Hacked
 

Anyone familiar with Symlink hack? I just lost my forum, completely deleted using such method i was informed by my hosting company.

A hacker uploaded a c99 shell to my server and deleted all the data with it and used symlink aswell is what i was told. Anyway to prevent this from happening again?

Im so mad

Are all backups gone as well. Check logs to see how he got in

Curious if you still have the v4 files on your server, particularly the "install" folder.

No i dont Max, I was back on 3.8.7.

ForceHss luckily I had a backup. The only different thing I had was 2 skins I installed.
Would you guys be able to check if they were the culprit?

You need to ask your host how they got in they can check things you might not have access to

This does NOT mean you still don't have the vulnerable v4 files on the server.

Remove ALL instances of the install folder, regardless of version. Immediately.

Max i guess you didnt read correctly.. EVERYTHING GOT WIPED OUT. all files are gone from ftp

Chances are the shell was in one of those nulled scripts you had. This was why I told you twice to scan for malware. Those hacked versions always contain shell scripts and malware.

Hopefully up still have a back up downloaded to your pc.

It wasnt that Always had them. This happened as soon as I installed those 2 new skins :/

well I doubt it was the skins. Perhaps just coincidence.

Do you have a back up downloaded to your pc? If so you are ok.

I do. Working on it

ok, well the very first thing once you get it up is to scan it for shell scripts, etc.. start with webmaster tools.

I also do text searches on my pc when I have the files to find shell scripts or debase64 code. And if your server has cpanel there is usually a virus scanner that catches most of those scripts.

Using "nulled" scripts isn't a very intelligent thing to do. Jus' sayin.

True,

I cannot tell you how many hacked site I have repaired that were hacked through nulled versions of Vbseo or other scripts. It is not always easy to know though if those sites have a nulled version unless looking for it.

Those scripts though almost always have extra's added... it just may take the guy who put it there some time to find you but he can do so pretty easily with a Google search and then bam...

Yep, lowlifes who null licensed scripts and software aren't doing it out of a sense of philanthropy.

clamav found nothing on homedir

Well it could just be an extra php file that a virus scanner would not catch. use the suspect versions under maintenance in the admincp and check those files to make sure they either belong to VB or the mods you have.

Exactly (cannot catch comment) the issue about that is, some of these files are custom coded per site or revised every so often so if it's a new script chances are your anti-virus is not going to detect it (server level or even your personal anti-virus if you download files from your server to your pc) HOWEVER this is why they have the Suspect Files maintenance tools in the admincp.

On the note of suspect files, you should always compare your vBulletin files to that of the original files within the .zip - What is different?

- Well the only thing that should be different is added files from modifications so simply verify those were not modified, compare your "supposedly stock" vBulletin files to the same files in a fresh copy of the same version you were running and if nothing differs i.e. the vBulletin files match (filesize and upload timestamp/date should all be the same if not within a minute or two of each other, timestamps can help indicate a malicious file too) that of those in the .zip AND all modification file sizes match then what remains? Chances are those are the bad files but remember to clone the directory before making changes or deleting files.

Well said. I see why we call you superman. :)