View Full Version : Hacked forum, restored files, not working, help!
romebaby
07-15-2014, 03:25 AM
Hi all, I administer a site that's running 4.2.1 and we got hacked last week. The hacker deleted all DB files and changed a ton of stuff, to where we had to pay Godaddy for a full restore. Everything is back in place from a week prior to the hack, including the DB. When you go to the main URL it automatically goes to xxx.com/forums/install/install.php and says the file is missing. The install folder is not in the forums directory. What do I do here?
Also I was planning on updating to 4.2.2 once I got the site back up.
K4GAP
07-15-2014, 07:52 AM
I would suggest you download 4.2.2 and do a fresh install. That way you will have your install folder back.
Disco_Stu
07-15-2014, 11:07 AM
Hacker deleted all DB files and changed a ton of stuff to where we had to pay Godaddy for a full restore.
Do you ever make a backup of your entire site? I don't mean just the DB, but everything. It doesn't sound like it if you have to pay Godaddy to do a restore.
I suggest creating a full backup of the entire site once a week and a full backup of your DB every day. There's a nice mod on this site that will do the DB backup for you as a scheduled job.
https://vborg.vbsupport.ru/showthread.php?t=231481
I'm curious just how much Godaddy charges to restore the site.
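The weekly full-site backup and daily DB backup that Disco_Stu recommends, as an added example script for cron; this is not code from the thread or from the linked mod. The docroot, backup directory, database names and retention counts are assumptions for one host, and mysqldump is expected to read its credentials from ~/.my.cnf so no password appears in the process list.

```shell
#!/bin/sh
# forum-backup.sh: added example (not the thread's own code).
# Weekly tarball of the whole site tree plus daily gzipped MySQL dumps,
# with simple retention. SITE_DIR, BACKUP_DIR and DB_NAMES are assumptions;
# override them in the environment or edit them for the real host.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/html/forums}"    # assumed forum docroot
BACKUP_DIR="${BACKUP_DIR:-/var/backups/forum}"  # assumed; must be OUTSIDE the docroot
DB_NAMES="${DB_NAMES:-vbulletin}"               # assumed; the thread mentions four DBs

# Archive the whole site tree (code, attachments, includes/config.php) into OUT.
# Prints the archive path; fails if SRC does not exist.
make_site_backup() {
    src="$1"; out="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$out"
    archive="$out/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C makes the archive hold paths relative to the parent, not /var/www/...
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$archive"
}

# Dump every database named on the command line into OUT, one gzip per DB.
# mysqldump takes user/password from ~/.my.cnf (mode 0600), never from argv.
dump_databases() {
    out="$1"; shift
    mkdir -p "$out"
    stamp=$(date +%Y%m%d-%H%M%S)
    for db in "$@"; do
        mysqldump --single-transaction "$db" | gzip > "$out/$db-$stamp.sql.gz"
    done
}

# Keep the newest KEEP files matching PATTERN in DIR, delete the older ones.
prune_backups() {
    dir="$1"; pattern="$2"; keep="$3"
    # ls -t lists newest first; tail drops the first KEEP entries
    ls -t "$dir"/$pattern 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f "$f"
    done
}

# Number of files matching PATTERN in DIR (0 when the glob matches nothing).
count_backups() {
    dir="$1"; pattern="$2"
    set -- "$dir"/$pattern
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

main() {
    case "$1" in
        daily)
            dump_databases "$BACKUP_DIR/db" $DB_NAMES
            prune_backups "$BACKUP_DIR/db" '*.sql.gz' 30 ;;    # a month of daily dumps
        weekly)
            make_site_backup "$SITE_DIR" "$BACKUP_DIR/site"
            prune_backups "$BACKUP_DIR/site" '*.tar.gz' 8 ;;   # two months of weekly tarballs
    esac
}

# Only act when a mode is given. Crontab entries (assumed install path):
#   15 3 * * *   /usr/local/sbin/forum-backup.sh daily
#   45 3 * * 0   /usr/local/sbin/forum-backup.sh weekly
case "${1:-}" in
    daily|weekly) main "$1" ;;
esac
```

Copy the backup directory off the server as well (rsync or the host's snapshot feature); a backup that sits next to the site is lost in the same deletion the thread describes, and an attacker who has a shell on the box can read the dumps.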
RichieBoy67
07-15-2014, 02:15 PM
You are definitely missing files or have the wrong ones there.
Lynne
07-15-2014, 04:07 PM
Also, verify that the information in your /includes/config.php file is correct. If they restored a database, perhaps they gave it a different name, or a different MySQL user. Also, check the table prefix and make sure that, if there is one, you entered it into the config.php file.
romebaby
07-16-2014, 06:16 AM
Thanks for the responses everyone. You're supposed to delete the install folder after an upgrade for security reasons (so I read) and it was running fine without it before the hack. Godaddy charges 150 for a restore when you have more than one DB (we have 4). I had a local backup from March but it was taking forever to upload, so we paid for the restore to get it done quicker and for a more recent copy. Thanks Lynne - I triple-checked the config file with Godaddy, everything was correct. Godaddy ended up re-importing the DB and boom, it worked. So there must have been an incomplete or corrupt DB restore on the first attempt. We're up and running, sort of. Offline while I back up, upgrade, patch, back up.
ForceHSS
07-16-2014, 06:39 AM
Get your host to see how the hacker got in, then fix the problem.
romebaby
07-16-2014, 06:53 AM
I communicated with the hacker by email, as he was trying to get money from us. This is how he said he got in:
I exploited your site. Got that Admin's HASH:SALT (which is the password encrypted). Once I gained access I uploaded an AJAX code and uploaded an i47 shell. Then I looked at your config.php, logged in to the SQL dump and dumped your database. Self-killed the shell.
I asked him to explain "I exploited your site" and he said "I ran a 4.2.x upgrade exploit."
Well, that sounds rather like a young script kiddie, lol. It's smart to keep an eye on the vBulletin announcements section; you never know if you're missing out on security updates.
RichieBoy67
07-16-2014, 02:54 PM
I communicated with the hacker by email, as he was trying to get money from us. This is how he said he got in:
I exploited your site. Got that Admin's HASH:SALT (which is the password encrypted). Once I gained access I uploaded an AJAX code and uploaded an i47 shell. Then I looked at your config.php, logged in to the SQL dump and dumped your database. Self-killed the shell.
I asked him to explain "I exploited your site" and he said "I ran a 4.2.x upgrade exploit."
I believe this exploit uses the upgrade.php file.
Are you sure you did not have the install directory in there at the time the site was hacked?
I would suggest you email all users and tell them to change logins. In addition, make sure you change all admin and server-related logins: database, FTP, etc.
Grab the admincp firewall and use it, and be sure to protect your config using .htaccess.
Lastly, many times these hackers lie to throw you off the trail. Check your server logs and see what went on yourself, so you do not have to take his word for it.
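Richie's last point, checking the server logs rather than trusting the attacker's story, as an added example that is not part of the thread: a POSIX sh script that pulls the three things the thread talks about out of an Apache combined-format access log (hits on the /install/ scripts, POSTs to PHP files that are not stock entry points, which is how a dropped shell is usually driven, and admincp requests from addresses the real admin does not use). The sample log lines are constructed for this example; the /forums path prefix, the entry-point allowlist and ADMIN_IPS are assumptions about one board.

```shell
#!/bin/sh
# log-triage.sh: added example, not code from the thread.
# Flags installer probes, POSTs to unknown PHP files and admincp requests
# from non-admin addresses in an Apache combined-format access log.
set -eu

# Constructed sample log for this example; a real run reads the host's log.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [08/Jul/2014:02:11:03 +0000] "GET /forums/forumdisplay.php?f=12 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jul/2014:02:11:09 +0000] "POST /forums/newreply.php?do=postreply&t=881 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [08/Jul/2014:03:40:12 +0000] "GET /forums/install/upgrade.php HTTP/1.1" 404 521 "-" "python-requests/2.2.1"
198.51.100.77 - - [08/Jul/2014:03:40:13 +0000] "GET /forums/install/install.php HTTP/1.1" 404 521 "-" "python-requests/2.2.1"
198.51.100.77 - - [08/Jul/2014:03:41:50 +0000] "POST /forums/includes/x.php HTTP/1.1" 200 88 "-" "python-requests/2.2.1"
198.51.100.77 - - [08/Jul/2014:03:42:02 +0000] "POST /forums/admincp/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jul/2014:09:00:00 +0000] "GET /forums/admincp/index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
EOF
)
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

ADMIN_IPS="${ADMIN_IPS:-192.0.2.10}"   # assumed: addresses the real admin uses

# 1. Any hit on the installer/upgrader. The scripts should not exist on a live
#    board, so even a 404 records someone looking for them.
installer_hits() {
    grep -E '"(GET|POST) /forums/install/(install|upgrade)\.php' "$1" || true
}

# 2. POSTs to PHP files outside the stock entry points (assumed vB4 allowlist;
#    extend it for installed mods). A web shell shows up here.
KNOWN_POST_TARGETS='(index|login|register|newreply|newthread|editpost|private|profile|ajax|search|misc|admincp/index|modcp/index)\.php'
unknown_php_posts() {
    grep -E '"POST /forums/[^" ]*\.php' "$1" \
        | grep -vE "\"POST /forums/$KNOWN_POST_TARGETS" || true
}

# 3. admincp requests from any source address not listed in ADMIN_IPS.
#    Behind a CDN or reverse proxy the first field is the proxy, not the client.
foreign_admincp() {
    grep -E '"(GET|POST) /forums/admincp/' "$1" | while IFS= read -r line; do
        ip=${line%% *}
        case " $ADMIN_IPS " in
            *" $ip "*) ;;                 # known admin address
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Distinct source addresses that tripped any rule: block them, then pull
# every line they generated to reconstruct the timeline.
suspect_ips() {
    { installer_hits "$1"; unknown_php_posts "$1"; foreign_admincp "$1"; } \
        | cut -d' ' -f1 | sort -u
}

triage() {
    echo "== installer/upgrader probes =="; installer_hits "$1"
    echo "== POSTs to PHP files outside the allowlist =="; unknown_php_posts "$1"
    echo "== admincp requests from non-admin addresses =="; foreign_admincp "$1"
    echo "== suspect source addresses =="; suspect_ips "$1"
}

# Real log: sh log-triage.sh /var/log/apache2/access.log
# No argument: run against the constructed sample.
if [ -n "${1:-}" ]; then
    triage "$1"
else
    tmp=$(mktemp); write_sample_log "$tmp"; triage "$tmp"; rm -f "$tmp"
fi
```

On the sample, every rule points at the same address, and the order of its requests (installer probes, then a POST to a PHP file nobody put there, then admincp) is the sequence the hacker described. Logs only help if they survive the incident: ship them off the box, or at least keep them in the host's backups, because a restore to a week earlier, as in this thread, takes the evidence with it.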
Lynne
07-16-2014, 04:21 PM
Make sure you delete your whole /install folder as that is how he hacked your site!
And, as Richie says, you should .htaccess protect your /admincp. Make sure that is a unique username/password (don't use the same as your /admincp login like some admins do as that will NOT make it secure if they have your admin login details!). Actually, read all that Richie wrote as it is very good advice.
RichieBoy67
07-16-2014, 04:44 PM
Make sure you delete your whole /install folder as that is how he hacked your site!
And, as Richie says, you should .htaccess protect your /admincp. Make sure that is a unique username/password (don't use the same as your /admincp login like some admins do as that will NOT make it secure if they have your admin login details!). Actually, read all that Richie wrote as it is very good advice.
Thanks Lynne! That is high praise coming from you and I'll take it. :D
romebaby
07-17-2014, 12:55 AM
Thanks again. We restored to a week prior to the hack, so I can't check logs. I did delete the install folder completely; it positively was not there at the time of the hack, as my last 2 local backups show. I will do everything else you said as well. What is the admincp firewall, and how do I .htaccess-protect my /admincp?
ozzy47
07-19-2014, 02:55 PM
You can password-protect your ACP with this mod: https://vborg.vbsupport.ru/showthread.php?t=312555
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.