I wrote a 10 page guide for VPS and dedicated hosting users on my personal blog outlining my how I'd handle cleaning up hacked vBulletin forums if you have root user and SSH telnet access (for VPS and dedicated hosting users). Please note the emphasis on involving and notifying your web host at the earliest suspicion that you have been hacked as some of the guides recommendations and tools for clean up require root user/SSH access and an understanding of what that entails.

I also wrote a custom bash shell script vbplugincheck.sh (illustrated from step 4) which is a handy tool to partially automate some of the manual leg work outlined by Zachery's blog article where you needed to check your vBulletin database and files for infections and embedded malicious files, scripts or plugins.

The vbplugincheck.sh tool only helps with detection of the infections by hackers - illustrative examples of the tools usage is shown in step 4. You will still need to manually clean up the infections and malicious files left behind by the hacker(s). I say hackers, because in some instances more than one hacker could have gotten in and not necessarily from the same security flaw i.e. if you have an outdated plugin i.e. vbseo or mismatching vB version files.

Full set of options available for vbplugincheck.sh with explanations outlined in step 4

./vbplugincheck.sh quick
./vbplugincheck.sh full
./vbplugincheck.sh quick {dbname} {dbprefix}
./vbplugincheck.sh full {dbname} {dbprefix}
./vbplugincheck.sh adminlogfull
./vbplugincheck.sh adminloguser
./vbplugincheck.sh adminlogtemp
./vbplugincheck.sh adminlogactions
./vbplugincheck.sh adminlogfull {dbname} {dbprefix}
./vbplugincheck.sh adminloguser {dbname} {dbprefix}
./vbplugincheck.sh adminlogtemp {dbname} {dbprefix}
./vbplugincheck.sh adminlogactions {dbname} {dbprefix}
./vbplugincheck.sh qkeyword
./vbplugincheck.sh fkeyword
./vbplugincheck.sh qkeyword {dbname} {dbprefix}
./vbplugincheck.sh fkeyword {dbname} {dbprefix}
./vbplugincheck.sh tempcheck
./vbplugincheck.sh temphistcheck
./vbplugincheck.sh tempcheck {dbname} {dbprefix}
./vbplugincheck.sh temphistcheck {dbname} {dbprefix}
./vbplugincheck.sh usertitle
./vbplugincheck.sh ads
./vbplugincheck.sh usertitle {dbname} {dbprefix}
./vbplugincheck.sh ads {dbname} {dbprefix}
./vbplugincheck.sh ranks
./vbplugincheck.sh ranks {dbname} {dbprefix}
./vbplugincheck.sh setting
./vbplugincheck.sh setting {dbname} {dbprefix}
./vbplugincheck.sh pluginlist
./vbplugincheck.sh pluginlist {dbname} {dbprefix}
Side by side comparions

If you save your vbplugincheck.sh output to text file, you can easily use a file comparison tool like BeyondCompare to compare side by side visually your infected database output to a known restored clean database backup (restored in a new database name) - making it easier to visually detect differences you need to investigate.

Saving output to text files is as easy as adding > filename.txt to end of script and option command.

 ./vbplugincheck.sh quick > filename.txt
For example below is saved text output from vbplugincheck.sh quick option run on an infected database as well as another run against a known clean restored backup.

The screenshot shows where left side has infected MySQL database’s output compared side by side with clean MySQL database’s output. As you can see a hookname, init_startup is present in the hacked database and not in the clean backup. This needs further investigation and when you look in your plugins, you will find this init_startup hookname and within it will be embedded malicious code or even a PHP backdoor of cmdshell. In some instances, if your home computer has proper anti-virus and/or malware detection software installed, accessing or editing init_startup hookname may trigger a virus alert for your home computer depending on what type of code is embedded. So all you need to do is delete that init_startup hookname.

Note: vbplugincheck.sh quick and the other listed options above can also report false positives for infections or malicious code as the search are on wildcard terms i.e. %base64% and %iframe%, so you need to take a closer look and determine if any custom code or plugins you have added are legit. If unsure, you can always revert all custom templates, remove and reinstall all plugins and there associated php files (that you uploaded via ftp).

Other vbplugincheck.sh option examples
Checking your usergroup’s usertitle table for malicious html code embedded via the usertitle option. Below I altered the Senior Member title and added an exclamation mark ! as an example. Hackers could add malicious script html code here if they wanted.

./vbplugincheck.sh usertitle vb422a1
| usertitleid | minposts | title           |
|           1 |        0 | Junior Member   |
|           2 |       30 | Member          |
|           3 |      100 | Senior Member ! |
Check your ad table for managing ads for altered or additional malicious html code in your advertising html snippets. Here I added a test ad titled ‘test ad‘ with snippet of html code. Normally you should see your advertising banner code snippets, check to make sure they are correct for your advertisements.

./vbplugincheck.sh ads vb422a1
*************************** 1. row ***************************
        adid: 1
       title: test ad
  adlocation: global_below_navbar
displayorder: 10
      active: 1
     snippet: html code
Check user ranks table for malicious html code in ranking field via ranks option. Here I added a new rank with some innocent html code text Noob.

./vbplugincheck.sh ranks vb422a1
*************************** 1. row ***************************
     rankid: 1
   minposts: 10
  ranklevel: 1
    rankimg: Noob
usergroupid: 0
       type: 1
      stack: 0
    display: 0
Check vB setting table’s value field for unwanted code i.e. embedded js script %script%. This option prompts for a keyword to search for. In below example looking for < script > tags embedded in value field i.e. Forum Name I added < script > to the field in AdminCP. Use wildcard %script% as keyword. (Thanks Lynne for heads up on table to check)

./vbplugincheck.sh setting vb422a1
Enter keyword to search for i.e. %script% or %refresh : %script%
   check setting tables value for %script%
       varname: bbtitle
    grouptitle: address
         value: vB 4.2.2 PHP 5.4 Test Forums <script>
  defaultvalue: vBulletin Forums
  displayorder: 10

Other checks

The 10 page guide also illustrates other potential precautions and checks you should do. For example:
  1. checking for malicious files in user uploadable content directories such as /customavatars, and /attachments (if you make mistake of placing attachments in filesystem on public web accessible directory).
  2. running anti-virus and malware scans on your files and directories. I recommend at least AVG Anti-virus for Linux and Linux Malware Detect (maldet).
  3. locking down vB config.php and it's settings and ensuring proper vB upgrade procedures are followed and in general securing other non-vB scripts which are installed on same server.
  4. file and directory permissions checks
  5. use of usergroup password expiry feature and ensuring folks are changing passwords

Sources & other recommended reading: