11-19-2012, 09:05 PM   #10
bmvw
Senior Member
 
Join Date: Apr 2006
Location: San Diego
Posts: 231

The hack originally came through SQL injection. The attacker got complete shell control of the account and altered all the PHP files with a script. The revised PHP files deliver ads, enhance the attacker's site's pagerank, etc.

The hacker also leaves a backdoor because the half-life of the hack is not usually that long and he may want to come back. You have probably uploaded replacement files by now. The backdoor provides him shell access to your site without having to look for another SQL injection vulnerability in vBulletin.

By creating a dummy PHP file and monitoring it, you can detect if he tries it again. The first thing he will do is run a script that alters all the PHP scripts on the site with his code.

Most hackers are inept "script kiddies" who Google for sites displaying markers of scripts with known vulnerabilities and run attacks that someone else discovered. They are looking to 1) deface your site for underground fame and glory (pretty rare, actually) or, more commonly, 2) subtly undermine your site while leaving the main functionality intact, for personal gain. It's unlikely he is going after cash or passwords, as there is no advantage to taking them on a non-ecommerce site.

Google automatically monitors sites, and the search results for compromised pages will display the link "this site may harm your computer". A lot of webmasters find out about the hack that way.
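The monitoring the post describes (a dummy PHP file watched for changes, plus noticing when every PHP script on the site gets rewritten at once) can be done with a small baseline-and-verify script run from cron. The following is an added example written for this thread, not code from the post's author or from vBulletin; the web root path `/var/www/forum`, the manifest name `php-baseline.json` and the canary file name `zz_canary.php` are assumptions you would replace with your own. Build the baseline once, right after uploading clean replacement files, then run the check periodically and let cron mail you whenever it exits non-zero.

```python
# Added example (not from the forum post): baseline/verify integrity check for a
# PHP web root plus a canary file, intended to run from cron. The web root path,
# manifest name and canary file name are assumptions.
import hashlib
import json
import os
from pathlib import Path

MANIFEST_NAME = "php-baseline.json"  # assumed name; store it outside the web root


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def php_files(webroot: Path):
    """Yield every *.php file under webroot as a POSIX-style relative path."""
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".php"):
                yield Path(dirpath, name).relative_to(webroot).as_posix()


def build_baseline(webroot: Path, manifest: Path) -> dict:
    """Hash every PHP file once, right after a clean reinstall, and save the result."""
    baseline = {rel: sha256_of(webroot / rel) for rel in php_files(webroot)}
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def check_baseline(webroot: Path, manifest: Path) -> dict:
    """Compare the current tree to the saved baseline.

    Returns {'modified': [...], 'added': [...], 'removed': [...]}.
    A mass rewrite of PHP files shows up as a long 'modified' list; a dropped
    backdoor file shows up under 'added'.
    """
    baseline = json.loads(manifest.read_text())
    current = {rel: sha256_of(webroot / rel) for rel in php_files(webroot)}
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def canary_tripped(webroot: Path, manifest: Path, canary: str = "zz_canary.php") -> bool:
    """The dummy file the post suggests: any change to it means the rewrite script ran again."""
    baseline = json.loads(manifest.read_text())
    if canary not in baseline:
        raise KeyError(f"{canary} is not in the baseline; create it before building the baseline")
    path = webroot / canary
    return (not path.exists()) or sha256_of(path) != baseline[canary]


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline [webroot]   or   integrity.py check [webroot]
    root = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("/var/www/forum")  # assumed path
    manifest = root.parent / MANIFEST_NAME
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        print(f"hashed {len(build_baseline(root, manifest))} PHP files into {manifest}")
    else:
        report = check_baseline(root, manifest)
        print(json.dumps(report, indent=2))
        if canary_tripped(root, manifest) or any(report.values()):
            sys.exit(1)  # non-zero exit so cron mails the report
```

Keep the manifest outside the web root (and ideally off the host entirely), since an attacker with shell access can rewrite a manifest that sits next to the files it protects. A legitimate vBulletin upgrade will also show up as a long "modified" list, so rebuild the baseline immediately after each upgrade.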