The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
HACKED vBulletin 4.2.0 Patch Level 3
Hello guys,
Maybe someone can help me... This morning my vBulletin 4.2.0 Patch Level 3 was hacked by what seems to be a Brazilian hacker who left this message: Quote:

I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php does it redirect to this page: http://i.imgur.com/JingJTM.png

The source code of that page is: http://paste2.org/YeFAjz9m

Any ideas guys? Please? Thanks!

Best regards,
Tim

--------------- Added [DATE]1378910715[/DATE] at [TIME]1378910715[/TIME] ---------------

OK, I have found this in my forumhome template: http://paste2.org/Mw7snpxK

I have also found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013

Could he have modified anything more?
#2
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5

vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
#3
Did you have the install folder in place?
Remove it, remove the new admins, remove or revert the compromised templates, enjoy a cold beer.
#4
#5
Thank you guys for your help!
Does someone know exactly what the hacker changed? Until now I have only found:
1- a new admin (already deleted)
2- forumhome template changed (already reverted)

I have also already deleted the install folder, like Wayne Luke said here: http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Any more changes that anyone has noticed?

Best regards
#6
Did you read over: http://www.vbulletin.com/forum/blogs...ve-been-hacked ?
#7
Thank you squidsk,
Just a quick note. I saw the logs on And found what he did: http://i.imgur.com/pJRBdfi.png

So, if I am right, he only modified template files, right? Is it possible to know if it was only forumhome or more? Thanks!

--------------- Added [DATE]1378915535[/DATE] at [TIME]1378915535[/TIME] ---------------

UPDATE: I have checked all template files one by one using the Last edited information, and the only template file that was edited by the hacker was FORUMHOME, in all the templates that I have installed. It says:
Last edited September 11 2013 at 05:51 by polter

UPDATE2: I noticed a new template file that was edited today (the day that my vB was hacked), and the file was bbcode_video. It says:
Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME.
My bbcode_video file code: http://paste2.org/5bP0w05b

UPDATE3: I just can't find the template file that he inserted on style 2 (default): http://i.imgur.com/pJRBdfi.png
I looked at the files one by one and can't find today's date...
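The manual check described in the post above (every template edited, and every administrator created, on the day of the compromise) can be done in one pass. This is an added example, not part of the original thread or vBulletin's own code: the table and column names (`template.dateline`, `template.username`, `user.usergroupid`, `user.joindate`) and administrator group id 6 are assumptions about a stock vBulletin 4 schema, `siteadmin` is a hypothetical legitimate admin, and all rows are constructed sample data loaded into SQLite.

```python
import sqlite3
from datetime import datetime, timezone

ADMIN_GROUP_ID = 6  # assumption: default id of the Administrators usergroup


def epoch(y, mo, d, h=0, mi=0):
    """UTC Unix timestamp, the form assumed for dateline and joindate."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


def build_sample_db():
    """In-memory stand-in for the forum database; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE template (styleid INT, title TEXT, dateline INT, username TEXT);"
        "CREATE TABLE user (userid INT, usergroupid INT, username TEXT, joindate INT);")
    db.executemany("INSERT INTO template VALUES (?,?,?,?)", [
        (1, "FORUMHOME", epoch(2013, 9, 11, 5, 51), "polter"),
        (2, "FORUMHOME", epoch(2013, 9, 11, 5, 51), "polter"),
        (1, "bbcode_video", epoch(2013, 9, 11, 5, 49), ""),  # editor name blank
        (1, "header", epoch(2013, 6, 2, 10, 0), "siteadmin"),
    ])
    db.executemany("INSERT INTO user VALUES (?,?,?,?)", [
        (1, ADMIN_GROUP_ID, "siteadmin", epoch(2009, 1, 5)),
        (136733, ADMIN_GROUP_ID, "polter", epoch(2013, 9, 11, 5, 40)),
        (200, 2, "member", epoch(2013, 9, 11, 8, 0)),  # ordinary registration
    ])
    return db


def triage(db, start, end, known_admins):
    """Report templates edited in [start, end] and admins that need review."""
    edited = [
        (styleid, title, editor, editor not in known_admins)
        for styleid, title, editor in db.execute(
            "SELECT styleid, title, username FROM template "
            "WHERE dateline BETWEEN ? AND ? ORDER BY dateline, styleid",
            (start, end))]
    admins = [
        (userid, name)
        for userid, name, joined in db.execute(
            "SELECT userid, username, joindate FROM user "
            "WHERE usergroupid = ? ORDER BY userid", (ADMIN_GROUP_ID,))
        if start <= joined <= end or name not in known_admins]
    return {"templates": edited, "admins": admins}


if __name__ == "__main__":
    print(triage(build_sample_db(), epoch(2013, 9, 11), epoch(2013, 9, 12), {"siteadmin"}))
```

Each template row records only its most recent edit, so a clean result is a starting point; comparing template contents against a known-good backup covers what the timestamps cannot.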
#8
Same problem here!
To resolve it I did a restore of my DB (the earliest possible before the attack). I also deleted the install folder. Now everything seems to be OK! ... It is advisable to change passwords.