Bulk delete bogus admin accounts following hack?
 

Yeah, I got hacked a few weeks back, just like so many others. I spent some time cleaning up and then took the extra time to follow best security practices (including password protecting my adminCP & modCP folders on cpanel).

I thought I was OK, but when my host migrated my site to a new server, seems they had pulled an older filesystem backup and my install folder was restored. :mad: I didn't notice until yesterday when I got word of new admin accounts appearing and checked the filesystem to find the admin folder back again. I deleted it immediately of course!

So, after all my clean up work, I have again been repeatedly hacked over the last 1.5 weeks. Fortunately, this time there is nothing nasty (that I've seen so far) and no scripts/redirects and other malware trying to run off my site. I suspect this was due to the extra security I'd added as above.

So, now I have 762 other admin accounts I want to delete. I can't use any prune or delete tools from the adminCP, as they deliberately do not work on admin accounts. I can't spend all day and night sitting and deleting them 1 by 1. I have in the past done some direct SQL queries to remove various spammers that fell outside of the built-in abilities to remove, but I did so by copy/pasting bits of code others had shared and I'm not really confident to try myself. Does anyone know of a mod that can allow this to be done, or of any code that I might try?

The main offender is a user called "supportvb" that has hundreds of accounts. All of the accounts are recent (last 10 days) and none of them have any posts. Any help/advice appreciated. I'm sure that since all these hacks, there must be other forum owners trying to bulk delete or mass remove these bogus admin accounts.

Create a new usergroup called hackers, move all the users into that group, then mass delete thru that group.

Can't do any operations (including move, as recommended) using prune function to the admin group. I can generate a list and display all the bogus admin accounts I want to delete, however, next to the delete or move buttons, I am told:

"Users marked with the [ ! ] button are not editable using this system."
(as they are members of the admin group - this is deliberate)

I can presently only do this 1 by 1 and I have 745 "supportvb" admins still to delete. I need a better way!

If you have access to your cPanel go to phpMyAdmin and delete them that way ....

Yes, I do have access to phpMyAdmin. I had considered this was probably the easiest option, but every official answer I always see to this suggestion is not to delete users directly from the database as it can cause problems.

I'm not 100% confident in exactly how to do it from phpMYAdmin. I can look at the table "user" on my database, select "search" and then in the "username" column, select "=" and type "supportvb" This will return me a list of all of these users. I then click on "select all" and then delete. Is this correct? It seems simple, but I didn't want to trash my DB through lack of knowledge on this. Appreciate if someone can confirm, or provide me better instructions.

--------------- Added [DATE]1382260489[/DATE] at [TIME]1382260489[/TIME] ---------------

Just did some other research and found someone else with a similar requirement. I modified their query slightly and I got the following:

I ran this via phpMy Admin. This looked for the username "supportvb" (which was the hack that inserted itself hundreds of times into the admin group) and then changed the group from 6 (admin) to 17 (a new group I created for this).

I now see the numbers in my Usergroup Manager reflect this. I check on one of the supportvb users and I can confirm that the group is no longer Admin, and the primary usergroup for these accounts is now the new group I created for them.

I now use the pruning system to clean up the rest. However, I find that when I search on this new usergroup, all the supportvb users show there, but they have 2 groups listed - the new one I just modified them to and also moderators. The "!" still appears on every account and it will not let me prune them.

What did I miss?

Sounds to me like there may be a plugin running to make them un-editable. Try disabling all your mods via config.php and see if the "!" still appears next to their names.

Interesting suggestion, but sadly no luck. I disabled all plugins via config.php and confirmed that the "Manage Products" page says "Warning: Plugins are currently globally disabled via config.php."

Attempting to prune this usergroup correctly lists all 744 instances of the "supportvb" user, but on each of them it shows they are also in the "moderator" group. The ! appears next to every one of them and therefore I cannot perform any actions.

Curiously, looking at the tables directly via phpMyAdmin, they seem to only show only "17" (the group I put them in) for the usergroupid column and nothing at all in membergroupids. Looking at any of these users from admincp, they all show they are a member of only this group and no others. However, as soon as I see them from the prune list, it shows them as moderators.

If there is a safe way to simply remove them all from the database directly, I'll give it a go, I'm just loathe to try it in light of the funny way they are already responding from my first attempt.

I too have the same problem with r5e.. would appreciate more ideas to resolve this "cannot" delete "supportvb" users that are in the admin group.

Still have the same problem.

I have posted in vbulletin.com's forum as well. I expected that as many of their customers had this problem and because it was caused by a security exploit, they may have been keen to offer some sort of "official" solution. Many of their customers are still compromised by these same admin accounts that they are unable to remove and VB staff in their forum are studiously ignoring my posts for 4 days now, while answering others.

While I am confident that by password protecting from cpanel my admincp and modcp folders, I have prevented these accounts being able to do anything worse than posting, it still feels uncomfortable having them around. I want to be able to cleanly delete them.

The work I have done so far shows that it may not be as simple as a database edit (especially if you don't know what you're doing). I would like someone to assist me (and the loads of others) who have this problem. A bulk delete mod would be nice, but a simple step-by-step instruction and a few lines of SQL query would be even better.

Anyone?

Have you checked your config.php to see if the hack added the accounts to the uneditable/undeletable list?

Yes, there are no undeletable users listed in the config.php file, so sadly not that easy. :(

If anyone can suggest an SQL query for me to cleanly and safely delete any user called "supportvb" from my database? (To save reading above, this cannot be done by the prune function). Additionally, I have managed to make all these users a member of usergroup 17, if that helps the query at all.
(There are still around 700 of these accounts in my database and removing them manually is beyond my time budget)

Anyone else have ideas to fix this? Im sure there are a lot of people in the same boat and need to delete this fake accounts.