C99madShell v. 2.0 madnet edition - How to get rid of this?
XYZ500
08-25-2015, 11:06 AM
In my admincp > paid subscriptions > subscription manager, I see this shell "C99madShell v. 2.0 madnet edition".
It is showing all the files on the server. Looks like any file on the server can be accessed from here. I believe this is causing a vulnerability which is enabling someone to hack my forum.
I upgraded from 4.2.2 to 4.2.3 in hopes to get rid of this when all new files will be uploaded. But it's still there.
How do I get rid of this?
Please help.
RichieBoy67
08-25-2015, 12:18 PM
Yes, you have been hacked. I just fixed a site like this not long ago. Too much to go into here.
For starters search your plug ins and delete the ones that do not belong! You will see debase 64 code and they will be running upon start up usually... and then your files... overwrite them with fresh vBulletin files! Upgrade your vBulletin now to the latest 4! I am willing to bet you are using an older version.
XYZ500
08-25-2015, 01:07 PM
Yes, you have been hacked. I just fixed a site like this not long ago. Too much to go into here.
For starters search your plug ins and delete the ones that do not belong! You will see debase 64 code and they will be running upon start up usually... and then your files... overwrite them with fresh vBulletin files! Upgrade your vBulletin now to the latest 4! I am willing to bet you are using an older version.
As mentioned in my first post, I already did all this.
Checked the plugins.
Upgraded to version 4.2.3.
Overwritten all previous files with fresh 4.2.3 files.
It's still there.
RichieBoy67
08-25-2015, 01:11 PM
Disable your plug ins globally using config. I am sure you are missing a plug in. If possible find the plug in search mod and use it to search for the debase code.
And you did not mention in your post anything about plug ins. I am telling you there is one there or more. Not in your product manager, in the plug ins.
Also use your diagnostics in the admincp to look for files that do not belong. I usually download the files and do a filewide search.
XYZ500
08-25-2015, 01:14 PM
Disable your plug ins globally using config. I am sure you are missing a plug in. If possible find the plug in search mod and use it to search for the debase code.
And you did not mention in your post anything about plug ins. I am telling you there is one there or more. Not in your product manager, in the plug ins.
Also use your diagnostics in the admincp to look for files that do not belong.
Found it.
It was named 'vBulletin' so I didn't suspect it before.
Deleted it now and subscription page is normal.
Is there anything else I need to do to secure site and server?
RichieBoy67
08-25-2015, 01:21 PM
Yes, check your files and database again. Change admin log ins, database, etc... server FTP... change all those log ins and tighten things up if you know how.
XYZ500
08-25-2015, 01:33 PM
"check your files and database again"
What do you mean by this?
RichieBoy67
08-25-2015, 01:37 PM
Well look at your diagnostics to see if you have files that should not be there. Take into account your plug ins and be sure those files are clean.
Also, none of this can guarantee that someone did not get further into your server.
Another easy way to find suspicious files is by logging into the FTP of your server and by sorting all files and folders by last modification date. From there see if you can find any suspicious files.
RichieBoy67
08-25-2015, 03:12 PM
Another easy way to find suspicious files is by logging into the FTP of your server and by sorting all files and folders by last modification date. From there see if you can find any suspicious files.
Yeah Dave, great tip. I was going to mention that as well but he had mentioned that he did the upgrade in which he uploaded all the vBulletin files. It could be useful though to find anything else possibly.
I usually use the diagnostics and download the files that seem suspicious and do a filewide search using Notepad++. Of course, if there is anything on the server files or in the database he will still be in trouble.
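The file-wide search and the sort by last modification date suggested in this thread can be combined in one pass over a downloaded copy of the site. The following is an added example, not code from any poster or from vBulletin; the marker patterns, file extensions and sample files are assumptions constructed for illustration, and it does not cover plugin code held in the admincp plugin manager, which is where the shell in this thread was found.

```python
import os
import re
import tempfile
import time

# Heuristic markers of obfuscated PHP (assumed list); every hit needs manual review.
PATTERNS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "base64_decode": re.compile(rb"base64_decode\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
EXTENSIONS = (".php", ".phtml", ".inc")

def scan_tree(root):
    """Return [(mtime, path, [marker names])] for flagged files, newest first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = [label for label, rx in PATTERNS.items() if rx.search(data)]
            if hits:
                findings.append((os.path.getmtime(path), path, hits))
    return sorted(findings, reverse=True)

def build_sample_tree(root):
    """Constructed sample input: one clean file and one obfuscated file."""
    clean = os.path.join(root, "index.php")
    odd = os.path.join(root, "includes", "cache_tmp.php")
    os.makedirs(os.path.dirname(odd))
    with open(clean, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(odd, "w") as fh:
        fh.write("<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "'))); ?>\n")
    return clean, odd

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for mtime, path, hits in scan_tree(tmp):
            print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path, hits)
```

Modification times can be reset by whoever wrote the file and may not survive an FTP download, so the ordering is a hint for where to look first rather than proof that older files are clean.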