I've Been Hacked !!! Don't know where to start to Resolve !

  • cammot
    Member
    • Jul 2009
    • 89

    I've Been Hacked !!! Don't know where to start to Resolve !

    My vB 4.0 site has been hacked. With a page that comes up with this message: HacKer By STICH

    I tried to delete the entire site directory, and restore with a backup, but still get the hacker message.

    I don't know where to start to resolve this problem.

    Can someone please guide me on a process.

    Thanks
    cammot
  • cammot
    Member
    • Jul 2009
    • 89

    #2
    Just a follow up to my previous post, some additional information. I can access the admin panel. The version I was running is: 4.2.0 Patch Level 3, but I still cannot access the Front-End of my site !
    Any suggestions on how I should go about resolving this problem.
    Thanks
    cammot


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 74149

      #3
      You would want to start by uploading a new set of files and upgrading to 4.2.2, then you want to follow the steps outlined here:

      There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • Eagle-Mark
        Member
        • Dec 2002
        • 73
        • 4.2.5

        #4
        Then go through your entire parent directory! Every folder and file, they add lots of stuff for later.


        • cammot
          Member
          • Jul 2009
          • 89

          #5
          OK - Thanks for the help and guidance. However, I am still stuck.

          When I download vBulletin 4.2.2 - it downloads successfully. But when I attempt to upload 4.2.2 to my server overwriting older files, it goes through this process satisfactorily, but then when I come to the ..../install/upgrade.php for my site, it says that I am upgrading to 4.2.0 !!!!, I did this twice, both downloads and uploads, and it seems that 4.2.0 patch 3, which is my existing version, is what is upgraded to !!. I don't understand why it won't recognize the 4.2.2 upload and instead does my existing version !. I don't know what I am doing wrong in the upload process - Question: Do I need to overwrite ALL the files from the upload directory or only the "newer than source" files ?

          Please advise.

          Thanks
          cammot


          • donald1234
            Senior Member
            • Oct 2011
            • 1953
            • 4.1.x

            #6
            Overwrite all the files.


            • cammot
              Member
              • Jul 2009
              • 89

              #7
              OK - THANKS - I was able to successfully update to vB 4.2.2 and made this progress.

              However - my front page is still showing the Hacker's Message !!!. So my front page looks somewhat broken. The good news is that I have access to my CP. On the CP there is a note stating that there is an out of date template - for administrative attention. It states "There are currently 1 customized template(s) that need to be updated or reverted. Some sections of vBulletin may not function if you do not do this!" When I examine this default template - it seems like it is the cause of what is happening on the front page. There are three options for the default template (which has a name - Headinclude, which is probably the creation of the hacker). I can (1) Edit the Template, (2) View Highlighted Changes or (3) Revert.

              Please advise on next step to resolution. I was thinking maybe I should Revert - but this is not reversible, so I am on hold pending a decision. I could Edit the template but don't know what to Edit. When I view the highlighted changes I see New and Old Values - maybe there is something here that I need to adjust, but not sure.

              I am not sure where to go next to resolve the broken front page - kindly advise.
              Thanks
              cammot


              • cammot
                Member
                • Jul 2009
                • 89

                #8
                I should add that the CP note stating the out of date template also states this:
                The attempted merge failed due to conflicts


                • donald1234
                  Senior Member
                  • Oct 2011
                  • 1953
                  • 4.1.x

                  #9
                  I would Create a new default style with no parent:
                  - Styles & Templates > Style Manager > Add New Style
                  - Parent Style: No Parent Style
                  - Title: Default vBulletin
                  - Allow User Selection: Yes
                  - Save

                  then delete the old one. Also check your plugins for anything suspicious. Paste them here if you're not sure.


                  • cammot
                    Member
                    • Jul 2009
                    • 89

                    #10
                    Originally posted by donald1234
                    I would Create a new default style with no parent:
                    - Styles & Templates > Style Manager > Add New Style
                    - Parent Style: No Parent Style
                    - Title: Default vBulletin
                    - Allow User Selection: Yes
                    - Save

                    then delete the old one. Also check your plugins for anything suspicious. Paste them here if you're not sure.
                    I Added a New Style, and made it the default. I also disabled all the plugins. But still get the Hacker Page in Front !!!.

                    Not sure what or where I can go to resolve this.

                    Is it possible to reinstall a completely new install of vBulletin, but use the existing database ?.

                    Please advise.

                    Thanks


                    • donald1234
                      Senior Member
                      • Oct 2011
                      • 1953
                      • 4.1.x

                      #11
                      That's pretty much what you have done already, go through the list again to see if there is anything you have missed.

                      First you need to follow our advisory about deleting the install folder off your forums.
                      Then please read the following two blog posts:
                      http://www.vbulletin.com/forum/blogs...ve-been-hacked
                      http://www.vbulletin.com/forum/blogs...vbulletin-site
                      Also please see these recent security announcements:
                      vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
                      vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
                      There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.
                      Close the hole...
                      This has three subparts in this instance.
                      1. Delete your install folder
                      2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
                      3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
                      Fill the Hole...
                      There are seven subparts in this instance.
                      1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
                      2. Delete any Suspect Files.
                      3. Replace any files marked as "Does not contain expected contents"
                      4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
                      5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
                      6. Update your Addon Products.
                      7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
                      Secure the Hole
                      Parts of this were done by closing the hole but there are still things to do here.
                      1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
                      2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
                      3. Create a lower permission Administrator for every day use.
                      4. Review your permissions in the system.
                      5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
                      6. Move your attachments outside the forum root directory.
                      7. Create a complete backup of your site. Make database backups weekly.
                      Vigilance
                      You need to keep active on the security of the site.
                      1. Give out the fewest permissions necessary for anyone to do their job
                      2. Make sure your hosting provider updates the software.
                      3. Update to the latest vBulletin when it is released.
                      4. Make sure your addons are always up to date.

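The plugin scan (Fill the Hole, step 4) and the file review (step 1) from the post above, as an added example that is not part of the thread and not a vBulletin tool: a stand-alone Python script that flags the suspect keywords in plugin code and compares a forum directory against a hash manifest taken from a clean download. The eval/shell_exec keywords, the sample plugin text and the throwaway files are my additions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Keywords donald1234 lists as suspect; passthru is the real PHP spelling, and
# eval/shell_exec are my additions (injected code commonly pairs them with base64).
SUSPECT_RE = re.compile(r"\b(exec|system|passthru|pass_thru|shell_exec|eval)\s*\("
                        r"|base64_decode|<iframe", re.IGNORECASE)

def scan_plugin_code(name, php_code):
    """Return (plugin name, line number, matched text) for every suspect hit."""
    return [(name, lineno, m.group(0))
            for lineno, line in enumerate(php_code.splitlines(), 1)
            for m in SUSPECT_RE.finditer(line)]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_file_integrity(root, manifest):
    """Compare files under root with a {relative path: sha256} manifest from a
    clean download; report modified, missing and unexpected (dropped) files."""
    root = Path(root)
    report = {}
    for rel, expected in manifest.items():
        if not (root / rel).is_file():
            report[rel] = "missing"          # deleted or renamed by the intruder
        elif sha256_of(root / rel) != expected:
            report[rel] = "modified"         # e.g. something appended to index.php
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report[rel] = "unexpected"       # a file that is not in the clean set
    return report

def demo_integrity_check():
    """Constructed forum root (not real files): build the manifest, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php // clean index\n")
        (root / "includes" / "config.php").write_text("<?php // clean config\n")
        manifest = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
        (root / "index.php").write_text("<?php // tampered index\n")
        (root / "includes" / "config.php").unlink()
        (root / "includes" / "x.php").write_text("<?php // dropped file\n")
        return check_file_integrity(root, manifest)
```

demo_integrity_check() returns {'index.php': 'modified', 'includes/config.php': 'missing', 'includes/x.php': 'unexpected'}; for a real check, hash the fresh 4.2.2 download into the manifest and point check_file_integrity at the live forum root, then review every "unexpected" and "modified" entry by hand.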

                      • cammot
                        Member
                        • Jul 2009
                        • 89

                        #12
                        Originally posted by donald1234
                        That's pretty much what you have done already, go through the list again to see if there is anything you have missed.
                        Actually, I went back and checked - and I did miss a step. I did not change the default style in CP Options, and it was not deleted. Now after following your earlier instructions again, of adding a new style and deleting the default style - it got rid of the hacker's face on the front end - I have now managed to get the site back up. THANKS.

                        Now - while the Front end looks fine, it's difficult to tell if there is anything malicious lurking and waiting to strike back again. Are there any suggestions you could make to ensure that all is fine ?.

                        Also, with the new style, my original Banner/Logo has disappeared. Could you kindly point me to where I could find instructions of adding a banner (picture) and or including a logo (Site name).

                        Thanks
                        cammot


                        • donald1234
                          Senior Member
                          • Oct 2011
                          • 1953
                          • 4.1.x

                          #13
                          If you followed all the above steps, you should be fine. I am not very good with logos and customizing; someone else will advise you, I'm sure.

