I see 29 Admin accounts in my vbulletin, my forum was hacked and later I hired a pro to fix the forum. I implemented security measures listed here - https://vborg.vbsupport.ru/showthread.php?t=193930

Now I am surprised to see 29 admins in my forum. How to remove them and identify the damage they did to the forum and secure the forum against this security issue?

http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
I would do the following, to ensure everything is clean.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked (http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked)

http://www.vbulletin.com/forum/blogs...vbulletin-site (http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site)

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5)
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions)

The Config.php still compromised after upgrading to - 4.2.2 Patch Level 1

How to fix this issue and other issues in 4.1 Version after upgrading to 4.2.2 Patch Level 1

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

Just follow the blog posts and don't skip any parts

My config.php file is severely hacked and I want to upload new file from downloaded installation files from vbulletin Members Area.... Where is the config.php file located and are there any changes required in it to make vbulletin forum run properly?

The config.php file should be in your /includes directory. And yes, you need to enter your mysql information into that file in order for vbulletin to be able to connect to your mysql server.

Where to enter the --- 'List of Email domains to ban ' ?

AdminCP > Settings > Options > User Banning Options > Banned Email Addresses

Where to check the Super Admin or Admin users? As I can't delete or give infractions to the posts or users.

Look in the config.php file again, scroll down to or search for... USERS WITH ADMIN LOG VIEWING PERMISSIONS....

Make sure this section in your config.php looks like this...Remove all user id's but yours. Your user id is 1 I would assume, if not change 1 to your userid.

// ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
// The users specified here will be allowed to remove ("prune") entries from the admin
// log. See the above entry for more information on the format.
$config['SpecialUsers']['canpruneadminlog'] = '1';

// ****** USERS WITH QUERY RUNNING PERMISSIONS ******
// The users specified here will be allowed to run queries from the control panel.
// See the above entries for more information on the format.
// Please note that the ability to run queries is quite powerful. You may wish
// to remove all user IDs from this list for security reasons.
$config['SpecialUsers']['canrunqueries'] = '';

// ****** UNDELETABLE / UNALTERABLE USERS ******
// The users specified here will not be deletable or alterable from the control panel by any users.
// To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '1';

// ****** SUPER ADMINISTRATORS ******
// The users specified below will have permission to access the administrator permissions
// page, which controls the permissions of other administrators
$config['SpecialUsers']['superadministrators'] = '1';


SAVE......

Once that is complete, you should be able to remove the other "admins"

How did it go johnmat, where you able to fix your issue?

If someone is hacking your database you might try adding a trigger to your user table that can send you an email anytime a record is added for a specific user group

Here's a sample of a trigger checking for a column value on an insert operation.

CREATE TRIGGER upd_check BEFORE UPDATE ON user
-> FOR EACH ROW
-> BEGIN
-> IF NEW.usergroupid = 6 THEN
-> send yourself an email
-> END IF;
-> END;//


And here's a link to how to use a trigger to send yourself an email:

http://stackoverflow.com/questions/387483/how-to-send-email-from-mysql-5-1


Now no matter how they access your database (directly , ftp or through vbulletin) you will be alerted immediately

It may be easier to have the trigger write the info to a text file then set up a cron job to actually send the email.

I haven't tested this yet but will so shortly