Announcement

**Mohammed Abu Risha** · Sun 29 Sep '19, 11:34pm

I am having the same problem. The hacker cannot get access to the passwords, but it is horrible to tell you that he manipulated the login area. I found in the system several password-stealing bots. I will ask my members to change their passwords immediately after a clean installation.

**Hoca** · Mon 30 Sep '19, 1:00am

I had the same problem
September 27, the site was attacked
authorized to give information on how to clean files from viruses

**Hoca** · Mon 30 Sep '19, 1:24am

Mohammed abu risha thank you

My hosting service is still working on a backup
Has a backup of 25 September

**Wayne Luke** · Mon 30 Sep '19, 9:15am

Follow these steps:

Download vBulletin 5.5.4 Patch Level 1.
Create a new directory on your server (i.e. forums_new)
Upload 5.5.4 Patch Level 1 to this new forum.
In the new directory rename /config.php.bkp to /config.php.
Rename /core/includes/config.php.new to /core/includes/config.php
Rename /htaccess.txt to .htaccess
Turn off your forums
Create a Database Backup.
Rename the old vBulletin directory (i.e. forums_old)
Rename the new directory to replace your old vBulletin directory (i.e. forums)
Run /core/install/upgrade.php in your new forum directory.
Delete /core/install
Turn on your forums.
If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
Delete the old vBulletin directory off the server.

Outside of vBulletin, you should review any files that you have for other services as well.

**Wayne Luke** · Mon 30 Sep '19, 9:19am

Originally posted by clearvue View Post

Can someone please explain what we should look for/address in the database itself?

Unlike vBulletin 3 and 4, we don't store a lot of PHP code in the database in vBulletin 5. We do store parsed versions of the templates in the database. However, when you run the Upgrade script, all of the templates in the master style will be replaced with valid copies. You would only have to look at templates that are modified. They show with Red Titles in the Template Editor. If you're not using one of the provided Language Packs, you'll want to reimport your language as well.

**pdisme** · Mon 30 Sep '19, 10:56am

Originally posted by clearvue View Post

Our forum was compromised by the zero day hack. In our case, the forum code folder was completely deleted. We have downloaded the lasted update and plan to install fresh in the folder and run the upgrade script as directed. Can someone please explain what we should look for/address in the database itself? Additionally, did this exploit potentially expose usernames/passwords and other private information about the users?

Thank you.

Depending on the age of your forum, and password changing policies, you may have had very weak (by current standards) password hashes stolen from the database. Those are typically easy to brute force, so you should change the password of anyone with elevated privileges regardless (admins, moderators), but also lock out users with old passwords, or email them and let them know their password may have been compromised, as many users use the same password in many places. You can look at the 'users' table in your vB database and the token field, if the password hash starts with $2y$ it's more recent and less vulnerable, but if it's something like 1b8083c18193c5c812d17b6a83216e1d then it's vulnerable.

**Wayne Luke** · Mon 30 Sep '19, 12:17pm

Originally posted by pdisme View Post

Depending on the age of your forum, and password changing policies, you may have had very weak (by current standards) password hashes stolen from the database. Those are typically easy to brute force, so you should change the password of anyone with elevated privileges regardless (admins, moderators), but also lock out users with old passwords, or email them and let them know their password may have been compromised, as many users use the same password in many places. You can look at the 'users' table in your vB database and the token field, if the password hash starts with $2y$ it's more recent and less vulnerable, but if it's something like 1b8083c18193c5c812d17b6a83216e1d then it's vulnerable.

When using default files, all vBulletin 5 forums will automatically store passwords in the bcrypt format after the first login.

**NeoDB** · Mon 30 Sep '19, 1:48pm

Originally posted by Wayne Luke View Post

Follow these steps:

Download vBulletin 5.5.4 Patch Level 1.
Create a new directory on your server (i.e. forums_new)
Upload 5.5.4 Patch Level 1 to this new forum.
In the new directory rename /config.php.bkp to /config.php.
Rename /core/includes/config.php.new to /core/includes/config.php
Rename /htaccess.txt to .htaccess
Turn off your forums
Create a Database Backup.
Rename the old vBulletin directory (i.e. forums_old)
Rename the new directory to replace your old vBulletin directory (i.e. forums)
Run /core/install/upgrade.php in your new forum directory.
Delete /core/install
Turn on your forums.
If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
Delete the old vBulletin directory off the server.

Outside of vBulletin, you should review any files that you have for other services as well.

Are these valid instructions for upgrading? Where would I find the "attachments and avatars in the file system"?

Also, I followed the instructions to the letter but it says this after I execute install.php

Startup Errors
Due to the following errors, the install/upgrade can not continue:

Error description: 2: mysqli_real_connect(): (28000/1045): Access denied for user 'root'@'localhost' (using password: NO)
The database has failed to connect because you do not have permission to connect to the server. Please confirm the values entered in the core/includes/config.php file

**clearvue** · Mon 30 Sep '19, 7:42pm

When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68 in the error_log

**In Omnibus** · Mon 30 Sep '19, 7:51pm

Originally posted by clearvue View Post

When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68 in the error_log

Are you running a proxy server like CloudFlare?

**Wayne Luke** · Tue 1 Oct '19, 10:49am

Originally posted by clearvue View Post

When I perform these steps listed above, I receive an error on the upgrade.php step. Any thoughts as to what may cause a blank page and "PHP Parse error: syntax error, unexpected '?' in /xxx/core/vb/request.php on line 68 in the error_log

This usually means you need to upgrade to PHP 7.1 or higher. I recommend PHP 7.3 if your hosting provider allows it.

**clearvue** · Fri 11 Oct '19, 11:06am

After an install as described above, is there any chance of corruption of the forum data in the database? In other words, I've fixed the folders and the install, but am I sure that my data isn't still exposed?

Additionally, I'm currently on in Forum Site "Off Mode", but I've seen forum members login (although it doesn't appear they can do anything) and I currently see Guests in the site. Is this normal?

Thank you

**Wayne Luke** · Fri 11 Oct '19, 11:17am

The only way to tell if your data was exposed would be to inspect your server logs for the webserver and MySQL. vBulletin has no methods to download the database. To run queries, the person would need a super administrator with permission to do so. If you use strong passwords and two-factor authentication as recommended, this would be difficult to do.

**Wayne Luke** · Fri 11 Oct '19, 11:18am

Additionally, I'm currently on in Forum Site "Off Mode", but I've seen forum members login (although it doesn't appear they can do anything) and I currently see Guests in the site. Is this normal?

They would be seeing a maintenance message. Turning off your forum doesn't remove logging in or and some other actions. If someone visits the page, they will be logged in with remember me, issued a session and so forth. If that is a guest, they get a session and can sit there and view the page.

Announcement

Zero Day Hack - Database

Zero Day Hack - Database

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics