Site hacked by Myanmar Muslim Cyber Force


Treeleaf
09-10-2013, 04:33 AM
I believe it's time to enlist some help to get this resolved. Earlier this evening our forum.php was compromised and is now suffering from some kind of redirection.

So far I've removed the /install folder, deleted accounts created today, changed admin passwords and replaced the rest of the forum directories from backup and still don't have this thing removed.

Please PM me as soon as possible if you are interested in being paid to resolve this.

http://www.treeleaf.org/forums/forum.php

Zachery
09-10-2013, 04:43 AM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions

pjkcards
09-10-2013, 05:02 AM
Same thing happened to us in the last 6 hours. When you click on our forum.php, it gets redirected to:
http://adf.ly/xxxxx

Reinstalling the forum removes any customizations we made. Is there any other way to handle this?

Thanks.

Treeleaf
09-10-2013, 05:15 AM
Okay, I tried the supplied cookbook. No resolution yet.

Help please!

pjkcards
09-10-2013, 05:31 AM
I've deleted the install directory, found several admin users and removed their admin permissions, disabled hooks in config.php, but still haven't resolved it yet. I haven't installed a fresh vB version yet since that will remove all my customizations.

I'll update here if I get it working.

Edit: I've also noticed it is the main theme that redirects, and all its child themes. Other themes work fine w/o redirect.

--------------- Added 1378795611 at 1378795611 ---------------

In the FORUMHOME template, it was modified by a hacker account, and was modified to be:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/xxx">

Check that file, and revert it.
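
Added example (not from this thread or from vBulletin) of checking template and notice bodies for the kind of META refresh redirect shown above: it pulls the target URL out of META refresh and JavaScript location assignments and reports the ones that leave the site. It assumes rows come from the template and notice tables with a title and an HTML body; the sample rows are constructed and the trusted-host set is a placeholder for your own domain.

```python
"""Scan vBulletin template and notice bodies for injected redirects.
Added example, not from the thread or vBulletin. Rows are constructed here;
in practice they would come from the template and notice tables (assumed
columns: title plus the HTML body)."""
import re
from urllib.parse import urlparse

# Hosts the site may legitimately redirect to (placeholder: use your own domain).
TRUSTED_HOSTS = {"www.treeleaf.org", "treeleaf.org"}

# Two browser-side redirect forms: META refresh (as in the FORUMHOME edit
# above) and a JavaScript location assignment.
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)

def find_redirects(body):
    """Return [(kind, url), ...] for every redirect found in one template body."""
    hits = []
    for kind, pat in (("meta-refresh", META_REFRESH), ("js-location", JS_LOCATION)):
        hits.extend((kind, m.group(1)) for m in pat.finditer(body))
    return hits

def is_external(url):
    """True when the redirect leaves the site; relative URLs are not flagged."""
    host = urlparse(url).netloc.lower()
    return bool(host) and host not in TRUSTED_HOSTS

def scan_rows(rows):
    """rows: iterable of (table, title, body) -> list of off-site redirects."""
    findings = []
    for table, title, body in rows:
        for kind, url in find_redirects(body):
            if is_external(url):
                findings.append({"table": table, "title": title,
                                 "kind": kind, "url": url})
    return findings

# Constructed sample rows modelled on what this thread describes.
SAMPLE_ROWS = [
    ("template", "FORUMHOME",
     '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/xxx">\n<div id="content"></div>'),
    ("template", "header", '<div id="header"><a href="forum.php">Forum</a></div>'),
    ("notice", "Maintenance",
     '<script>window.location="http://www.cadiroig.cat/downalert.html"</script>'),
    ("notice", "Welcome", '<a href="http://www.treeleaf.org/forums/forum.php">Home</a>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}:{f['title']} -> {f['kind']} to {f['url']}")
```

Run it against every style, not just the default one: the thread notes that child styles inherit the injected FORUMHOME while other styles render fine.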

Treeleaf
09-10-2013, 05:51 AM
I've also chased these fixes with no luck yet.

--------------- Added 1378824479 at 1378824479 ---------------

I'll eat my words, you had it right Pjkcards. Once you get the info out of the template, it's gone. Thanks so much for this.

Bows.

xenite
09-10-2013, 02:58 PM
The redirects are being inserted into the database through the ADMINCP. Replacing the scripts won't accomplish anything.

Your best bet is to look at the Admin Log and see which functions the bogus admin accounts accessed. Then go to those tools and look at the most recently changed/added data. This could be notices, templates, plugins -- anything where you can embed HTML code that is executed.
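
Added example (not from this thread or from vBulletin) of the Admin Log review described above: it parses log lines in the column layout assumed here (id, username, time, script, action, IP), groups them by source IP and records which content-editing and account tools a since-deleted account used. The three notice.php lines are the ones posted later in this thread; the other sample lines and the tool lists are constructed.

```python
"""Triage vBulletin Admin Log lines: which admin tools did an intruder use?
Added example, not from the thread or vBulletin; the three notice.php sample
lines are from this thread, the rest are constructed. Column layout assumed:
id, username, time, script, action, IP."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<time>\d{2}:\d{2}, \d{1,2}(?:st|nd|rd|th) \w{3} \d{4})\s+"
    r"(?P<script>\S+\.php)\s+(?P<action>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
# Tools that change what visitors see (assumed list from the tools the thread
# names: templates, notices, plugins, styles) and tools that create/promote accounts.
CONTENT_TOOLS = {"template.php", "notice.php", "plugin.php", "style.php"}
ACCOUNT_TOOLS = {"user.php", "usergroup.php"}

def parse_time(s):
    """'04:05, 10th Sep 2013' -> datetime (ordinal suffix stripped first)."""
    return datetime.strptime(re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", s), "%H:%M, %d %b %Y")

def parse_admin_log(text):
    """Parse log lines; lines that do not fit the layout are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["id"] = int(e["id"])
            e["time"] = parse_time(e["time"])
            entries.append(e)
    return entries

def triage(entries):
    """Group by source IP (oldest first) and record content/account changes."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "content": set(),
                                 "accounts": set(), "deleted_user": False})
    for e in sorted(entries, key=lambda x: x["time"]):
        rec = by_ip[e["ip"]]
        rec["first"] = rec["first"] or e["time"]
        rec["last"] = e["time"]
        if e["script"] in CONTENT_TOOLS:
            rec["content"].add((e["script"], e["action"]))
        if e["script"] in ACCOUNT_TOOLS:
            rec["accounts"].add((e["script"], e["action"]))
        if e["user"] == "N/A":  # the acting account no longer exists
            rec["deleted_user"] = True
    return dict(by_ip)

def suspicious_ips(by_ip):
    """IPs whose since-deleted account used content or account tools."""
    return sorted(ip for ip, r in by_ip.items()
                  if r["deleted_user"] and (r["content"] or r["accounts"]))

SAMPLE_LOG = """\
20749 N/A 04:05, 10th Sep 2013 notice.php modify 91.144.37.46
20748 N/A 04:04, 10th Sep 2013 notice.php update 91.144.37.46
20747 N/A 04:04, 10th Sep 2013 notice.php add 91.144.37.46
20746 N/A 04:01, 10th Sep 2013 template.php update 91.144.37.46
20745 N/A 03:58, 10th Sep 2013 user.php update 91.144.37.46
20744 siteadmin 22:10, 9th Sep 2013 options.php update 203.0.113.5
not a log line
"""
```

The per-IP "first" timestamp is the earliest change you know the intruder made, so a backup must predate it.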

TheLastSuperman
09-10-2013, 03:39 PM
I've deleted the install directory, found several admin users and removed their admin permissions, disabled hooks in config.php, but still haven't resolved it yet. I haven't installed a fresh vB version yet since that will remove all my customizations.

I'll update here if I get it working.

Edit: I've also noticed it is the main theme that redirects, and all its child themes. Other themes work fine w/o redirect.

--------------- Added 1378795611 at 1378795611 ---------------

In the FORUMHOME template, it was modified by a hacker account, and was modified to be:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRAFS">

Check that file, and revert it.

I've also chased these fixes with no luck yet.

--------------- Added 1378824479 at 1378824479 ---------------

I'll eat my words, you had it right Pjkcards. Once you get the info out of the template, it's gone. Thanks so much for this.

Bows.

The redirects are being inserted into the database through the ADMINCP. Replacing the scripts won't accomplish anything.

Your best bet is to look at the Admin Log and see which functions the bogus admin accounts accessed. Then go to those tools and look at the most recently changed/added data. This could be notices, templates, plugins -- anything where you can embed HTML code that is executed.

IF and I mean IF you have the redirect yet your FORUMHOME template is fine in your styles, then they have edited your master style see here - https://vborg.vbsupport.ru/showpost.php?p=2444641&postcount=52

The only way that is possible is by them uploading shell scripts that then allow them to modify files to place the site in debug mode, heck you can do that for one single user via a quick plugin. Check for files such as lol.php and others, also check above your forum root in public_html and others for files such as lol.php or similar names, check timestamps of files as one could be a shell script and yes do replace all your vBulletin files with 100% fresh files, download the same version (patched of course) and then overwrite all files - REMEMBER to delete the /install/ folder before uploading.

pjkcards
09-11-2013, 04:18 AM
Today the site was redirected again, this time the homepage.

As for the files they modified: the 4 users modified probably 100 files.

monkeywarplane
09-11-2013, 05:00 AM
I just spent a few hours cleaning up my forum

- changed passwords all over the place
- removing /install directory
- removing redirect from FORUMHOME
- removing admins
- changed passwords for all my admins
- reverted index.php in my /admincp
- they also placed some index.php files in each one of my folders (include, vb, archive,etc) that I had to manually delete. I organized by date modified.

Sigh. Hope that helps some of you guys.

Things look good now, but I am afraid to see what I find when I wake up tomorrow.

Phat Phreddy
09-11-2013, 01:20 PM
Doing my head in.. Restored a full clean backup 3 times.. removed install.. Deleted admins.. Changed PWs..

Still it keeps coming back..

If the files are from a week ago, and hence clean.. what can there be to cleanup ??

What can forum logs show me ?? How can I look at how this is happening ??

pityocamptes
09-11-2013, 06:51 PM
Would running your site through http://sitecheck.sucuri.net/scanner/ help? Might find the malware file. Also, have you checked your htaccess in root?

pjkcards
09-11-2013, 07:00 PM
I hired someone in the paid forum to fix it. Took them quite awhile to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

Phat Phreddy
09-12-2013, 01:40 AM
I hired someone in the paid forum to fix it. Took them quite awhile to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

I am assuming you mean fixing it when you didn't have a file system backup ??

teamemmenracing
09-12-2013, 11:14 AM
I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions, have re-installed files etc, removed directories, I even deleted all files on the server and uploaded last month's backup ...... which makes me wonder if it is the database that has been attacked.

I have found this unauthorised visit ......

20749 N/A 04:05, 10th Sep 2013 notice.php modify 91.144.37.46
20748 N/A 04:04, 10th Sep 2013 notice.php update 91.144.37.46
20747 N/A 04:04, 10th Sep 2013 notice.php add 91.144.37.46

........ but even replacing the notice.php with a newly downloaded version doesn't help.

I'm kind of hoping that as hundreds of sites have been affected that someone might have found a common fix .....

anybody have any ideas ?

Phat Phreddy
09-12-2013, 11:24 AM
You got the added admins ??

Also make sure you change admin PW, FTP and MySQL passwords ??

TheLastSuperman
09-12-2013, 11:47 AM
I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions, have re-installed files etc, removed directories, I even deleted all files on the server and uploaded last month's backup ...... which makes me wonder if it is the database that has been attacked.

I have found this unauthorised visit ......

20749 N/A 04:05, 10th Sep 2013 notice.php modify 91.144.37.46
20748 N/A 04:04, 10th Sep 2013 notice.php update 91.144.37.46
20747 N/A 04:04, 10th Sep 2013 notice.php add 91.144.37.46

........ but even replacing the notice.php with a newly downloaded version doesn't help.

I'm kind of hoping that as hundreds of sites have been affected that someone might have found a common fix .....

anybody have any ideas ?

Ladies and Gentlemen, there is no "added fix" let me clear up some misconceptions here:


Most of the sites hacked recently still had their /install/ folder present on the site, it's the exploit mentioned here - http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
A security bulletin email was also sent out, you should have received one and followed instructions promptly. *Always ensure you're receiving vBulletin emails and eBulletins/any and all mail from vBulletin.com needs to bypass your spam filters and others and be in your inbox and able to be read each and every time and you need to read these emails as apparently they are important!
If you restore a backup of the database prior to being hacked, you must restore a backup of the files from that time as well otherwise a file may have been modified still allowing access. Is it just vBulletin files to overwrite? Well you certainly need to overwrite the vBulletin files with 100% fresh files AND any others you find that were modified, if you find a suspect file such as lol.php or sexy.php or even owned.html basically anything that does not belong should be deleted, run suspect file versions from the admincp maintenance area to check vBulletin related files.
Follow the links that myself and Zachery have been posting in countless threads, the links to his blog, mine and other links we post are to blogs and articles that provide detailed instructions including various ways to test and ways to fix.


Here are the links again:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

So to be perfectly clear, there is no "automatic" fix, no upload this and run it then you're done and site secure... it is this simple:

1) Restore a complete backup (database and filesystem, the backups need to be from before the hacker made changes and had access) then once restored promptly delete the /install/ folder and at this time check your version, patch to the most recent patch # of your version OR upgrade to a more secure version i.e. 4.1.5 --> 4.2.1

- OR -

2) If no backup is available, using the links provided above you must manually clean your site. Check the database and filesystem for modified files and be very thorough to ensure nothing slips past you and remains in place for example if a shell script is left on the server or a spare admin account then you're still vulnerable and the site can be exploited/defaced again.

If you're unsure about something and need a clarification do not hesitate to post and ask, if you feel it's a stupid question well then it's not, no question is stupid unless you're specifically being silly when you ask it and even then it ends up being a silly question instead lol. Ask questions now and receive helpful replies that may assist you in cleaning your site and returning to business as usual ;).

joeychgo
09-12-2013, 01:23 PM
I strongly recommend forum owners sign up with Securi (http://affl.sucuri.net).

They have done a great job for me and I use them on all my forums.

lapiervb
09-12-2013, 05:45 PM
I strongly recommend forum owners sign up with Securi (http://affl.sucuri.net).

They have done a great job for me and I use them on all my forums.

You need to stop pushing this as you are losing any credibility the site may have had and it is against the rules here to have your affiliate link in a post.

teamemmenracing
09-12-2013, 06:33 PM
................... well I have tried everything and its still there.
worst of all, when I try to copy files back to my computer, they are all password protected and I can't access them.

Finally I went to my host and deleted everything from the server ........ except the database, then loaded new files that I just downloaded from the vbulletin members area ......

and from nowhere this file appears .....

zdberrb4476bf0aed19d1e05964d0757f51.dat

it doesn't look legit, I managed to open it up and the only contents were a number .....

13790115241146

Im thinking I now have a server problem .....

any ideas ?

pityocamptes
09-12-2013, 06:47 PM
................... well I have tried everything and its still there.
worst of all, when I try to copy files back to my computer, they are all password protected and I can't access them.

Finally I went to my host and deleted everything from the server ........ except the database, then loaded new files that I just downloaded from the vbulletin members area ......

and from nowhere this file appears .....

zdberrb4476bf0aed19d1e05964d0757f51.dat

it doesn't look legit, I managed to open it up and the only contents were a number .....

13790115241146

Im thinking I now have a server problem .....

any ideas ?

Get backups of both your files and the db PRIOR to the hack. Contact your provider to make sure they wipe everything off your hosted server and DB. Upload backups and see if that helps. Most host providers can get backups, either through their interface or requesting...

CHANGE all your passwords on your host, FTP, etc. DB pw etc, before uploading backup files, change config files to reflect. I would also force everyone on the site to put in a new pw, and I would change the admin pw...


I would also check your htaccess files for code, redirects, etc...

xenite
09-12-2013, 11:29 PM
I have a similar re-direct as of yesterday, only mine is to
http://www.cadiroig.cat/downalert.html

I have spent hours following instructions,, have re-installed files etc removed directories, I even deleted all files on the server and up loaded last months back up ...... which makes me wonder if it is the database that has been attacked.

Login to your ADMINCP and go to NOTICES. You should find it there. Just delete the notice. Then delete the admin account.

Phat Phreddy
09-12-2013, 11:32 PM
As above..

Deleted EVERYTHING but the DB multiple times..

Removed install of course
Changed all passwords
Removed admins
Removed the plugin.php
Scanned for strange files..

And still back in last night

--------------- Added 1379033803 at 1379033803 ---------------

I hired someone in the paid forum to fix it. Took them quite awhile to fix it, and the styles are now messed up. Apparently it isn't an easy fix.

Who did you hire ??

teamemmenracing
09-13-2013, 05:23 AM
Well I bit the bullet and had my Host wipe the server and data base.

Time to start all over again ..... and once I have a clean site running with an empty db, I will try and import an older db backup.

Phat Phreddy
09-13-2013, 06:18 AM
I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really don't want to revert to an earlier database.. There has to be someone or a way that this can be cleaned up.

pityocamptes
09-13-2013, 03:51 PM
I have so much time in site config.. templates.. RSS feeds.. Spam control.. VBSEO..

I have my backups.. But working from them still somehow leaves me open..

I really don't want to revert to an earlier database.. There has to be someone or a way that this can be cleaned up.

Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ opensource software. See if it flags certain files and folder, and look into those...

--------------- Added 1379091231 at 1379091231 ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/

sr20de_99
09-14-2013, 10:25 AM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
...

How do I access the tool mentioned in "Step 5: Removing unknown files" from the AdminCP?

Never mind I think I found it.

tnedator
09-14-2013, 02:02 PM
Here is an idea. Take your CLEAN backup (with all your mods) and if you have a copy of the corrupted files (hacked) compare them in Meld http://meldmerge.org/ opensource software. See if it flags certain files and folder, and look into those...

--------------- Added 1379091231 at 1379091231 ---------------

I have not tried this, but you could also do the same for db comparison...

http://dbcomparer.com/


Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

bremereric
09-14-2013, 03:23 PM
I have found two hackers hacked the admincp and added themselves as administrators, they only hacked my default style to link it to Syria. I have deleted the hackers, I bought Sitelock for one year and just need to find their crap in the default style.

--------------- Added 1379179783 at 1379179783 ---------------

I found their crap in the forumhome of my default style. I copied the code from another working style and pasted over their crap. My site is back to normal now. I did delete the install folder as suggested and also changed my password and deleted all other admins. I found their two ip addresses and added them to the banned list. Good luck to everyone. Run your admin log to see what they did.

pityocamptes
09-15-2013, 02:39 AM
Ok, meldmerge sounds interesting, but what if you don't have a graphical UI on your server?

I would get a hold of a clean version of your entire root, download it to your desktop, along with the corrupted files (entire root files) and compare the corrupted version to the clean version you have before the hack...

sr20de_99
09-15-2013, 03:00 PM
Quick question, I've turned my forums off in the AdminCP while I've been cleaning up after the hack. However when I go to my site I can see that there are several guests who appear to be accessing various parts of my forums. But when I try to access my site as a guest, I receive the message that the forums are off line, and I can't access anything. Has anyone else notice this?

ozzy47
09-15-2013, 03:05 PM
They should have the little lock icon next to their usernames, if they are attempting to view the site while it is closed.

Paul M
09-15-2013, 03:19 PM
and from nowhere this file appears .....

zdberrb4476bf0aed19d1e05964d0757f51.dat

it doesn't look legit, I managed to open it up and the only contents were a number .....

13790115241146

That is a legitimate file.

It is created when you have a database error - to track the time and error code (1379011524,1146). This is used to limit the number of database fail e-mails sent.

tnedator
09-15-2013, 05:41 PM
I would get a hold of a clean version of your entire root, download it to your desktop, along with the corrupted files (entire root files) and compare the corrupted version to the clean version you have before the hack...

Can you recommend a good Windows compare tool that would compare all the files in both forum root directories and highlight the differences?

pityocamptes
09-16-2013, 03:38 AM
Can you recommend a good Windows compare tool that would compare all the files in both forum root directories and highlight the differences?

I've used winmerge before, it's pretty good...

http://alternativeto.net/software/meld/?platform=windows

Phat Phreddy
09-16-2013, 09:43 AM
Has anyone recovered from this without reverting to an earlier database ??

I have securi saying all files are clean.. I have the install folder gone.. Of course removed the admins and stuff.. But I am still being taken out..

pityocamptes
09-16-2013, 02:31 PM
Has anyone recovered from this without reverting to an earlier database ??

I have securi saying all files are clean.. I have the install folder gone.. Of course removed the admins and stuff.. But I am still being taken out..

I would compare the db and files (corrupted) to a known clean set before hack. At least you could determine what files are modified, which you could eliminate...
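
Added example (not from this thread or from vBulletin) for the file-side comparison recommended above, and for the earlier question about doing it without a graphical UI on the server: it hashes every file in a clean backup tree and in the live web root, lists what was added, removed or changed, and separately calls out added PHP files (the index.php and mail.php drop-ins mentioned in this thread) and the suspect names the thread lists. demo() builds two constructed trees in a temporary directory; the suspect-name pattern is an assumption.

```python
"""Compare a clean backup tree with the live web root, no GUI needed.
Added example, not from the thread or vBulletin. demo() builds two constructed
trees in a temporary directory; point compare_trees() at real paths to use it."""
import hashlib
import os
import re
import tempfile

# File names this thread calls suspect; the pattern is an assumption, extend it.
SUSPECT_NAME = re.compile(r"^(lol|sexy|owned)\.(php|html|txt)$", re.I)

def hash_tree(root):
    """Map relative path -> sha256 of every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            hashes[rel] = h.hexdigest()
    return hashes

def compare_trees(clean_root, live_root):
    """Added/removed/changed paths, plus added files worth a closer look:
    any new .php (e.g. index.php dropped into every folder) or a suspect name."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))  # /install/ gone is expected
    changed = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    suspects = sorted(p for p in added
                      if p.endswith(".php") or SUSPECT_NAME.match(os.path.basename(p)))
    return {"added": added, "removed": removed, "changed": changed, "suspects": suspects}

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed trees: a clean backup and a live root with typical tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):  # files untouched on both sides
            _write(root, "forum.php", "<?php // front controller\n")
            _write(root, "includes/class_core.php", "<?php // core\n")
        _write(clean, "index.php", "<?php // original index\n")
        _write(live, "index.php", "<?php // rewritten index\n")        # changed
        _write(live, "includes/index.php", "<?php // dropped in\n")    # added .php
        _write(live, "mail.php", "<?php // not part of vBulletin\n")   # added .php
        _write(live, "lol.php", "<?php // suspect name\n")             # added, suspect
        _write(live, "owned.txt", "defaced\n")                         # suspect name
        _write(live, "customavatars/avatar12_1.gif", "GIF89a")         # benign upload
        _write(clean, "install/install.php", "<?php // installer\n")   # removed live
        return compare_trees(clean, live)
```

Hashing rather than trusting modification times matters here because a planted file can carry any timestamp; the "changed" list is what the thread's "date modified" sort cannot guarantee.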

Spangle
09-17-2013, 07:44 AM
If you are running a portal check the index.php file, when mine was hacked this was rewritten.

In fact you need to check the index.php file anyway.

also look for any txt files in the root, I found a couple, also look for a file called mail.php, this was re-writing the index.php file even after I'd uploaded a clean version

SupportAM
10-04-2013, 05:25 PM
how do you check the logs? I upgraded to 4.2.1 and it is through cms

--------------- Added 1380912104 at 1380912104 ---------------

Okay I got it ! They messed up the forum home template. I replaced it with the older style.