Site has just been hacked (again) by Mr.HAiL & Spyhail - HELP!!!

  • SCH
    Senior Member
    • Sep 2010
    • 107
    • 4.2.X

    Site has just been hacked (again) by Mr.HAiL & Spyhail - HELP!!!

    Hi everyone,

    OK, just woke up this morning to find that my site has been hacked AGAIN by someone calling themselves "Mr.HAiL & Spyhail". This happened once before, not long ago, and the hacker ended up leaving of his/her own volition and returned the site to normal. From what I could tell, it looked like they had accessed the site through a former admin's account (which I promptly shut down after the site's functionality returned to normal). But I guess that wasn't enough, and now this person is back!

    I've attached a screen shot of what the homepage of my site (www.superchargerhelp.com) looks like.

    [Attached screenshot: Screen shot 2012-03-08 at 6.35.16 AM.jpg]

    There's also a link to a YouTube video as well. Here's the link:

    I need help to get my site back up and running ASAP and to obviously prevent anything like this from happening again. PLEASE HELP!!!
    Michael
    www.superchargerhelp.com
  • Trevor Hannant
    vBulletin Support
    • Aug 2002
    • 24358
    • 5.7.X

    #2
    1) Fixing the damage:

    You need to restore a backup from before the forum was hacked. If you don't have a backup then you should ask your host if they have one.

    2) Preventing future attacks:

    Here are some security tips to help prevent this in the future:



    3) Finding out exactly how they hacked you:

    If an admin or mod account was hijacked then you might find evidence of their activities in the vBulletin logs:

    Admin CP -> Statistics & Logs

    It can be difficult to track down exactly how the hacker got in. You will need to consult with your host to examine the server logs for evidence of intrusion. Otherwise you can just follow the above security tips to help prevent future attacks.
    Vote for:

    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)


    • SCH
      Senior Member
      • Sep 2010
      • 107
      • 4.2.X

      #3
      Hi Trevor,

      Thanks for the quick reply.

      I have contacted my webhost and they say they have checked the account logs and found no evidence of any passwords or malicious FTP access. They believe there is a script on my account which was compromised allowing this hacker access.

      They can restore the site from a backup (for a small fee, of course) and they are suggesting I review the site's content and upgrade any scripts or plugins I've installed.

      I'm going to email my webhost back and let them know the last time the site was functioning properly. However, before doing so I'm going to review the security tips link you've posted above. Once the site is back up and running (and I REALLY hope that a restoration from a backup will do the trick; I'm not convinced it will) I want to implement these security tips right away to help prevent any such attack again.

      I know this is beyond your realm of support, but are there any agencies or authorities where this type of activity can (and should) be reported to? I realize there's little in the way of legislation to put people like this behind bars (or put a bullet in their head) but if there's a way to either shut someone like this down or prevent them from attacking anyone else's site, then I'd like to submit some kind of report to the proper authorities that could see to it this doesn't happen again.
      Michael
      www.superchargerhelp.com


      • borbole
        Senior Member
        • Feb 2010
        • 3074
        • 4.0.0

        #4
        A simple restoration will not help in the long run until the point of entry has been discovered and patched up. Otherwise it will happen again and again.

        You should do a scan and thorough checkup of all your files and folders in your server space for anything suspicious and/or things that shouldn't be there. Then change all your passwords (forum admin, ftp, cp and db). Also do a scan of your pc with an antivirus/antispyware program.


        • SCH
          Senior Member
          • Sep 2010
          • 107
          • 4.2.X

          #5
          Thanks for the response borbole.

          It looks like my site is back up and running again. I contacted my webhost about restoring from a backup (as per my earlier post) but the site came back online before they could restore it from a backup. I have since turned the bulletin board off while I investigate how this occurred and what I can do to prevent this sort of attack from ever happening again.

          Interestingly, one of the support personnel at my webhost reviewed the hack further and she believes it is indeed the vBulletin install which has been compromised. She says the hacker inserted data into my template database tables, but she is unsure how they managed to do that (SQL Injection via a hole or one of the plugins/modules). Based on the last attack, it looked like the hacker had gotten access to a previous admin's account. If that's true, it would have given this person access to the vBulletin control panel, but it wouldn't have given any access to the web server's control panel or the site's directories.

          My webhost has also suggested that I delete everything from the public_html folder and upload a clean copy of vBulletin. Can I do that without losing everything?

          I am going to upgrade my vBulletin install to the latest 3.x version in order to maximize vBulletin's built-in security features. In fact, I may even upgrade to the latest 4.x version... haven't decided yet.

          Thanks again for the response.
          Michael
          www.superchargerhelp.com

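          As an added example (not code from the thread or from vBulletin), a heuristic scanner over rows in the shape of vBulletin's template table, which is where the webhost said the injected data was stored. It flags templates that load a script from an external URL, hide an iframe, contain obfuscated JavaScript, or force a redirect, so those rows can be reviewed by hand before the templates are reverted. The sample rows are constructed; the patterns are heuristics, not a complete signature set.

```python
import re

# Constructed sample rows shaped like vBulletin's template table: (templateid, title, template).
# Rows 2 and 3 carry the kind of content the host described finding; rows 1 and 4 are benign.
SAMPLE_TEMPLATES = [
    (1, "header", '<div id="header">$vboptions[bbtitle]</div>'),
    (2, "FORUMHOME", '<table>$forumbits</table><script src="http://example.invalid/x.js"></script>'),
    (3, "footer", '<div>$footer_content</div><iframe style="display:none" src="http://example.invalid/f"></iframe>'),
    (4, "headinclude", '<script type="text/javascript" src="$vboptions[bburl]/clientscript/vbulletin_global.js"></script>'),
]

# Heuristics for content a stock vBulletin 3.8 template has no reason to contain.
# Stock templates do load scripts from the forum's own clientscript/ directory, so a
# script tag is only flagged when it pulls from an absolute external URL.
INDICATORS = [
    ("external-script", re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?https?://', re.I)),
    ("hidden-iframe", re.compile(r'<iframe\b[^>]*display\s*:\s*none', re.I)),
    ("obfuscated-js", re.compile(r'\b(eval|unescape|String\.fromCharCode)\s*\(', re.I)),
    ("js-redirect", re.compile(r'(window|document)\.location\s*(=|\.href\s*=|\.replace\s*\()', re.I)),
]

def scan_templates(rows):
    """Return [(templateid, title, [indicator names])] for every row matching any indicator."""
    findings = []
    for templateid, title, body in rows:
        hits = [name for name, pattern in INDICATORS if pattern.search(body)]
        if hits:
            findings.append((templateid, title, hits))
    return findings

if __name__ == "__main__":
    for templateid, title, hits in scan_templates(SAMPLE_TEMPLATES):
        print(f"template {templateid} ({title}): {', '.join(hits)}")
```

In practice the rows would come from a database dump of the `template` table taken before any restore, so the findings survive as evidence of what was changed.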

          • borbole
            Senior Member
            • Feb 2010
            • 3074
            • 4.0.0

            #6
            Originally posted by SCH
            Thanks for the response borbole.

            It looks like my site is back up and running again. I contacted my webhost about restoring from a backup (as per my earlier post) but the site came back online before they could restore it from a backup. I have since turned the bulletin board off while I investigate how this occurred and what I can do to prevent this sort of attack from ever happening again.

            Interestingly, one of the support personnel at my webhost reviewed the hack further and she believes it is indeed the vBulletin install which has been compromised. She says the hacker inserted data into my template database tables, but she is unsure how they managed to do that (SQL Injection via a hole or one of the plugins/modules). Based on the last attack, it looked like the hacker had gotten access to a previous admin's account. If that's true, it would have given this person access to the vBulletin control panel, but it wouldn't have given any access to the web server's control panel or the site's directories.

            My webhost has also suggested that I delete everything from the public_html folder and upload a clean copy of vBulletin. Can I do that without losing everything?

            I am going to upgrade my vBulletin install to the latest 3.x version in order to maximize vBulletin's built-in security features. In fact, I may even upgrade to the latest 4.x version... haven't decided yet.

            Thanks again for the response.
            I saw that you are running a very old version of vb. There have been a lot of known security issues since the version that you have. Keeping your forum up to date with the latest version is very important, security and everything wise. That goes for any other third party mods/applications etc that you have installed/run in your server space.

            In my opinion you should upgrade your forum a.s.a.p. to the latest version of either the 3.8.x series or the 4.1.x branch.


            • SCH
              Senior Member
              • Sep 2010
              • 107
              • 4.2.X

              #7
              Well, it looks like the attacker is back again. Just as I was preparing to update the vBulletin software to the latest 3.8.x, I visited the site and sure enough there was another "Hacked By" page courtesy of Mr.Hail. And while I can access my webhost cPanel, I can't access the vBulletin Admin Control Panel so I can't reset the templates back to their defaults or uninstall any 3rd party plug-ins.

              I guess I'm S.O.L., huh?
              Michael
              www.superchargerhelp.com


              • whitey10tc
                Senior Member
                • Jan 2011
                • 415
                • 4.0.x

                #8
                Restore from your previous backup. Or reload your vb package and see if that helps.
                www.cdmagurus.com
                www.cellphone-gurus.com


                • SCH
                  Senior Member
                  • Sep 2010
                  • 107
                  • 4.2.X

                  #9
                  I've actually gone through the upgrade process, which I believe was successful. However, once the upgrade completed and I was brought to the admin control panel login page, I tried to log in and the "this site has been hacked by...." thing came up.

                  Can I perform a clean (we're talking delete everything in the public_html directory) installation of vBulletin and still have the vBulletin software access my site's databases?

                  I'm at the point right now where I think that may be my only option.
                  Michael
                  www.superchargerhelp.com


                  • wda2015
                    Senior Member
                    • May 2001
                    • 1135

                    #10
                    as long as you make a copy of the config.php from inside includes or remember your database user/pass then yes..
                    Simple Straight Forward EU cPanel vBulletin Web Hosting Provider.


                    • SCH
                      Senior Member
                      • Sep 2010
                      • 107
                      • 4.2.X

                      #11
                      Thanks for the reply WEBDosser. I've just tried to perform a clean installation of the vBulletin software, and I don't know what to do when I get to the point where it asks which database(s) to delete. Should I just unselect all of them? I don't want to lose any of the databases themselves... all (I think) I'm looking to do is reset the vBulletin templates to their defaults (eliminating any scripts that this hacker may have planted in them). Can I still conduct a new installation WITHOUT having to delete any of my existing databases?
                      Michael
                      www.superchargerhelp.com


                      • motowebmaster
                        Senior Member
                        • Mar 2006
                        • 255
                        • 3.5.x

                        #12
                        Have your host restore your database only, and print out your config file. Put up a single index.html page to notify your users.

                        Make a copy of your database, and do a couple of test upgrades on your database copy (not your production database), in a different directory (or a new test directory). Ensure that you turn off plugin support in the config file.

                        That will help you determine how to go through the upgrade process. If you make a mistake, it won't be on your production database.
                        Shawn


                        • borbole
                          Senior Member
                          • Feb 2010
                          • 3074
                          • 4.0.0

                          #13
                          Originally posted by SCH
                          Thanks for the reply WEBDosser. I've just tried to perform a clean installation of the vBulletin software, and I don't know what to do when I get to the point where it asks which database(s) to delete. Should I just unselect all of them? I don't want to lose any of the databases themselves... all (I think) I'm looking to do is reset the vBulletin templates to their defaults (eliminating any scripts that this hacker may have planted in them). Can I still conduct a new installation WITHOUT having to delete any of my existing databases?
                          Do not run the installer, that is not necessary. All you have to do is replace/overwrite your forum files. But do not overwrite the config.php file.

                          But whatever you do, make first a backup of your database. Did you check also the server space?

                          A few months back I was contacted by a user here who was hacked repeatedly like you and after checking his server space I found a backdoor. After I patched that up they did not have any issues anymore.


                          • SCH
                            Senior Member
                            • Sep 2010
                            • 107
                            • 4.2.X

                            #14
                            Thanks for the responses everyone. I really do appreciate it.

                            motowebmaster - I've taken your advice and put up a single index.html page notifying users of the hacking activity and that the site will be back up soon. Far better than the taunting "HACKED" page from Mr.Hail. Thanks for the suggestion.

                            How do you turn off plug-in support in the config file? Doing that may help me at least get into the admin side of the forum.

                            borbole - I've already run the upgrade installer, and the site SHOULD be updated to the latest 3.8.x version of the vBulletin software. Unfortunately, this hacker's actions are preventing me from logging into the admin control panel so there's no way I can even verify that the software has even been updated.

                            I should also mention, prior to performing this upgrade, I went through each and every directory of the latest 3.8 version of vBulletin and compared it to what was on my installation, and deleted any files that I no longer needed or were VERY old (some dated as far back as 2003!). I've also been combing through the remainder of the server space to see if I can find anything "odd" or out of place. I have found a couple of directories that I can't recall seeing before (I don't poke around on the server side very often) but to be honest I'm not really sure what I'm looking for and I don't want to delete anything that might render the site completely unusable.

                            I've been in contact with my web host, and while they can restore the site (and databases) at my request, I am not convinced that will solve the issue. Based on a previous investigation, they determined that the hacker inserted some information (a script perhaps...?) in the templates database tables. Unfortunately, they are unsure as to how this happened, but they suspect it was a hole in either the version of vBulletin I was running (3.8.6 PL2) or one of the modules/plug-ins. I wasn't running many plug-ins or modules on the site though, only vBadvanced, vBPro Garage, and vBStopForumSpam... all well-known third party plug-ins.

                            My web host has said they will investigate this issue further and get back to me. They are bothered that this issue has become a recurring one and that it shouldn't be taking this long to resolve. So until I hear back from them, all I can do is try to figure out a way to circumvent this hacker's activities so that I can find the issue and eliminate it permanently.
                            Michael
                            www.superchargerhelp.com

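                            As an added example (not code from the thread or from vBulletin), a script that does what borbole recommends in #13 and what Michael describes doing by hand in #14: hash every file in a clean vBulletin package of the same version and every file in the live public_html, then report files whose content differs, files present only in the live install (where a planted backdoor would show up), and files missing from it. includes/config.php is skipped because it is expected to differ. The two directory trees below are constructed fixtures standing in for the real package and install.

```python
import hashlib
import os
import tempfile

# Files that legitimately differ between a stock package and a live install.
EXPECTED_DIFFERENCES = {"includes/config.php"}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def tree_hashes(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return hashes

def compare_trees(clean_root, live_root):
    """Return (modified, extra, missing) relative paths of live_root against clean_root."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p]
                      and p not in EXPECTED_DIFFERENCES)
    extra = sorted(p for p in live if p not in clean)    # where planted files show up
    missing = sorted(p for p in clean if p not in live)  # deleted or never uploaded
    return modified, extra, missing

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)

def build_fixture():
    """Constructed sample trees standing in for a clean package and a live install."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        write(root, "index.php", "<?php // stock index\n")
        write(root, "includes/functions.php", "<?php // stock functions\n")
        write(root, "includes/config.php", "<?php // config as shipped\n")
    write(live, "includes/config.php", "<?php // site-specific database settings\n")
    write(live, "includes/functions.php", "<?php // stock functions\n// appended later\n")
    write(live, "images/misc/cache.php", "<?php // not part of the clean package\n")
    return clean, live
```

On a real install, point compare_trees at the unpacked clean package and the live document root; every path it reports as modified or extra is something to read before deciding whether to overwrite or remove it.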

                            • motowebmaster
                              Senior Member
                              • Mar 2006
                              • 255
                              • 3.5.x

                              #15
                              Here is a post that includes the process to disable plugins in your config file.

                              Is anyone from vbulletin helping you?
                              Shawn
