View Full Version : Hacked 3.8.4 pl1
ThePhoneGuy
11-23-2009, 05:38 PM
Well, there's an issue. I followed you guys' security advice to the T after SEVERAL hacking attempts. Anyway, this hack, whatever it is, lets the person delete whoever they wish.
Every time, it shows invisible users on the dash. I have included an image.
ChopSuey
11-23-2009, 08:43 PM
That person is not deleted; there's an option to set invisible users to have some name. I can't seem to find where it is, though.
ThePhoneGuy
11-23-2009, 09:00 PM
Actually, it does delete them. However, I can re-create them if I go in and manually add their userid back via MySQL. I have upgraded to vB4; we will see what happens :P.
ChopSuey
11-23-2009, 09:10 PM
LOL okay then. Good luck ;)
ThePhoneGuy
11-25-2009, 04:38 AM
Hacker still got in T_T. Same method. I am upgrading to a new semi-dedi server; hopefully that helps.
Hell Bomb
11-25-2009, 05:11 AM
Get the mod, track guest views, so you can get the hacker's IP address and then block his IP address via .htaccess or the vBulletin IP address banning method.
ThePhoneGuy
11-25-2009, 05:21 AM
I have his IP address T_T. You don't get it. These are skilled hackers (changing IP/MAC IP is a simple task: "onion router"). I run a hacking website... Possibly a form of XSS. The method doesn't seem like he is hacking a user's account (like an admin). So I'm not sure what to think. Well, we will see if semi-dedi stops him.
CarlitoBrigante
11-25-2009, 05:48 AM
They have left a backdoor in your system. There were many, many people in the past week with similar issues because of a vBSEO hack which granted the attacker full access to the system.
Even if you were not hacked through that specific hole, there is little doubt these people have some backdoor. Check the world-writable directories, and make sure that ALL your products are updated to the latest version (please note that the patched vBSEO version is still called 3.3.2, but the patch was added just a few days ago without a version number change).
Check for PHP files you do not remember having in your directories, and use the vBulletin suspicious file checker to help with this (in your diagnostic tools in the vBulletin ACP).
Until you clean up properly, they will be able to do whatever they want to.
ThePhoneGuy
11-25-2009, 05:54 AM
I do not have vBSEO. Is it possible to put any info in the SQL? I am debating a clean install.
CarlitoBrigante
11-25-2009, 06:07 AM
Definitely. For example, they could have injected a plugin if they hacked your database. Sometimes, they try to mask their malicious code/backdoor inside existing plugins. But first, check for all PHP files in directories where they should not be; then use the vB diagnostic tool to check for suspicious files. This find command might help you identify some files:
find . -type f -mtime -5 -name '*.php'
Change the mtime value depending on how far back in time you want to go; -mtime -5 will return only files edited in the last 5 days.
Disabling all shell execution/inclusion functions in PHP, unless you really need them, is also a good idea to stop most attacks. Check this: http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/
Also, try to go through your access logs to determine the point of entry: if you find that, then you have the key to cleaning up everything more easily.
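The file checks suggested in the post above (recently modified PHP files, PHP files in world-writable directories), combined into one sweep as an added example that is not part of the original thread. It goes one step further by listing PHP files that call shell-execution or eval-style functions; the function names and the list of functions searched for are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example: triage sweep of a forum webroot. Paths passed in are assumptions.

# PHP files under $1 modified in the last $2 days (the find command from the
# thread, widened to other extensions PHP handlers are commonly mapped to).
recent_php() {
    find "$1" -type f -mtime "-$2" \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print | sort
}

# PHP files sitting directly inside world-writable directories under $1.
# Upload, attachment and avatar directories should not normally hold code.
php_in_world_writable() {
    find "$1" -type d -perm -0002 \
        -exec find {} -maxdepth 1 -type f -name '*.php' -print \; | sort
}

# PHP files that call shell-execution or eval-style functions.
# A hit is a lead to review by hand, not proof of a backdoor:
# legitimate forum code uses some of these too.
php_with_exec_calls() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(^|[^[:alnum:]_])(eval|system|shell_exec|passthru|proc_open|popen)[[:space:]]*\(' \
        {} + | sort
}

# Run as: sh sweep.sh /path/to/forum 5
if [ "$#" -ge 1 ]; then
    echo "== PHP files modified in the last ${2:-5} days =="
    recent_php "$1" "${2:-5}"
    echo "== PHP files in world-writable directories =="
    php_in_world_writable "$1"
    echo "== PHP files calling exec/eval-style functions =="
    php_with_exec_calls "$1"
fi
```

Files that appear in more than one of the three lists are the ones to open first, and their timestamps give a window to search for in the access logs.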