Th3H4ck hacked hundreds of VB forums over the last two days.

[Zachery]

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

[TheLastSuperman]

Erm working on one now where they edited the master style, will update this post once I find out more.

Edit: If your reviewing plugin edits via the control panel log and notice anything similar to: template.php modify style id = 0 then place your site into debug mode then check the MASTER STYLE for any edits.

The one I located was in the Master Style included in the forumhome template:

Code:

<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://adf.ly/VRrrp">

The code present on your site may vary and may or may not be a redirect to adlfy it could be anything else so be on the lookout .

[obglobal.net]

I got got.

I'm bottom of the barrel level too, so I'm just bewildered. Lost about 30 posts by members after restoring to the previous day's backup via MySQL.

What's with these colon licking hackers?

--------------- Added [DATE]1378824257[/DATE] at [TIME]1378824257[/TIME] ---------------

Quote:

Originally Posted by Lynne

DELETE YOUR INSTALL DIRECTORY!!!

Please give me as thorough a walk through as possible on this, Lynne/anyone.

Sorry.

never mind. I got it.

[TheLastSuperman]

Basically you know how all those folder and files related to vBulletin must be uploaded to your server? You want to locate the folder /install/ and delete it entirely.

[Edgespeeder06]

Someone send me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?

[CarolSEL]

Quote:

Originally Posted by Edgespeeder06

Someone send me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?

I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.

[TheLastSuperman]

Quote:

Originally Posted by Edgespeeder06

Someone send me a contact message about this issue. I've been so busy working on clients' sites that I didn't see it until today. Thankfully I deleted that user and the install folder....will that stop it for sure?

No, if you were hacked there is a high probability that the hacker uploaded a shell script and could have backdoors in various folders on your server. There is actually quite a bit you need to do in order to rid yourself of this. If you are not experienced in these matters contact your host and link them to this thread along with these links which have helpful info:

• http://www.vbulletin.com/forum/blogs...vbulletin-site
• http://www.vbulletin.com/forum/blogs...ve-been-hacked
• http://www.vbulletin.com/forum/blogs...vbulletin-site

Quote:

Originally Posted by CarolSEL

I don't know. I deleted the install folder, but the site got hijacked, and after reinstalling vB it's still not up.

By that you mean what? That you dropped all tables in the database, deleted all the files then installed 100% from scratch using new files and a clean database and its still not working?

[Zachery]

Btw, I updated my blog again, with some additional steps to help remove the exploits.

[CarolSEL]

Quote:

Originally Posted by TheLastSuperman

By that you mean what? That you dropped all tables in the database, deleted all the files then installed 100% from scratch using new files and a clean database and its still not working?

No.
1. My site went down with a server error message.
2. Host got it back up, but home page "wasn't right". I noticed that I had phoney "admins" in my usergroup who were "registered" minutes before the error and deleted them. I read this thread and deleted the install folder. (Obviously, the payload had already been delivered.)
3. Site got hijacked.
4. Via link to ACP I shut down the boards, stopped all plugins.
5. Host restored a web file backup from 2 days prior to hacker reg, ran malware checks; site crashed and I cannot access ACP.
6. Following instructions from this site, I downloaded a fresh copy of 4.2.1 and uploaded the files to the server, overwriting the old ones.
7. Site is still down.

So how do I know if the db is clean? If not, have I lost all the member data? Is there a way to delete all the files except the forum and membership?

I will give this link to host, and will check out all the cleanup suggestions you and Zachary give.

[willy888]

I had the same problem in 4.2.1 before some days someone register as admin ...... we delete him
Yesterday the same , we delete him
I read here to delete the install folder , I did it .
The site is down .... database error.
I Reupload all 4.2.1 and make Upgrade or install , I have this error

Code:

Due to the following errors, the install/upgrade can not continue:

    The database has failed to connect because you do not have permission to connect to the server. Please confirm the values entered in the includes/config.php file
    Error description: mysql_connect() [function.mysql-connect]: User 'myname' has exceeded the 'max_connections_per_hour' resource (current value: 1) /home4/myname/public_html/forums/includes/class_core.php on line 317