Th3H4ck hacked hundreds of VB forums over the last two days. (https://vborg.vbsupport.ru/showthread.php?t=301904)

loua_oz 09-17-2013 05:40 AM

My (4.2.1) forum was hacked but interestingly, it appears to be working. Only when I try to access "Admin" account (there are 2) it plays music spot and says "Hacked by pScript".

Can not access CP through VB. Went to my provider CPanel, saw files like index.php changed.

User with no Admin rights I think would notice nothing wrong.

/install directory was present when the hack occurred. Instructions before were saying to remove only install.php and tools.php.
Looks like the hacker had used upgrade.php.


How to regain access to VB Admin CP? Can go through the provider and edit individual files.
Appears he had not touched post but whatever user he came in as he can still do that.

--------------- Added 09-17-2013 at 07:27 AM ---------------

If I try to log in as a Mod, it is OK. But no sufficient rights to run what is being suggested.

Search for user "admin" shows data and activity of the real one.
No right to change his password.

10 days ago I noticed another user, test (from test.com) that had administrator title without any email and confirmation. Upon registration, there is a question to answer that robots can not and only people of a specific nationality can. It did not go through that.

Looks like this is a separate one or different damage to different forums on the shared server.

New Joe 09-17-2013 08:19 AM

I've been reading about all this hacking for the past week.

I knew about the /install folder exploit by being an everyday reader both here and vb com.
So I instantly did the delete, actually a few of my Forums already had the folder deleted as I know there's no real need for it.

What did surprise me however, was the e-mail about the /install exploit around (I am guessing here but I think it's about right) one week later after reading about it on vb org.

So why did it take a huge company like vb so long to send out this very important e-mail?

I haven't been happy with vb for a long time now, I keep saying to myself one day I will move all my Forums over to x en foro and after this it's now pushed me even more to do so.

I've known a lot of guys from here (vb org) have made the move already and others are doing so too.
I think the vB company has lost what it once had and is not thought of the way it used to be.

This is just my opinion and either people agree or disagree, that's life.
Just thought I'd share a few of my thoughts though.

loua_oz 09-17-2013 10:12 AM

Yes, there was no email.

Before, new things were in red in admin CP, as soon as I enter it, telling about new versions and dangers.

Yahoo mail (used for communication) is blocked by my company, can't see it but VB Admin CP I can access and do that several times a day. Nothing was in there.

Can't believe VB staff watched all the hacks and did nothing.

Deleted suspicious files, doing new load of VB. Will tell later how it went and what it was...if I have success.

--------------- Added 09-17-2013 at 11:21 AM ---------------

now, upgrade.php says:


Database error in vBulletin :

mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied for user 'root'@'localhost' (using password: NO)
/home/mysitedb/public_html/includes/class_core.php on line 317

MySQL Error :
Error Number :
Request Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Error Date : Tuesday, September 17th 2013 @ 07:19:41 AM
Script : http://www.example.com/install/upgrade.php
Referrer :
IP Address : 114.161.74.125
Username :
Classname : vB_Database
MySQL Version :

--------------- Added 09-17-2013 at 11:28 AM ---------------

No access to VB CPanel, could not stop the board.

It appears to be working (no new posts).

--------------- Added 09-17-2013 at 11:30 AM ---------------

removed the "install" directory.

Any ideas what else I could try?

--------------- Added 09-17-2013 at 11:42 AM ---------------

Before attempting to reinstall VB, in the /forums directory found recently created files and deleted them:

phpinfo.php

piejcpii.php

testiramo.php

vb.php

zdbeerr66e4 (contained only ascii characters: 13785372610)

lamershell.php

bekap.php (it knew the original password when my Forum was initially installed)

--------------- Added 09-17-2013 at 12:05 PM ---------------

Posting is still possible. Just posted with pictures, looks ok. Users may not see anything unusual.

But Admin thing in VB does not work. Somebody else may have his finger on the light switch and it's his will for how long.

--------------- Added 09-17-2013 at 12:11 PM ---------------

On April 21, 2013, I upgraded to VB 4.2.1.

The instructions said:

1. Close your board via the Admin Control Panel.

2. Delete install/install.php from your upload directory

3. Upload all remaining files from the 'upload/' folder in the zip.

4. Open your browser and point the URL to your forums, e.g. http://www.example.com/install/upgrade.php (where www.example.com/ is the URL of your vBulletin). Make sure to upload the files into your previous installation directory as appropriate (e.g. /forums/). The Upgrade Wizard will determine your vBulletin version and jump forward to the appropriate upgrade step.

Note: Some steps can take a long time to process. Please be patient.


Not a word about removing the /install directory.

Not a word about removing the upgrade.php script.

Hundreds of sites hacked, what a shame for the company.

VB should form a crisis team (if they can or tell us to move to another software if they can't) and help all their customers, with free support.

xenite 09-17-2013 01:14 PM

Quote:

Originally Posted by Zachery (Post 2444871)
Deleting your install folder had nothing to do with your new error:

'max_connections_per_hour'

Your MySQL user has used all of the queries they're allowed per hour.

A common cause for this kind of error is massive crawler/robot activity on a site. It could be a search engine gone nuts but more likely is someone trying to create spam accounts or hack into the server.

That's not the only reason this happens but it's a common one. There are a LOT of rogue crawlers out there now and they can account for 1/2 to 1/3 of many sites' bandwidth usage.

loua_oz 09-17-2013 06:59 PM

Regained access to VB Admin CP.

Restored vanilla (from installation), just one file, not full install/upgrade?

/public_html/forums/admincp/index.php

Once in Admin CP, found a user, as Administrators, "pscript", deleted him.

Now, seems (with what was done few posts above) the Forum is OK, with access to Admin CP.

What I did:
- Deleted "install" directory
- Removed suspicious files from /forums directory:

phpinfo.php

piejcpii.php

testiramo.php

vb.php

zdbeerr66e4 (contained only ascii characters: 13785372610)

lamershell.php

bekap.php (it knew the original password when my Forum was initially installed)

- Restored index.php from installation kit into /forums/admincp/index.php
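
The cleanup described in the post above (remove install/, delete files that do not belong, restore admincp/index.php from the installation kit) can be checked systematically by comparing the live tree against a clean unpack of the same release. This is an added example, not part of the original thread and not vBulletin's own tooling; the function names, the `site_local` allow-list and the sample trees are assumptions constructed for illustration.

```python
import hashlib, os, tempfile

def index_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(live_root, kit_root, site_local=("includes/config.php",)):
    """Compare the live forum tree with a clean unpack of the same release."""
    live, kit = index_tree(live_root), index_tree(kit_root)
    report = {"install": [], "modified": [], "unknown": []}
    for rel in sorted(live):
        if rel.startswith("install/"):
            report["install"].append(rel)        # installer still on the server
        elif rel in kit:
            if live[rel] != kit[rel]:
                report["modified"].append(rel)   # shipped file was altered
        elif rel not in site_local:
            report["unknown"].append(rel)        # not part of the release
    return report

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed sample trees; the file names are taken from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        kit, live = os.path.join(tmp, "kit"), os.path.join(tmp, "live")
        for rel in ("index.php", "admincp/index.php", "install/upgrade.php"):
            write(kit, rel, "<?php // clean " + rel)
            write(live, rel, "<?php // clean " + rel)
        write(live, "admincp/index.php", "<?php // replaced by intruder")
        write(live, "includes/config.php", "<?php // site settings")
        for rel in ("lamershell.php", "bekap.php", "zdbeerr66e4"):
            write(live, rel, "constructed placeholder content")
        return audit(live, kit)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real board, attachments, avatars and files installed by add-ons also show up under `unknown` and need to be reviewed or added to the allow-list; the clean copy must be the same version as the live install or every changed file reports as `modified`.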

Steve-Hoog 09-17-2013 07:06 PM

loua oz

Please advise on what happens next.

Did you check the Control Panel log for this user?

loua_oz 09-17-2013 07:12 PM

Deleted him.

There was no IP address, just

serverhacker6@gmail.com

and he belonged to group Administrators.
No other users were created.

Now looks OK, see my previous post, it was edited while you typed yours.

Steve-Hoog 09-17-2013 07:18 PM

Searched the email and this hacker isn't going out of the way to hide himself, just like the one that got me.

--------------- Added 09-17-2013 at 08:27 PM ---------------

On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.

xenite 09-18-2013 06:00 AM

Quote:

Originally Posted by loua_oz (Post 2446302)
Deleted him.

There was no IP address, just

serverhacker6@gmail.com

and he belonged to group Administrators.
No other users were created.

Now looks OK, see my previous post, it was edited while you typed yours.

Look at VBulletin's admin log. That should tell you the IP address.

Paul M 09-18-2013 09:05 AM

Quote:

Originally Posted by loua_oz (Post 2446152)
Yes, there was no email.

Yes there was.

Quote:

Originally Posted by loua_oz (Post 2446152)
Can't believe VB staff watched all the hacks and did nothing.

Maybe you should get facts right before making silly statements.

There was an e-mail, an ACP news item, and an announcement. Plus it's been discussed in all vB related admin forums.


All times are GMT.