Problems last night


Mickey
10-25-2009, 12:50 PM
I'm still investigating the site defacement / spam emails that were sent last night. I've been on the latest version of vBulletin, so I'm not sure what happened.

What I know:

-- It seems to have been vBulletin specific; nothing on the main site was touched.
-- Once into vBulletin, they replaced all of the templates with their garbage and did a "send message to all users" email.
-- It's all been cleared out. I erased all files, reuploaded, restored all templates.
-- Passwords are safe. vBulletin automatically salts and encrypts them, so even when this kind of thing happens, they're safe.

I'm very sorry for the troubles. I've done a few more things to better secure the site (beyond what even vBulletin recommends), but I'm still digging. I hate days like this.

Mickey

Mickey
10-25-2009, 01:03 PM
A few more notes:

-- It was indeed all done via vBulletin, and not directly on the server. This is slightly good news in the midst of it.
-- They came from two IP addresses in India. I've banned the entire range (59.95...).
-- They didn't send very many of their email messages. I can't get an exact number, but it seems to be about 5,000. That's certainly a lot, but just a fraction of our 100,000+ users.

T.Dooley
10-25-2009, 01:16 PM
Hi Mike

Good to see you up and running again. I was logged on this morning at 08:17 AM. Some minutes/half hour later the forum was "HACKED BY..." - Only forum listing seems to have had a problem. During the period I have seen everything else like files and postings being okay. Only forum access/listing seem to have been 'defaced'.

Fight back, good luck and all possible support from here :yep:
Tom

Mickey
10-25-2009, 01:22 PM
Eventually they replaced EVERY template file with their junk. Maybe you caught it while I was reverting it back or something. Arrrgh.

Thanks for your support.

Alpapone
10-26-2009, 03:51 PM
Hi Mike!
I got one of those mails. Happy to hear the passwords are safe and everything is up again. Hope I don't get too much spam now.

Greetings, Al

sladys
10-26-2009, 06:34 PM
I didn't receive any mails in either my inbox or spambox.

But now I can't upload new files. I receive this error message:

Warning: require_once(./includes/functions_bbcodeparse.php) [function.require-once]: failed to open stream: No such file or directory in /home/google/public_html/added.php on line 6

Fatal error: require_once() [function.require]: Failed opening required './includes/functions_bbcodeparse.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/google/public_html/added.php on line 6

Do you have the same problem, Mickey? Because no files have been uploaded since it happened.

Mickey
10-27-2009, 01:52 AM
Sorry about that. It's been a long two days...

Should be working now. Thanks.

Alpapone
10-27-2009, 08:23 AM
Hi Mike,
today I received an email from "mickey(at)gearthhacks" saying:

"this is to show all user of this community that this forum had a very week security and has been crashed by proxyserver
so guys visit us at hackerzhub [link deleted] and enjoy ur stay...

we have everything movies,music,games,softwares and everything..

regards
proxyserver(owner)"

Just want to tell you, because a gearthhacks-address was used. I received it today, but it is dated 10/25/2009 10.40 AM

Regards, Al