The Arcive of Official vBulletin Modifications Site.

r5e · #1 10-20-2013, 12:44 AM

Yeah, I got hacked a few weeks back, just like so many others. I spent some time cleaning up and then took the extra time to follow best security practices (including password protecting my adminCP & modCP folders on cpanel).

I thought I was OK, but when my host migrated my site to a new server, seems they had pulled an older filesystem backup and my install folder was restored.

I didn't notice until yesterday when I got word of new admin accounts appearing and checked the filesystem to find the admin folder back again. I deleted it immediately of course!

So, after all my clean up work, I have again been repeatedly hacked over the last 1.5 weeks. Fortunately, this time there is nothing nasty (that I've seen so far) and no scripts/redirects and other malware trying to run off my site. I suspect this was due to the extra security I'd added as above.

So, now I have 762 other admin accounts I want to delete. I can't use any prune or delete tools from the adminCP, as they deliberately do not work on admin accounts. I can't spend all day and night sitting and deleting them 1 by 1. I have in the past done some direct SQL queries to remove various spammers that fell outside of the built-in abilities to remove, but I did so by copy/pasting bits of code others had shared and I'm not really confident to try myself. Does anyone know of a mod that can allow this to be done, or of any code that I might try?

The main offender is a user called "supportvb" that has hundreds of accounts. All of the accounts are recent (last 10 days) and none of them have any posts. Any help/advice appreciated. I'm sure that since all these hacks, there must be other forum owners trying to bulk delete or mass remove these bogus admin accounts.

ozzy47 · #2 10-20-2013, 01:05 AM

Create a new usergroup called hackers, move all the users into that group, then mass delete thru that group.

r5e · #3 10-20-2013, 04:24 AM

Can't do any operations (including move, as recommended) using prune function to the admin group. I can generate a list and display all the bogus admin accounts I want to delete, however, next to the delete or move buttons, I am told:

"Users marked with the [ ! ] button are not editable using this system."
(as they are members of the admin group - this is deliberate)

I can presently only do this 1 by 1 and I have 745 "supportvb" admins still to delete. I need a better way!

CAG CheechDogg · #4 10-20-2013, 05:08 AM

If you have access to your cPanel go to phpMyAdmin and delete them that way ....

r5e · #5 10-20-2013, 07:42 AM

Yes, I do have access to phpMyAdmin. I had considered this was probably the easiest option, but every official answer I always see to this suggestion is not to delete users directly from the database as it can cause problems.

I'm not 100% confident in exactly how to do it from phpMYAdmin. I can look at the table "user" on my database, select "search" and then in the "username" column, select "=" and type "supportvb" This will return me a list of all of these users. I then click on "select all" and then delete. Is this correct? It seems simple, but I didn't want to trash my DB through lack of knowledge on this. Appreciate if someone can confirm, or provide me better instructions.

--------------- Added [DATE]1382260489[/DATE] at [TIME]1382260489[/TIME] ---------------

Just did some other research and found someone else with a similar requirement. I modified their query slightly and I got the following:

Code:

UPDATE user SET usergroupid =17 WHERE (
CONVERT( `username` USING utf8 ) = 'supportvb'

I ran this via phpMy Admin. This looked for the username "supportvb" (which was the hack that inserted itself hundreds of times into the admin group) and then changed the group from 6 (admin) to 17 (a new group I created for this).

I now see the numbers in my Usergroup Manager reflect this. I check on one of the supportvb users and I can confirm that the group is no longer Admin, and the primary usergroup for these accounts is now the new group I created for them.

I now use the pruning system to clean up the rest. However, I find that when I search on this new usergroup, all the supportvb users show there, but they have 2 groups listed - the new one I just modified them to and also moderators. The "!" still appears on every account and it will not let me prune them.

What did I miss?

ozzy47 · #6 10-20-2013, 09:15 AM

Sounds to me like there may be a plugin running to make them un-editable. Try disabling all your mods via config.php and see if the "!" still appears next to their names.

r5e · #7 10-20-2013, 09:42 AM

Interesting suggestion, but sadly no luck. I disabled all plugins via config.php and confirmed that the "Manage Products" page says "Warning: Plugins are currently globally disabled via config.php."

Attempting to prune this usergroup correctly lists all 744 instances of the "supportvb" user, but on each of them it shows they are also in the "moderator" group. The ! appears next to every one of them and therefore I cannot perform any actions.

Curiously, looking at the tables directly via phpMyAdmin, they seem to only show only "17" (the group I put them in) for the usergroupid column and nothing at all in membergroupids. Looking at any of these users from admincp, they all show they are a member of only this group and no others. However, as soon as I see them from the prune list, it shows them as moderators.

If there is a safe way to simply remove them all from the database directly, I'll give it a go, I'm just loathe to try it in light of the funny way they are already responding from my first attempt.

sreeve · #8 10-21-2013, 11:18 AM

I too have the same problem with r5e.. would appreciate more ideas to resolve this "cannot" delete "supportvb" users that are in the admin group.

r5e · #9 10-22-2013, 09:18 PM

Still have the same problem.

I have posted in vbulletin.com's forum as well. I expected that as many of their customers had this problem and because it was caused by a security exploit, they may have been keen to offer some sort of "official" solution. Many of their customers are still compromised by these same admin accounts that they are unable to remove and VB staff in their forum are studiously ignoring my posts for 4 days now, while answering others.

While I am confident that by password protecting from cpanel my admincp and modcp folders, I have prevented these accounts being able to do anything worse than posting, it still feels uncomfortable having them around. I want to be able to cleanly delete them.

The work I have done so far shows that it may not be as simple as a database edit (especially if you don't know what you're doing). I would like someone to assist me (and the loads of others) who have this problem. A bulk delete mod would be nice, but a simple step-by-step instruction and a few lines of SQL query would be even better.

Anyone?

squidsk · #10 10-22-2013, 09:25 PM

Have you checked your config.php to see if the hack added the accounts to the uneditable/undeletable list?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04216 seconds Memory Usage 2,266KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (2)post_thanks_box_bit (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (2)post_thanks_postbit (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
Max Taxable

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!