[johnmat]

I see 29 Admin accounts in my vbulletin, my forum was hacked and later I hired a pro to fix the forum. I implemented security measures listed here - http://www.vbulletin.org/forum/showthread.php?t=193930

Now I am surprised to see 29 admins in my forum. How to remove them and identify the damage they did to the forum and secure the forum against this security issue?

[ForceHSS]

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
I would do the following, to ensure everything is clean.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

[johnmat]

The Config.php still compromised after upgrading to - 4.2.2 Patch Level 1

How to fix this issue and other issues in 4.1 Version after upgrading to 4.2.2 Patch Level 1

[Zachery]

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

[ForceHSS]

Just follow the blog posts and don't skip any parts

[johnmat]

My config.php file is severely hacked and I want to upload new file from downloaded installation files from vbulletin Members Area.... Where is the config.php file located and are there any changes required in it to make vbulletin forum run properly?

[Lynne]

The config.php file should be in your /includes directory. And yes, you need to enter your mysql information into that file in order for vbulletin to be able to connect to your mysql server.

[johnmat]

Where to enter the --- 'List of Email domains to ban ' ?

[Lynne]

AdminCP > Settings > Options > User Banning Options > Banned Email Addresses

[johnmat]

Where to check the Super Admin or Admin users? As I can't delete or give infractions to the posts or users.

[blind-eddie]

Look in the config.php file again, scroll down to or search for... USERS WITH ADMIN LOG VIEWING PERMISSIONS....

Make sure this section in your config.php looks like this...Remove all user id's but yours. Your user id is 1 I would assume, if not change 1 to your userid.

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

SAVE......

Once that is complete, you should be able to remove the other "admins"

[blind-eddie]

How did it go johnmat, where you able to fix your issue?

[Disco_Stu]

If someone is hacking your database you might try adding a trigger to your user table that can send you an email anytime a record is added for a specific user group

Here's a sample of a trigger checking for a column value on an insert operation.

CREATE TRIGGER upd_check BEFORE UPDATE ON user
-> FOR EACH ROW
-> BEGIN
-> IF NEW.usergroupid = 6 THEN
-> send yourself an email
-> END IF;
-> END;//


And here's a link to how to use a trigger to send yourself an email:

http://stackoverflow.com/questions/3...from-mysql-5-1


Now no matter how they access your database (directly , ftp or through vbulletin) you will be alerted immediately

It may be easier to have the trigger write the info to a text file then set up a cron job to actually send the email.

I haven't tested this yet but will so shortly