None of my physical files on my server were modified with this exploit.

Clarify -- Advanced Forum Rules, or Advanced Permissions? Because so far only people are reporting the first...

how can I clear all the usertitles at once?

also, the tools.php is the fastest way.

Thank you very much.

Nice work around but the tools.php method I posted is faster.

yeah fare enough mate. cheers.

NASIOC.com was hit tonight at 6:40pm EST.

We just spent the last few hours checking over the servers to ensure there weren't any other issues before going live.

We did have to roll back to a backup from Tuesday morning, I personally didn't trust that the rest of the db was good.

Oddities I found in the database after the hack:
1) The user created has a userid of 13371337 (well above my current autonumber in the users table)
2) The adminlog had been wiped clean, so no record were available of what was done in the admincp.
3) The administrators table was cleared of all admins except the 13371337 userid.

So the hack created an administrative user, through SQL injection as we are all presuming, locked me out of the admincp and cleared all trace of anything they were doing while mucking around my control panel.

A cookie to the first person who guesses what hack I also used on my site!
CYB's forum rules.

As a precautionary measure I have uninstalled the hack entirely. Looking over the code with my programmer the update looks like it corrected the issue, but with reports of people saying they are still getting hacked with the update I'm not taking any chances.

My two questions about those who have been hacked again with the update are:
1) Did you check overwrite when installing the new version of the plugin?
2) Did you ensure your servers were clear of any backdoors that may have been installed before going live again?

So we're back up as of 10:30PM EST. Hoping this wasn't the result of another hack we have installed.

Good luck to anyone else who gets hit with this, I really do hope you all have backups. And for those people that complain backups take up too much space... be thankful your db isn't 15GB.

EDIT: To those posting IPs... be careful... I actually had 5 legit registrations after the hack was planted. The user registered was TeamAnimus and there was no registration IP in the table associated with the account, which further supports the SQL injection theory. The email associated with the account was [email protected].

The uploaded files outside of my forums root directory into my main sites directory. Is this significant? I do not see how they would do that with an sql injection, how would they upload an index.php outside of the forum root?

I've got mine fixed. To fix it, you have to find the user that is admin. On my forum it was TeamAnimus. Then I reset his email in phpmyadmin to my email. Then had to log in as his username...and use the forgot password link to reset his password.

Then after in, had to remove myself from undeletable users in the config.php. So that then I could use TeamAnimum's account to set myself as an admin again. Then reupload config.php with correct settings. Then I had access once again to admincp.

(Of course you also need to replace the index files on your server that were overwritten with good versions...this includes the one in admincp. There is also an extra file they placed in /includes directory that had some code in it. For me it was called vba.php.)

Oh you can also rewrite user's titles in phpmyadmin for a quick fix...to at least get rid of the hacked by under your member's names.

I'm willing to help you out if you need it. But because this took quite awhile, I'd prolly want a little something for my time.

i had this happen to me with the one forum i manage that has the Cyb - Advanced Forum Rules v4.0.1 mod installed.

someone mentioned not having admin cp access and i know why. the hackers [if they can be called that] went into an account that had admin access, then proceeded to change the usergroup this account belonged to. once it was changed, you would not have access to the admin cp at all. i noticed they did this with my account, and the Administrator, because neither were hard coded into the config file as an "Undeleteable / Unalterable User".

since i have database access, i was able to log in securely to the db, change the usergroup for both through the user table, then i could log into the admin cp.

i should have thought something was odd when i received the quarantine email.


the IP's that i have are these:

• 67.142.130.24
• 67.142.130.25

both belonging to hughesnet in MI.

i've since updated to the latest version [v4.0.3]. so far, no issues.

Well, the good news is it seems that they haven't touched anything except the updating user titles via query and turning off the forum. I doubt that they managed to upload a shell or else they would f*ck everything up regardless. Anyway, best of luck to all you guys in restoring your forums!

Yep I know they need to be changed and a sql query was run to blank the user title field but what do i need to insert in there to allow the normal user titles to appear?

I understand that but regardless vbulletin has been a headache for 5 years and this is the final straw. Anyway, I should shut up this is no place or time to rant or cry like a baby.

user table as in where please mate?

i'm looking into it now.

usertitle needs to be changed in the user table.