The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
HELP! forum hacker somehow creating admin accounts
Since mid-September someone has been trying to hack my site.

This person has tried creating multiple admin accounts. I'm not sure how he is able to create the accounts (it isn't recording an IP address or anything). I have the first username he tried, and when I google it, I find other sites he has hacked. Their main pages are wiped and he has his name in big font and a scrolling message at the top saying the site has been hacked and things like, "Islam is the way of life." And most often awful music playing. He has since tried creating several other admin account names.

My admincp is not located at mysite.com/admincp.php - I renamed it a long time ago to prevent hackers from uploading files into the admincp (I'm not sure if this has been the reason why he hasn't been able to mess up my site - it would make sense if it is a robot that is doing it). My site is hosted on bluehost.

Does anyone have any idea where he is getting in and registering the admin accounts? How do I stop this before he really gets in and ruins my site? Any help is appreciated!
#3
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5

vBulletin 5.0.x patch released, for a different security issue:
http://www.vbulletin.com/forum/forum...d-all-versions
#4
Quote:
I hope this solves it.
#5
Sorry you were hacked. I hope it solves it too.
#7
Yes, I already changed passwords and I'm going through and deleting files they added (found a bunch in the clientscript directory). I just hope that deleting the install directory will close the backdoor that was letting someone come in and do all this.
#8
Make sure you follow the guidelines completely, be thorough and take your time. If you can do backups after every step, do so. If you have any questions please ask; most of us try to help others if we can.
Thanks from: ProFifaLeagues
#9
((hugs)) Michelle

I'm still dealing with this chaos and am in your exact same boat. They are completely right - there's a lot more to fixing this issue than deleting the install folder.

Also - one thing that I think (can't say absolutely for sure) might not have been in those guides - but I added another layer - using htaccess to restrict access to my admincp folder as well. This would prevent them from even being able to log in and use their admin accounts through the admincp. Of course the password file sits above the public folder.

Oh and my attack happened around the same time as yours.
#10
Password protecting the folders is part of the guides
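
The cleanup points raised across this thread (removing the install directory, looking for files added under clientscript, and password-protecting the admin directory with the password file kept above the public folder) can be checked with a short script. This is an added example, not part of any post or of vBulletin; the function names, the `panel` directory name and the assumption that clientscript should contain no PHP files are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit a forum web root after cleanup.
# Prints one FINDING line per problem; no output means all checks passed.
audit_forum() {
    root=${1%/}              # web root directory
    admindir=${2:-admincp}   # admin directory name (may have been renamed)

    # 1. The install directory should be removed once setup is finished.
    if [ -d "$root/install" ]; then
        echo "FINDING install directory present: $root/install"
    fi
    # 2. Assumption: clientscript holds only static assets, so any PHP is suspect.
    if [ -d "$root/clientscript" ]; then
        find "$root/clientscript" -type f -name '*.php' |
            while IFS= read -r f; do echo "FINDING PHP file in clientscript: $f"; done
    fi
    # 3. The admin directory should require HTTP auth, and the password file
    #    must live outside the web root so it cannot be fetched over HTTP.
    ht="$root/$admindir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "FINDING no .htaccess in $root/$admindir"
        return 0
    fi
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" | head -n 1 | tr -d '"')
    case "$pw" in
        "")        echo "FINDING no AuthUserFile directive in $ht" ;;
        "$root"/*) echo "FINDING password file inside web root: $pw" ;;
    esac
    return 0
}

# Constructed sample tree that trips checks 1-3 (directory "panel" is made up).
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/install" "$d/clientscript" "$d/panel"
    : > "$d/clientscript/menu.js"
    : > "$d/clientscript/x.php"
    printf 'AuthType Basic\nAuthName "Admin"\nAuthUserFile %s/panel/.htpasswd\nRequire valid-user\n' \
        "$d" > "$d/panel/.htaccess"
    echo "$d"
}

sample=$(build_sample)
audit_forum "$sample" panel
rm -rf "$sample"
```

The directive match is case-sensitive and reads only the first `AuthUserFile` line, so a hand-edited `.htaccess` with unusual casing needs a manual look.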