Hacked 11/13/2012


1996 328ti
11-17-2012, 10:43 PM
The database was hacked on 11/13/2012.
So far the only thing I noticed was that a plugin was installed adding 3 banner ads in the header using their pub id.
And one file was edited.
I haven't noticed anything else odd.
Doubt they were looking to do anything else other than to generate some revenue.

If anyone notices anything odd, please let me know.

cooljess76
11-18-2012, 02:32 AM
uh oh...

wolferj-RIP
11-18-2012, 03:34 AM
That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary.

Should we change our access passwords or something like that as a precaution?

1996 328ti
11-18-2012, 03:48 AM
That's a bummer, hope it all works out. I'm not seeing anything out of the ordinary.

Should we change our access passwords or something like that as a precaution?

I wouldn't worry about passwords. They are encrypted.
The hacker inserted his own adsense publisher code for the banner ads.
Even if I'd edit the template a cron job would change it back every 5 minutes.

I've managed to extract 1 row of a table from a backup earlier in the week.
It's a table that keeps track of plugins. I haven't added anything so it shouldn't have changed in several months.

The banner hasn't changed yet. There is a dot to the right of the banners to tell me that nothing has changed.

There is just one more thing I need to hunt down.
When I revert a template it reinserts the hacker's code in the template.

1996 328ti
11-18-2012, 04:04 AM
The site may be down for a little while while PHP is updated.
Hopefully it doesn't break anything.

bmvw
11-18-2012, 06:19 AM
It is very important to look for the backdoor!

Look thru the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile.

Also, htaccess ban the offending IP ranges.
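The log-correlation step bmvw describes (use the modification time of the altered PHP files to find the POST that preceded it, then look for POSTs to file names that are not part of the forum) can be scripted. The following is an added example written for this thread, not code from the forum or from vBulletin; the log lines, IP addresses, paths and timestamps are constructed, and the KNOWN_SCRIPTS set and ALTERED_FILES mapping are assumptions the reader replaces with their own site's script names and `os.stat()` mtimes.

```python
"""Correlate altered PHP files with POST requests in a web server access log.

Added example (not from the thread): given the modification times of PHP
files the hacker altered, look in an Apache combined-format access log for
POST requests made shortly before each modification, and flag those that
hit file names outside the forum's known script set.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. The sample lines below are constructed for
# this example; the IPs, paths and timestamps are not from the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 - - [13/Nov/2012:03:10:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [13/Nov/2012:03:10:45 +0000] "POST /forum/misc.php?do=page HTTP/1.1" 200 311
198.51.100.23 - - [13/Nov/2012:03:11:12 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8891
203.0.113.7 - - [13/Nov/2012:03:12:30 +0000] "POST /forum/images/x1.php HTTP/1.1" 200 44
203.0.113.7 - - [13/Nov/2012:03:12:58 +0000] "POST /forum/images/x1.php HTTP/1.1" 200 44
192.0.2.9 - - [13/Nov/2012:09:00:00 +0000] "POST /forum/login.php?do=login HTTP/1.1" 302 0
"""

# Scripts the forum legitimately serves (assumed list); a POST to any other
# script name is the "odd-named file" to look for.
KNOWN_SCRIPTS = {"index.php", "showthread.php", "login.php", "misc.php", "newreply.php"}

# Modification times of the altered files, as you would get from os.stat().
# Constructed values for the example.
ALTERED_FILES = {
    "/var/www/forum/includes/class_core.php": datetime(2012, 11, 13, 3, 13, 5, tzinfo=timezone.utc),
}


def parse_log(text):
    """Yield a dict per parseable log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        # Drop the query string and keep only the script's base name.
        rec["script"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        yield rec


def suspicious_posts(log_text, altered, window_seconds=600, known=KNOWN_SCRIPTS):
    """POSTs to unknown scripts made within window_seconds before an altered file's mtime."""
    window = timedelta(seconds=window_seconds)
    records = list(parse_log(log_text))
    hits = []
    for path, mtime in altered.items():
        for rec in records:
            if rec["method"] != "POST" or rec["script"] in known:
                continue
            if mtime - window <= rec["ts"] <= mtime:
                hits.append({"ip": rec["ip"], "path": rec["path"], "ts": rec["ts"], "altered": path})
    return hits


def source_ips(hits):
    """Distinct client addresses behind the suspicious POSTs, for review or blocking."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG, ALTERED_FILES)
    for h in found:
        print(f"{h['ts']:%Y-%m-%d %H:%M:%S} {h['ip']} POST {h['path']} (before change to {h['altered']})")
    print("candidate IPs:", source_ips(found))
```

On the constructed log the script reports the two POSTs to `/forum/images/x1.php` a few minutes before `class_core.php` was modified, and `source_ips()` gives the single address behind them, which is the input for the htaccess deny rule bmvw mentions. The window is deliberately a parameter: with only 24 hours of logs retained (as the site owner notes below), a wide window over a short log is the usual trade-off.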

1996 328ti
11-18-2012, 12:16 PM
It is very important to look for the backdoor!

Look thru the logs for a POST to an odd-named file. The datestamp on the altered PHP files will help you find it in the raw logfile

also, htaccess ban the offending IP ranges

My logs are only for 24 hrs.

bmvw
11-19-2012, 03:01 AM
Monitor your site with changedetection.com. Make a 0-byte php file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.

1996 328ti
11-19-2012, 07:20 PM
Monitor your site with changedetection.com. make a 0-byte php file in your main directory and monitor it. You'll get the alert within 24 hours and track them down.

Don't see how that will help. :confused:
The hacker may have used the garage to gain access to the database.
It's still troubling that one of the vBulletin files was edited.

bmvw
11-19-2012, 09:05 PM
The hack originally came thru SQL injection. The attacker got complete shell control of the account and altered all the php files with a script. The revised php files deliver ads, enhance the attacker's site's pagerank, etc.

The hacker also leaves a backdoor because the half-life of the hack is not usually that long and he may want to come back. You probably uploaded replacement files by now. The backdoor provides him shell access to your site, without having to look for another SQL injection vulnerability in vBulletin.

By creating a dummy php file and monitoring it, you can detect if he tries it again. The first thing he will do is run a script that alters all the php scripts on the site with his code.

Most hackers are inept "script kiddies" who Google for sites displaying markers to scripts with known vulnerabilities and run attacks that someone else discovered. They are looking to 1) deface your site for underground fame and glory (pretty rare actually) or more commonly 2) subtly undermine your site while leaving main functionality for personal gain. Unlikely he is going after cash or passwords as there is no advantage to taking them on a non-ecommerce site.

Google automatically monitors sites, and the search results for compromised pages will display the link "this site may harm your computer". A lot of webmasters find out about the hack that way.

1996 328ti
11-19-2012, 10:51 PM
If he replaced the single banner ad I never would have noticed until next month.
There doesn't seem to be any other files that changed.

bmvw
11-20-2012, 03:51 AM
Sounds good, please let Google know of the attack and give them the adsense publisher's ID

http://adsense.google.com/support/bin/request.py?contact_type=unauthorized_code

1996 328ti
11-20-2012, 01:06 PM
Sounds good, please let Google know of the attack and give them the adsense publisher's ID

http://adsense.google.com/support/bin/request.py?contact_type=unauthorized_code

I already did but I used the feedback form.
I'll use this one too. Thanks!

I've been going through all my files to see if any have been added or changed on 11/13.
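Both the 0-byte canary file bmvw suggests monitoring and the manual pass over every file to see what changed on 11/13 come down to the same check: a recorded baseline of the PHP tree compared against its current state. Below is an added example for this thread (not code from the forum, vBulletin or changedetection.com) that does that locally: it hashes every `.php` file under a web root, diffs a later snapshot against the baseline, and confirms the canary file is still empty. The file names `canary.php` and `x1.php`, the directory layout and the injected text are constructed for the demo.

```python
"""File-integrity baseline for a PHP web root, with a zero-byte canary file.

Added example (not from the thread): record size and SHA-256 for every .php
file under a directory, then compare a later snapshot against it to report
added, removed and changed files. A zero-byte canary (assumed name
canary.php) is included so that a script that rewrites every PHP file on
the site trips the check even after the real files have been restored.
"""
import hashlib
import os
import tempfile

CANARY_NAME = "canary.php"  # assumed name; any unused .php file name works


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (size, sha256) for every .php file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            snap[rel] = (os.path.getsize(full), sha256_of(full))
    return snap


def compare(baseline, current):
    """Sorted lists of relative paths that were added, removed or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def canary_intact(root, name=CANARY_NAME):
    """True if the canary file exists and is still zero bytes."""
    path = os.path.join(root, name)
    return os.path.isfile(path) and os.path.getsize(path) == 0


def demo():
    """Constructed web root: take a baseline, simulate a mass rewrite, then diff.

    Returns (diff, canary_ok) so the outcome can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        files = {
            "index.php": "<?php echo 'forum'; ?>",
            "includes/class_core.php": "<?php class Core {} ?>",
            CANARY_NAME: "",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = snapshot(root)
        canary_before = canary_intact(root)

        # Simulate what the thread describes: a script that appends its own
        # code to every PHP file and drops one extra file. The appended text
        # is a placeholder, not real injected code.
        for rel in baseline:
            with open(os.path.join(root, rel), "a") as f:
                f.write("\n<?php /* INJECTED PLACEHOLDER */ ?>")
        with open(os.path.join(root, "x1.php"), "w") as f:
            f.write("<?php /* DROPPED FILE PLACEHOLDER */ ?>")

        diff = compare(baseline, snapshot(root))
        return diff, canary_before, canary_intact(root)


if __name__ == "__main__":
    diff, before, after = demo()
    print("canary intact before:", before, "after:", after)
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
```

Run against a real web root you would call `snapshot()` once after restoring clean files, keep the result somewhere the web server cannot write (off the host is best), and rerun `compare()` from cron; any non-empty list, or `canary_intact()` turning false, is the alert. An external monitor such as the changedetection.com service bmvw mentions only sees what the web server returns for the canary URL, so the local hash comparison catches edits that do not change the served output.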

anthony318ti
11-20-2012, 04:44 PM
Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.

1996 328ti
11-20-2012, 05:27 PM
Sounds like a standard database inject. Find the exploit and lock it up for future attacks. But I would say site admins are doing a wonderful job at keeping this forum alive this long with all the bad people out there with itchy fingers.

Admins. :)
It's just me.
I have one mod that restricts registrations from spammers.
There are attempts every minute of the day. Literally.