A new type hack method?

  • Reignman
    replied
    Originally posted by Jamsoft

    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.
    Yes, that was a big mistake. I don't know why the CP message didn't include this "added admins" warning.

    By the way, are you sure that these messages were deleted by this hacker called "abdou" ?

  • Reignman
    replied
    Originally posted by Hawkmoth
    As above. This problem was found on Tuesday morning about 11 am Japan time. Like Reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active, but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

    I have also found a file "federal" in the plugin and that is removed. We only have vB software and vB Advanced for the front page (with all our language forums). vBa is the only plugin that is set up. All "abdou" did is deface our front page. The forum works fine from the forum.php page. I have removed the install file as Zachery has indicated. But the problem has not been resolved.

    NB: vis-a-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server, Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.
    He gets admin privileges when registering to the forum (using the exploit), so he can do whatever he wants.

    Another warning to forum owners: if your password in config.php is the same as your FTP/server passwords, you have to change those passwords.

  • Jamsoft
    replied
    Originally posted by DF031
    I agree, what about all those admins not visiting the forums?

    vB should have contacted all forum owners. It is not too late to do that and provide this basic support!
    Agreed!! I "happened" to see this in the CP yesterday, and went ahead and did what they said. BUT, they didn't say "check to see if you had admin accounts to see if you have been compromised." I did what they asked and researched no further. Today I am out like 40,000 posts that were deleted early this morning.

    How about an email to all owners, not only with a fix, but what to check to see if you've been compromised? Handled very badly.

  • user-1231235234532
    replied
    I agree, what about all those admins not visiting the forums?

    vB should have contacted all forum owners. It is not too late to do that and provide this basic support!

  • Sicilian
    replied
    The way vBulletin have handled this serious exploit has really got me annoyed. Whenever vBulletin want us to buy something such as vB5 we get an email, but with such a serious exploit as this, the best vBulletin staff can manage is an announcement post! Not good enough, vBulletin. I'm now seriously looking to move to another forum system.

  • Sicilian
    replied
    Originally posted by Zachery
    Remove your install directory. We posted an announcement about this. If you need help getting your site back up and running, please open a support ticket.
    Same happened on my forum.

    Wouldn't it have been better for vBulletin to email all customers about this serious exploit?

  • Hawkmoth
    replied
    Problem resolved, for now. Somehow, whatever Abdou did, he installed a new index.php over our old one. All I had to do was go into FTP and copy our original index.php over the "new" one. Sorry I'm not clever. If I was I might have thought of this sooner.

    Now the question is, how does Abdou/Federal install his files?

  • ercule
    replied
    I got the same "federal" member who got admin access on one of my sites.
    Apparently he tried to add an announcement with no success and looked at user.php --> viewjoinrequests.
    No plugin added on my site and no file edit.
    IP used: 41.248.180.132 (Morocco)
    I deleted the install folder and banned the IP from my server.

  • Hawkmoth
    replied
    Sorry for my English. I meant directory. I removed the directory.

  • Guest
    Guest replied
    Originally posted by Hawkmoth
    I have removed the install file as Zachery has indicated. But the problem has not been resolved.
    You need to remove the install DIRECTORY, not FILE.
    Keeping the /install/ directory open and accessible will just keep your forum getting hacked.

    You should also check for suspect files through ACP.
    Most probably some of the files have been changed.

  • Hawkmoth
    replied
    As above. This problem was found on Tuesday morning about 11 am Japan time. Like Reignman, we had 2 people registered as federal. One is now deleted and the other had all permissions removed and PW changed. I have no idea how he got in. All new members receive an email with an activation link in it. They have to click to become active, but even then they only go into an admin queue for final approval. Supposedly, no one can do anything until admin approval and only admins can do it, not mods. Maybe Abdou found some way to make himself an admin but I don't know how.

    I have also found a file "federal" in the plugin and that is removed. We only have vB software and vB Advanced for the front page (with all our language forums). vBa is the only plugin that is set up. All "abdou" did is deface our front page. The forum works fine from the forum.php page. I have removed the install file as Zachery has indicated. But the problem has not been resolved.

    NB: vis-a-vis Abdou, we may have identified him and some of his hacker friends. Since our website runs on a US server, Abdou has violated federal law (maybe USC Title 18 but I don't have the citation in front of me). Abdou has been reported to law enforcement agencies in the USA and UK among others. If anyone else has been hacked and you have any LE friends, let them know.

  • Wayne Luke
    replied
    Originally posted by Emath
    Same happened to me: homepage replaced (index.php and forum.php), new plugin, and a new admin user was created named: federal
    Then you should follow the same steps as above.

  • Emath
    replied
    Same happened to me: homepage replaced (index.php and forum.php), new plugin, and a new admin user was created named: federal

  • Reignman
    replied
    Well, Joe, I've checked my admin usergroup now and saw that there are 2 admin accounts named "federal".

    So, it's certain that I was a victim of the same hack. I've removed the admin accounts, install directory and plugin he created. My forum version is 4.2.1 and there is nothing suspicious in 3rd party add-ons.

    Thanks for help!

  • BirdOPrey5
    replied
    You should remove it completely (you may want to copy the code to a text file just so you have it for future reference).

    You should also go to the Admin CP -> Maintenance -> Diagnostics -> Suspect File Check. If any files say "Does not contain expected contents" you should re-upload a fresh set of files for your version of vBulletin.

    Make sure you are running the latest version of vBulletin as well.

    Also if there are any files not recognized as part of vBulletin you will need to manually check them to be sure they are clear of exploits. If you have a lot of 3rd party add-ons this can be time consuming. Consider removing add-ons and reinstalling fresh copies of the latest versions.

    Double check your list of Administrators in Admin CP -> Usergroups -> Usergroup Manager, if you have an Admin account you didn't create then this was likely the result of the exploit announced yesterday.

    There is still the possibility that your case was caused by a 3rd party add-on or server vulnerability; if no new Admin account was created it may not be the same hack.


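One way to automate the three file-level checks from the post above (files that "do not contain expected contents", files not part of the vBulletin release, and whether the install directory is still on the server), as an added Python example that is not from this thread or from vBulletin. It assumes you can hash a pristine download of your exact vBulletin version to build the manifest; the tiny file tree in `demo()` is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Relative path -> SHA-256 for every file under a known-good copy of the release."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def check_install(root, manifest):
    """Compare a live web root against the manifest and flag the symptoms from the thread."""
    root = Path(root)
    found = {"modified": [], "unknown": [], "missing": [], "install_dir_present": False}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            found["unknown"].append(rel)    # not part of the pristine file set: inspect by hand
        elif hashlib.sha256(p.read_bytes()).hexdigest() != manifest[rel]:
            found["modified"].append(rel)   # "does not contain expected contents": re-upload
    found["missing"] = sorted(set(manifest) - seen)
    found["install_dir_present"] = (root / "install").is_dir()   # must be removed after setup
    return found

def demo():
    """Constructed example: a tiny pristine tree, then the aftermath the thread describes."""
    with tempfile.TemporaryDirectory() as pristine, tempfile.TemporaryDirectory() as live:
        files = {"index.php": "<?php // original index\n",
                 "forum.php": "<?php // original forum\n",
                 "includes/config.php": "<?php // db credentials\n"}
        for base in (pristine, live):
            for rel, body in files.items():
                f = Path(base) / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_text(body)
        manifest = build_manifest(pristine)
        live = Path(live)
        live.joinpath("index.php").write_text("<?php // defaced\n")        # replaced index.php
        live.joinpath("federal.php").write_text("<?php // dropped file\n") # unexpected file
        live.joinpath("install").mkdir()                                   # installer left in place
        live.joinpath("install/install.php").write_text("<?php // installer\n")
        return check_install(live, manifest)
```

Run `check_install` against your real web root with a manifest built from a fresh download of the same version; anything in `unknown` that is not one of your own add-ons deserves a manual look.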