Hacked through provider - files added.


pityocamptes
01-16-2015, 08:11 PM
Ok, looks like some a$$hole somehow got into my provider's site and purchased a $hit ton of server stuff, i.e., new server, hosting, etc. Got all that taken care of, etc.

My site has been obviously compromised, and will address that later tonight. In the meantime, going through the cpanel screen on my provider's site, it looks like, according to the time stamps, that the culprit only ADDED files, they did not modify previously existing files. Very strange because if someone was going to f... you over would they not just $hit tank your site? I have an output.txt and .php files added that have somehow overridden my entire site. They did not have DB access thank god.

I assume that when you look at an FTP manager, the dates next to the files/folders (especially folders) will change even if ONE thing in a multi tier folder changes, correct? Any input appreciated. Thanks.

I still have no idea how they knew my ID and PW for my provider... they didn't even change account info, contact, etc...

Dave
01-16-2015, 08:16 PM
Try this: log in to the admin cp > Maintenance > Diagnostics > Suspect File Versions. That will display any files which do not belong to vBulletin or are modified. Also check your plugins at Plugins & Products > Plugin Manager. There might be some fishy plugins with backdoor code.

In case you use shared hosting, they probably "rooted" the server and ran a script to replace all index files of all websites with their deface page. If that's the case, you better find a completely different host.

pityocamptes
01-16-2015, 08:28 PM
Try this: log in to the admin cp > Maintenance > Diagnostics > Suspect File Versions. That will display any files which do not belong to vBulletin or are modified. Also check your plugins at Plugins & Products > Plugin Manager. There might be some fishy plugins with backdoor code.

In case you use shared hosting, they probably "rooted" the server and ran a script to replace all index files of all websites with their deface page. If that's the case, you better find a completely different host.



Thanks. I don't think they did that, as they charged close to a grand of $hit from my account, like new server space, domain names, etc.

I have not checked the suspect file version. It seems that I have only a few added files. In fact this whole thing is weird, how did someone get a multi digit ID and long PW???? The only two people that know are God and me and God isn't saying $hit.

In fact what is so weird is they could have totally destroyed the site, etc. but everything is there with the exception of the few newly added files. Strange...

Ok, here are the files with new dates of 01/15/2015:

Index.php
MS.php
output.txt
wso.php

Dave
01-16-2015, 08:38 PM
They didn't alter anything else because those scriptkiddies usually only do it to deface your site so they can brag about it to their other scriptkiddy friends.

What I would do is change the passwords of all your stuff, just to be sure.
- Delete those suspicious files and re-upload the index.php file of vBulletin. (wso.php is a web-shell by the way, a backdoor. Delete that file asap)
- Be sure all of your plugins are up to date.
- Change the admincp folder to something else.

I can help you out in private if you need help, but of course understandable if you have some trust issues now.

pityocamptes
01-16-2015, 08:43 PM
Thanks. The admin CP folder was changed to something else originally... do I need to change it again? Also, I assume they got the FTP connection info for the DB... should I change the DB pw as well? If so, do I just do that in config, or do I need to do something on the back end of VB?

Still pretty ballsy to charge $1000.00 in server, and domain names...

Are any of those files, with the exception of INDEX, vbulletin files to begin with? Not sure if these are fresh uploads or altered existing files.

Dave
01-16-2015, 08:44 PM
Thanks. The admin CP folder was changed to something else originally... do I need to change it again? Also, I assume they got the FTP connection info for the DB... should I change the DB pw as well? If so, do I just do that in config, or do I need to do something on the back end of VB?


Still pretty ballsy to charge $1000.00 in server, and domain names...

You usually change the passwords of your FTP/MySQL in the CPanel of your host. If you change the password of MySQL, you also have to change it in the config file at includes/config.php of vBulletin.

pityocamptes
01-16-2015, 08:47 PM
You usually change the passwords of your FTP/MySQL in the CPanel of your host. If you change the password of MySQL, you also have to change it in the config file at includes/config.php of vBulletin.

Thanks. How about those file names? Are any of those vbulletin files by origin?


Oh, and also, should I change the admin folder name to something else?

--------------- Added 1421452963 at 1421452963 ---------------

I can't delete output.txt. Is that a vbulletin file??? It keeps showing up. Thanks.

ozzy47
01-16-2015, 10:38 PM
output.txt could be from the https://vborg.vbsupport.ru/showthread.php?t=268208 mod.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

pityocamptes
01-16-2015, 10:39 PM
output.txt could be from the https://vborg.vbsupport.ru/showthread.php?t=268208 mod.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

Thanks! I believe that is it. It shows spiders, etc. in the output. No need to go to those threads, seems like everything is ok. I still would like to know how they got my host account info... everything seems ok now... thanks.

--------------- Added 1421513152 at 1421513152 ---------------

How long does it take for google to pick up the changes back to my site? It still is saying in google search "hacked by..." ? I resubmitted my sitemap via seo, and have checked on the page source code and the "hacked by..." is gone (removed when I changed the site back).

pityocamptes
01-20-2015, 03:43 PM
Cleaned up everything, changed FTP and database passwords, removed all recent files, scanned for foreign non vbulletin software, used secondary confirmation for host access (text PIN), changed admin folder name, pw protected, changed mod folder name, pw protected... I do have the admin firewall on, and I still got hacked again this morning. I have the admin firewall mod and never received notice that someone accessed the admincp, so I wonder if this was a direct FTP?

Can the host provider tell how someone is getting in? I updated my vbulletin software this past weekend. I don't know how these people are getting in!!! I'm not sure if it originally started off as a problem on the provider's end (as originally the hackers had access to my account info and proceeded to charge a bunch of stuff - ie server space, etc. on the provider's site) - because I think if it was a direct ftp hack they would not have had access to my actual provider account info.

I've scanned my computer at home, and have no rootkits, or viruses. Any ideas how to combat this? Thanks.

Dave
01-20-2015, 03:50 PM
You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way or do you have your own VPS/dedicated server?
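
A small triage pass over Apache access.log lines of the kind Dave mentions, as an added example (not from this thread or from vBulletin): it parses combined-format lines, finds the first request to each of the dropped file names, and lists everything the same client did, so the requests that preceded the first hit on the web shell are visible. The sample lines, IPs and paths are constructed, and the combined log format is an assumption about how the host logs.

```python
import re

# Apache "combined" log format; assumed layout for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines, not a real log (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2015:03:12:01 -0500] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2015:03:14:22 -0500] "GET /forum/admincp/ HTTP/1.1" 404 210 "-" "python-requests/2.5"
198.51.100.9 - - [15/Jan/2015:03:14:40 -0500] "GET /forum/wso.php HTTP/1.1" 200 9981 "-" "python-requests/2.5"
198.51.100.9 - - [15/Jan/2015:03:15:03 -0500] "POST /forum/wso.php HTTP/1.1" 200 1200 "-" "python-requests/2.5"
198.51.100.9 - - [15/Jan/2015:03:16:10 -0500] "POST /forum/MS.php HTTP/1.1" 200 300 "-" "python-requests/2.5"
203.0.113.7 - - [15/Jan/2015:09:01:00 -0500] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""


def parse(log_text: str) -> list:
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def first_hits(log_text: str, names) -> dict:
    """First request to each suspicious file name: name -> (ts, ip, method)."""
    hits = {}
    for r in parse(log_text):
        base = r["path"].split("?", 1)[0].rsplit("/", 1)[-1]   # file name only
        if base in names and base not in hits:
            hits[base] = (r["ts"], r["ip"], r["method"])
    return hits


def requests_from(log_text: str, ip: str) -> list:
    """Everything one client did, in order: what came before the first shell hit."""
    return [(r["ts"], r["method"], r["path"], r["status"])
            for r in parse(log_text) if r["ip"] == ip]
```

If the host's copy of the log has been emptied, the hosting provider is the only place left to ask for it.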

kh99
01-20-2015, 03:51 PM
Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.

You said you scanned for non vbulletin software, how did you do that?

squidsk
01-20-2015, 03:52 PM
Have you deleted the install directory?

pityocamptes
01-20-2015, 04:29 PM
You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way or do you have your own VPS/dedicated server?

Shared hosting. Last time I went in, when this first happened, all my logs were deleted...

--------------- Added 1421778601 at 1421778601 ---------------

Have you deleted the install directory?

Yes.

ForceHSS
01-20-2015, 04:30 PM
Could be a hidden file that hackers sometimes put in place, and very hard to find.

pityocamptes
01-20-2015, 04:34 PM
Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.

You said you scanned for non vbulletin software, how did you do that?

In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

When it first happened, I went into FTP and looked at all the files. Especially looking for modification dates, in the last day or so. Deleted all the files that were added on the day of the initial hack, and also uploaded clean files like the index file. Would this be a good indicator for looking at suspect files - by looking at the DAY they were uploaded or altered?

I hate to be paranoid, but could this be something on my home computer that malware software is not finding? I have firewalls, etc. so I don't know how they are getting new PW information.

It looks like these +++++++s are an Egyptian hacker group...

kh99
01-20-2015, 04:41 PM
In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

pityocamptes
01-20-2015, 04:44 PM
I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

Ok, this is what I am wondering. So it is possible to physically hide a file from physical view, sort of like Windows does? Because I would think if they buried code in a vbulletin required file, the date stamp should have changed for its modification, which I would have seen in FTP, correct?

Since the database has not been screwed with, I assume they did not get access to that, but would be easily available considering the access info would be in a file....
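
A file audit for the questions above about modification dates and hidden files, as an added example (not from this thread or from vBulletin): it walks the web root with os.walk, which lists dot-files too, flags files changed inside a time window, and compares every file's SHA-256 against a manifest built from a clean copy of the same vBulletin version. The tree in demo() is constructed; the paths, the manifest layout and the two-day window are assumptions.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

def build_manifest(clean_root: Path) -> dict:
    """Relative path -> SHA-256 of every file in a known-clean copy."""
    return {str(p.relative_to(clean_root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in clean_root.rglob("*") if p.is_file()}

def audit(web_root: Path, manifest: dict, since: float) -> dict:
    """Flag files by mtime window and by hash; os.walk lists dot-files too.
    mtime can be backdated by whoever wrote the file, so the hash check is
    the stronger signal; a directory's mtime changes only when entries are
    added or removed, not when a file inside it is edited."""
    recent, unknown, modified = [], [], []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(web_root))
            if p.stat().st_mtime >= since:
                recent.append(rel)
            expected = manifest.get(rel)
            if expected is None:
                unknown.append(rel)        # not a vBulletin file at all
            elif hashlib.sha256(p.read_bytes()).hexdigest() != expected:
                modified.append(rel)       # a real file carrying extra code
    return {"recent": sorted(recent), "unknown": sorted(unknown),
            "modified": sorted(modified)}

def demo() -> dict:
    """Constructed sample tree: a clean copy next to a tampered live copy."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    month_ago = time.time() - 30 * 86400
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "includes" / "config.php").write_text("<?php // db config\n")
        for p in root.rglob("*"):
            os.utime(p, (month_ago, month_ago))   # pretend: installed a month ago
    manifest = build_manifest(clean)
    (live / "index.php").write_text("<?php // tampered\n")      # edited in place
    (live / ".cache.php").write_text("<?php // hidden drop\n")  # dot-file
    (live / "wso.php").write_text("<?php // shell placeholder\n")
    os.utime(live / "wso.php", (month_ago + 20 * 86400,) * 2)   # backdated mtime
    return audit(live, manifest, since=time.time() - 2 * 86400)
```

In the demo the backdated wso.php is missed by the date check but still caught as unknown, which is why a date-only FTP review is not enough on its own.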

nhawk
01-20-2015, 06:01 PM
I know this won't be helpful but...

$5 will get you $10 that your host is GoDaddy.

I've found that a good majority of hacked sites are hosted on GoDaddy.

pityocamptes
01-20-2015, 06:19 PM
I know this won't be helpful but...

$5 will get you $10 that your host is GoDaddy.

I've found that a good majority of hacked sites are hosted on GoDaddy.

You would be correct. I have a few months left on hosting and will be leaving to another provider. Unless of course this goes $hit south, in which case I will be punching out sooner than later...

So, are you indicating that the issue is on their end, or my end? Like I said, I have no idea how my original account was hacked, too much info they would have had to have had. Now this time around could be explained by something still on the server that I did not clean up, or perhaps, they are having issues??? Thoughts?

Dave
01-20-2015, 06:23 PM
Well like I said before it's totally plausible that that hacking group has root access to the server which would give them full control over the server and they'll be able to do anything they want. I would just move servers as soon as possible and you'll probably see that it was because of GoDaddy, not something related to you.

pityocamptes
01-20-2015, 06:37 PM
Well like I said before it's totally plausible that that hacking group has root access to the server which would give them full control over the server and they'll be able to do anything they want. I would just move servers as soon as possible and you'll probably see that it was because of GoDaddy, not something related to you.

Thanks again. Thinking of moving to siteground or hostgator or something else that is reasonably priced but good and supports vbulletin... thoughts?

Dave
01-20-2015, 07:01 PM
I would avoid Hostgator as well, go for Siteground or another host such as Stablehost.

Brandon Sheley
01-20-2015, 09:23 PM
There are many ways to compromise a server. It doesn't necessarily have to be through vbulletin. Your host should be able to help you find your server logs and give you an idea on how they got in.
Also they could have gotten in through your computer itself, have you scanned it and seen if there was anything suspicious on the computer/laptop itself?

pityocamptes
01-20-2015, 10:17 PM
There are many ways to compromise a server. It doesn't necessarily have to be through vbulletin. Your host should be able to help you find your server logs and give you an idea on how they got in.
Also they could have gotten in through your computer itself, have you scanned it and seen if there was anything suspicious on the computer/laptop itself?

Yes, I checked for malware, etc. nothing. I will run it again tonight just to make sure. Thanks.

--------------- Added 1421799575 at 1421799575 ---------------

Let me ask something that may be relevant? About a week ago I put out some ads for a blogger/writer. These were sent to my host email address (once you signed into host site). A few of those that responded sent pdf files with writing history, etc. I opened these. Could this have infected the machine, and if so, would it be my machine or the hosts machine? Thanks. Funny though I have not found any virus or malware on my system...

--------------- Added 1421802952 at 1421802952 ---------------

OK, took care of everything, hopefully this solves it. Now, it seems I cannot get into the forums, I get a 404 error. Now what???

final kaoss
01-21-2015, 02:21 PM
404 means that files are not found.

A 404 error indicates that the server itself was found, but that the server was not able to retrieve the requested page.

Brandon Sheley
01-21-2015, 03:48 PM
404 means that files are not found.

The 404 issues dealt with his htaccess file which we fixed last night. :up: