No announcement yet.

Need help please. Lost most formatting and all admin buttons.My host identified a hack (fixed) and the line (I think)...

  • Filter
  • Time
  • Show
Clear All
new posts

  • Need help please. Lost most formatting and all admin buttons.My host identified a hack (fixed) and the line (I think)...

    Please be gentle; I'm a vB noob. I do not know how to make the changes needed. Site was hacked, malware has been removed, as have the infected/affected files. As a precaution, the host changed the location, login, and password of the adminCP.

    We already need to update to a newer version than we have. Updating to 4.2.2 would be the move at this time (at 4.1.0 Patch Level 2). Essentially, we took over the site from the previous owner, so we never did any installs or upgrades...we just left the site in place, as it was running fine, and transferred the license.

    Issues began yesterday: lost all formatting, many admin functions stopped working or worked intermittently, and lost the 'Admin' button that takes you to the AdminCP.

    Below is what the host sent me:


    The css files are failing to be loaded because your script is incorrectly writing the HTML when the PHP parser in running:

    <link rel="stylesheet" type="text/css" href="css.php?styleid=1&amp;langid=1&amp;d=1353798034&amp;td=ltr&amp;sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css," />

    The & character is being changed to &amp; which is producing a bad result, changing that string to the correct code allows the css to be found:
    He gave me a link that seems to take me to the actual code, but I wasn't sure if it was okay to put that here.

    So, it seems my options are to upgrade to the more stable, more secure, newer version (which would overwrite the bad line of code, I guess?), or to manually re-write anything that needs changing. And, I would need to also point the adminCP stuff to the newly created adminCPurl, if I understand it.

    Is that correct? And, can an idiot do that?

    Anyone wanna earn a

    Thanks in advance, and I am sorry if this is not in the write place or format; we've never had occasion to require support before.

  • #2
    Do you have a back up from before the hack?


    • #3
      I will have to see. Backups were being done, but I know a new one was one since the errors started, so it may have overwritten a previous backup. I will say no to just assume a worst case situation. I know a backup was done last evening (post-hack) in anticipation of ugrading.

      The removal of the malware and affected files returned most of the formatting; there are still some issues for some users, and the admin issues are still there.

      Also, starting last night, we get this error at the top of every page:

      Parse error: syntax error, unexpected '<' in /home1/{name of forum folder}/public_html/forums/includes/class_core.php(4414) : eval()'d code on line 129

      Would an upgrade to 4.2 overwrite the bad lines? Or, would they return when the database is re-installed?


      • #4
        Try running the suspect file tool. maintenance -> diagnostics. and check and delete any plugins that you don't recognize, it would be better to get your forum cleaned before upgrading but yes upgrading to the latest (most secure version) is always a good idea.


        • #5
          Thanks for your help, Donald. I'm n day 3 with no response fro vBulletin, so I'm trying the forums to see if anyone has suggestions.

          Diagnostics -> Suspect File Tool identified quite a few files. Many are related to an old arcade that was removed years ago. All addons/plugins are still being used. We have made no changes to the site in 4 years, and it ran fine, with the exception of adding an admin only board 2 years ago (no problems sense). We were unaware of the hack until the host notified us (it was looking for credit card data in subscription files...we don't have subscriptions). These errors started out of the blue.

          How can I go about deleting these unused/suspect files?


          • #6
            You have to delete them manually from the server with FTP. Also try disabling all plugins by adding this code to your config.php file right under <?php
            PHP Code:
            to see if that stops the hacks as a lot of hacks are executed through insecure plugins


            • #7
              Thank you. I have no idea how to do any of that. As I posted earlier, we essentially just took over an operating site because the original owner wanted to shut it down since he was entering grad school and just didn't have time to deal with it anymore. We have never had need to even mess with the database/php/sql stuff, so we are all idiots to that. We can maneuver around the AdminCP well, but, again, the site never needed anything. Until now. :grrrrrr:

              Off to watch more video tutorials, I reckon....

              Again, thanks for the help.


              • #8
                The line of code above is correct under XHTML 1.0. The browsers should parse it correctly.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API


                • #9
                  Well, they don't appear to be doing so. I attached screen shots of the same page in different browsers in my email response to the ticket.


                  Firefox (looks the same in IE):


                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.