forum is hacked by change (Spacer_open )

  • Maplewoods
    Member
    • Aug 2005
    • 60
    • 3.0.0 Release Candidate 3

    #16
    Originally posted by Golzarion
    I do not really know what they do .... but I am sure it is because of SERVER weak security .... and most of the time it happened on SHARED server hosting...
    never forget to change your DATABASE password after getting hacked ...
    Thanks for your reply but the question still is what can be done about it and what are my options.

    You don't expect the server hosting company to admit that they have "weak security", right?

    So unless I can find some way to prove to them exactly where their flaw is, then I can't persuade them to fix a problem which they don't see exists.

    As it stands now, everyone passes the buck to the other party.

    The Server company will say it's a flaw in VB and VB will say it's a flaw in the server shared hosting or whatever else and we as the consumers are stuck in the middle unable to show absolute proof of where the precise fault is at.

    Are you suggesting to use non-shared hosting as a remedy? That's a bit pricey.
    Last edited by Maplewoods; Mon 26 Jan '09, 2:08pm.

    Comment

    • Maplewoods
      Member
      • Aug 2005
      • 60
      • 3.0.0 Release Candidate 3

      #17
      "THE" way to fix it!

      There is no reason to bulldoze your entire VB and have to undo all your customizations and reinstall everything and "what not" to undo the hacker's replaced index.php page.

      Instead there is a surgical precision method to change precisely only what needs to be changed and leave everything else intact.

      Here is the answer of how to fix this type of Hacked VB page.

      Style manager -> Edit Templates -> Forum Home Templates -> FORUMHOME

      Then just hit "SAVE"

      That will insert the correct data in to the database.

      I found that this type of VB Hacker / Intruder will gain direct access to the Database entry and change it to display the hacker's Web Page.

      In my case (My Hacked VB Forum) I found that the intruder's text was in two entries in the templates table entitled FORUMHOME (template ids 366 and 887). In both cases the text was in the 'template' column.

      I first deleted the text entry (left it empty/blank) and that stopped the hacker's page from being displayed.

      I then restored the original forum index code to normal as described above.

      All of the above is in reference to the SUB ZERO type Hackers described here:

      Comment

      • aldamon
        Member
        • Jun 2001
        • 78
        • 3.8.x

        #18
        We're getting hacked regularly through spacer_open as well. I restored the database numerous times until our host showed a link about the exploit and how to fix it easily. We're on a shared server. What can be done to prevent this from happening? How can I move or rename the spacer_open template in the database?

        EDIT:

        I used the advice in this thread to remove spacer_open template from use:




        This appears to have fixed the problem for now. I put the malicious code back in the template and now my bulletin board still looks good.
        Last edited by aldamon; Tue 24 Mar '09, 11:17am.

        Comment

        • Mr.FahaD
          Member
          • Nov 2004
          • 84

          #19
          hi again,
          one of my clients got hacked too by this way.
          he is using latest vBulletin.
          I know how to fix it, but is there any way to fix this exploit to happen again !

          waiting

          Comment

          • aussiefooty
            Senior Member
            • Nov 2008
            • 1903
            • 6.0.X

            #20
            Ban the hacker's ip address, email address and contact his isp
            Aussiefootyforums

            New Site New forum
            Come and talk sports all day long


            Comment

            • subzero06
              Member
              • Dec 2006
              • 46
              • 3.7.x

              #21
              Originally posted by Maplewoods
              I got hacked too.

              Please let us know what you did to fix your site (precisely which files had to be re-uploaded or replaced).

              Checking out their web site it seems that they specialize in VB Hacking.

              Is anyone familiar with this and exactly what they do to hack and exactly what needs to be done to fix the site and to PREVENT them from doing it again?

              My Index.php loads their hacked version of their page, although as far as I can tell, my actual index.php is the genuine VB page.

              I haven't been able to figure out where their hacked page is hiding and how they manage to exchange the real VB page for their hacked version.

              All my other sub-pages of VB work OK

              If someone doesn't really know the specifics of this particular group of hackers, then the easiest thing to say (if you don't know) is to recommend to "do everything" - listing a very long list of STANDARD security recommendations - but that's the "easy way out".

              The "easy answer" is to recommend all the STANDARD recommendations which applies to anything and everything that can be exploited, but my question is, does anyone know the specifics of what this precise group of hackers do, so that past damage can be fixed and future damage stopped.

              I assume that I am not the only VB hacked by them and that they have damaged thousands of other VB sites, regularly.

              My hacked by pages stated:
              [IMG]http://img214.imageshack.us/img214/1319/indexhp6te2.jpg[/IMG]
              By SuB-ZeRo
              FrOm:AlGeRiA
              visite my forum www.dz-security.net/vb
              who dont love mouslims he go f??? hi self
              f??? u admin and f??? all users f??? israel & usa & danemark
              WhErE Is ThE SeCuRiTy.. !?
              we are mouslimme and we are all withe gaza
              FoR CoNTaCTe
              [email protected]
              Why did he use my name to hack? lol

              Comment

              • aussiefooty
                Senior Member
                • Nov 2008
                • 1903
                • 6.0.X

                #22
                Change hosts. Tell your current host that you are getting hacked. Go with somebody else.
                Aussiefootyforums

                New Site New forum
                Come and talk sports all day long


                Comment

                • subzero06
                  Member
                  • Dec 2006
                  • 46
                  • 3.7.x

                  #23
                  Yeah just change ur hosting company, and go with hostmonster they are good.

                  Comment

                  • Mr.FahaD
                    Member
                    • Nov 2004
                    • 84

                    #24
                    I'm using VPS and I'm having tidy security for server.

                    Then, ...........?!

                    Comment

                    • aldamon
                      Member
                      • Jun 2001
                      • 78
                      • 3.8.x

                      #25
                      Originally posted by Mr.FahaD
                      I know how to fix it, but is there any way to fix this exploit to happen again !waiting
                      Yes, like I said above, remove what they're using to deface the pages:

                      Removing spacer_open & spacer_close - How?



                      It flat out works. Haven't been defaced since implementing this.

                      Comment

                      • Total666
                        Senior Member
                        • Jan 2006
                        • 158
                        • 3.6.x

                        #26
                        Originally posted by aldamon
                        Yes, like I said above, remove what they're using to deface the pages:

                        Removing spacer_open & spacer_close - How?



                        It flat out works. Haven't been defaced since implementing this.

                        If the hackers have no access to the server how can they deface the site ??

                        Comment

                        • aldamon
                          Member
                          • Jun 2001
                          • 78
                          • 3.8.x

                          #27
                          Originally posted by Total666
                          If the hackers have no access to the server how can they deface the site ??
                          If they had access to the server they could deface my board any way they wanted to. By removing spacer_open from the code they aren't defacing my board any more and it's been almost a month now. In fact, I've gone into the spacer_open template in phpMyAdmin and they haven't even changed it. If they had access to the server, they would have tried to change the template as well and I doubt they would have bothered to revert it.

                          Comment
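
Added example, not part of any post in this thread: posts #17 and #27 both come down to checking whether the FORUMHOME and spacer_open rows of the template table were changed by a direct database write. The sketch below does that check by comparing each row against a saved hash. The SQLite table, its simplified layout and all row contents are constructed for illustration (only the template ids 366 and 887 come from post #17).

```python
import hashlib
import sqlite3

# Template titles named in this thread as defacement targets.
WATCHED = ("FORUMHOME", "spacer_open", "spacer_close")
QUERY = ("SELECT templateid, title, template FROM template "
         "WHERE title IN (?, ?, ?) ORDER BY templateid")

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def snapshot(conn):
    """Record a known-good hash for every watched template row."""
    return {tid: (title, digest(body)) for tid, title, body in conn.execute(QUERY, WATCHED)}

def changed_rows(conn, baseline):
    """Return (templateid, title, reason) for rows that differ from the baseline."""
    findings, seen = [], set()
    for tid, title, body in conn.execute(QUERY, WATCHED):
        seen.add(tid)
        if tid not in baseline:
            findings.append((tid, title, "new row"))
        elif baseline[tid][1] != digest(body):
            findings.append((tid, title, "content changed"))
    for tid in sorted(set(baseline) - seen):
        findings.append((tid, baseline[tid][0], "row removed"))
    return findings

def build_sample_db():
    """Constructed stand-in for the forum database (assumed, simplified layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE template "
                 "(templateid INTEGER PRIMARY KEY, title TEXT, template TEXT)")
    conn.executemany("INSERT INTO template VALUES (?, ?, ?)", [
        (366, "FORUMHOME", "<!-- constructed forum home markup -->"),
        (887, "FORUMHOME", "<!-- constructed forum home markup -->"),
        (901, "spacer_open", "<!-- constructed spacer markup -->"),
        (950, "header", "<!-- constructed header markup -->"),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    good = snapshot(db)  # taken while the board is known to be clean
    # Simulate a write that goes straight to the database, bypassing the Style Manager.
    db.execute("UPDATE template SET template = ? WHERE templateid = 887",
               ("<!-- constructed defacement text -->",))
    for finding in changed_rows(db, good):
        print(finding)
```

Run on a schedule against a baseline stored outside the database, a check like this shows which rows were rewritten and when, which is the kind of evidence post #16 says is missing when talking to the host.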
