The idea and accusation that this hacking was the result of XF customers without any evidence whatsoever is, and was, stupid. I make no apologies for that. Sorry if you think that this allows you or anyone else the right to say or do whatever you want. I assure you that is not the case.

Since this thread has gone off the rails, I am closing it. If anyone that needs help with their site being hacked, please feel free to start your own thread or send us a support ticket and we will be glad to help.

So is it ok for support to encourage calling members' thoughts and questions "stupid"? Because if it is, oh here go hell come!

http://www.youtube.com/watch?v=ax4IUgMq0Aw

(i had some kip too shortly after you.)

re: "root" account. i see. oh well... would it be safe to assume you guys looked at the possibility before? i'm just curious.

so can you answer my pre-ticket questions? you do know i'm a customer right. (i mean that you can already see my details, right) ..because i almost get the feeling you don't want to "engage" me until after i submit that very sensitive info and i'd just like to know how things normally go down once submitted. like i said, i fixed everything, and in fact 3 minutes ago finished updating the forums to 3.8.7.
as far as i can tell nothing further needs to be done. having said that i would have no issue at all if you did take a look-see. for example, can i pm you my admin username/pw to the forums so you can log in and do what you'd do? if not via pm i can send the forum info via the support ticket? or do i have to also send the domain/phpmyadmin user/pw et al?

Are you for real?

Exactly.

and a stupid thought at that.

A root administrator account that cannot be removed is not possible.

i understood what it does. so then they did not access the admincp like we do. in fact if they did, vb should have their ip's logged. it may not have been their real ip but still something. i assumed the hackers were using the forum's admincp like we do. in that context, my concerns would have been valid. perhaps if it's technically possible vbulletin should look into making a built-in admin account, perhaps called Administrator as part of the forum software. it should be "hard-coded" so it could never be removed or modified - by anyone including the forum owner. the only thing the forum owner should be able to do is change it's password. that too should be made so that: it uses the maximum amount of characters possible including a mix of all characters (alpha-numeric, symbols etc) the password could be reset via the tools.php or such.

i'd also like to know if in order for this hack to work they had to rely on the admiccp folder? does anyone know? because there was one guy who mentioned he changed the default name of both mod/admin folders to something else, and he was also hacked.

Note that this is mis-understood by many people.

All this does is prevent you altering the account from within the normal user edit function in the ACP. It will not prevent the account from being altered by a direct SQL query - including via queries from the [other] relevant section of the ACP.

i was going to, but i re-read this thread and did the fix myself. it's really important because i want to learn. and i did some.
like i said, i'm sure it was the mod as it's the only one i used. i now uninstalled it and will never use a third party mod again.

* i fixed the userid so when someone new joins the next number is the correct one, and not 13371337 and above.
* i changed all registered titles back to the default "Member" title and also any new users have it too. i created a couple new users to check this. both the userid went as expected and their title is Member.
* i deleted the teamanimus admin account.

all the above was using phpmyadmin and not much knowledge other than general computing experience and this thread.

so do we know if the hackers actually had access to admincp at all? or was all their doing done via some "injecting" or whatever?
does anyone have factual data to say that the teamanimus admin user actually was ever logged in to the forums once created?


as for the ticket i can still submit one. perhaps it's a good idea. could you describe what happens in such a case? im mean will you or another vb employee log in and verify the forum software does not have exploits left over or what?
will you check the database? if yes, for what? if things need to be changed do you do them or ask first? is there a chance that if/when this would happen we could be on the phone as well? i there a charge?

in conclusion, i think i'm back to normal. i only have vb installed and will keep it that way. no more mods for me. lesson learned.

FYI going to bed now, if you haven't put in a ticket yet the next person to be available would be trevor, then other staff as the day progresses.

Yes.
Yes,when they have the time for your forum.

i just logged in and am in the ticket screen. so you DO want that sensitive info like the passwords and such?
if yes, does that mean you or someone will log in right now?
should i log out from the admincp?
what else should i know?

The config file only protects from editing a user via the admincp.
Anything that can be done in vBulletin can be done via sql. They either could have dumped your user from the administrator table, or ran an sql query to update that table.
Unless you're logging a lot of data you likely wont ever know.

You also have no open support tickets on the account linked via the forums.

so i get no reply now? do i need to open a ticket? just tell me.
please tell me how to do the 3 database things i asked.

also, why can i NOT delete or even edit the TeamAnimus user from within admincp? i am now logged in with admin user i created when i first installed the forum. userid 1.

edit: and what i mean is that the GO button does nothing when pressed for that user. all other users i can do stuff to. did they somehow make their user "read-only" via the database? if so, they seem to have done done a better job then you guys with the config.php file setting. i have also uploaded a backed up config.php where my main admin user is set to not be deleted/edited, as it was for months, so i still would like to know how they were able to demote it? (me)