I've just restored twice over the last couple of days, my hosts are screaming...he is a clever bugger...I have a developer keeping an eye on my site until Sunday so I will update this thread...I am using Spam Hammer and to date it is brilliant, so I don't think it is flawed, but Steve is the expert in this stuff
--------------- Added [DATE]1378651717[/DATE] at [TIME]1378651717[/TIME] --------------- clock.php...interesting...I have a clock on my home page header, hmmm |
Hopefully with Steve watching the site, he can figure out everything they are doing and share with the community on how to put a stop to him.
|
Quote:
Thank you for these details. I was able to see these backdoor (php) files - about 4 with different names (gs.php, test.php, dyna_statistic.php) with exactly the same content, installed in the following folders: customprofilepics, attachments, captcha, vba_dyna_modules. Deleted those files today. Removed the install directory the very next day after being hacked (6-Sep). Changed cpanel/FTP, vBulletin database and admin account passwords. I didn't find anything injected into the database, so should I restore it? Then the members' posts will be lost! What more should I do to keep the hacker away? |
Well, something's still not right. I logged onto my site today and my account was using an unselectable style; the style options at the bottom were just showing a blank space. Nothing in the control panel logs, no file edits on the server, no new admins......
|
Well, that is certainly a strange one. Surprised there was nothing in the logs.
|
This guy hacked our site with 3 usernames (administrator, z3ro and Th3H4ck), all admins, and with no record of them registering, no email confirmation to admin, so it had to be manually done. I deleted them, and the contents of the install folder (all were backup files). The site crashed, so I had our ISP restore web files from before the 3 stooges registered and run a malware scan, then verified the htaccess file. Meanwhile, within minutes of being back up, we had 2 more phoney admins, and ZAP! got a message saying, "This site has been hijacked by Frozen.Heart."
I also found at cPanel that all the access logs had been locked. Going through File Manager, I found the files empty. Neither the ISP nor we have any idea what to do to restore the site without starting over, but they're going through the software now. What else could he have done to hijack the site? (I'm not much more than a glorified Mod, so hopefully I'll catch on to whatever suggestions you've got!) One other question: How does this guy find out who vB's clients are? |
I would look at the raw server logs and identify the IP addresses he is using. You can buy yourself some time by blocking those in your .htaccess or firewall.
|
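A worked illustration of the raw-log review suggested above, added here as an example and not code from any poster in this thread: it parses Apache combined-format access-log lines (a constructed sample on documentation IP ranges, not real traffic) and reports which client IPs touched the leftover /install/ scripts, the admincp user-add action, or the backdoor file names mentioned in this thread, then prints the .htaccess lines that would block the strongest candidates. The path patterns and the two-reason threshold are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2013:02:14:01 +0000] "GET /forums/install/upgrade.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:02:14:09 +0000] "POST /forums/install/upgrade.php?step=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Sep/2013:02:15:30 +0000] "GET /forums/forum.php HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:02:16:44 +0000] "POST /forums/admincp/user.php?do=doadd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [06/Sep/2013:02:17:02 +0000] "GET /forums/install/install.php HTTP/1.1" 404 210 "-" "curl/7.29"
198.51.100.23 - - [06/Sep/2013:02:18:10 +0000] "GET /forums/showthread.php?t=12 HTTP/1.1" 200 30020 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Sep/2013:02:19:55 +0000] "GET /forums/gs.php HTTP/1.1" 200 118 "-" "Mozilla/5.0"
this line is not a log record and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Request paths worth attention, taken from what the thread reports: the leftover
# install scripts, new-admin creation through admincp, and the dropped backdoor names.
SUSPICIOUS = (
    ("install_script", re.compile(r"/install/(upgrade|install)\.php")),
    ("admincp_user_add", re.compile(r"/admincp/user\.php\?do=doadd")),
    ("known_backdoor", re.compile(r"/(gs|test|dyna_statistic|c99madshell|lamershell)\.php")),
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text):
    """Return {ip: Counter(reason -> hits)} for every request that touched a suspicious path."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason, pattern in SUSPICIOUS:
            if pattern.search(rec["path"]):
                hits[rec["ip"]][reason] += 1
    return dict(hits)

def block_candidates(hits, min_reasons=2):
    """IPs seen doing more than one kind of suspicious thing: the strongest block candidates."""
    return sorted(ip for ip, reasons in hits.items() if len(reasons) >= min_reasons)

def htaccess_lines(ips):
    """Apache 2.2-style deny rules for the .htaccess of the forum directory."""
    return "\n".join("Deny from %s" % ip for ip in ips)

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, reasons in found.items():
        print(ip, dict(reasons))
    print(htaccess_lines(block_candidates(found)))
```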
Thanks, Xenite, but first I need to figure out how to get the site back up, without any surprise easter eggs included. I suspended the account until we can get it fixed...we don't need to advertise his "expertise", since all you get at our URL is a flaming demon with music and his banner headline.
The ISP is asking me for any information available on what he does to the software. |
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.
When my site was hacked this morning, all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it. I found one SQL table entry for the notice and edited that, but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice. |
Quote:
|
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions |
Erm working on one now where they edited the master style, will update this post once I find out more.
Edit: If you're reviewing plugin edits via the control panel log and notice anything similar to: template.php modify style id = 0, then place your site into debug mode and check the MASTER STYLE for any edits. The one I located was in the Master Style, included in the forumhome template: Code:
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRrrp"> |
I got got.
I'm bottom of the barrel level too, so I'm just bewildered. Lost about 30 posts by members after restoring to the previous day's backup via MySQL. What's with these colon licking hackers? --------------- Added [DATE]1378824257[/DATE] at [TIME]1378824257[/TIME] --------------- Quote:
Sorry. never mind. I got it. |
1 Attachment(s)
Basically you know how all those folder and files related to vBulletin must be uploaded to your server? You want to locate the folder /install/ and delete it entirely.
https://vborg.vbsupport.ru/attachmen...hmentid=146371 |
Someone send me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?
|
|
Btw, I updated my blog again, with some additional steps to help remove the exploits.
|
Quote:
1. My site went down with a server error message.
2. Host got it back up, but home page "wasn't right". I noticed that I had phoney "admins" in my usergroup who were "registered" minutes before the error and deleted them. I read this thread and deleted the install folder. (Obviously, the payload had already been delivered.)
3. Site got hijacked.
4. Via link to ACP I shut down the boards, stopped all plugins.
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
7. Site is still down.
So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership? I will give this link to host, and will check out all the cleanup suggestions you and Zachary give. |
I had the same problem in 4.2.1. Some days ago someone registered as admin...... we deleted him.
Yesterday the same, we deleted him. I read here to delete the install folder, I did it. The site is down.... database error. I re-uploaded all of 4.2.1 and ran upgrade or install, and I have this error: Code:
Due to the following errors, the install/upgrade can not continue: |
Quote:
When you say they restored a web backup, do you mean they had a full database (1) AND filesystem (2) backup and restored both (3)?
1. If the host restored then they know to drop the tables, in fact the entire database, depending on restore method. The issue here for some site owners who attempt this themselves is the fact they tend to import a backup onto a populated database, i.e. overwriting newer data with older data, and that can cause issues. The proper way to do it is to drop all tables from the database, then import the backup into the now empty database, thereby restoring it.
2. If the host restored a filesystem backup, it must be BOTH filesystem AND database, because the two must match each other, i.e. timeframe: if the database backup was made at 5pm your time then the filesystem backup should be from that same time, and by disabling the forum before a backup you ensure no activity is taking place, i.e. avatar/image uploads, so the two will in fact match what the database knows is within the filesystem.
3. If only one was done, as I said above in note #2, it must be both.
Now is there an exception? Yes! The inability to access the admincp could be modification related: if you restored fresh files only and forgot to upload all the missing plugin files then that can cause inability to access. If you feel that is the case, locate the missing modification files and upload them (you can still access the database via phpmyadmin, so check the product and plugin tables). If you have issues tracking down the files OR truly believe this is the issue, then start disabling each plugin one by one using this article until you find the culprit, as not all plugins disable when you disable mods via the config file; I've seen some odd situations and scenarios with certain third-party modifications/plugins.
Quote:
Your site is more than likely intact, other than one site where they edited the master style I have only seen defacement no thread or post deletions but make sure to check regardless. |
Deleting your install folder had nothing to do with your new error:
'max_connections_per_hour': your MySQL user has used all of the queries they're allowed per hour. |
http://www.vbulletin.com/vbcms/conte...to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my FTP account directs the files to "my" folder, so they were moved by the host.) I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade? |
Quote:
Let me re-phrase:
The best way to fix this now is to ask your host to restore the database AND the files from three days prior at the same time; however, you will lose all data from the time of the backup to date. Unless you have a custom script written, and possibly edits to the database, to merge in the data, taking into account new data from the time you start using the forum after the restore, then the data is lost forever after restoration. |
OK, thanks.
--------------- Added [DATE]1378918449[/DATE] at [TIME]1378918449[/TIME] --------------- Does this sound correct, please? From host: Quote:
|
Hello guys,
Here is my feedback, running vBulletin 4.2.0 Patch Level 3. Today I received a phone call from a moderator of mine saying that the forum was hacked. Immediately I logged in as admin and turned the forum off. I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php is it redirecting to this page: http://i.imgur.com/JingJTM.png Showing a Brazilian message: Quote:
http://paste2.org/YeFAjz9m
I have found this in my forumhome template: http://paste2.org/Mw7snpxK
I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013
Does someone know exactly what the hacker changed? Until now I only found:
1- a new admin (already deleted)
2- forumhome template changed (already reverted)
I already deleted the install folder also, like Wayne Luke said here: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
Just a quick note. I saw the logs and found what he did: http://i.imgur.com/pJRBdfi.png
So, if I am right, he only modified template files, right? Is it possible to know if it was only forumhome or more?
UPDATE: I have checked all template files one by one in the Last edited information, and the only template file that was edited by the hacker was FORUMHOME, in all templates that I have installed. It says: Last edited September 11 2013 at 05:51 by polter
UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked) and the file was bbcode_video. It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today and 2 minutes before he changed FORUMHOME. My bbcode_video file code: http://paste2.org/5bP0w05b
UPDATE3: Just can't find the template file that he inserted on style 2 (default): http://i.imgur.com/pJRBdfi.png I saw the files one by one and can't find today's date... Any more changes that anyone has noticed? Thanks! |
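Added example (not code from this thread or from vBulletin) covering both the master-style meta-refresh check described a few posts earlier and the "Last edited by" review in the post above: it scans rows shaped like vBulletin's template table for injected redirects, external scripts or obfuscation, and separately flags templates edited after the incident started or by a user outside the admin allow-list, which is how a blank "Last edited by" on bbcode_video surfaces even when the content signatures miss it. The rows, epoch times and column names are constructed for this example, and the incident window is assumed to start at midnight UTC on the day of the edits.

```python
import re

# Content patterns that the defacements described in this thread leave in a template:
# a meta refresh to an outside URL, an external script or iframe, a JS redirect, or
# obfuscation helpers that have no business in a vBulletin template.
SIGNATURES = {
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    "external_script": re.compile(r'<script[^>]+src=["\']?(?:https?:)?//', re.I),
    "external_iframe": re.compile(r'<iframe[^>]+src=["\']?(?:https?:)?//', re.I),
    "js_redirect": re.compile(r'(?:window|document|top)\.location(?:\.href)?\s*=', re.I),
    "obfuscation": re.compile(r'eval\s*\(|fromCharCode|unescape\s*\(|base64_decode', re.I),
}

def scan_templates(rows, known_admins, incident_start):
    """rows: dicts with title, styleid, username (last editor), dateline (epoch), template.
    Returns one finding per template that matches a content signature or whose last edit
    was made at/after incident_start or by someone outside known_admins."""
    findings = []
    for row in rows:
        reasons = [name for name, pat in SIGNATURES.items() if pat.search(row["template"])]
        if row["username"] not in known_admins:
            reasons.append("edited_by_unknown_user:%r" % row["username"])
        if row["dateline"] >= incident_start:
            reasons.append("edited_after_incident")
        if reasons:
            findings.append({"title": row["title"], "styleid": row["styleid"], "reasons": reasons})
    return findings

# Constructed rows in the shape of vBulletin's template table; the times are made up to
# match the "Last edited September 11 2013 at 05:51 by polter" note above, taken as UTC.
INCIDENT_START = 1378857600   # 2013-09-11 00:00:00 UTC, assumed start of the incident window
TEMPLATES = [
    {"title": "FORUMHOME", "styleid": 2, "username": "polter", "dateline": 1378878660,
     "template": '<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRrrp">{vb:raw header}'},
    {"title": "bbcode_video", "styleid": 2, "username": "", "dateline": 1378878540,
     "template": '<div class="bbcode_video">{vb:raw code}</div>'},
    {"title": "header", "styleid": 2, "username": "admin", "dateline": 1370000000,
     "template": '<script type="text/javascript" src="clientscript/vbulletin_md5.js"></script>'},
    {"title": "footer", "styleid": 2, "username": "admin", "dateline": 1370000000,
     "template": '<div id="footer">{vb:rawphrase all_times_are_gmt_x_time_now_is_y}</div>'},
]

def demo():
    return scan_templates(TEMPLATES, known_admins={"admin"}, incident_start=INCIDENT_START)

if __name__ == "__main__":
    for f in demo():
        print("%-14s style %s: %s" % (f["title"], f["styleid"], ", ".join(f["reasons"])))
```

Against a live board the rows would come from the template table with the same columns; a relative script src such as the header row is deliberately not flagged.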
My vBulletin forum was also hacked via symlink. My forum was on a shared hosting server.
This tutorial article (http://www.securitygeeks.net/2012/08...-tutorial.html) shows how easy it is for a hacker to hack into your vBulletin forum. The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server. Now I have a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker. Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker? |
|
This thread was very useful. Thank you to everyone that has contributed. We also were breached and I found about 7 new admin accounts from the past three weeks but only three of them had bothered to do anything. I had several new plugins and some Base64 encoded PHP tied to the subscriptions.php. I tried to decode the php but it is a file within a file, within a file and my day is only so long. I haven't seen others mentioning this. Has anyone seen this or can speculate on why this php file would be targeted?
UPDATE: after 10 rounds of decode we found a hacker tool called c99madshell.php was what the plugin was. A description of what it does is here: http://www.derekfountain.org/security_c99madshell.php We are digging deeper into what may have been accessed in the DB. |
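An added example of the "10 rounds of decode" described in the post above (not the poster's code): it peels nested eval(base64_decode(...)) and eval(gzinflate(base64_decode(...))) wrappers from a plugin's PHP source, counts the layers, and lists which dangerous PHP functions the innermost code actually calls. The sample is constructed here, with a harmless one-line stand-in where the c99madshell payload would sit.

```python
import base64
import re
import zlib

# The wrapper shapes seen in obfuscated plugin code: eval(base64_decode('...')) and
# eval(gzinflate(base64_decode('...'))). The blob may be wrapped over several lines.
WRAPPER = re.compile(
    r"eval\s*\(\s*(?P<inflate>gzinflate\s*\(\s*)?base64_decode\s*\(\s*['\"]"
    r"(?P<blob>[A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)?\s*\)")

# PHP functions a webshell needs and a forum plugin almost never does.
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "assert", "create_function", "fsockopen", "symlink")

def peel(code, max_layers=50):
    """Strip eval/base64/gzinflate wrappers until plain PHP remains. Returns (code, layers)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(code)
        if m is None:
            break
        raw = base64.b64decode(re.sub(r"\s+", "", m.group("blob")))
        if m.group("inflate"):
            raw = zlib.decompress(raw, -15)      # PHP gzinflate() is raw DEFLATE, no header
        code = raw.decode("utf-8", errors="replace")
        layers += 1
    return code, layers

def dangerous_calls(code):
    """Names from DANGEROUS that the decoded code actually calls."""
    return sorted(fn for fn in DANGEROUS if re.search(r"\b%s\s*\(" % fn, code))

# --- constructed sample: a harmless stand-in payload wrapped ten layers deep ---
CORE = 'echo "constructed stand-in for the c99madshell payload"; system("id");'

def wrap(code, inflate):
    data = code.encode()
    if inflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, what gzinflate() expects
        data = comp.compress(data) + comp.flush()
    blob = base64.b64encode(data).decode()
    if inflate:
        return "eval(gzinflate(base64_decode('%s')));" % blob
    return "eval(base64_decode('%s'));" % blob

def build_sample(depth=10):
    code = CORE
    for i in range(depth):
        code = wrap(code, inflate=(i % 2 == 0))   # alternate the two wrapper styles
    return "<?php " + code

if __name__ == "__main__":
    inner, n = peel(build_sample())
    print("layers removed:", n)
    print("dangerous calls:", dangerous_calls(inner))
    print(inner)
```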
My (4.2.1) forum was hacked but interestingly, it appears to be working. Only when I try to access "Admin" account (there are 2) it plays music spot and says "Hacked by pScript".
Cannot access CP through VB. Went to my provider's cPanel, saw files like index.php changed. A user with no Admin rights I think would notice nothing wrong. The /install directory was present when the hack occurred. Instructions before were saying to remove only install.php and tools.php. Looks like the hacker had used upgrade.php. How to regain access to VB Admin CP? I can go through the provider and edit individual files. Appears he had not touched posts, but whatever user he came in as, he can still do that.
--------------- Added [DATE]1379402877[/DATE] at [TIME]1379402877[/TIME] ---------------
If I try to log in as a Mod, it is OK, but no sufficient rights to run what is being suggested. Search for user "admin" shows data and activity of the real one. No right to change his password. 10 days ago I noticed another user, test (from test.com), that had administrator title without any email and confirmation. Upon registration, there is a question to answer that robots cannot and only people of a specific nationality can. It did not go through that. Looks like this is a separate one, or different damage to different forums on the shared server. |
I've been reading about all this hacking for the past week.
I knew about the /install folder exploit by being an everyday reader both here and on vb.com, so I instantly did the delete; actually a few of my Forums already had the folder deleted as I know there's no real need for it. What did surprise me, however, was the e-mail about the /install exploit around (I am guessing here but I think it's about right) one week later after reading about it on vb.org. So why did it take a huge company like vB so long to send out this very important e-mail? I haven't been happy with vB for a long time now; I keep saying to myself one day I will move all my Forums over to x en foro, and after this it's now pushed me even more to do so. I've known a lot of guys from here (vb.org) have made the move already and others are doing so too. I think the vB company has lost what it once had and is not thought of the way it used to be. This is just my opinion and either people agree or disagree, that's life. Just thought I'd share a few of my thoughts though. |
Yes, there was no email.
Before, new things were in red in the admin CP as soon as I entered it, telling about new versions and dangers. Yahoo mail (used for communication) is blocked by my company; I can't see it, but the VB Admin CP I can access, and I do that several times a day. Nothing was in there. Can't believe VB staff watched all the hacks and did nothing. Deleted suspicious files, doing a new load of VB. Will tell later how it went and what it was...if I have success.
--------------- Added [DATE]1379416900[/DATE] at [TIME]1379416900[/TIME] ---------------
Now upgrade.php says: Code:
Database error in vBulletin : mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied for user 'root'@'localhost' (using password: NO) /home/mysitedb/public_html/includes/class_core.php on line 317
MySQL Error :
Error Number :
Request Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Error Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Script : http://www.example.com/install/upgrade.php
Referrer :
IP Address : 114.161.74.125
Username :
Classname : vB_Database
MySQL Version :
--------------- Added [DATE]1379417296[/DATE] at [TIME]1379417296[/TIME] ---------------
No access to VB CPanel, could not stop the board. It appears to be working (no new posts).
--------------- Added [DATE]1379417453[/DATE] at [TIME]1379417453[/TIME] ---------------
Removed the "install" directory. Any ideas what else I could try?
--------------- Added [DATE]1379418139[/DATE] at [TIME]1379418139[/TIME] ---------------
Before attempting to reinstall VB, in the /forums directory I found recently created files and deleted them:
phpinfo.php
piejcpii.php
testiramo.php
vb.php
zdbeerr66e4 (contained only ascii characters: 13785372610)
lamershell.php
bekap.php (it knew the original password when my Forum was initially installed)
--------------- Added [DATE]1379419533[/DATE] at [TIME]1379419533[/TIME] ---------------
Posting is still possible. Just posted with pictures, looks ok. Users may not see anything unusual.
But the Admin thing in VB does not work. Somebody else may have his finger on the light switch and it's his will for how long.
--------------- Added [DATE]1379420064[/DATE] at [TIME]1379420064[/TIME] ---------------
On April 21, 2013, I upgraded to VB 4.2.1. The instructions said:
1. Close your board via the Admin Control Panel.
2. Delete install/install.php from your upload directory
3. Upload all remaining files from the 'upload/' folder in the zip.
4. Open your browser and point the URL to your forums, e.g. http://www.example.com/install/upgrade.php (where www.example.com/ is the URL of your vBulletin). Make sure to upload the files into your previous installation directory as appropriate (e.g. /forums/). The Upgrade Wizard will determine your vBulletin version and jump forward to the appropriate upgrade step. Note: Some steps can take a long time to process. Please be patient.
Not a word about removing the /install directory. Not a word about removing the upgrade.php script. Hundreds of sites hacked, what a shame for the company. VB should form a crisis team (if they can, or tell us to move to another software if they can't) and help all their customers, with free support. |
Quote:
That's not the only reason this happens but it's a common one. There are a LOT of rogue crawlers out there now and they can account for 1/2 to 1/3 of many sites' bandwidth usage. |
Regained access to VB Admin CP.
Restored vanilla (from the installation kit), just one file, not a full install/upgrade: /public_html/forums/admincp/index.php
Once in Admin CP, found a user in Administrators, "pscript", and deleted him. Now it seems (with what was done a few posts above) the Forum is OK, with access to Admin CP. What I did:
- Deleted "install" directory
- Removed suspicious files from /forums directory: phpinfo.php, piejcpii.php, testiramo.php, vb.php, zdbeerr66e4 (contained only ascii characters: 13785372610), lamershell.php, bekap.php (it knew the original password when my Forum was initially installed)
- Restored index.php from installation kit into /forums/admincp/index.php |
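Added example, not from any poster, of the clean-up the two posts above did by hand: hash a fresh copy of the vBulletin upload folder of the same version, then walk the live forum directory to list shipped files whose content changed (admincp/index.php here), PHP files the kit never shipped (including ones dropped into attachments/ or customprofilepics/ as reported earlier in the thread), other unexpected files such as the odd marker file, anything written after the incident, and whether install/ still exists. The file names, contents and times are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(clean_root):
    # Hash every file in a clean 'upload' folder of the same vBulletin version.
    manifest = {}
    for dirpath, _, files in os.walk(clean_root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, clean_root)] = sha256_file(full)
    return manifest

def audit(webroot, manifest, since):
    """modified: shipped files whose hash changed; unknown_php: PHP files the kit never
    shipped (backdoors dropped into attachments/ or customprofilepics/ land here);
    unknown_other: other unexpected files; recent: anything written at or after 'since'."""
    report = {"modified": [], "unknown_php": [], "unknown_other": [], "recent": [],
              "install_dir_present": os.path.isdir(os.path.join(webroot, "install"))}
    seen = set()
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            seen.add(rel)
            if os.path.getmtime(full) >= since:
                report["recent"].append(rel)
            if rel in manifest:
                if sha256_file(full) != manifest[rel]:
                    report["modified"].append(rel)
            elif name.lower().endswith((".php", ".phtml", ".php5")):
                report["unknown_php"].append(rel)
            else:
                report["unknown_other"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: (sorted(v) if isinstance(v, list) else v) for k, v in report.items()}

def _write(root, rel, text, mtime):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    os.utime(full, (mtime, mtime))

def demo():
    # Constructed clean kit and tampered webroot in a temp dir, mirroring the thread's findings.
    incident = time.time() - 86400                        # assume the break-in was a day ago
    before, after = incident - 30 * 86400, incident + 3600
    shipped = {"forum.php": "<?php // forum", "includes/class_core.php": "<?php // core",
               "admincp/index.php": "<?php // admincp", "install/upgrade.php": "<?php // upgrade"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for rel, body in shipped.items():
            _write(clean, rel, body, before)
            _write(live, rel, body, before)
        _write(live, "admincp/index.php", "<?php // admincp\n// tampered", after)
        for rel in ("gs.php", "customprofilepics/test.php", "attachments/dyna_statistic.php"):
            _write(live, rel, "<?php // constructed backdoor stand-in", after)
        _write(live, "zdbeerr66e4", "13785372610", after)   # odd marker file from the thread
        return audit(live, build_manifest(clean), incident)
```

On a real board the clean kit is the unpacked upload/ folder of the exact version installed; differences in includes/config.php and legitimate member uploads are expected and show up as modified or unknown_other, so review those classes by hand.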
loua oz
Please advise on what happens next. Did you check the Control Panel log for this user? |
Deleted him.
There was no IP address, just serverhacker6@gmail.com, and he belonged to the group Administrators. No other users were created. Now looks OK, see my previous post; it was edited while you typed yours. |
Searched the email and this hacker isn't going out of the way to hide himself, just like the one that got me.
--------------- Added [DATE]1379449637[/DATE] at [TIME]1379449637[/TIME] --------------- On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next. |
|
There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB related admin forums. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.