Either by clicking settings on the front end and then clicking "Change Email/Password" or by Users -> Search For Users in the Admin CP. Search for your username and then enter the new password in the password field.

Ideally though, you should have your user ID marked as uneditable in the config.php so you'd have to do it in the front-end.

Many thanks for your help Wayne.

A member contacted me and reported that they were receiving the following message when accessing my site: Kokosina Attack: Exploit Kit Variant 11. About a week prior to this, I installed the facebook plugin which was up and running. Since receiving the alert, I closed the board and all plugins until I have this totally fixed. I also upgraded from version 4.18 to 4.19. I ran the diagnostics for suspect file versions and received numerous unknown files before the upgrade. I'm still receiving the (same) following unknown files:
Which, if any of these, do I need to delete?

I contacted my hosting company and they provided me with the following info:
Unfortunately the logs show a gap in the time-period. This file is a malicious shell that was discovered in the account:
File: `/home/xxxx/public_html/forums/coms.php'
Size: 23342 Blocks: 48 IO Block: 4096 regular file
Device: 811h/2065d Inode: 39474339 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 694/ xxxx) Gid: ( 693/ xxxx)
Access: 2011-12-19 11:19:53.000000000 -0600
Modify: 2011-11-23 02:32:59.000000000 -0600
Change: 2011-12-19 13:19:24.000000000 -0600

The following are the two log entries that straddle the time-stamp for the uploaded content. The file "may" update its own time-stamps which masks the file origin.

79.143.179.181 - - [19/Dec/2011:11:14:27 -0600] "GET /the-12-cent-vs-the-65-million-spiderman HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/200
90824 Firefox/3.5.3 GTB5"
184.172.204.131 - - [19/Dec/2011:13:22:45 -0600] "GET / HTTP/1.1" 200 68969 "http://richardbey.org/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
After our investigation we removed the malicious content from the account and recommend upgrading all installations/scripts on the account to help prevent future exploitation

So, my questions are the following:
What more do I need to do?
Does the facebook ap have anything to do with this virus infecting my site? I installed it just before I got the virus. Is it just coincidental is there a valid correlation?
How did I get this infection in the first place?
What can I do to prevent it in the future?

Thanks,
Frank

All of them except forum.php and index.php. bbhfi.htm is probably an exploit script. The rest are old files that are no longer used or unknowns.

Yep... coms.php is a bad file as well and not part of vBulletin.

The vBulletin Facebook App? Or the Facebook connect feature in vBulletin do not contribute to this virus issue.
Most likely cause is the searchpref exploit through the groups functionality. This was patched a while back. However the first patch didn't remove saved search exploits and a second patch was released for this. Further changes were made to prevent this type of exploit in future versions. The exploit relied on getting a database error that contained the hashed password of an administrator user.

Keep your vBulletin up to date. Use SSL protocols to access secure areas your server via FTP, Email and HTTP.
Place .htaccess protections on the admincp, modcp, install, includes, vb, and packages directory to provide a second layer of security and prevent unauthorized access.
Change your AdminCP password to something difficult to remember. Mine is actually a hash of a hash, before I enter it into vBulletin to be hashed again.

Thanks for the quick response!

So what do I do about forum.php and index.php? Are they corrupt?

I am (was) using both the facebook connect feature and facebook app. I only had the app up and running for a few days before I was alerted to this issue.



So I need to use SSL when uploading stuff via FTP? How do I do this? Should I be using the FTP with TLS/SSL connection option in fetch? So when I access the control panel from now on, should i be going to the https://www.richardbey.org/.... address?

I have no clue what this means or how to do it. Can you point me in the right direction to figure this out?

My password is very difficult to remember.

Thanks for the help!!
Frank

Probably not. They are false positives with the Forum only edition in some versions of vBulletin.

Purely coincedence. I have looked at sites that got infected but used neither of these features.

For FTP, yes. Either FTP with TLS/SSL or FTP over SSH. Ask your host which is preferred.

For the AdminCP, it would be best but not really required and could cause problems on your main site unless it is under SSL as well.

There are many tutorials on .htaccess available on the web. Here is one: http://www.yorku.ca/computng/student.../htaccess.html

I've been infected by this as well. I've found this thread very helpful. A couple of questions. [1] Is there an easy way to find all of the .htaccess files in my ftp account? I think this could be important since I understand that a sub-directory .htaccess file can override a higher level .htaccess file. [2] Is there an easy way to tell which VBulletin templates have been customized? It appears that the infection modifies templates. I have not customized any myself, but the footer template described itself as customized when I went to edit the kokosina.in reference out of it.

Thanks.

1) Not usually in FTP as there is no find command available. You would have to use commands on the command line or look manually.

2) The names of customized templates will show in a reddish-orange if they are customized in that style or yellow if they are customized in a parent style. This is using the default AdminCP style at least. There should be a color key on the right.

While deleting my files, I came across a directory that didn't seem to get checked: includes/facebook/jsonwrapper. The date is the same date as all the files I'm deleting. Should this folder exist? Same with install/cmsdefaultdata folder, and there is an index.html file in the /install folder with the date of all the suspect files. Thanks!

This happened on my 4.1.9 board, the only file that the checker found without default contents was class_core.php which I modified for cloudflare.

File found: edw.php
contents
Here's the log of it being created
178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"

I was running an old VB version back then.

There is no directory jsonwrapper in vBulletin. The /includes/facebook/ directory is valid though.

Most directories include an index.html file. These are 0 byte empty files and put there just in case a web server has file indexing turned on for some reason. They prevent lookie-loos from seeing the contents of the individual directories.

Most likely your source of infection and why we recommend customers keep their software up to date.

So what should I do about the jsonwrapper directory? Delete it?

How about the cmsdefaultdata folder? I did some digging in it and it has a ton of files. It has a subdirectory with my admin name and files such as jimm-na-russkom.html, jimm-nastroyka-nokia-6233.html, and aska-na-telefon-samsung-gt-s5230.html. What the heck are these? Parts of the virus?? Most of the files in the cmsdefaultdata folder have the same dates as the files I deleted from earlier which leads me to believe they're part of the virus. There's also a ton of .jpgs and.pngs in the attachments subdirectory (same date as previously cleared out files) with names of 37236-37647. If these are still part of the virus then why didn't the file scanner find these? Is it because they're in directories that vbulletin isn't even looking for?


Thanks,
Frank

Like I said, the jsonwrapper folder isn't a valid folder in 4.1.9 so you can probably delete. Don't know if it is was added by an addon though.

The cmsdefaultdata folder contains the information that is optionally imported when you install/upgrade the Publishing Suite. If you delete it, it won't hurt anything but it is a valid folder.

ok thanks. the names of those html files seemed strange/foreign sounding to me, so i figured i'd ask.