View Full Version : Strange Issue


DJ-Dez
11-02-2013, 02:28 AM
Hello! Hoping some of you guys can shine some light on this strange issue. Tonight we had a person register on our Forum with a username of an Admin. They didn't have perms, only the username, and we can't figure out how. We have our install directory deleted long ago so it's nothing to do with 0day exploit. No special ascii characters were used either...

Hopefully someone can help me on this one :) Thanks. :confused:

ozzy47
11-02-2013, 02:36 AM
The name was Admin, or they were in the usergroup Admin?

DJ-Dez
11-02-2013, 02:42 AM
It was an admins name, in fact it was mine. The user registered with the name "Dez" but with no admin permissions and I already have that name. They then asked other admins to give perms but they refused. Strange and I can't figure out how it was done. I also use ^[A-Z]+$ in regular expression settings.

Amaury
11-02-2013, 04:17 AM
Delete it and your install directory.

Lynne
11-02-2013, 04:30 AM
Please read the notices in your Admincp about deleting the /install directory. Now please delete any new Administrators and plugins they made and template edits they may have done.

cellarius
11-02-2013, 07:56 AM
If I understand the OP correctly at all:
1. A person registered using the (seemingly?) same username as an already existing admin.
2. That newly registered user did NOT have any admin permissions, i.e. did not make himself admin, but tried to get those permissions by asking other admins for them

While it is of course smart to remove the install directory, what indication is there that the forum was hacked? Is this something that has turned up in the recent situation (just curious)?

ozzy47
11-02-2013, 11:07 AM
I would use this:

^[a-zA-Z0-9\s.\-_']+$

Which allows for characters but still prevents the 'hidden' ones.

DJ-Dez
11-02-2013, 01:51 PM
Thanks for the answers guys

As I've said above, the install directory has been deleted a while and everything else above from cellarius is correct. The Forum wasn't hacked but I can't figure out how they managed to use an existing name. Something that could easily cause problems.

ozzy47
11-02-2013, 02:18 PM
They somehow used a hidden character. Using the code I posted for Username Regular Expression should stop issues like that.
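
An added example, not part of the thread and not vBulletin code: a registration check that applies the allowlist regex posted above, reports any hidden character by code point, and compares names after normalization so that whitespace the regex permits through `\s` cannot produce a look-alike of an existing name. The function names and sample usernames are constructed for illustration, and `re.ASCII` is an assumption that the forum matches the pattern without Unicode semantics.

```python
import re
import unicodedata

# Allowlist from the thread; re.ASCII limits \s to ASCII whitespace (assumption).
ALLOWED = re.compile(r"[a-zA-Z0-9\s.\-_']+", re.ASCII)

def hidden_chars(name):
    """List 'U+XXXX NAME' for characters that render as nothing or as a blank."""
    found = []
    for ch in name:
        cat = unicodedata.category(ch)
        # Cf = format (zero-width etc.), Cc = control, Zs = space separators
        if cat in ("Cf", "Cc", "Zl", "Zp") or (cat == "Zs" and ch != " "):
            found.append(f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}")
    return found

def canonical(name):
    """Comparison key: NFKC, invisible characters dropped, whitespace collapsed, case folded."""
    name = unicodedata.normalize("NFKC", name)
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))
    return " ".join(name.split()).casefold()

def check_registration(name, existing):
    """Return the reasons to reject a requested username; an empty list means accept."""
    reasons = []
    if not ALLOWED.fullmatch(name):
        reasons.append("fails allowlist regex")
    reasons += [f"hidden character {h}" for h in hidden_chars(name)]
    if canonical(name) in {canonical(e) for e in existing}:
        reasons.append("collides with existing name")
    return reasons

if __name__ == "__main__":
    existing = ["Dez"]  # constructed sample data
    for candidate in ["DJ-Dez", "Dez\u200b", "Dez\u00a0", "Dez "]:
        print(repr(candidate), check_registration(candidate, existing))
```

The last sample passes the regex on its own, so the normalized uniqueness comparison is what rejects it.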