How to fix a hacked vBulletin forum?

Know how to protect yourself from a vBulletin forum hack

Do you run a vBulletin-powered forum? Has your website recently been the target of a hacking attack that compromised user access as well as user data? For tips on how to patch your hacked vBulletin forum and how to harden it against further hacking incidents, read on.

So you are running a vBulletin-powered platform. It may be for a lot of things: company reasons, a hobby, or maybe a blend of the two. Things are going ‘swimmingly’ (that’s an English colloquialism for ‘very well’), tonnes of people are posting and a strong base of users and individual posters is flourishing. On the most basic level, you refresh your vBulletin page and see that things keep ticking up very well. You’re privately chuffed with yourself (another colloquialism, used here for being pleased with yourself), and give yourself an imaginary pat on the back.

All seems to be going well until one day you find some odd activity, not only on the user side but also on the backend of your forum. Not only has your site been defaced, but somebody has posted your users’ account information on PasteBin, where it is there for the world to see. Sure, all passwords are hashed, so they can’t be read directly; however, they can and will be exposed and spread through brute-force attacks. It’s the simple and sometimes hard truth of running your own website and being online. A quick search on the internet shows you that this is an all too common phenomenon.

But how did they get in? You ask yourself this question. It could be a variety of factors: passwords that are not strong enough, or even an exploitable plugin. Regardless, in this case the hacker has managed to gain access and change your vBulletin forum with malicious SQL injection code, and you need to get back control and clean house.

If your account has been hacked, you’ll need to check exactly where you were compromised. This is the part where I suggest that you take a momentary breather, and let the steps below guide you on what to do next.

  1. Download the easy-to-use exploit scanner HERE (LINK: free-site-scanner/). This generates a special vBulletin file that is downloaded onto your computer.
  2. Upload this file to your vBulletin AdminCP; the process works just like adding a third-party add-on.
  3. Trigger the scanner and allow it to search all the way through your files. It may have a small effect on the speed of the website, but in the long run it will solve the problems you have.
  4. After the scan, we’ll tell you which files are compromised and which files can be manipulated, and provide you with a solution to any problems you might have with manipulation.
  5. Now you can get to work with your vBulletin community to solve all of the problems present.

By following the steps below you will regain control of your hacked vBulletin forum, repair the damage caused and harden it against further attacks. It’s a drastic route to take, but sometimes it’s better to eliminate all risks in one fell swoop instead of constantly having to put out fires that pop up. Nothing can ever render you completely safe and free from every danger, but it’s still advisable to take every precaution or action at your disposal.

Step 1 – Change All Your Login/Access Passwords

If you suspect, or have irrefutable evidence, that your vBulletin website has been defaced or even breached, then you need to update all of your passwords. This means all the passwords for FTP / SFTP / SSH / cPanel / MySQL and email (especially if you used SMTP for your vBulletin).

These initial measures make it much more difficult for a hacker to get back in while you clean up the chaos the hackers created and restore some sort of normality. It’s also suggested that you update your vBulletin password at some point, but in general it’s suggested that you wait until you’re sure the hackers won’t be able to get in again. If you need assistance in the initial process of changing any of these items, you can always contact your web host for guidance about how to make the required changes. You will need to update your vBulletin login information yourself, though; the web host can’t help with that.

Step 2 – Restore The Default vBulletin Files

Now that you have changed your passwords, you can restore your vBulletin forum files to a more stable state: the default files. This will uninstall any plugins you have already installed and effectively reset your vBulletin forum back to its ‘vanilla state.’

Log in to the ‘Members Region’ and download a copy of your vBulletin version, or the latest stable software update. It is always advised that you keep your vBulletin updated to the latest version, not only to add new features but also to plug new security holes, particularly as the hacks on the platform have become increasingly sophisticated over the years.

Click the links below for more support on your particular version of the software:

VB5: Manual Release=50004601

VB4: Official version=40201500

VB3: Directed version=30807603

Extract the file and upload the folder contents. Make sure that you delete the /install/ folder if you are not upgrading or updating. Hackers also use this folder as a ‘backdoor,’ and removing it now eliminates that chance.

Now that all the files you need to make any changes have been uploaded, add the following line to your includes/config.php file:

[code]
define('DISABLE_HOOKS', true);
[/code]

Adding this code shuts down the plugins, which can then prevent a hacker from logging in to your AdminCP control panel. This is a precautionary measure, taken in case the hackers originally introduced something malicious, so that it can no longer be exploited. The line will be deleted later in the process, but until then it effectively takes your vBulletin forum ‘offline’ while you resolve the present issues.

After that, change your password for the admin account. If you are unable to reach your admin control panel, follow the instructions in Step 3 to restore access.

Step 3 – Recovering Admin Access

In certain instances the hacker will have revoked your admin privileges and access. You can restore this access to the AdminCP through tools.php.

Upload tools.php to the AdminCP directory (vB3 / vB4), or core/AdminCP (vB5), and go to:

Once there, enter your ‘customer number’ (you will have this from the time you initially set up your account), then enter your username to reset ‘admin control.’

If this still does not let you in, set up a new user account and promote it to administrator privileges.

Step 4 – Rollback To An Earlier Version

If the harm to your vBulletin forum is too great, you may need to roll back to a pre-hack backup version, which is a bit of a ballache, let’s be honest. Hopefully you have daily backups of your site; if you don’t, you always have the option to contact your web host for a backup. However, this may not be exhaustive and you may lose some data in the process.

Restore the database with a new name, a new database username and a new password. This ensures that the problems affecting the previous database are not carried forward and effectively establishes a new beginning. If you use third-party files, follow the steps described in Step 2 to re-implement and re-upload the default files.

It’s suggested that you also search the files in your vBulletin directory and make sure you don’t have any backdoors like the /install/ folder. Your web host can assist with suggestions here, so it’s always worth asking them for guidance in this regard. If you’re stuck on this at any point, you can always contact an expert who can provide guidance and clarity.

Step 5 – Remove Unknown Files And Plugins

As a rule, checking the files in your directory and auditing the ones you’re not sure of is always a good idea. The vBulletin AdminCP has a built-in feature that can search your directories for missing or incomplete data. If something sticks out as not belonging, it probably doesn’t belong. So watch out, and get rid of it.

Take the same approach for plugins. These will all be add-ons from third parties, added by an administrator. vBulletin does not ship with default plugins; any plugins must have been added by the user or by a third party.

Under “AdminCP” > “Tools and Plugins” > “Plugin Manager” in the vBulletin software, disable the plugins and check each one before re-enabling it. If you are sure what a plugin is doing you can re-enable it; if you are uncertain, it is best not to enable it. If you’re still unsure, you can always ask for help in the vBulletin forums or by opening a ticket there.
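The file audit from Steps 2 and 5 can also be done outside the forum by comparing the live directory against a freshly extracted copy of the same vBulletin version. The script below is an added example, not part of the original article or of vBulletin; the function names, the `site_files` parameter and the two directory arguments are hypothetical, and it assumes the config file lives at includes/config.php as described in Step 2.

```python
import hashlib
import re
import sys
from pathlib import Path

HOOKS_RE = re.compile(r"define\(\s*['\"]DISABLE_HOOKS['\"]\s*,\s*true\s*\)", re.I)

def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(clean_root, live_root, site_files=("includes/config.php",)):
    """Compare the live forum tree against a freshly extracted vBulletin package.

    site_files (hypothetical parameter) lists files that legitimately exist only
    on the live site, such as the config file you edit by hand.
    """
    clean, live = manifest(clean_root), manifest(live_root)
    cfg = Path(live_root) / "includes" / "config.php"  # path as given in Step 2
    cfg_text = cfg.read_text(errors="replace") if cfg.is_file() else ""
    return {
        # Present on the server but not shipped in the package: review or remove.
        "unknown": sorted(f for f in live if f not in clean and f not in site_files),
        # Shipped file whose content differs: re-upload the default copy.
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        # Shipped file absent from the server (install/ is meant to be deleted).
        "missing": sorted(f for f in clean
                          if f not in live and not f.startswith("install/")),
        "install_present": any(f.startswith("install/") for f in live),
        # True while the DISABLE_HOOKS line from Step 2 is still in config.php.
        "hooks_disabled": bool(HOOKS_RE.search(cfg_text)),
    }

if __name__ == "__main__":
    # Usage: python audit_vb.py /path/to/extracted-package /path/to/live-forum
    report = audit(sys.argv[1], sys.argv[2])
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit when anything needs attention, so it can run as a scheduled job.
    sys.exit(1 if report["unknown"] or report["modified"] or report["install_present"] else 0)
```

Directories that hold user uploads will show up under `unknown`; review them by hand, and treat any script file found there as suspect.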

Step 6 – Final Checks And Prevention

In the final stages, you are almost able to ‘go live’ once again. Before you do that, you must review your ‘Templates,’ ‘Notices,’ ‘Announcements’ and ‘Ads.’ If hackers obtained access, they will almost certainly have modified some of these, so it is best to check just to be sure.

It’s probably best to introduce a ‘Fresh Type’ to review your ‘Templates’; you can do this very easily by going to AdminCP > Styles & Templates > Add Fresh Type Manager. After that, go to Settings > Options > Style & Language Settings and set it as the new ‘Default’ option; you can then make changes as needed. It’s long and laborious, but it’s all so much simpler once it’s done.

Next check your notes under AdminCP > Notes > Note Manager and make sure they look like what you want them to look like, or how they looked before. Apply the same approach from one section to the next: AdminCP > Releases > Release Manager, and so on.

Now you need to check your Ads under AdminCP > Ads > Ad Manager to make sure that all ads still contain your original ad code. This is another spot where a hacker’s SQL injection will screw up stuff down the line for you; they’re kind of sly bastards.

Finally, the user group permissions and account names can be checked quickly under AdminCP > User Groups > User Group Manager. Each user group would need to be updated and its permissions double-checked. Then check the user names under AdminCP > User Title Manager. You must also be sure to verify your users’ levels under AdminCP > User Levels > User Rank Manager.

After all these measures you need to do one more thing before your vBulletin forum goes online. You need to use htaccess or other methods from your web host to protect your site, and two-factor authentication should be used in all cases where appropriate.

Now you have to make sure that the exploit scanner you used earlier is installed again and that your files and directories are searched for any malicious code that might still be present, or any that may pop up in the future. If you are confused about what to do at any point in this process, you can always contact and recruit an expert to help you with this.

Earlier in the process you added some code to deactivate the vBulletin site, taking it offline while you repaired the damage caused.

Delete the following code from your config.php file to bring it back online.

[code]
define('DISABLE_HOOKS', true);
[/code]

You got it … now you’re back online.

It’s a lengthy process, and maybe an OTT (over-the-top) approach to take, but it’s one that will fix the problems you might have and set you up for a smoother future experience. Hackers will still be there wafting about like a fart in the wind, but you’ll be in much safer hands by staying vigilant, taking advantage of solid security solutions and constantly monitoring your vBulletin board with the exploit scanner.

If you are uncertain about what to do after testing your vBulletin forum or during this repair process, you can always contact one of our experts, who will help you address any issues you might have and show you exactly how to delete the malware that has infected your vBulletin forum.