers.
Yahoo mail (used for communication) is blocked by my company, so I can't see it, but the VB Admin CP I can access, and I do that several times a day. Nothing was in there.
Can't believe VB staff watched all the hacks and did nothing.
Deleted suspicious files, doing a new load of VB. Will tell later how it went and what it was... if I have success.
--------------- Added 1379416900 at 1379416900 ---------------
now, upgrade.php says:
Database error in vBulletin :
mysql_connect(): Access denied for user 'root'@'localhost' (using password: NO)
/home/mysitedb/public_html/includes/class_core.php on line 317
MySQL Error :
Error Number :
Request Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Error Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Script : http://www.example.com/install/upgrade.php
Referrer :
IP Address : 114.161.74.125
Username :
Classname : vB_Database
MySQL Version :
--------------- Added 1379417296 at 1379417296 ---------------
No access to the VB CPanel, could not stop the board.
It appears to be working (no new posts).
--------------- Added 1379417453 at 1379417453 ---------------
Removed the "install" directory.
Any ideas what else I could try?
--------------- Added 1379418139 at 1379418139 ---------------
Before attempting to reinstall VB, in the /forums directory I found recently created files and deleted them:
phpinfo.php
piejcpii.php
testiramo.php
vb.php
zdbeerr66e4 (contained only ascii characters: 13785372610)
lamershell.php
bekap.php (it knew the original password from when my forum was initially installed)
--------------- Added 1379419533 at 1379419533 ---------------
Posting is still possible. Just posted with pictures, looks OK. Users may not see anything unusual.
But the Admin thing in VB does not work. Somebody else may have his finger on the light switch, and it's his will for how long.
--------------- Added 1379420064 at 1379420064 ---------------
On April 21, 2013, I upgraded to VB 4.2.1.
The instructions said:
1. Close your board via the Admin Control Panel.
2. Delete install/install.php from your upload directory
3. Upload all remaining files from the 'upload/' folder in the zip.
4. Open your browser and point the URL to your forums, e.g. http://www.example.com/install/upgrade.php (where www.example.com/ is the URL of your vBulletin). Make sure to upload the files into your previous installation directory as appropriate (e.g. /forums/). The Upgrade Wizard will determine your vBulletin version and jump forward to the appropriate upgrade step.
Note: Some steps can take a long time to process. Please be patient.
Not a word about removing the /install directory.
Not a word about removing the upgrade.php script.
Hundreds of sites hacked; what a shame for the company.
VB should form a crisis team (if they can, or tell us to move to other software if they can't) and help all their customers, with free support.
xenite
09-17-2013, 01:14 PM
Deleting your install folder had nothing to do with your new error:
'max_connections_per_hour'
Your MySQL user has used all of the queries they're allowed per hour.
A common cause of this kind of error is massive crawler/robot activity on a site. It could be a search engine gone nuts, but more likely it is someone trying to create spam accounts or hack into the server.
That's not the only reason this happens, but it's a common one. There are a LOT of rogue crawlers out there now, and they can account for 1/2 to 1/3 of many sites' bandwidth usage.
loua_oz
09-17-2013, 06:59 PM
Regained access to the VB Admin CP.
Restored vanilla (from the installation kit), just one file, not a full install/upgrade:
/public_html/forums/admincp/index.php
Once in the Admin CP, found a user in Administrators, "pscript", and deleted him.
Now, it seems (with what was done a few posts above) the forum is OK, with access to the Admin CP.
What I did:
- Deleted "install" directory
- Removed suspicious files from /forums directory:
phpinfo.php
piejcpii.php
testiramo.php
vb.php
zdbeerr66e4 (contained only ascii characters: 13785372610)
lamershell.php
bekap.php (it knew the original password from when my forum was initially installed)
- Restored index.php from the installation kit into /forums/admincp/index.php
Steve-Hoog
09-17-2013, 07:06 PM
loua oz
Please advise on what happens next.
Did you check the Control Panel log for this user?
loua_oz
09-17-2013, 07:12 PM
Deleted him.
There was no IP address, just
serverhacker6@gmail.com
and he belonged to group Administrators.
No other users were created.
Now it looks OK; see my previous post, it was edited while you typed yours.
Steve-Hoog
09-17-2013, 07:18 PM
Searched the email, and this hacker isn't going out of his way to hide himself, just like the one that got me.
--------------- Added 1379449637 at 1379449637 ---------------
On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.
xenite
09-18-2013, 06:00 AM
Deleted him.
There was no IP address, just
serverhacker6@gmail.com
and he belonged to group Administrators.
No other users were created.
Now looks OK, see my previous post, it was edited while you typed yours.
Look at VBulletin's admin log. That should tell you the IP address.
Paul M
09-18-2013, 09:05 AM
Yes, there was no email.
Yes there was.
Can't believe VB staff watched all the hacks and did nothing.
Maybe you should get facts right before making silly statements.
There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB-related admin forums.
loua_oz
09-18-2013, 10:00 AM
Yes there was.
Maybe you should get facts right before making silly statements.
There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB-related admin forums.
While I came and said exactly what was done to recover, you came to tell me that hundreds of customers got devastated while you did all that was needed?
I run Windows but never go to Win forums.
Why would I frequent this one? Should I be on the lookout to see if at any minute another hacker has trashed your product, that I have paid for, not a free download?
The red alert in the AdminCP was not there, as there is when a new version or patch is available. That is where I go 2-3 times a day and could not miss it.
Yahoo is banned as a junk site from where I work; checked the inbox at home, and other than 1000s of "vBulletin Database Error!" messages there were no others, or they were summarily deleted with them.
Paul M
09-18-2013, 10:38 AM
The red alert in the AdminCP was not there, as there is when a new version or patch is available. That is where I go 2-3 times a day and could not miss it.
There is no such thing as a "red alert". The ACP news item is there, so clearly you did miss it, and unless you dismissed it, it will still be there. If you dismissed it without reading it then that's your issue.
Yahoo is banned as a junk site from where I work; checked the inbox at home, and other than 1000s of "vBulletin Database Error!" messages there were no others, or they were summarily deleted with them.
Whether you can find it does not change the fact an e-mail was sent. It is your responsibility to make sure your e-mail address is up to date, and doesn't filter out vb e-mails.
loua_oz
09-18-2013, 10:44 AM
Transaction logs show (2 screens, too big for 1). Does not look like a legit thing; see the bottom of pic 2:
tnedator
09-18-2013, 12:13 PM
There is no such thing as a "red alert". The ACP news item is there, so clearly you did miss it, and unless you dismissed it, it will still be there. If you dismissed it without reading it then thats your issue.
Whether you can find it does not change the fact an e-mail was sent. It is your responsibility to make sure your e-mail address is up to date, and doesnt filter out vb e-mails.
It is true that an email was sent out, but only AFTER it was too late for so many sites. There was a forum announcement posted on vb.com on 8/27, but no email was sent until 9/3, presumably once it moved from a "potential exploit" that vB was investigating to a case of hundreds or thousands of sites being hacked.
For most of us, we have followed VB installation instructions for many years. This is from the 4.2 read me/install instructions:
8. When the installation wizard is complete, it will ask if you want to go to the Admin Control Panel. Before proceeding to the Admin Control Panel, you must delete the 'install/install.php' file from your webserver. You may then enter the control panel and start working on your new vBulletin!
Nothing about deleting the entire directory. Now, if there was enough of a potential exploit to post a vBulletin announcement about deleting the /install directory, there should have been an email on 8/27. Instead, myself, like so many others, got the email AFTER the site was hacked, rather than a week before.
loua_oz
09-18-2013, 01:35 PM
Yes, exactly. That version was asking for that; 4.2.1 does not.
Let alone deleting the whole /install directory.
vB staff are in damage control, bshitting and pointing at customers as the guilty ones. This blunder may spell the end of them, as a company, and of their jobs.
Next morning, someone may wake up and say: let's hack another 100 vB sites.
pityocamptes
09-18-2013, 04:35 PM
Transaction logs shows (2 screens, too big for 1). Does not look like legit thing, see bottom of pic 2:
Personally, since you have expended so much time only to find things are slightly off, I would take a known CLEAN backup of your site from BEFORE you had issues. I would then take the current version of your site (the one that is "dirty") and use a program like WinMerge to compare files and folders, to see what may have been changed.
From looking at that pic they are NOT legit!!!!!! I would also use a DB comparison tool and see what, if anything, may have been added to your db prior to the hack, and after... HTH
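Added example (not pityocamptes' WinMerge procedure, but the same comparison done in Python): hash every file under a known-clean copy of the kit and under the live webroot, then report what was added, removed or modified. includes/config.php and the user-upload directories are assumed names for the paths that legitimately differ; the two sample trees are constructed in temporary directories from file names mentioned in this thread, with invented contents.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ from the stock kit (assumed for this example).
EXPECTED_LOCAL = {"includes/config.php"}
# User-upload directories (assumed names) that the kit does not ship.
IGNORE_PREFIXES = ("attachments/", "customavatars/", "signaturepics/")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        digests[rel] = sha256_of(p)
    return digests


def diff_trees(clean_root, live_root):
    """Compare a known-clean copy of the kit against the live webroot."""
    clean, live = snapshot(clean_root), snapshot(live_root)
    return {
        "added": sorted(p for p in live if p not in clean and p not in EXPECTED_LOCAL),
        "removed": sorted(p for p in clean if p not in live),
        "modified": sorted(
            p for p in clean
            if p in live and clean[p] != live[p] and p not in EXPECTED_LOCAL
        ),
    }


def write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_sample_trees():
    """Constructed clean kit and compromised live tree (file names taken from
    the thread; contents invented). Returns (clean_dir, live_dir)."""
    clean = tempfile.mkdtemp(prefix="vb_clean_")
    live = tempfile.mkdtemp(prefix="vb_live_")
    for root in (clean, live):
        write(root, "forum.php", "<?php // stock forum.php\n")
        write(root, "includes/class_core.php", "<?php // stock class_core.php\n")
    write(clean, "admincp/index.php", "<?php // stock admincp/index.php\n")
    write(clean, "install/upgrade.php", "<?php // upgrade script shipped in the kit\n")
    write(live, "admincp/index.php", "<?php // tampered admincp/index.php\n")
    write(live, "includes/config.php", "<?php $config['MasterServer']['password'] = 'x';\n")
    write(live, "lamershell.php", "<?php // dropped web shell\n")
    write(live, "bekap.php", "<?php // dropped file\n")
    write(live, "customavatars/avatar1.gif", "GIF89a")
    return clean, live


if __name__ == "__main__":
    clean, live = build_sample_trees()
    for kind, paths in diff_trees(clean, live).items():
        print(kind, paths)
```

Files under "added" that end in .php are the first things to read, since the kit accounts for every PHP file it ships; "removed" will list install/ if you already deleted it, which is expected. Pair this with a database comparison, as the post suggests, because template and plugin changes never show up in a file diff.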
TheLastSuperman
09-18-2013, 05:07 PM
Yes, exactly. That version was asking for that; 4.2.1 does not.
Let alone deleting the whole /install directory.
vB staff are in damage control, bshitting and pointing at customers as the guilty ones. This blunder may spell the end of them, as a company, and of their jobs.
Next morning, someone may wake up and say: let's hack another 100 vB sites.
I see staff over there busting their arse to help, I bet they are handling an abundance of tickets the best they can honestly.
Now let's think about this for a minute...
- This is a 100% new exploit that was just brought to their attention; they immediately went about investigating and offering a potential fix before knowing the full extent of the issue, and it was on par, i.e. delete the /install/ directory. My point is they took immediate action. It's not like they are vBSEO, where a KNOWN exploit was left included across countless versions over the course of a year; that was horrid and unforgivable. This was just another case of someone having too much time on their hands and just enough brainpower to pull it off half properly.
- While I agree with you on the delayed "eBulletin" email being a "fail" per se, as it was several days late, the fact of the matter is this was announced on a site that is RSS-fed into more sites than there are Chevrolet cars on the road, so how you missed it ENTIRELY is beyond me; I'm literally baffled. Please bookmark the site and check it daily. As a vBulletin forum owner you need to check the site once daily, the same as you check the mail, read the paper, or watch the news; those are daily habits and maintaining your forum is now one. Make note of that!
cellarius
09-18-2013, 05:37 PM
While I agree with you on the delayed "eBulletin" email being a "fail" per se, as it was several days late
Thanks for acknowledging that. When I asked why it was sent out so late, that was not a question well received at vbulletin.com.
, the fact of the matter is this was announced on a site that is RSS-fed into more sites than there are Chevrolet cars on the road
Since when does vB5 support RSS feeds? How do I subscribe to it - genuine question, I wanted to subscribe to it since subscription to a forum does not work either, as far as I know.
so how you missed it ENTIRELY is beyond me I'm literally baffled.
Given that the messaging functions of vB5 do not work, it's not so astonishing, really.
Please bookmark the site and check it daily, as a vBulletin forum owner you need to check the site once daily
Sorry, but you can't be serious about that. People have lives! IB twiddles their thumbs for seven days before sending out an email about a crucial security issue, and you're really of the opinion that customers have to check out the company website daily (which is, once again, running a software that lacks even the most basic subscription features)?
xenite
09-18-2013, 05:52 PM
Transaction logs shows (2 screens, too big for 1). Does not look like legit thing, see bottom of pic 2:
Sorry. It's the CONTROL PANEL LOG that will tell you anything useful. (ON EDIT: About the IP address they used.)
TheLastSuperman
09-18-2013, 10:07 PM
Thanks for acknowledging that. When I asked why it was send out so late that was not a question well received at vbulletin.com.
Since when does vB5 support RSS feeds? How do I subscribe to it - genuine question, I wanted to subscribe to it since subscription to a forum does not work either, as far as I know.
Given that the messaging functions of vB5 do not work, it's not so astonishing, really.
Sorry, but you can't be serious about that. People have lives! IB twiddles their thumbs for seven days before sending out an email about a crucial security issue, and you're really of the opinion that customers have to check out the company website daily (which is, once again, running a software that lacks even the most basic subscription features)?
Ohh, I didn't acknowledge it; I simply made a logical observation that it was later than a lost teen on prom night. I'm not on staff there anymore, so (get ready for this run-on rambling lol) no one cares if I acknowledged it or not, unless it's for argument's sake that it was just late lol.
As for the RSS feeds... you got me there, and the messages you say? Is it obvious I'm not up to par on vB5, Cellarius? Can you imagine why? All I know is if it looks like a Beta product, smells like a Beta product, and acts like a Beta product it surely must be a Beta product... still feels like a Beta product to me as of 9/18/2013.
So of course my arguments are invalid now that I know ;).
mrdiger
09-19-2013, 06:19 AM
Also found my site hacked today! (only the front page; the forums still work)
I run 4.1.1
Any idea what I can do to fix this?
Thanks a lot!!
This is what they did, CP log:
15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52
15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52
15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52
15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52
15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143
15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143
15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143
15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52
15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52
15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2
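Added example, not mrdiger's own analysis: a Python parser for control panel log lines in the format quoted above (log id, admin username, time, script, action, source IP), which groups the entries by IP and reports the ones not in an allowlist of your own admins' addresses or recorded without a username. The sample log is the quoted lines plus one constructed line (id 15380) for a legitimate admin; HIGH_RISK_SCRIPTS is an assumed list of admincp scripts, and known_ips is whatever you pass in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the control panel log lines quoted in the thread, plus one
# constructed line (id 15380, a real admin from an allowlisted address).
SAMPLE_LOG = """\
15389 N/A 04:08, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15388 N/A 04:08, 19th Sep 2013 admincalendar.php update 36.74.252.52
15387 N/A 04:07, 19th Sep 2013 admincalendar.php add 36.74.252.52
15386 N/A 04:07, 19th Sep 2013 admincalendar.php modify 36.74.252.52
15385 N/A 04:07, 19th Sep 2013 plugin.php doimport 36.74.252.52
15384 N/A 04:07, 19th Sep 2013 plugin.php files 36.74.252.52
15383 N/A 03:18, 19th Sep 2013 plugin.php 65.49.14.143
15382 N/A 03:18, 19th Sep 2013 plugin.php doimport 65.49.14.143
15381 N/A 03:18, 19th Sep 2013 plugin.php files 65.49.14.143
15392 N/A 04:08, 19th Sep 2013 faq.php insert 36.74.252.52
15391 N/A 04:08, 19th Sep 2013 faq.php add 36.74.252.52
15390 N/A 04:08, 19th Sep 2013 admincalendar.php edit calendar id = 2
15380 admin 22:10, 18th Sep 2013 template.php edit 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d{2}:\d{2}),\s+"
    r"(?P<day>\d{1,2})(?:st|nd|rd|th)\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<script>\S+\.php)\s*(?P<action>.*?)\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?$"
)

# ACP scripts whose use from an unknown address means hands-on-keyboard
# activity: plugin/product import, user and permission edits, raw SQL,
# template edits. Assumed list; adjust to your install.
HIGH_RISK_SCRIPTS = {"plugin.php", "user.php", "usergroup.php",
                     "adminpermissions.php", "queries.php", "template.php"}


def parse_log(text):
    """Parse pasted CP log lines into dicts, oldest log id first.
    ip is None when the line carries no address (like id 15390)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(
            f"{m['day']} {m['mon']} {m['year']} {m['time']}", "%d %b %Y %H:%M")
        entries.append({"id": int(m["id"]), "user": m["user"], "when": when,
                        "script": m["script"], "action": m["action"], "ip": m["ip"]})
    return sorted(entries, key=lambda e: e["id"])


def summarize(entries, known_ips):
    """Group by source IP. Report every IP that is not in known_ips or whose
    entries were recorded without an admin username, with the high-risk
    script/action pairs it touched and the time window of its activity."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"] or "(no ip logged)"].append(e)
    report = {}
    for ip, items in by_ip.items():
        unattributed = any(e["user"] == "N/A" for e in items)
        risky = sorted({(e["script"], e["action"]) for e in items
                        if e["script"] in HIGH_RISK_SCRIPTS})
        if ip not in known_ips or unattributed:
            report[ip] = {"count": len(items),
                          "first": min(e["when"] for e in items),
                          "last": max(e["when"] for e in items),
                          "unattributed": unattributed,
                          "risky": risky}
    return report


if __name__ == "__main__":
    for ip, info in summarize(parse_log(SAMPLE_LOG), known_ips={"203.0.113.5"}).items():
        print(ip, info["count"], info["first"], info["last"], info["risky"])
```

Read the output from the oldest flagged entry forward: here the first touches are plugin.php files and doimport, i.e. something being uploaded and imported through the plugin manager, which is where the PHP running on the server changed; the calendar and FAQ edits that follow are the visible defacement. Check the plugin and product tables for whatever was imported at those timestamps before restoring anything.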
New Joe
09-19-2013, 06:53 AM
Maybe you should get facts right before making silly statements.
There was an e-mail .
But not till a week after vB published it over on vb.com
Why did it take a week, Paul, for the e-mail to be sent after the thread was made on vb.com?
loua_oz
09-19-2013, 07:22 AM
I wonder if VB staff get fired for telling customers they are silly. In my company he would be history and marched out with a security escort that minute.
Amateurs should not comment; there has to be some place where official comment is given.
loua_oz
09-19-2013, 07:26 AM
Sorry. It's the CONTROL PANEL LOG that will tell you anything useful. (ON EDIT: About the IP address they used.)
CP transaction log, 3 pics. N/A is his user name (or in place of it).
The last picture is when he actually disabled the admin account (played a clip when trying to enter Admin), but the site was working.
loua_oz
09-19-2013, 12:20 PM
vB staff, provide some sweep that would tell your paying customers what is wrong with their sites.
Your product, easily hacked, even for fun, may have deprived some of your customers of their bread.
As it is now, you (vB) are out of business and possibly out of your jobs.
Zachery
09-19-2013, 12:26 PM
You mean the giant guides that have been repeatedly posted on vBulletin.com and .org about how to find what's wrong and fix your site?
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
If you're actually looking for support, vBulletin.com forums, and or the members area would be the correct place to post.
TheLastSuperman
09-19-2013, 12:38 PM
I wonder if VB staff get fired for telling customers they are silly. In my company he would be history and marched out with security escort that minute.
Amateurs, should not comment, have to set some place where official comment is given.
Paul is hardly an amateur and everyone is entitled to their own opinions.
vB staff, provide some sweep that would tell your paying customers what is wrong with their sites.
Your product, easily hacked, even for fun, may have deprived some of your customers of their bread.
As it is now, you (vB) are out of business and possibly out of your jobs.
I understand you're upset; however, this is vbulletin.org. We are simply here to assist with the modifications listed on this site, not to bash the product/company itself.
Ladies and gentlemen, this type of stuff happens on occasion with virtually all online software at some point in its lifetime, if not multiple times, and yes, that includes the PHP/Apache that runs on your server and allows vBulletin, WordPress, and countless other software to run; vulnerabilities/exploits can exist on more than one level. When you're hacked it's very unfortunate, and often more than simply upsetting if data is lost. However, the best thing to do in a situation like that is to focus: fix your site first, then worry about posting opinions. We are all entitled to them, but be sure you take care of business first, i.e. your site, and also direct your anger accordingly :cool:.
loua_oz
09-19-2013, 12:38 PM
You mean the giant guides that have been repeatedly posted on vBulletin.com and .org about how to find what's wrong and fix your site?
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
If you're actually looking for support, the vBulletin.com forums and/or the members' area would be the correct place to post.
A blatant, fundamental lack of understanding of what the term "customer" means.
I don't need support; I want the product that I have bought to function properly, not to be redirected to lessons.
I can teach you one: the biggest asset any company has is its customers. Thousands of talented people found themselves out of their jobs because there were no customers for whatever they were making.
Where is a tool that every customer of vB can run and see if they are in danger?
Providing you have any idea what the dangers could be.
Shame on you.
Zachery
09-19-2013, 12:45 PM
You know what, never mind.
loua_oz
09-19-2013, 12:51 PM
Paul is hardly an amateur and everyone is entitled to their own opinions.
I understand you're upset; however, this is vbulletin.org. We are simply here to assist with the modifications listed on this site, not to bash the product/company itself.
Ladies and gentlemen, this type of stuff happens on occasion with virtually all online software at some point in its lifetime, if not multiple times, and yes, that includes the PHP/Apache that runs on your server and allows vBulletin, WordPress, and countless other software to run; vulnerabilities/exploits can exist on more than one level. When you're hacked it's very unfortunate, and often more than simply upsetting if data is lost. However, the best thing to do in a situation like that is to focus: fix your site first, then worry about posting opinions. We are all entitled to them, but be sure you take care of business first, i.e. your site, and also direct your anger accordingly :cool:.
Yet another confirmation that vB staff do not understand what a product means. Theirs appears to be Mickey Mouse; any kid can hack it. As they have, are doing, and will be doing.
Make vB free and then OK.
Charge for it, you may be in court, in the dock.
TheLastSuperman
09-19-2013, 12:52 PM
Edited.
Removed.
Long story short: if your site has been hacked, please open a new thread and ask for assistance. Sometimes threads such as this become quite long and confusing for some to follow, and other times we see heated debates such as the above, which tend to become tiresome to those simply reading the thread to resolve an issue.
Thread closed. If you need assistance, please open a new thread with:
Title "Site hacked please assist"
Site URL. *Those reading this, please note: do not visit the site unless you're experienced in dealing with matters such as these, as your PC can possibly become infected.
Description of what's going on.
Our community here is very active and helpful, we'll do the best we can to assist!
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.