Fixes for vbulletin forums hacked by Team Animus

A lot of vBulletin forums were recently hacked through a flaw in the Advanced Forum Rules modification.

You can read all about it here: http://www.vbulletin.com/forum/showthread.php/379072-Site-hacked-can-someone-please-help

This is not a vBulletin flaw, only those with the advanced forum rules mod are affected.

vBulletin user vktechnology has posted some good instructions on how to clean up the initial damage (posted below); however, you also need to look in /includes and /includes/xml for a file called vba.php or vbf.php. It is a PHP script 'encoded' with eval(base64_decode(...)) that is basically a hack tool. If you want to see what it looks like, visit it in your browser: it allows the attacker to see your server configuration and browse your files, among other things.

It is important to note that a lot more damage could have been done to the affected boards, so that is something to be thankful for.

Here are the instructions to remove it; some steps may not be needed for your board (e.g. not all forums were turned off). Make sure you look for vba.php and vbf.php.

Instructions on how to remove "Hacked by Team Animus"

1) Restore files

Download the latest vBulletin from vbulletin.com; you will need to replace the index.php files, as they have been overwritten.

Find these files and delete/replace them:

index.php
index.html
admincp/index.php
admincp/index.html
modcp/index.php
modcp/index.html

2) Reset login to admin cp

If you are locked out of your admin CP, upload tools.php to admincp to reset your admin login.

3) Log in to the admin CP, disable the Cyb rules mod and install the new version (do not forget to overwrite the old files)

4) Run these queries on your database (using phpMyAdmin or similar)

All user titles have been overwritten with 'Hacked by Team Animus'; run these queries to delete that.

5) Delete user id 13371337

This is the administrator user 'Team Animus'.

6) Reset AUTO INCREMENT

This step is optional. A user called "Team Animus" will have been created with the ID 13371337, which means that all future users will get an ID greater than this number, and that may make your board look unbalanced. Using a tool like phpMyAdmin, go to the 'user' table, click Operations and reset your auto increment number.

A problem occurs if legitimate users have registered after the hack, because their user IDs will be 13371338 and so on; you may want to ask these users to re-register after you reset the auto increment.

7) Go to admincp > update counter > update user title
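The queries for steps 4 to 6 collected into one script, as an added example that is not from the original post. It assumes a stock vBulletin schema with no table prefix (prefix the table names if your config.php sets one); the check queries and the administrator-table cleanup are additions beyond the post's own steps.

```sql
-- Check first: how many rows carry the defacement title, and does the rogue admin exist?
SELECT COUNT(*) AS defaced_titles
  FROM user
 WHERE usertitle = 'Hacked by Team Animus';
SELECT userid, username, usergroupid
  FROM user
 WHERE userid = 13371337;

-- Step 4: clear the overwritten titles. The empty string '' is intentional:
-- admincp > Update Counters > Update User Titles regenerates the real titles afterwards.
UPDATE user SET usertitle = '' WHERE usertitle = 'Hacked by Team Animus';

-- Step 4.2: clear the custom-title flag so the regenerated titles are applied.
-- Caveat: this also clears any custom title you had legitimately granted.
UPDATE user SET customtitle = 0 WHERE customtitle = 1;

-- Step 5: remove the attacker's administrator account.
-- Assumption: the admin rights row lives in the 'administrator' table (stock vB 3/4 schema).
DELETE FROM administrator WHERE userid = 13371337;
DELETE FROM user          WHERE userid = 13371337;

-- Step 6: reset the counter. MySQL never sets AUTO_INCREMENT below MAX(userid)+1,
-- so any value at or below your real highest userid lands on the next free id.
ALTER TABLE user AUTO_INCREMENT = 1;

-- Verify: Auto_increment should now read MAX(userid)+1.
SELECT MAX(userid) AS highest_real_userid FROM user;
SHOW TABLE STATUS LIKE 'user';
```

Run the two SELECTs again after the script: the defaced-title count should be 0 and the 13371337 lookup should return no row.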

3 thoughts on "Fixes for vbulletin forums hacked by Team Animus"

  • Tom says:

    Thanks for this, but I cannot make sense of some of the instructions and therefore cannot confirm if this works or not…

    **UPDATE user SET usertitle = '' WHERE usertitle = 'Hacked by Team Animus'**
    I deleted the term 'Hacked by Team Animus'. Do I add the '' symbol in place of where that term was, or just leave it blank?

    **4.2 Update this field customtitle = 0**
    **UPDATE user SET customtitle = '0' where customtitle = '1'**
    I cannot make sense of this at all, please explain.

    **4.4 Table: user > AUTO_INCREMENT**
    **set number to your real latest user**
    Where do you enter the number?
    If my forum has 1801 members, do I enter 1801, or 1802, since that would be the next member number generated?

    I thank you, if you’re able to clarify these few steps a little more clearly.

    Regards,
    Tom

  • Greg says:

    Tom, I apologize if the post was harder to understand, I made a few changes, does this make sense now? I hope your issue was resolved.

  • LPH says:

    Looks like a portion of the attacks has been modified since you posted. My site had z.php and mod5_cod.php installed in the includes directory.
