Need advice?

[Neoszion]

I recently had 2 of my VB sites hacked I done all the security checks (How To Make My Forums More Secure), and working in the industry full time (as a designer not a developer) all my sites are very secure

So basicly I had a parse error on the index of my sites and on my forums, so I commented out the following line in my global.php where the error was pointing to:

eval('$spacer_open = "' . fetch_template('spacer_open') . '";');
eval('$spacer_close = "' . fetch_template('spacer_close') . '";');

and I get the following at the top of the site:

ViRuSMaN Ow3nd Your SiTe .. v.-m@hotmail.com

Immediatley I have taken the sites down, but it baffles me how he got in as I looked within the databases and done a search for the above and it is only located in the template table (on both custom and default templates).

So my question is would this be a server problem (ie. with the host bad security)? Or is there something I am overlooking here? As I have all the upto date patches admin/mod cp are secure, I am the only Superadmin on the board and password is pretty tight (changed every month). I do want to restore the database because I have alot of posts and alot of members so any advice anyone can give would be more than greatfull?

Btw. I did try on vB support but they said its either me not securing it prop or the host.. but knowing how they got in the first place would realy strenghten my argument with the host..
And also on 1 of the sites there is no mods installed!

Thanks in advance

[Dismounted]

If there are no modifications installed - the first thing that comes to mind is another script - it doesn't even have to be related to vBulletin. Another "theory" is that they had access to your server, which securing your vBulletin installation would have no effect anyway.

[Neoszion]

thanks for your reply.

The other pages at the moment on the sites are static.. And none of the scripts have access to any of the db's. I host with uk2 so I dont know where they rate on the server security chain but from what I hear there not a small company?

What would suggest my options are within restoring the orginal databases (obviously removing any template edits done bt this guy)?

[Lynne]

Did you run Admin CP > Maintenance > Suspect File Version and get a list of all the files vbulletin does not recognize? That is a good place to start. Of course, the script could be outside the vb directory, in which case you will have to look through all the files yourself.

[DarkGizmo]

Quote:

Originally Posted by Neoszion

thanks for your reply.

The other pages at the moment on the sites are static.. And none of the scripts have access to any of the db's. I host with uk2 so I dont know where they rate on the server security chain but from what I hear there not a small company?

What would suggest my options are within restoring the orginal databases (obviously removing any template edits done bt this guy)?

They must be small since I never heard of them, I would switch hosts to something more...common, like hostgator or godaddy.

[Neoszion]

Need a a Uk host for search engines.. Uk2.net there in .net magazine every month

--------------- Added [DATE]1222535270[/DATE] at [TIME]1222535270[/TIME] ---------------

Sorry to post twice!!!

OK in one of my forums I am trying to restore I have to comment out the following lines:

eval('$gobutton = "' . fetch_template('gobutton') . '";');
eval('$spacer_open = "' . fetch_template('spacer_open') . '";');
eval('$spacer_close = "' . fetch_template('spacer_close') . '";');

otherwise I ge the following error..

Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/******/public_html/forums/global.php(627) : eval()'d code(1) : eval()'d code on line 1

I cannot find on this db where he has modified the file.

[Lynne]

What is on line 627 of your global.php file? Have you replaced all your files? Deleted all non vb files?

[Neoszion]

Yeah I have reiuploaded all default vb files.. Which leads me to believe that something has been altered in the db..

line 626 - 628

eval('$gobutton = "' . fetch_template('gobutton') . '";');
eval('$spacer_open = "' . fetch_template('spacer_open') . '";');
eval('$spacer_close = "' . fetch_template('spacer_close') . '";');

[Lynne]

And have you deleted all non-vb files from your site? Have you looked at those three templates you have posted? Are they all reverted in your style? And actually, if they got into the database, perhaps they got into the MASTER STYLE and changed them so they can't be reverted.

spacer_open:

HTML Code:

<!-- open content container -->
<if condition="$show['old_explorer']">
    <table cellpadding="0" cellspacing="0" border="0" width="$stylevar[outertablewidth]" align="center"><tr><td class="page" style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px">
<else />
<div align="center">
    <div class="page" style="width:$stylevar[outerdivwidth]; text-align:$stylevar[left]">
        <div style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px" align="$stylevar[left]">
</if>

space_close:

HTML Code:

<if condition="$show['old_explorer']">
    </td></tr></table>
<else />
        </div>
    </div>
</div>
</if>
<!-- / close content container -->

go_button:

HTML Code:

<input type="submit" class="button" value="$vbphrase[go]"  />

If you really think it's the database, then restore one of your backups. But, you need to worry about how they got into there or they'll just do it again.

[Neoszion]

Nah those template edits are exact to what I have got.. I also got this message back from my host:

Well not much to do on our end as the server has not been hacked but your page, if he managed to log in to your account and inject an exploit it means you had a security breach. You need to secure your password and reupload your site content.

Have a nice day!

So they have'nt been much help.. My last backup is of 3months ago