AllQuests.com

Question: Major security hole ( Web Hosting Talk Technical Security Issues )
Updated: 2008-11-20 18:10:01 (8)
Major security hole

Hi guys,

Most, if not all, of my server's vBulletin installations have been hacked a few times now. I was able to fix them all, but this is being repeated a few times per day.

I know exactly how these kids are able to hack vBulletin installations. It's by uploading a CGI file and using the symlink function. I have just tested that and it worked immediately:

symlink("/home/username/public_html/vb/includes/config.php", "/home/anotherusername/public_html/con");

So the hackers are able to copy the config.php file, then simply use the database name, username and password to alter the template table and display the hacking black screen.

How can we stop this from happening?

Your help on this issue is greatly appreciated as it's truly ruining our business.


EEssam

Answers: Major security hole ( Web Hosting Talk Technical Security Issues )

Well, first off, is your vBulletin installation up to date? Sounds like they are using an exploit to upload the file in the first place. And is this a dedicated machine, or are you on a shared server?

jphilipson

Hello,

We are offering shared hosting services for hundreds of people and we can't really prevent these files from being uploaded; we need them not to function after being uploaded.

Thanks.

EEssam

Disable CGI on the account you use?

Dynash

Start using suphp / suexec and make sure each customer has a separate account?

The_Overl

Quote:
Originally Posted by The_Overl
Start using suphp / suexec and make sure each customer has a separate account?

suexec and suphp should stop users from linking to other users' directories.

jphilipson

If you have cPanel, enable open_basedir restrictions. It will take care of your issue.

cascoing

If you're allowing file uploads you should have the program immediately change the name of the uploaded file to something random. That way it can't be accessed from outside.

WeWatch

In addition to having the open_basedir restriction enabled, do make sure that insecure functions like symlink are disabled in the server-wide php.ini file.
Also make sure that allow_url_fopen is disabled.

amalji
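
An added example, not part of the thread: a scan an administrator can run to find symlinks of the kind shown in the question, that is, links inside one account's home whose target resolves into another account's directory. It assumes every account lives directly under one root such as /home; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def find_cross_account_symlinks(homes_root):
    """List (link, resolved_target) for symlinks that leave their account's home."""
    findings = []
    root = os.path.realpath(homes_root)
    for account in sorted(os.listdir(root)):
        home = os.path.join(root, account)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        # os.walk does not descend into symlinked directories by default,
        # so a planted link cannot pull the scan into another account.
        for dirpath, dirnames, filenames in os.walk(home):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                if os.path.commonpath([home, target]) != home:
                    findings.append((path, target))
    return findings

def build_sample_tree(root):
    """Constructed sample data: two accounts laid out like the thread's paths."""
    includes = os.path.join(root, "username", "public_html", "vb", "includes")
    other = os.path.join(root, "anotherusername", "public_html")
    os.makedirs(includes)
    os.makedirs(other)
    config = os.path.join(includes, "config.php")
    index = os.path.join(other, "index.html")
    for path in (config, index):
        with open(path, "w") as handle:
            handle.write("constructed placeholder\n")
    os.symlink(config, os.path.join(other, "con"))       # crosses accounts
    os.symlink(index, os.path.join(other, "home.html"))  # stays inside its own home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for link, target in find_cross_account_symlinks(tmp):
            print(f"{link} -> {target}")
```

Only the link that leaves its owner's home is reported; the link that stays inside the same account is ignored.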

- Source: Major security hole, Web Hosting Talk, Technical Security Issues