Random account set to Administrator?

[ThatGreenAlien]

Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something?

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?

[ForceHSS]

Yes its a hacker u would be best to do a full check and plug the hole were they got in

[ThatGreenAlien]

Okay, I'm pretty new to server stuff, what should I do exactly? And I looked in their log and saw something with plugin.php, what should I be looking for?

[Paul M]

Have you folowed the recent security advice and removed your install folder ? Thats almost certainly how they created the account.

[ThatGreenAlien]

I'll check that when I get home. Thanks!!

Edit: All install folders have been deleted. Anything else?

[ozzy47]

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

[afonseca]

Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.

[ForceHSS]

Quote:

Originally Posted by afonseca

Hi, I'm having the exact same issue, down to the username that was used. I banned those accounts and the hacker started creating other named accounts also in the Administrators group. The links on vbulletin.com are throwing this error:
"An internal error has occurred and the module cannot be displayed."

Did vbulletin.com get hacked? Any help appreciated.

Sorry are we talking about ur forum being hacked or are u asking that vbulletin has also been hacked

[afonseca]

I was referring to vbulletin.com there as none of the links shared were working for me, they were throwing that error message. They seem to be working fine now.

[Grimes]

Quote:

Originally Posted by ThatGreenAlien

Today I woke up to see the newest member, some random account named qaz001 was in the administrator group? We banned them before anything was done, but what is this and what can we do to stop it? Is this like a hack or something?

I did a google search on the name, and a lot of other random boards have the same account set as an administrator... what's up with this?

I have the same exact thing happening. Same user, same situation. The email is qwe@qwe.com and the ip is the same each time out of the Ukraine. It comes up in spam ip searches online. They were able to set the usergroup to admin and registration ip is blank. I believe I caught it in time, but I noticed that that same user account was created multiple times, and their location under 'who's online' was plugin.php?do=doimport&do=doimport.

Check your plugins for strange plugins. I had multiple entries (one for each account) of a plugin titled 'ech' that uses the hook init_startup. I deleted them all. This just happened moments ago. I had registration turned off, but it was still creating that same account. Banning the username and ip + email seems to have stopped it. Bizarre. I'm in the process of a security check right now to see if there's a hole somewhere.