5 05 2011
Fixes for vbulletin forums hacked by Team Animus
A lot of vBulletin forums were hacked recently through a flaw in the Advanced Forum Rules modification.
You can read all about it here: http://www.vbulletin.com/forum/showthread.php/379072-Site-hacked-can-someone-please-help
This is not a flaw in vBulletin itself; only boards running the Advanced Forum Rules mod are affected.
vBulletin user vktechnology has posted some good instructions on how to clean up the initial damage (posted below). However, you also need to look in /includes and /includes/xml for a file called vba.php or vbf.php. It is a PHP script 'encoded' with eval(base64_decode(...)) that is basically a hack tool: it lets the attacker view your server configuration and browse your files, among other things. If you want to see what it looks like, visit it in your browser.
It is important to note that a lot more damage could have been done to the affected boards, so that is something to be thankful for.
Here are the instructions for removal. Some steps may not be needed for your board (for example, not all forums were turned off). Make sure you look for vba.php and vbf.php.
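As an added example (not part of the original post or of vktechnology's instructions), the following Python script does the "look for vba.php and vbf.php" check from the shell instead of by hand. It walks a vBulletin install, flags the dropped file names mentioned in this post and its comments (vba.php, vbf.php, z.php, mod5_cod.php), and also scans every .php file for the eval(base64_decode( loader and the 'Hacked by Team Animus' defacement string, so a renamed copy of the tool is still caught. It goes beyond the post in scanning the whole tree rather than only /includes and /includes/xml. The sample tree it builds is constructed dummy data; the base64 payload in it is meaningless filler.

```python
import os
import re
import tempfile

# File names called out in the post and in the comments below it as dropped into /includes.
SUSPICIOUS_NAMES = {"vba.php", "vbf.php", "z.php", "mod5_cod.php"}

# Content patterns: the obfuscated loader the post describes, and the defacement string.
CONTENT_PATTERNS = {
    "eval(base64_decode(...)) loader": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "defacement string": re.compile(rb"Hacked by Team Animus"),
}


def scan_tree(root):
    """Walk a vBulletin root and return sorted (relative_path, reason) findings.

    Known dropped file names are reported wherever they appear; every *.php file
    is additionally content-scanned, so a renamed copy of the tool is still found.
    Paths are returned with forward slashes regardless of platform.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in SUSPICIOUS_NAMES:
                findings.append((rel, "known dropped filename"))
            if not name.endswith(".php"):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            for reason, pattern in CONTENT_PATTERNS.items():
                if pattern.search(data):
                    findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed, vBulletin-like directory tree (dummy data) for a dry run."""
    root = tempfile.mkdtemp(prefix="vb_scan_")
    os.makedirs(os.path.join(root, "includes", "xml"))
    files = {
        # clean-looking files that must not be flagged
        os.path.join("includes", "functions.php"): b"<?php\nfunction clean() { return 1; }\n",
        os.path.join("includes", "xml", "bitfield_vbulletin.xml"): b'<?xml version="1.0"?><bitfields/>',
        # defaced front page (index.php files were overwritten in this attack)
        "index.php": b"<html><body>Hacked by Team Animus</body></html>",
        # dropped tool: known name AND obfuscated loader (payload is meaningless filler)
        os.path.join("includes", "vba.php"): b"<?php eval(base64_decode('QUJDRA=='));",
        # renamed copy: innocuous name, content still matches the loader pattern
        os.path.join("includes", "xml", "cache.php"): b"<?php\neval ( base64_decode ( $x ) );",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    # Point scan_tree() at your real forum root instead of the sample tree when cleaning up.
    sample_root = build_sample_tree()
    for rel, reason in scan_tree(sample_root):
        print(f"{rel}: {reason}")
```

Run it against the forum root on the affected server (for example `scan_tree("/var/www/forum")`) and review each hit before deleting anything; a clean vBulletin install should produce no hits, while the defaced index.php and the dropped tool show up with the reason that matched.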
Instructions for removing "Hacked by Team Animus"
1) Restore files
Download the latest vBulletin from vbulletin.com. You will need to replace the index.php files, as they have been overwritten.
Find these files and delete or replace them.
2) Reset login to admin cp
If you are locked out of your admin CP, upload tools.php to admincp to reset your admin login.
3) Log in to the admin CP, disable the Cyb rules mod and install the new version. Do not forget to overwrite the old files.
4) Run these queries on your database (use phpmyadmin etc)
All user titles have been overwritten with 'Hacked by Team Animus'; run these queries to clear that.
UPDATE user SET usertitle = '' WHERE usertitle = 'Hacked by Team Animus';
UPDATE user SET customtitle = '0' where customtitle = '1';
5) Delete user id 13371337
This is the administrator user 'Team Animus' that the attack created.
6) Reset AUTO INCREMENT
This step is optional. A user called "Team Animus" will have been created with the ID 13371337, which means that all future users will get an ID greater than this number and may make your board look unbalanced. Using a tool like phpMyAdmin, go to the 'user' table, click Operations and reset your auto increment value.
A problem occurs if legitimate users have registered after the hack: their user IDs will be 13371338 and so on, and the auto increment cannot drop below an ID that still exists in the table. You may want to ask these users to re-register after you reset the auto increment.
7) Go to admincp > update counter > update user title
Thanks for this, but I cannot make sense of some of the instructions and therefore cannot confirm if this works or not…
**UPDATE user SET usertitle = '' WHERE usertitle = 'Hacked by Team Animus'**
I deleted the term ‘Hacked by Team Animus’. Do I add the ” symbol in place of where that term was, or just leave it blank?
**4.2 Update this field customtitle = 0**
**UPDATE user SET customtitle = '0' where customtitle = '1'**
I cannot make sense of this at all, please explain.
**4.4 Table: user > AUTO_INCREMENT**
**set number to you real latest user**
Where do you enter the number?
If my forum has 1801 members, do I enter 1801, or 1802, since that would be the next member number generated?
I thank you, if you’re able to clarify these few steps a little more clearly.
Tom, I apologize if the post was harder to understand. I made a few changes; does this make sense now? I hope your issue was resolved.
Looks like a portion of the attacks has been modified since you posted. My site had z.php and mod5_cod.php installed in the includes directory.