The Arcive of Official vBulletin Modifications Site.

rexall · #1 10-10-2013, 10:11 AM

Thu 10 Oct 2013, 6:05 pm

!!! HELP !!!

Requesting suggestions, advice insight regarding hacked and massively infected website.

I also posted this over on vBulletin.com. I am not technical, so please keep that in mind in your kind replies

1. Website hacked by self-proclaimed "Mustafa the Hacker." Restored site from backup, and thought all was well . . . but shortly thereafter, host (FatCow) suspended my account due to massive amounts of infected files.

2. I don't know how particular or peculiar this is to vBulletin as I have 3 websites on one host/one account : vBulletin, WordPress and Open Cart (shopping cart). vBulletin was the only one involved.

3. Backups on host also infected, so could not restore from backup.

4. Purchased a third-party product ($40) from host called SiteLock which was supposed to clean infection. Did not!

5. Went directly to SiteLock and purchased a "clean" for $200 which they assured would solve problem.

6. Two or three times now, StieLock has sent me a message saying that site has been cleaned.

7. FatCow (host) responds saying their scan still shows hundreds of infected files. And responds sympathetically but UNHELPFULLY as to their role in all of this. SiteLock hardly providing any useful communication at all.

This is now ten days old!

I am just working on blind faith here that if site can be dis-infected, that the content and design is not completely destroyed.

********************

1. Anyone familiar with "Mustafa" and the nature of this attack and what can be done about it? Anyone else gotten hit?

2. If FatCow and SiteLock will not help me, can recommend a third party individual or service who knows what the f**k they are doing and can fix this?

3. Any other suggestions and discussion are most welcome and appreciated.

Thanks.

Rex
Khon Kaen, Thailand
http://www.mindbodythailand.net

ozzy47 · #2 10-10-2013, 10:12 AM

Did you do all of the following?

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

rexall · #3 10-10-2013, 10:36 AM

Thu 10 Oct 2013, 6:31 pm

Thanks for the lightning-fast response Ozzy! I am reading the threads you pointed to now. However, I had the last upgrade done professionally in July by SEOvB.com . I just had a looksee on the server and there is a folder forum/install/ . I assume that is the one you said should have been deleted? Crap!

Thanks for your help. I'm sure I will have more later.

ozzy47 · #4 10-10-2013, 10:40 AM

Yeah after deleting that, then follow the steps in the blog post, thoroughly.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06225 seconds Memory Usage 2,190KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (4)post_thanks_box (4)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (4)post_thanks_postbit_info (4)postbit (4)postbit_onlinestatus (4)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!