Forum hacked...

I got hacked this morning too. Running vb 4.2.0 exact same exploit by the looks of it. There were a couple of new admin accounts and subscriptions got locked into a pluging same as above...

title - init_startup

Deleting that pluging got my subscriptions page back. I did have the install directory, which has now been deleted.

I'd like to know what the common factor is here, everyone on vb 4.2.0? Install folder?

This is a TOR ip https://www.torproject.org and is not a user from sweden.
Most hackers use this anonymizer service.

I not understand how user can have INSTALL folder in forum system. After install/upgrade you MUST delete it to login as admin!? Why you have a INSTALL folder in your system?

No, you have to delete the install file after installation, not the folder - unless it's changed since I last did an update.

It has. You now need to delete the entire /install folder (or /core/install on vB5) to avoid security issues.

Ahhh - so is the existance of the install folder the exploit here? Is 4.2.0 Patch Level 2 secure with the install dir removed?

Yes that's correct.

Kyo-dono: “I not understand how user can have INSTALL folder in forum system. After install/upgrade you MUST delete it to login as admin!? Why you have a INSTALL folder in your system?”

Mark.B: “You now need to delete the entire /install folder (or /core/install on vB5) to avoid security issues.”

vBulletin has had serious security issues after the new ownership (post v3) — yet, they have treated problems childishly quite often. I was shocked when I did my first vB upgrade — my entire website became vulnerable because of the upgrade. Yet, vBulletin Team blamed… my webhost!



I said previously that all these security issues originate inside the vBulletin hou’ (e.g. former employees who became disgruntled). I was NOT implying that vBulletin creates security issues deliberately. That is, they intentionally want access to the forums run by their software. You know, some forums have paid subscriptions, paid advertising… things that hackers can redirect to their coffins…

Still, even involuntary security problems can be legal snakes for any company. It is called negligence. I remember in the good ol’ DOS era, a company promised the doubling of RAM via software. In reality, that piece of software caused serious losses. I was hit by that problem. The RAM company became the subject of a class-action lawsuit that destroyed the company. I remember well I received a check issued by a court in California.

With so many security issues, vBulletin is lucky they haven’t been the subject of a class-action lawsuit. Just imagine a law firm who runs a paid-for forum (they usually demand high fees for such membership). Now, the forum of the law firm is powered by vBulletin. Imagine this latest grave security problem — the law firm would lose lots of money. Their paid-for-membership redirects all the money to a bunch of hackers (with IPs spread all over the world)…

Take care, vB axiomatics! You skating on thin ice…

Ion Saliu,
Well-Wisher At-Large

Found this existing thread so I'm putting my oar in the water. I can log into Admin panel and Cpanel, but when I try to access the site, I get "This website is temporarily suspended." Host thinks there is a malicious line of code inserted but I don't know how to find it, much less remove it. I've read through Zachery's blogs but I am too ignorant of computer coding etc. to understand any of it. I don't even know where to look for the /install folder. Please hold my hand and offer some simple instructions an old lady can follow.

just a bit of an update, I am getting hacked on a daily basis now. I have took all the recommended steps, changed site and database passwords amongst many other things but they still get in. if the dont create a rogue admin account they redirect the site to some islamic nonsence with a notice saying hacked by 747 crew... getting really pi$$ed of now.. when i figure out how to get my 15Gb of attachements to phpBB im gone.. everything else transfers fine except the attachments

You've missed something then. For one your AdminCP is not behind .htaccess. I suspect you you're not getting hacked repeatedly just they are reapplying their maliciousness through a backdoor they installed and hasn't been removed. You would need to open a support ticket to have someone look deeper.

Hi All, I find that I was hacke today. I run VB 4.1.2 . It is a closed forum and does not accept new members. Today I discovered a new Admin "aventus67"
They had deleted their IP addrfess but I found it in the logs:- 88.230.120.188. Host Name 88.230.120.188.dynamic.ttnet.com.tr
A search shows this to be someone in Turkey.
He/She used a Yopnet disposable email address.
I then checked my plugins and found that they had installed something called Skimlinks. I have never seen this in my P&P folder before so I assume they installed it.
A check of my logs show the following activity:
10939 aventus67 10:56, 28th Sep 2013 plugin.php 88.230.120.188
10938 aventus67 10:56, 28th Sep 2013 plugin.php doimport 88.230.120.188
10937 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188
10936 aventus67 10:56, 28th Sep 2013 plugin.php files 88.230.120.188

My Install folder was deleted ages ago and the forum is set up with All Ajax features disabled.
The one thing I have always had problems with in the past was some members could sign up and start posting without requiring moderation whilst some would.
Anyway, I am going through Zacharys blogs to check everything but is there anything else I should know or does anyone have an opinion of what this person was trying to do and how they managed to get in.
Thanks for reading

Coppers Lot:

The IP addresses are easy to fake, axiomatic colleague of mine. There is plenty of software that hides the real IP address. Even Google Chrome has several extensions that hide the real IP of the visitor. Still, I believe it is a good action to ban the skumbullows (cyber criminals) by their IP numbers. I did it immediately after this latest Psychosama hack-attack:

AdminCP > Options > User Banning Options > paste the IP in the corresponding textbox.

I collected several IP addresses of bad guys in these forums. I mean, I copied the IPs other members posted here. I added them to the ban list of the IPs I discovered.

You might still have problems even after you deleted the /install folder. The reason: You did not change all related passwords immediately after the attack. It is specified in a dedicated blog written by Zachery:


vBulletin email alert should have also specified the changing of passwords immediately after the deletion of the /install folder.

Ion Saliu
“A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”

Thanks for the heads up and tips Ion

I see that Skimlinks was asked about above, with no answer. My install folder was deleted last year, and today I looked at the plugins for the first time, and see:

Product : Skimlinks Plugin

Add Skimlinks Classes to PostBit postbit_display_complete
Add Skimlinks JavaScript to footer template showthread_complete
Add Skimlinks Option to Edit Options Form profile_editoptions_start
Extend User DataManager userdata_start
Update Skimlinks Preference profile_updateoptions



I searched the forum, and Skimlinks seems to be a feature, not a problem. Is this correct?