need help - forum.php has been hijacked

[VBUsers]

I have my forum.php (main forum) showing an iframe to some a hole hacker that doesnt stop messing with my forum

http://www.hydrocanna.com/forum.php

can anyone tell me how they are doing this? I have checked the files and templates and cant find anything. Im not sure what file or how so please help me out

[synseal]

Have you tried overwriting forum.php with a fresh backed up one?.

[VBUsers]

Quote:

Originally Posted by synseal

Have you tried overwriting forum.php with a fresh backed up one?.

yes and ive looked at the file and none of th code is in there. I have over written everything on the site

[kh99]

Try using this: www.vbulletin.org/forum/showthread.php?t=281080

Also check the plugin manager to see if anything looks like it doesn't belong.

[VBUsers]

Quote:

Originally Posted by kh99

Try using this: www.vbulletin.org/forum/showthread.php?t=281080

Also check the plugin manager to see if anything looks like it doesn't belong.

that worked! thanks a lot.

[SupportAM]

Okay I have the same problem and I replace all the files and I reloaded all files and I upgraded to 4.2.1 from 4.2.0 but forum.php is still going to the hijack page ..... where is it coming from It is not the physical forum.php file as i have looked at it.

[ozzy47]

This is what most people are following.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

[SupportAM]

Hello ozzy,


I did all those steps (if you read my email, you will see that i did). Nothing has worked. Only thing left is restorng db from a back up and my web hosting take 200 for that. I am trying to avoid that.

--------------- Added [DATE]1380907613[/DATE] at [TIME]1380907613[/TIME] ---------------

and i didn't take db backup on my own. sadly

--------------- Added [DATE]1380907860[/DATE] at [TIME]1380907860[/TIME] ---------------

Sorry my bad ..... I wrote detail email in another thread. here it is.
---------------------------------------------
Okay I need help badly.
1. I have restored my older version of Web files.
2. Upgraded to newer version of VB ....now vb 4.2.1.
3. Cleaned suspect files.
4. Looked at the plugin.
Still nothing ..... My forum is showing forum.php that is not the physical forum.php on the webserver. There must be an entry somewhere that is displaying the page.
Here is the link to my page.

What else do i ahve to do ????

[ozzy47]

I did not see you mention that you tried the mod listed in post #4?

Nevermind just saw your post in that thread as well.

[Lynne]

Quote:

Originally Posted by SupportAM

1. I have restored my older version of Web files.
2. Upgraded to newer version of VB ....now vb 4.2.1.
3. Cleaned suspect files.
4. Looked at the plugin.
Still nothing ..... My forum is showing forum.php that is not the physical forum.php on the webserver. There must be an entry somewhere that is displaying the page.
Here is the link to my page.

What else do i ahve to do ????

I don't see anything in there about you checking for added admins, checking for modded templates, checking for modded phrases, checking for added notices, etc. Tons of things to be looking for in the admincp besides plugins.