Register Members List Search Today's Posts Mark Forums Read

Thread Tools
Old 25 Apr 2015, 22:51
katie hunter's Avatar
katie hunter katie hunter is offline
Join Date: May 2007
A hacker doing - question

Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

Reply With Quote
Old 25 Apr 2015, 23:02
ForceHSS's Avatar
ForceHSS ForceHSS is offline
Join Date: Apr 2008
He might of installed some plugins so he can get back in. Go to your plugin manager and hover the mouse over each one it will show you the id. If you need help making your site secure pm me

Last edited by ForceHSS; 25 Apr 2015 at 23:10.
Reply With Quote
Old 25 Apr 2015, 23:32
Lynne's Avatar
Lynne Lynne is offline
Join Date: Sep 2004
Real name: Lynne
Go to: admincp/plugin.php?do=edit&pluginid=xxx

(change xxx to the plugin id)
Former Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
Reply With Quote
Old 29 Apr 2015, 13:23
Princeton's Avatar
Princeton Princeton is offline
Join Date: Nov 2001
Real name: Joe Velez
I recommend hiring someone to look into your files and database for injected code. Editing a plugin could have been a way to get into the system as a whole (not just the primary area to inject malicious code).
Former Staff Member

Latest Articles:
Liquid Layout = Less Ad Revenue?
How to Monetize Your Site
Improve Web Page Performance
How To Write For The Web

If it needs instructions, there's room for improvement.
Give users what they actually want, not what they say they want. And whatever you do, don't give them new features just because your competitors have them!
Reply With Quote
Old 29 Apr 2015, 19:10
SaN-DeeP's Avatar
SaN-DeeP SaN-DeeP is offline
Join Date: Jun 2002

Originally Posted by katie hunter View Post
Hi everyone, if i was hacked, well i was and found the hacker messing with my plugin and i see in the logs he was modifying plugins via id, how can i tell which plugin did he modify ?

As the administrator said above do needful.
If you are still finding anything suspicious (contact the developer who did those changes) and/or as others recommended.
Reply With Quote
Old 19 May 2015, 16:31
thetechgenius's Avatar
thetechgenius thetechgenius is offline
Join Date: Jun 2014
Do you have a backup you can restore, a backup from before the hack? If you do, restore the backup, and ban that users IP, Email, and Account, and you can also blacklist his IP.
TheTechGenius.Net Official IRC Network (ONLINE)
Port: 6667
TTG IRC Web Client -
Reply With Quote
Old 19 May 2015, 18:49
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
Join Date: Jun 2008
Real name: Joe D.
Unless you are skilled at looking through PHP code it is often easier to just re-run an upgrade of whatever version of VB you are running and then reinstall (overwriting original products) all the 3rd party products you have. Doing both will replace all the original and add-on VB files and plugins with their original/clean versions.

You also need to check Plugin Manager to see if you have any plugins listed at the top under the vBulletin product- if so treat these as suspicious and disable them unless you are absolutely sure what they do. VBulletin would not normally have any plugins listed under the vBulletin product.

Also you need to check your server for any additional files uploaded by hackers. Check especially for php files in image and/or attachment folders. There shouldn't be php files in these locations.
Former Moderator. Retired.

@BirdOPrey5 | All Things BOP5 | Joe's Ultimate Off Topic
Note - I no longer making new VB mods, sorry.
Reply With Quote
Old 20 May 2015, 11:42
Dave Dave is offline
Join Date: Jun 2010
Real name: Dave
There are always a few things I do when I do a security check:
1. I run the "Suspect File Versions" tool at AdminCP > Maintenance > Diagnostics to find most of the files on the server which do not have vBulletin's MD5 or do not belong to vBulletin at all. I then check the code of each file one by one to see if there's anything suspicious in it.
2. I go to AdminCP > Plugins & Products > Plugin Manager and I check all of the top plugins. Those are manually added and "hackers" usually add a backdoor that way. If those are fine then I check every single other plugin on that page.
3. When I get given SSH access, I can execute commands on the server to search through all the files for certain keywords. I typically look for: "system, shell_exec, exec, popen, file_put_contents, fwrite, phpinfo, base64" since most backdoors and shells make use of those functions.
4. I also check the access/error logs and try to find out what caused the hack.

I do a few more things, but the things listed above are the important ones.
__________________ - security, development, exploits, vBulletin

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

New To Site? Need Help?

All times are GMT. The time now is 06:04.

Layout Options | Width: Wide Color: