Finding vulnerability allowing hack?
wolfey
06-23-2015, 10:56 AM
Just noticed that from yesterday someone has logged into admin and was running some scripts unauthorized.
And just now I saw a new plugin get created, which I deleted right away.
I have already changed permissions for that admin and the password, but I think they can use any, as I saw my name used from a Russian IP address.
What can I do to find & remove their way in?
Here is log shot from first attack:
30151 smolinaro 12:16, 22nd Jun 2015 plugin.php update plugin id = 1869 178.73.196.73
30150 smolinaro 12:15, 22nd Jun 2015 plugin.php edit plugin id = 1869 178.73.196.73
30149 smolinaro 12:15, 22nd Jun 2015 plugin.php update plugin id = 1869 178.73.196.73
30148 smolinaro 12:15, 22nd Jun 2015 modlog.php choose 178.73.196.73
30147 smolinaro 12:14, 22nd Jun 2015 plugin.php edit plugin id = 1869 178.73.196.73
30146 smolinaro 12:13, 22nd Jun 2015 plugin.php 178.73.196.73
30145 smolinaro 12:13, 22nd Jun 2015 plugin.php update 178.73.196.73
30144 smolinaro 12:06, 22nd Jun 2015 plugin.php add 178.73.196.73
30143 smolinaro 12:05, 22nd Jun 2015 plugin.php files 178.73.196.73
30142 smolinaro 12:05, 22nd Jun 2015 plugin.php modify 178.73.196.73
30141 smolinaro 11:59, 22nd Jun 2015 cronadmin.php edit 178.73.196.73
30140 smolinaro 11:58, 22nd Jun 2015 adminlog.php choose 178.73.196.73
30139 smolinaro 11:57, 22nd Jun 2015 subscriptions.php transactions 178.73.196.73
Here's one article from vbulletin.com on things you should do if hacked: http://www.vbulletin.com/forum/articles/community-tutorials/4023667-recovering-a-hacked-vbulletin-site
You might look at your web server access log to see if you can tell how they got in. Otherwise, it's difficult. If they logged in as you then the most obvious answer is they somehow guessed or got your password, but it's also a possibility that they have access to the database. (Do you use the same password on other sites? If so then it's a good bet that's how they got it).
Look over your plugins. By default there shouldn't be any under product "vbulletin". Also use Maintenance > Diagnostics > Suspect File Versions to see any changed files or files that aren't part of vbulletin. You might also look at the server directly to see if there's anything outside your forum directory that shouldn't be there.
Edit: Oh, from that log you posted it looks like they might have changed a scheduled task or done something to a subscription (or they may just have looked at those pages).
wolfey
06-24-2015, 08:45 AM
Thank you!
Well they are logging in somehow not using a username or password,
I don't see any damage or changes right now (no added plugins), looks like they delete them when done.
I don't see any updated files on my server, suspect files some but none modified this year (probably a product I added)
I banned and changed the password to the other admin, so they used another.
I am currently upgrading to 4.2.3 now, hopefully that helps.
Can you see anything else to check or fix here...
Here is yesterday's log (can you tell what they are trying to do?)
30509 Nicky 17:39, 23rd Jun 2015 plugin.php 84.33.43.76
30508 Nicky 17:39, 23rd Jun 2015 plugin.php update plugin id = 1871 84.33.43.76
30507 Nicky 17:38, 23rd Jun 2015 plugin.php edit plugin id = 1871 84.33.43.76
30506 Nicky 17:38, 23rd Jun 2015 modlog.php view 84.33.43.76
30505 Nicky 17:38, 23rd Jun 2015 modlog.php 84.33.43.76
30504 Nicky 17:37, 23rd Jun 2015 plugin.php 84.33.43.76
30503 Nicky 17:37, 23rd Jun 2015 plugin.php update plugin id = 1871 84.33.43.76
30502 Nicky 17:37, 23rd Jun 2015 plugin.php edit plugin id = 1871 84.33.43.76
30501 Nicky 17:36, 23rd Jun 2015 plugin.php 84.33.43.76
30500 Nicky 17:36, 23rd Jun 2015 plugin.php update 84.33.43.76
30499 Nicky 17:34, 23rd Jun 2015 modlog.php view 84.33.43.76
30498 Nicky 17:34, 23rd Jun 2015 modlog.php choose 84.33.43.76
30497 Nicky 17:34, 23rd Jun 2015 cronlog.php choose 84.33.43.76
30496 Nicky 17:33, 23rd Jun 2015 plugin.php add 84.33.43.76
30495 Nicky 17:32, 23rd Jun 2015 plugin.php modify
30494 Nicky 17:32, 23rd Jun 2015 stats.php index 84.33.43.76
30493 Nicky 17:32, 23rd Jun 2015 cronadmin.php modify 84.33.43.76
30492 Nicky 17:32, 23rd Jun 2015 admininfraction.php dolist 84.33.43.76
30491 Nicky 17:31, 23rd Jun 2015 admininfraction.php list 84.33.43.76
30490 Nicky 17:31, 23rd Jun 2015 user.php edit user id = 2 84.33.43.76
30489 Nicky 17:30, 23rd Jun 2015 banning.php modify 84.33.43.76
30488 Nicky 16:51, 23rd Jun 2015 plugin.php modify 84.33.43.76
30487 Nicky 16:50, 23rd Jun 2015 user.php edit user id = 2 84.33.43.76
30486 Nicky 16:50, 23rd Jun 2015 modlog.php view 84.33.43.76
30485 Nicky 16:49, 23rd Jun 2015 modlog.php choose
CAG CheechDogg
06-24-2015, 09:24 AM
Block all of those IPs right away using htaccess to begin with ...
ForceHSS
06-24-2015, 01:22 PM
Check your ftp files for files in there that should not be there
TheLastSuperman
06-24-2015, 01:30 PM
Check your plugin list, in phpmyadmin you can easily sort the tables to see which pluginid is last (i.e. newly added as it shows in the log record: 30144 smolinaro 12:06, 22nd Jun 2015 plugin.php add 178.73.196.73).
The part of the log in red:
30147 smolinaro 12:14, 22nd Jun 2015 plugin.php edit plugin id = 1869 178.73.196.73
^ Is the actual pluginid they modified, so check that plugin asap and also in phpmyadmin sort by descending to see the last few plugins and check them as well. *Replace all default vBulletin files with 100% fresh vB files from a brand new .zip (download from https://members.vbulletin.com) IMMEDIATELY AFTER removing any bad plugins; it's best to do those two things within a few mins of each other to ensure whatever is present or was present can't come back, i.e. if base64 code is in a .php shell file or similar, that will simply make the code re-insert itself if they have scheduled tasks (cron jobs) calling the file to do just that, etc.
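Assuming the admin-log layout shown in the posts above (id, user, time, script, action, optional plugin/user id, IP), here is an added triage script, not from the thread or from vBulletin, that parses such lines and flags the persistence-related actions the replies point at (plugin add/edit and scheduled-task edits), the plugin ids touched, and IPs that are not a known admin IP. The sample lines and the known-IP set are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the admin-log layout shown in the thread.
SAMPLE_LOG = """\
30144 smolinaro 12:06, 22nd Jun 2015 plugin.php add 178.73.196.73
30147 smolinaro 12:14, 22nd Jun 2015 plugin.php edit plugin id = 1869 178.73.196.73
30141 smolinaro 11:59, 22nd Jun 2015 cronadmin.php edit 178.73.196.73
30146 smolinaro 12:13, 22nd Jun 2015 plugin.php 178.73.196.73
30495 Nicky 17:32, 23rd Jun 2015 plugin.php modify
30490 Nicky 17:31, 23rd Jun 2015 user.php edit user id = 2 84.33.43.76
"""

# Action and trailing IP are optional: some log lines carry neither.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d\d:\d\d), (?P<date>\d+\w* \w+ \d{4})\s+"
    r"(?P<script>\S+\.php)(?:\s+(?P<action>[a-z]+))?"
    r"(?:\s+(?P<obj>plugin|user) id = (?P<objid>\d+))?"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?$"
)

# Script/action pairs that change executable code or scheduled execution;
# these are the ones an intruder uses to persist, as the replies describe.
PERSISTENCE = {("plugin.php", "add"), ("plugin.php", "edit"), ("plugin.php", "update"),
               ("plugin.php", "modify"), ("cronadmin.php", "edit"), ("cronadmin.php", "modify")}

def parse_log(text):
    """Parse admin-log lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries, known_admin_ips):
    """Per user: persistence-action count, plugin ids touched, unknown IPs, lines with no IP."""
    report = defaultdict(lambda: {"persistence": 0, "plugin_ids": set(),
                                  "unknown_ips": set(), "no_ip": 0})
    for e in entries:
        r = report[e["user"]]
        if (e["script"], e["action"]) in PERSISTENCE:
            r["persistence"] += 1
        if e["obj"] == "plugin":
            r["plugin_ids"].add(int(e["objid"]))  # check these ids in the plugin table
        if e["ip"] is None:
            r["no_ip"] += 1
        elif e["ip"] not in known_admin_ips:
            r["unknown_ips"].add(e["ip"])
    return dict(report)
```

Sorting `plugin_ids` descending gives the same "last few plugins" view the post above recommends checking in phpmyadmin.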
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.