Posted in another tread, Plug Ins had a script "OverrideAdminRights" in ForumRunner, could be seen in "Product Management".

I did and noticed like 4 more admins were added, but this was the first attack - I deleted that database and rolled back to a pre-hack one. I tried a fix and the second time they got in they didn't do this, but rather just take over my admin account. They did add a plugin that was noticeable, "cumlauncher2000"

But like I said, I've rolled back to a pre-attack db and updated all plugins and so far so good...but don't know if they've just lost interest for this week or if I'm still vulnerable.

well good thing I deleted forumrunner altogether :D

Did you remember to change your passwords to both the server and the bbs after the rollback?

If they're changing the unmodifiable users list, it sounds like they hacked into the server, not just the BBS, at which point they could manually hack the config file where you set the umodifiable users.

You may wish to ask your hosting provider to check the server for exploit code as well.

If that config file is set to mod 777, ( -rwxrwxrwx), you probably should log into a terminal to the server, and chmod the file to 555 (-r-xr-xr-x).

I have chat box and top posters.

I am trying to confirm with Valter if I have all the right files.

Good article HERE about security.

I would also add THIS mod. Has helped us a lot in the past.

it's not 777, it was 644, should it be 555?

they hacked the site again. they know the name of the new sql database i made (it was named after the hacker) and his first move was to change my email address (the name he made up referenced the sql db name i made, trying to send a message or whatever) to a yopmail and i presume begin a password reset. config says i, the admin (#1) am an unmodifiable user...

how could he know the db name? should config be 555d?
how do i disable the password reset function in the interim?

Really sorry to read this, The Mailman :( No one should be able to hack your vBulletin like this, regardless of the config.php permissions. Who is your hosting company? Do you run on shared, VPS, or dedicated?

Have you changed root/whm, cpanel, FTP, and all vBulletin admin passwords?

If you have a good hosting company, please ask them to run a malware scan on your server. If they won't, you can install & run maldet for unix. If you have an amazing hosting company, ask them to find logs showing who is doing what. Have you grabbed IP addresses yet? Perhaps they can narrow it down that way? If they won't, please write back here and I can give you some starting logs to glance at.

Finally, set up Host Access Control in WHM. Do not allow anyone to run FTP, cPanel, or WHM unless it's from your IP address. Again, let me know if you need assistance with this. I just went through the same thing. They're still trying, and failing now. So they can be defeated!

Good luck :( This sucks.