vbulletin hacked?

One idea - they don't know what they are looking for, and reported everything as correct, when it isn't.

In your writeable folders (customavatars, customprofilepics etc), do you have .htaccess files set up to ensure nothing exploitative gets into them?

Read https://www.vbulletin.com/forum/entr...orums-(Part-1) and make sure you follow the tips Wayne gives there.

Hello again,

1.) My admin checked file permissions and i added .htaccess files to 777 folders. He also "locked" vbseo files to prevent any modifications.

2.) There are no bad .php files.

3.) Also "base64_decode" search went well (only clean files).

4.) I also went to "chrome", cleared everything (cookies, browsing history, etc.) and tried to access my board through "google search". It went ok, no redirection. But i'm not really sure, problem is solved.

Clever exploits don't trigger 100% of the time, so that might be a false negative. Good work on securing the other things though.

Are you running the latest versions of vB/vBSEO/all other plugins/addons?

That's good, but a little alarming. Files are not the only place these things can hide. Did you check your database also (plugins/templates can have the redirect in them too.)?

1.) I only use VBSEO and AME. Yep, newest versions.

2.) I will ask my admin, but he said he looked everywhere and there was no files that were modified lately. Beside, he is really good.

3.) The weird thing is, i browsed many international vbulletin boards today, trying to find solutions to my problem and on many of them i stumbled upon same issue as mine. I mean, when i tried to access them through google i had this redirection.

4.) One photo i found on the web. This is exactly how it looked why i tried to enter my board...

As Ace says, you also need to check the database.

We checked everything. But today redirection came back (after 24h).

Follow these steps:

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

If you a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

8) Check .htaccess to make sure there are no redirects there.

9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.

My admin just found this code in MySQL (datastore, plugins)


Is this related to any known issue?

I would say that is the entire cause of your issue. you need to delete that plugin from the Admin CP under Plugins / Products -> Plugin Manager.

Any plugin with base64() in it should be considered insecure and not installed on your site.

Either that appeared recently (meaning they still have access to your database) or he's not as good as he says he is.

Now that the exploit is gone, you need to find out how they got in, and plug that hole.

I'm just telling you guys, what he said to me. I'm really green at this. Do you guys think it may be related to this?

No... that exploit is different.

I have only VBSEO, VBSEO Sitemaps and AME installed.

1.) So if this "virus code" is in "datastore", then if i disable/enable any plugin, datastore will be cleared and "virus code" will vanish?

2.) But from what i understand, it will come back and attach "virus code" again. So how do i find it source and delete it completely?

Do i understand that correctly?