How to fix a hacked vBulletin forum

Do you run a forum powered by vBulletin? Have you recently been the victim of a hacking attack on your site which has compromised user access, as well as their data? Read on for advice on how to not only fix your hacked vBulletin forum, but also how to harden it to further hacking incidents.

So you run a forum powered by vBulletin, it could be for a variety of things. Business purposes, one which focuses on a hobby, or perhaps a combination of the two. Things are going ‘swimmingly’ (that’s an english colloquialism for ‘very well’), plenty of people are posting and it is thriving with a high user and individual poster account. You update your vBulletin forum on the most rudimentary basis, ensuring that things keep ticking over rather well. You’re privately chuffed with yourself (another colloquialism in use here, for being happy with oneself), and give yourself an imaginary pat on the back.

All seems to be going well until some day you notice some strange behaviour on your forum not just on the user side, but also the backend. Not only has your site been defaced, but someone has posted the account details of your users on PasteBin where they are there for the world to see. Sure the passwords are all hashed (this is the ‘hash’ #), so they can’t be seen, but by brute-force attacks they can and will be unearthed and shared. It’s the stark and often harsh reality of being online and running your own website. A quick internet search shows you that this is all too common an occurrence.

But how did they get in? You ask yourself. It could be a number of reasons, passwords are not strong enough, or even a plugin exploit. Regardless, in this instance the hacker has managed to gain access and change your vBulletin forum with a malicious SQL injection code, and you need to regain control and clean house.

If your site is hacked, you will need to perform a scan and see exactly where you have been compromised. This is the bit where I advise you to take a momentary breather... or rather to advise you on the next steps to take. 

  1. Download the simple to use exploit scanner from HERE (LINK: www.fixhacked.com free-website-scanner/). This creates a vBulletin specific file which will download to your computer. 
  2. Upload this to your vBulletin forum AdminCP, it works exactly like installing a third-party addon. 
  3. Activate the scanner, and let it do all the work of scanning your files. Initially there may be a slight impact to the website speed, but in the long run it will resolve the issues you have. 
  4. Following the scan, we tell you which files are corrupted and which could be exploited. Providing you with a solution to any exploitation issues you may have. 

Now you can get to work on fixing all of the issues present with your vBulletin forum.

By following the steps below you regain control not only of your hacked vBulletin forum, but you can also repair all of the damage caused and harden it against further attacks. It is an extreme route to take, but sometimes it is better that you eradicate all threats in one fell swoop rather than having to continually put out fires that pop up. Nothing will ever make you totally secure and free from every threat, but it’s always advised you take every precaution or responsive action available to you.

Step 1 - Change All Your Login/Access Passwords

If you believe or have irrefutable proof that your vBulletin forum has been defaced or even hacked, then you need to change all of your passwords. This means all the FTP/SFTP/SSH/cPanel/MySQL and email passwords (especially important if you were using SMTP for your vBulletin).

These initial steps make it much harder for a hacker to get back in once you have eradicated all the mess the hackers have created and restored some semblance of normality. It’s also recommended that you change your vBulletin login at some point, although as a rule it’s recommended you wait until you are sure the hackers cannot gain access again. If you need help in changing any of these things in the initial process, you can always contact your web host for advice on how to implement the necessary changes. However your vBulletin login details would need to be changed by you, the web host could not help here.

Step 2 - Restore The Default vBulletin Files

Now you have changed your passwords, you can go about restoring your vBulletin forum files to a safer state, the default files. This will purge any plugins you’ve previously had installed and reset your vBulletin forum back to its ‘vanilla-state’ essentially.

Login to the ‘Members Area’ and download a copy of the vBulletin software, or the latest stable version of your software. It’s always advised you keep on top of updating the software versions of your vBulletin software not only to add new features, but to plug new security holes, especially due to the increasing sophistication of the hacks on the platform over the years.

For more help on your specific software version click on the following links:

Extract the .zip file, and upload the contents of the folder. Make sure you delete the /install/ folder, if you’re not upgrading or after you’ve updated. This is often used as a ‘backdoor’ by hackers and removing this now removes that opportunity.

Now that you have uploaded all the files you need to make some adjustments, add the following line to your includes/config.php file:

[code]
define("DISABLE_HOOKS", true);
[/code]

Inserting this code shutsdown the plugins, by doing this you can then prevent a hacker gaining access to your admin control panel (AdminCP) login. This is a precautionary step taken just incase anything malicious was inserted by the hackers initially and can no longer be exploited. It will be deleted later in the process, but essentially takes your vBulletin forum ‘offline’ until you have resolved the issues present.

After this change your admin login password. If you can’t access your admin control panel follow the the instructions on step 3 to gain this back.

Step 3 - Recovering Admin Access

In some instances the hacker will remove your admin rights and access, you can restore this access to the AdminCP via the tools.php.

Upload the tools.php to the AdminCP (vB3/vB4), or core/AdminCP (vB5) folders and go to: http://www.myvbulletinforum.com/forumfolder/admincp/tools.php

Once here enter your ‘customer number’ (you would have this from when you set up your account initially), then to reset ‘admin access’ enter ‘your username’.

If you can’t gain access this way, setup a ‘new user account’ and promote that to ‘administrator privileges’. 

Step 4 - Rollback To An Earlier Version

If the damage to your vBulletin forum is too much, you may have to roll back to a backup version previous to the hack occurring, which let’s be blunt is a bit of a ballache. Hopefully you have regular backups of your site, if you don't you can always contact your web host for a backup. This may not be comprehensive however and you may lose some data in the process.

Restore the database with a ‘new name’, ‘database username’ and ‘password’. This will ensure that the exploits that affects your previous database will not carry over and essentially create a new start. If you’re using third-party files follow the steps listed in step 2 as a means of reimplementing them and re-upload the default files.

It is advised that you also check the files that are in your vBulletin directory, make sure that you do not leave any backdoors such as the /install/ file. Your web host can help with advice on doing this, so it’s always good to ask them for help in this regard. If you are stuck at any point on this you can always contact an Expert who can provide insight and clarification on this.

Step 5 - Remove Unknown Files And Plugins

As a rule it is always good to vet the files in your directory and audit those you are not sure about. vBulletin AdminCP has an inbuilt tool that can scan your directories for unknown or mismatched files. If something stands out as not belonging chances are it may not belong. So be vigilant and get rid.

Take the same approach to your plugins. These will all be third-party addons, added by an administrator. vBulletin does not have plugins as a default and any plugins will have to be added by the user or through a third-party. 

Under vBulletin Products on the “AdminCP” > “Products and Plugins” > “Plugin Manager”, disable the plugins and review each one before reenabling. If you’re sure of what each plugin does you can reenable it, if you’re unsure it’s best not to activate it. If you’re still not sure you can always ask in the vBulletin forums or by opening a ticket and asking for support there.

Step 6 - Final Checks And Prevention

In the final stages, you are almost ready to ‘go live’ once more. Before you do you will need to check your ‘Templates’, ‘Notices’ and ‘Announcements’, and the ‘Ads’ . If hackers had gained access they would no doubt have changed some of these… so it’s best to check to be sure.

To check your ‘Templates’ it’s probably easiest to insert a ‘New Style’, you can do this fairly simply by going to the AdminCP > Styles & Templates > Style Manager > Add New Style. Following this go into Settings > Options > Style & Language Settings and set as the new ‘Default’, you can then make adjustments as necessary. It’s long and laborious but once it’s done everything is that much easier.

Next, check your notices, AdminCP > Notices > Notice Manager, make sure everything looks how you want it to, or how it used to look. Apply the same approach to each other section.

AdminCP > Announcements > Announcement Manager, and so on.

Now you need to check your Ads… AdminCP > Ads > Ad Manager, making sure all of the ads still have your original Ad code in them. This is another place where an SQL injection from a hacker can mess up things for you down the line, they’re sneaky bastards like that.

Finally, you want to do a quick review of your usergroup permissions, and user titles: AdminCP > Usergroups > Usergroup Manager. You will need to edit each usergroup and double check their permissions. Then check the user titles, AdminCP > Users Titles > User Title Manager. You also need to make sure you check the ranks of your users, AdminCP > User Ranks > User Rank Manager.

Once you have followed all these steps you need to do one more thing to make sure that your vBulletin forum goes live. You need to secure your site via htaccess, or other methods to available from your web host, two-factor authentication where available should be utilised in all instances. 

Now you need to ensure that the exploit scanner you used earlier is reinstalled and scanning your files and folders for any more malicious code that may still be present, or any that may crop up in the future. If at any point of this process you are unsure about what to do you can always contact and Hire an Expert to assist you with this.

Earlier on in the process you inserted some code to deactivate the vBulletin forum and took it offline to repair the damage caused.

Remove the following code from your config.php file to make sure everything goes back online.

[code]
define("DISABLE_HOOKS", true);
[/code]

There you have it… you are now back online.

It is a lengthy process, and perhaps an OTT (over-the-top) approach to take, but it is one which will resolve the issues you may have and set you up for a smoother experience going forward. Hackers will always be there wafting around like a fart in the wind, but by remaining vigilant, taking advantage of solid security solutions and by continual monitoring of your vBulletin board with the fix hacked exploit scanner, you will be in much safer hands.

If you are unsure of what to do following a scan of your vBulletin forum or during this reparatory process, you can always contact one of our Experts who can assist you with fixing any problems you may have and exactly how to remove the malware that has infected your vBulletin forum. 

Until next time. 

Try FixHacked for free for one month

Try our free scanner!

Hire an Expert

I need an Expert

Livechat

Chat with us and find out what you need to know!

Start livechat