Forum home page hacked - at a loss.

[HarshlyCritical]

First of all, I have read this: http://www.vbulletin.com/forum/blogs...ve-been-hacked

I have followed steps 1 and 2. Step 3 is unncessary because I have retained administrator privileges. Step 4 also seems unnecessary. If you'd like to see the damage, this is it:

http://www.horrorgameforums.com/

And this is where Steps 5 and 6 come in... They say in Step 5 that AdminCP "provides a tool to scan directories". Well, great. Where is it? I cannot find it.

According to the Control Panel Log, this user made a total of three changes... All to plugin.php. The first one says "files" under Action, the second one says "doimport" under Action, and the third one is blank. So I assumed that since it's some sort of nefarious plugin, I could remove it. Except, following Step 6, when I go under Plugin Manager (the only one without a strikethrough is vBulletin, so I hit "Edit") there are hundreds and hundreds of them. Am I really supposed to go through each and every one? I can't figure this out.

Even when I disable all plugins (I put a line in config.php to supposedly disable them all), my home page still displays that irritating page. Please, I've been going crazy for the last couple of hours and have no idea where to go with this.

Also, the user who did this made themselves an administrator. Unfortunately, I cannot remove them, even though I'm a superadmin! They somehow made themselves uneditable, even though config.php does not display this information. I've googled extensively and I can't figure this out...

Thanks for any help.

[ozzy47]

The tool is under Maintenance --> Diagnostics run the Suspect File Versions

[HarshlyCritical]

Quote:

Originally Posted by ozzy47

The tool is under Maintenance --> Diagnostics run the Suspect File Versions

Thank you.

It says everything's fine except for config.php... Which I have edited a little bit, so that's to be expected.

How do I delete users that are "uneditable", if they aren't listed as uneditable in config? I can't figure that one out...

[ozzy47]

Did you try doing that with all plugins disabled?

[TheLastSuperman]

http://www.vbulletin.com/forum/blogs...vbulletin-site

Edit: Also see my post here - https://vborg.vbsupport.ru/showpost....1&postcount=52

I bet they simply edited some templates, try reverting any newly customized templates via style manager before doing anything else. *Also please note the queries I list in my blog article, you can replace the words we are searching for w/ anything you wish for example:

PHP Code:

SELECT styleid, title, template FROM template WHERE template LIKE '%adf.ly%'; 


[bremereric]

Replace your vb files from a previous backup. I had to do the same today. They hacked my default style which I copied the code from another and fixed and then the Home page was offering free money. I restored the program files from my hosting company and they are working like a charm. I also bought sitelock and they have their firewall up and running. VB will not protect your site. You will have to get something to do it also.