The Arcive of Official vBulletin Modifications Site.

digif · #1 11-06-2015, 10:25 AM

So, yesterday out of nowhere, google sent me a mail that they've blocked my forum because they found malware on my forum. If I try to visit it directly, both firefox and chrome also block the visit with that usual page and you have to ignore it to get to the forum. Of course, same is on google search engine too.

I've contacted my hosting provider and they've told me my version which is -3.8.4. patch level 2- has security leak and that my forum was attacked before but they've removed everything, this time it happened on March and google found out yesterday.

Hosting provider recommended me to overwrite all the files, but I'm unsure if I'll lose some settings if I do that with original vB files. Also, do I have to do the same with the plugins as well?

Even if I do that, how can I know it won't happen again? I can't download v3.8.9. but I can see on vbulletin.com that I can download 4.0.2. version patch level 11, but how can I do that if I haven't payed for upgrade?

The main question is bolded so please let me know asap what do I do, and will I lose some settings?

Dave · #2 11-06-2015, 10:40 AM

Your host is full of crap, how would they know your vBulletin version is vulnerable to exploits? Any evidence on their claims?

There's no way for us to know that you'll lose settings if you overwrite all the files, we don't know if you made modifications to vBulletin's core files. You could leave the plugins, you may want to check if all the plugins you use are safe though.

There are so many factors in this, it's not possible to know before-hand that you forum will not be "hacked" again. It's entirely possible that you have a vulnerable plugin installed, or a backdoor on your server, or had your FTP login stolen, or have a malicious hook installed, etc.

TheLastSuperman · #3 11-06-2015, 11:38 AM

Yes and no, if he specified Google flagged it then they might have had "hacked" on their radar per say. I always overwrite all files before attempting to clean a hacked site then sometimes again after finding and removing shell scripts to be extra safe although I've ran into some doozies lol!

Dave is right though, a lot of factors here however explaining all those is a job for everyone but me, it's field trip time with my youngest daughter so I'll have to check back on this and help if I can in a few hours, I shall wish you good luck until then!

Some links that might come in handy:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site

digif · #4 11-06-2015, 02:29 PM

Thank you both for the reply. So last night I've asked my hosting provider to manually check and remove malware from my forum, they've said they did, so I've applied for review from google again, which resulted badly - google said there is still a malware.

So I've decided to overwrite only files which were showing as infected on google (index.php and forumdisplay.php, while I was doing that, users told me that forum already works, so I don't know how was it suddenly removed from google blacklist. Even on my google webmasters my forum still shows malware infected, but it's not on google's blacklist anymore..

Lynne · #5 11-06-2015, 05:30 PM

I just tried the site in your signature and there is something going on there. Try clearing your site cookies and then go to your site and you will see it.

digif · #6 11-06-2015, 05:45 PM

I did but can't see anything, how do you mean something is going on? I know my site is back, that's what I wrote in the last post, if you meant that.

Lynne · #7 11-07-2015, 05:42 PM

This is what I get when I go to your website:

Attachment 153630

digif · #8 11-08-2015, 10:07 PM

Yes, it's happening again. Can you help me? How do I fix this issue?

--------------- Added [DATE]1447033158[/DATE] at [TIME]1447033158[/TIME] ---------------

Guys, so I went to phpmyadmin, forum database, table datastore and field pluginslist, in there I found this line at the top of it - Noob @ +++++++ . vn

I believe that's the guy who broke there and put some lines but I don't know which ones. I've googled something that vBSEO plugin has a leak so I've removed it, but now I need to remove those lines.

I've contacted my hosting provider to see if they have old backups of this, but if they don't what is my next step? How do I find out which ones did he put there?

--------------- Added [DATE]1447034562[/DATE] at [TIME]1447034562[/TIME] ---------------

I guess that's just the mail of one plugin creator. But I went to my plugins page and checked my versions, and found out that my ibproarcade plugin doesn't exist on this forum and that there is a thread that everyone needs to upgrade it to new version because of security issue - https://vborg.vbsupport.ru/showthread.php?t=279245. Could this be the way they've inputed malware on my hosting?

--------------- Added [DATE]1447036147[/DATE] at [TIME]1447036147[/TIME] ---------------

I've updated arcade plugin anyway, just in case. The other outdated plugin is vBadvanced which is 3.2.1 and latest is 4.3.0 but I think they don't have security issues with older versions.

--------------- Added [DATE]1447077012[/DATE] at [TIME]1447077012[/TIME] ---------------

I've installed latest version of vBadvanced as well, just in case..

Lynne · #9 11-09-2015, 08:42 PM

To rebuild the plugins line in your datastore table, just go to your plugins and disable one, then enable it again.

If you go to admincp > plugins & products > plugin manager, are there any plugins listed at the top under the header of "vBulletin"?

digif · #10 11-09-2015, 10:09 PM

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04247 seconds Memory Usage 2,276KB Queries Executed 12 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!