No announcement yet.

Site was hacked, experiencing strange thread issue

  • Filter
  • Time
  • Show
Clear All
new posts

  • Site was hacked, experiencing strange thread issue

    Hello Vbulletin community,

    Today my site experienced a pretty serious hacker attack. My password and moderator passwords were stolen and spam threads that had affected my site for a few weeks were invisible to the moderator staff until today. When I discovered the attack I attempted to remove the threads and delete the suspect users and found that my login credentials had been changed. Every attempt to change my password was greeted with the said attacker changing it immediately.

    After mostly resolving the attack and deleting the suspect accounts I found that while not logged into my account, all posts and threads are up to date. However, when I am logged in to my moderator account every thead and forum I've created since July is invisible. I know the threads are there, as other users can see them, but I am completely unable to view them on my account.

    Does anyone have any ideas to help resolve the issue?

    Thanks again

  • #2
    First I would disable hooks to see if it may be cause by a plugin-

    To disable the plugin/hook system open your config.php which can be found in your forumroot/includes directory

    Just below
    define('DISABLE_HOOKS', true);
    and save the file.

    If you would like to enable the plugin/hook system again, either remove the line again or simply comment that line out. To do so, add two forward slashes " / " so it will look like

    // define('DISABLE_HOOKS', true);
    Next time you would like to disable the plugin/hook system again
    you simply have to remove the " // ".


    If the problem does go away with hooks disabled then go to your Admin CP -> Plugin Manager and find any suspicious plugins, you may need to disable them 1 by 1 until you find the one(s) causing the problem.


    • #3
      Thanks for the reply.

      I took a look at my hooks and plugins and no products are listed in my admin control panel.

      One thing I noticed though- when I attempt to login I always get the incorrect password notifcation, and from there up until the time I log in with the new password I have sent to me I notice that my URL is no longer my domain name, but the ip address instead. If i manually type in the url of my site's forum it displays fine, and all the dates are current, but my password will no longer work. It seems like the only page I'm able to access is somehow an outdated version of my forum, and any changes I make to my profile from there aren't effective when viewing the current one.

      This hack has me completely dumbfounded. Any ideas?

      - - - Updated - - -

      UPDATE: I was able to remedy the problem for now by having one of my moderators manually change my password, rather than using the links provided by email. It seems whatever was done to my site yesterday had me visiting an old build of my forum from before when my servers were transferred back in July. Now my biggest concern is making sure that this doesn't happen to other members who need their passwords changed. I'm also curious as to how the hacker was able to hide entire threads from me during the attack.

      Hopefully this will be a quick fix and we won't have to deal with this again in the immediate future.


      • #4
        Not sure if you are using MySQL 5.5 or higher, but if so, you could use this to protect yourself from future hacks:

        Good luck!


        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.