5 05 2011
Fixes for vbulletin forums hacked by Team Animus
A lot of vBulletin forums were hacked recently through a flaw in the Cyb Advanced Forum Rules modification (the "Cyb rules" add-on referred to in the clean-up steps below).
You can read all about it here: http://www.vbulletin.com/forum/showthread.php/379072-Site-hacked-can-someone-please-help
This is not a flaw in vBulletin itself; only boards running the advanced forum rules mod are affected.
vBulletin user vktechnology has posted good instructions on how to clean up the initial damage (reproduced below). In addition, look in /includes and /includes/xml for a file called vba.php or vbf.php. It is a PHP script 'encoded' with eval(base64_decode(...)) that is basically a hack tool (a web shell): it lets the attacker view your server configuration and browse your files, among other things. If you want to see what it looks like, you can visit it in your browser, but bear in mind that requesting it runs it on your server; decoding the base64 blob from a copy of the file shows the same code without executing it. Delete the file once you have finished with it.
It is important to note that a lot more damage could have been done to the affected boards, so that is something to be thankful for. Since the tool can read files, though, assume the attacker has seen includes/config.php, and change the database password (and any other secrets stored there) as part of the clean-up.
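As an added example (not code from this post or from vBulletin), the POSIX shell script below finds the dropper files named above and any other PHP file under the forum root that calls eval(base64_decode(...)), then decodes the embedded payload from disk rather than executing it in a browser. The function names and the constructed sample tree it builds are assumptions made for this example, as is GNU coreutils base64 for the -d option.

```shell
#!/bin/sh
# Added example, not code from the original post or from vBulletin.
# Finds the Team Animus dropper files (vba.php / vbf.php under includes/)
# and any other PHP file that calls eval(base64_decode(...)), then decodes
# the embedded payload from disk so it can be read without executing it.
# Function names and the sample tree are assumptions made for this example.

# Known dropper filenames from the post, under includes/ and includes/xml/.
# $1 = forum root.
find_dropper_files() {
    find "$1/includes" -maxdepth 2 -type f \
        \( -name 'vba.php' -o -name 'vbf.php' \) 2>/dev/null
}

# Any .php file under $1 that contains eval(base64_decode is suspect,
# whatever it is called; the dropper may have been copied under another name.
find_eval_base64() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*base64_decode' {} + 2>/dev/null
}

# Pull the first base64 literal passed to base64_decode out of file $1 and
# print it decoded. Pure text processing: no PHP is run. Assumes GNU
# coreutils base64 (-d); on older macOS use base64 -D.
decode_first_payload() {
    grep -oE "base64_decode[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9+/=]+['\"]" "$1" \
        | head -n 1 \
        | sed -E "s|^.*['\"]([A-Za-z0-9+/=]+)['\"]$|\1|" \
        | base64 -d
}

# Constructed sample tree for trying the scanner offline: one clean file and
# one planted dropper whose payload is a harmless echo. Prints the root path.
make_sample_forum() {
    root=$(mktemp -d)
    mkdir -p "$root/includes/xml"
    printf '<?php\n$clean = 1;\n' > "$root/includes/functions.php"
    payload=$(printf '%s' 'echo "constructed sample payload";' | base64 | tr -d '\n')
    printf '<?php eval(base64_decode("%s")); ?>\n' "$payload" \
        > "$root/includes/xml/vba.php"
    printf '%s\n' "$root"
}

# Usage: sh scan_vb.sh /path/to/forum
# With no argument nothing is scanned; call make_sample_forum to try it out.
if [ $# -ge 1 ]; then
    { find_dropper_files "$1"; find_eval_base64 "$1"; } | sort -u \
    | while read -r f; do
        echo "suspect: $f"
        decode_first_payload "$f"
        echo
    done
fi
```

The filename check alone is not enough, since a copy of the tool under a different name would be missed; the content scan catches any eval(base64_decode) regardless of name, and a legitimate match (some add-ons obfuscate code the same way) can be judged by reading the decoded payload.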
Here are the instructions for removal; some steps may not be needed for your board (for example, not every forum was turned off). Make sure you also look for vba.php and vbf.php.
Instructions on how to remove “Hacked by Team Animus”
1) Restore files
Download the latest vBulletin from vbulletin.com; you will need to replace the index.php files, as they have been overwritten.
Find these files and delete/replace them.
2) Reset login to admin CP
If you are locked out of your admin CP, upload tools.php to admincp to reset your admin login.
3) Log in to the admin CP, disable Cyb rules and install the new version; do not forget to overwrite it.
4) Run these queries on your database (use phpMyAdmin etc.)
All user titles have been overwritten with ‘Hacked by Team Animus’; run these queries to remove that.
UPDATE user SET usertitle = '' WHERE usertitle = 'Hacked by Team Animus';
UPDATE user SET customtitle = '0' where customtitle = '1';
5) Delete user ID 13371337
This is the administrator user ‘Team Animus’.
6) Reset AUTO INCREMENT
This step is optional. A user called “Team Animus” will have been created with the ID 13371337, which means that all future users will have an ID greater than this number, which may make your board look unbalanced. Using a tool like phpMyAdmin, go to the ‘user’ table, click Operations and reset your auto increment number.
A problem occurs if legitimate users have registered after the hack, because their user IDs will be 13371338 and so on; you may want to ask these users to re-register after you reset the auto increment.
7) Go to admincp > update counter > update user title.