Site Hacked? Please help!

  • maksum
    New Member
    • Apr 2010
    • 14
    • 4.0.0

    [Forum] Site Hacked? Please help!

    I would VERY much appreciate your help on this one. Once you go to my search.php page, all links forward to a Russian pharmacy web site. Very annoying. Obviously I was hacked or something. To see what I mean you can go to this page and then click a link:



    I just upgraded to the latest version (4.1.11) but I still see it. I have downloaded search.php and compared it to a clean file from the latest download, and it's a match.

    Can anyone help me figure out the next step to hopefully kill this thing? And prevent it from occurring again...

    Thanks so much for whatever you can offer.

    Mike
  • borbole
    Senior Member
    • Feb 2010
    • 3074
    • 4.0.0

    #2
    Originally posted by maksum
    I would VERY much appreciate your help on this one. Once you go to my search.php page, all links forward to a Russian pharmacy web site. Very annoying. Obviously I was hacked or something. To see what I mean you can go to this page and then click a link:



    I just upgraded to the latest version (4.1.11) but I still see it. I have downloaded search.php and compared it to a clean file from the latest download, and it's a match.

    Can anyone help me figure out the next step to hopefully kill this thing? And prevent it from occurring again...

    Thanks so much for whatever you can offer.

    Mike
    Indeed, your forum has been injected. Did you do any change to your forum before you got hacked? What mods do you have installed?

    If I were you I would do a scan and thorough checkup of all your files and folders in your server space, and the db as well, for anything suspicious and/or things that shouldn't be there. Then change all your passwords (forum admin, ftp, cp and db). Also do a scan of your pc with an antivirus/antispyware program.

    Also contact your host and ask them to check their logs and see how exactly your forum security was compromised. That is very important to find the security hole and plug it; otherwise it will happen again and again.

    • acwatts
      Senior Member
      • Aug 2005
      • 739
      • 3.8.x

      #3
      Your forum.php is also forwarding to the pharmacy site.

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 74223

        #4
        To troubleshoot this, first download a fresh copy of the vBulletin ZIP file from the Members Area then reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server. Also be sure to upload the admincp files to whichever directory you have set in your config.php file. Then run 'Suspect File Versions' in Diagnostics to make sure you have all the original files for your version and that none show 'File does not contain expected contents':

        Admin CP -> Maintenance -> Diagnostics -> Suspect File Versions

        [Note: In some cases you may also need to remove any of the listed .xml files in the includes/xml directory.]

        Next, disable all plugins.

        Note: To temporarily disable the plugin system, edit config.php and add this line right under <?php

        define('DISABLE_HOOKS', true);

        Then if you still have this problem, create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it.

        Do you have the same problem?
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API
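        The "Suspect File Versions" step above compares the files on the server against the originals shipped in the vBulletin ZIP. The script below is an added example of the same idea done from a shell on the server, not a vBulletin tool and not code from anyone in this thread. It assumes GNU coreutils (sha256sum) and that the operator points it at a freshly extracted clean copy and at the live web root; the sample trees inside `demo` are constructed for illustration only. It reports three kinds of finding: files whose contents differ from the clean copy (the equivalent of "File does not contain expected contents"), files present only on the server (what the Admin CP labels "not recognized as part of vBulletin"), and original files that are missing.

```shell
#!/bin/sh
# Added example, not vBulletin's own tool: a minimal stand-in for the
# "Suspect File Versions" check. It hashes every non-image file in a
# clean vBulletin extract and in the live web root, then reports files
# whose contents differ, files present only on the server, and files
# missing from the server. Assumes GNU coreutils (sha256sum); the two
# directory paths are supplied by the operator.

# hash_tree DIR: print "sha256  ./relative/path" for each regular file.
# config.php is skipped because it is meant to differ from the ZIP, and
# image files are skipped because the instructions do not reupload them.
hash_tree() {
    (cd "$1" && find . -type f \
        ! -name 'config.php' \
        ! -name '*.gif' ! -name '*.png' ! -name '*.jpg' \
        -exec sha256sum {} + < /dev/null)
}

# compare_trees CLEAN_DIR LIVE_DIR: one line per finding, sorted.
compare_trees() {
    { hash_tree "$1" | sed 's/^/C /'; hash_tree "$2" | sed 's/^/L /'; } |
    awk '
        { path = $3; sub(/^\.\//, "", path) }       # strip the leading ./
        $1 == "C" { clean[path] = $2; next }
        $1 == "L" { live[path]  = $2; next }
        END {
            for (p in clean) {
                if (!(p in live))             printf "MISSING    %s\n", p
                else if (clean[p] != live[p]) printf "MODIFIED   %s\n", p
            }
            for (p in live)
                if (!(p in clean))            printf "UNEXPECTED %s\n", p
        }' | sort
}

# Self-contained demonstration on constructed sample trees (no real
# vBulletin files): a "clean" extract and a "live" web root that differ
# in the ways this thread describes.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/includes" "$work/live/includes/xml"
    for f in index.php forum.php search.php includes/functions.php; do
        printf '<?php // clean %s\n' "$f" > "$work/clean/$f"
    done
    printf '<?php // clean config\n' > "$work/clean/config.php"
    # live copy: index.php and includes/functions.php untouched,
    # search.php altered, forum.php absent, an unrecognised XML file
    # present, config.php site-specific (differs, must not be reported)
    cp "$work/clean/index.php" "$work/live/index.php"
    cp "$work/clean/includes/functions.php" "$work/live/includes/functions.php"
    printf '<?php // clean search.php\n// constructed extra line\n' > "$work/live/search.php"
    printf '<bitfields/>\n' > "$work/live/includes/xml/bitfield_example.xml"
    printf '<?php // site-specific config\n' > "$work/live/config.php"
    compare_trees "$work/clean" "$work/live"
    rm -rf "$work"
}

demo
```

        Run as `compare_trees /path/to/clean/upload /path/to/webroot` on the server. Every MODIFIED line is a file to replace from the ZIP and to keep for later inspection; UNEXPECTED lines are either known plugin files (as with the "album" files in this thread) or something to explain before deleting. Hashing with sha256sum rather than comparing sizes or timestamps matters because an altered file can be padded to its original size and its mtime reset.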

        • maksum
          New Member
          • Apr 2010
          • 14
          • 4.0.0

          #5
          Awesome replies... thanks so much. Will do this as soon as I can later tonight and let you know.

          • maksum
            New Member
            • Apr 2010
            • 14
            • 4.0.0

            #6
            Originally posted by Wayne Luke
            To troubleshoot this, first download a fresh copy of the vBulletin ZIP file from the Members Area then reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server. Also be sure to upload the admincp files to whichever directory you have set in your config.php file. Then run 'Suspect File Versions' in Diagnostics to make sure you have all the original files for your version and that none show 'File does not contain expected contents':

            Admin CP -> Maintenance -> Diagnostics -> Suspect File Versions

            [Note: In some cases you may also need to remove any of the listed .xml files in the includes/xml directory.]

            Next, disable all plugins.

            Note: To temporarily disable the plugin system, edit config.php and add this line right under <?php

            define('DISABLE_HOOKS', true);

            Then if you still have this problem, create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it.

            Do you have the same problem?
            Ok, I uploaded fresh files from the Members Area.

            I ran Suspect File Versions. Everything either has the directory highlighted in blue, and just indicates that it was scanned, or it says the file is not recognized as part of vBulletin. Many of these I recognize as plugins, as they contain names such as "album" in the filename. Also, several files in the "install" directory. But nothing says 'File does not contain expected contents'.

            There is one file in the includes/xml directory:
            bitfield_vbhtabs.xml (File not recognized as part of vBulletin)

            Looking at the file, it just contains this:

            <?xml version="1.0" encoding="ISO-8859-1"?>
            <bitfields product="vbh_newtabs10">
              <bitfielddefs>
                <group name="misc">
                  <group name="vbhdistabs">
                    <bitfield name="vbh_cms">1</bitfield>
                    <bitfield name="vbh_blogs">2</bitfield>
                    <bitfield name="vbh_whats_new">4</bitfield>
                  </group>
                </group>
              </bitfielddefs>
            </bitfields>

            Doesn't seem significant, but I still deleted it.

            I then disabled plugins through the config file as suggested. It became quickly obvious that I successfully disabled them as I have a gallery that suddenly didn't show. The problem was still there though.

            I created the new style as directed. My forum switched over to look like a generic vBulletin board, so it seems that was all done correctly too.

            Unfortunately after doing all this, the issue is still there.

            Any other ideas? If I can't get this can anyone recommend someone who can? I'd be happy to pay a reasonable fee.

            • maksum
              New Member
              • Apr 2010
              • 14
              • 4.0.0

              #7
              Originally posted by borbole
              Indeed, your forum has been injected. Did you do any change to your forum before you got hacked? What mods do you have installed?

              If I were you I would do a scan and thorough checkup of all your files and folders in your server space, and the db as well, for anything suspicious and/or things that shouldn't be there. Then change all your passwords (forum admin, ftp, cp and db). Also do a scan of your pc with an antivirus/antispyware program.

              Also contact your host and ask them to check their logs and see how exactly your forum security was compromised. That is very important to find the security hole and plug it; otherwise it will happen again and again.
              No I haven't been messing with it at all. I replaced files when I upgraded, so they should be pretty fresh. The plugins I have are:

              Navtab menu for Gallery 1.00
              New Album Picture Forum Home 1.0
              Picture and Album Gallery 1.08
              Skimlinks Plugin 4.1.11
              vBH - Add new tabs 1.2 1.2
              VSa - Advanced Registration 2.0.1
              VSa - ChatBox 3.1.6

              If I can't get this figured out tonight, I'll definitely call my host tomorrow and see if they can help. I'm using servint.net as it was recommended here on the board when I was getting ready to set it up.

              (UPDATE: I put in a ticket with them just now.)

              Thanks... Any other ideas?

              • PirateTinman
                New Member
                • May 2009
                • 10
                • 3.8.x

                #8
                Where do you save attachments/avatars/signatures? (Database or file storage)
                And does your server allow .php files to be run in those folders? (Theoretically you would only want .php files to work in folders that contain them; any other folder should have them disabled by the php parser. That way no one can upload any scary stuff, since even an image can be a scary php file.)
                Tinman
                Main Attraction / Manager / Actor
                PirateTinman

                • felixxx999
                  New Member
                  • Jan 2010
                  • 17

                  #9
                  Originally posted by maksum
                  I would VERY much appreciate your help on this one. Once you go to my search.php page, all links forward to a Russian pharmacy web site. Very annoying. Obviously I was hacked or something. To see what I mean you can go to this page and then click a link:



                  I just upgraded to the latest version (4.1.11) but I still see it. I have downloaded search.php and compared it to a clean file from the latest download, and it's a match.

                  Can anyone help me figure out the next step to hopefully kill this thing? And prevent it from occurring again...

                  Thanks so much for whatever you can offer.

                  Mike
                  Any ideas? I'm hacked too...

                  my plugins:

                  "Automatic Tagger From Content and Title 4.4.0 Automatically adds tags to according to message content, title and already existing tags in forum.
                  GlowHost - Spam-O-Matic 2.0.2 Ultimate solution to defend against SPAM: Check new registrations from StopForumSpam database, auto moderate posts against custom word-list and Akismet service.

                  Post Thank You Hack 7.82 Post Thank You Hack

                  Separate Sticky and Normal Threads 4.0.1 Separate Sticky and Normal Threads

                  Skimlinks Plugin 4.1.11 Official Skimlinks plugin for vBulletin

                  VSa - ChatBox 3.1.6 VSa - ChatBox"

                  I haven't done any upgrades to the site for months except for playing around with some BB custom codes.

                  When I hit WHAT'S NEW it goes to the same site: drugs tab.ru exactly the same as cookie!

                  Tried using the default template (I don't know how to delete the old ones!) but it has the same results.

                  My site is www.backalleynoir.com -- my server is downtown hosts
                  Last edited by felixxx999; Wed 14 Mar '12, 6:00pm.

                  • maksum
                    New Member
                    • Apr 2010
                    • 14
                    • 4.0.0

                    #10
                    Originally posted by PirateTinman
                    Where do you save attachments/avatars/signatures? (Database or file storage)
                    And does your server allow .php files to be run in those folders? (Theoretically you would only want .php files to work in folders that contain them; any other folder should have them disabled by the php parser. That way no one can upload any scary stuff, since even an image can be a scary php file.)
                    Sorry, I'm not real savvy on some of this stuff. I am pretty good at following directions though. Do you know where in admin I go to see where these things are saved? I poked around but couldn't find it.

                    Likewise, not sure where to check on the server settings for those php settings.

                    Thanks - would really appreciate some help finding these.

                    Mike

                    • maksum
                      New Member
                      • Apr 2010
                      • 14
                      • 4.0.0

                      #11
                      Originally posted by felixxx999
                      Any ideas? I'm hacked too... ... it goes to the same site: drugstab.ru exactly the same
                      VERY good to know I'm not alone... makes it more likely we'll find a solution (hopefully.) Please keep us updated on this thread if you find a solution. Out of curiosity, do you also host with servint.net?

                      • PirateTinman
                        New Member
                        • May 2009
                        • 10
                        • 3.8.x

                        #12
                        Originally posted by maksum
                        Sorry, I'm not real savvy on some of this stuff. I am pretty good at following directions though. Do you know where in admin I go to see where these things are saved? I poked around but couldn't find it.

                        Likewise, not sure where to check on the server settings for those php settings.

                        Thanks - would really appreciate some help finding these.

                        Mike

                        Well, to figure out where things are stored just look in the left side bar for "Avatars" or "Attachments" then go to the "Storage Type" option; there you can see if it's in the database or in the file system.
                        Avatars should be on this page http://yoursitehere.com/admincp/avatar.php?do=storage
                        Attachments should be here: http://yoursitehere.com/admincp/attachment.php?do=storage

                        And to be honest, I have not done a lot of work with php parsers at all, and I am not sure if you have access to it (if you have a dedicated server you should have) I suggest talking with your host about that :/

                        EDIT:
                        hmm, think I meant HTML Server by the way, some examples can be Apache and nginx, I think in both of those you can choose where php files are to be executed.
                        Last edited by PirateTinman; Wed 14 Mar '12, 6:11pm. Reason: lol, put in my site as the URL, FIXED :D
                        Tinman
                        Main Attraction / Manager / Actor
                        PirateTinman
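                        The point raised above, that the web server should not execute .php files in the folders where attachments and avatars are written, looks like this in Apache configuration. This is an added example, not configuration from the post or from vBulletin: the directory path is a placeholder for whatever the Storage Type pages show on a given site, and it belongs in the virtual host configuration rather than in an .htaccess file inside the upload directory, since anything able to write there could otherwise overwrite the rule.

```apache
# Added hardening example (not from the post or from vBulletin):
# refuse to execute scripts in the directory where attachments or
# avatars are stored on disk. "/var/www/forum/attachments" is a
# placeholder; use the path shown under Admin CP -> Attachments /
# Avatars -> Storage Type for the site in question.
<Directory "/var/www/forum/attachments">
    # mod_php only: turn the PHP engine off for everything served here.
    # Remove this line when PHP runs through PHP-FPM instead.
    php_admin_flag engine off

    # Independent of how PHP is wired in: never serve script-like names
    # from this tree, whatever extension an uploaded file arrived with.
    <FilesMatch "\.(php|phtml|php[3-7]|phar|pl|cgi|sh)$">
        Require all denied
    </FilesMatch>

    # No CGI execution or server-side includes either.
    Options -ExecCGI -Includes
</Directory>
```

                        `Require all denied` is the Apache 2.4 form; on 2.2 the equivalent inside the FilesMatch block is `Order deny,allow` followed by `Deny from all`. The nginx equivalent is a nested `location ~ \.php$ { return 403; }` inside the location that serves the upload directory, placed before the site's general PHP handler so that the refusal wins. After changing either server's configuration, confirm that a harmless test file named `test.php` placed in the directory is refused or returned as plain text rather than executed, then remove it.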

                        • maksum
                          New Member
                          • Apr 2010
                          • 14
                          • 4.0.0

                          #13
                          Originally posted by PirateTinman
                          Well to figure out where things are stored just look in the left side bar for "Avatars" or "Attachments" then go to the "Storage Type" option, there you can see if its in the database or in the file system.
                          Avatars should be on this page http://yoursitehere.com/admincp/avatar.php?do=storage
                          Attachments should be here: http://piratetinman.com/admincp/atta...php?do=storage

                          And to be honest, I have not done a lot of work with php parsers at all, and I am not sure if you have access to it (if you have a dedicated server you should have) I suggest talking with your host about that :/
                          Cool, once they reply to my ticket I'll ask them about that. Thanks for pointing me in the right direction for those other items... Here's my status on those:

                          Attachments are currently being stored in the database
                          Images are currently being served from the database

                          Mike

                          • PirateTinman
                            New Member
                            • May 2009
                            • 10
                            • 3.8.x

                            #14
                            Originally posted by maksum
                            Cool, once they reply to my ticket I'll ask them about that. Thanks for pointing me in the right direction for those other items... Here's my status on those:

                            Attachments are currently being stored in the database
                            Images are currently being served from the database

                            Mike
                            Not sure if it would help any, but in many cases it is better to have them as files, though I am not sure if it has anything to do with the current situation. Some people are crafty, though, and if they have been able to make a php file look like an image and run that on your database, it's bad news, but it's very hard to tell :/
                            Tinman
                            Main Attraction / Manager / Actor
                            PirateTinman

                            • felixxx999
                              New Member
                              • Jan 2010
                              • 17

                              #15
                              my attachments and avatars also "are currently being stored in the database"

                              my server host is Downtown hosts so it sounds like we have different servers.