Keep getting hacked over and over by Ymh

  • scroush
    Member
    • Aug 2003
    • 62

    [Forum] Keep getting hacked over and over by Ymh

    My forum has been hacked a few times within the last 2 weeks. I have followed every post and still the guy comes back.

    I have no additional admins
    No Base64 code in the database
    Removed the Install folder
    Secured with htaccess AdminCP, ModCP, Includes, VB
    Upgraded to the latest VB version
    Deleted all Plugins we had aside from the ones that come with vb
    Changed DB Username & Password
    Changed FTP Password

    And as you can see he is back http://www.need2speed.com/vb_forums/forum.php

    I have replaced the forum.php, content.php & index.php and the forum page still goes to the above page, need some major help. Not sure what else to do at this point.

    I have read the links below.

    http://www.vbulletin.com/forum/blogs...ve-been-hacked

    http://www.vbulletin.com/forum/blogs...vbulletin-site
  • DemOnstar
    Senior Member
    • Nov 2012
    • 1912

    #2
    Just out of curiosity, was this a fresh install? Everything deleted from the server before upgrade?


    Comment

    • scroush
      Member
      • Aug 2003
      • 62

      #3
      No, and now I cannot find how the page is being redirected.

      Comment

      • DemOnstar
        Senior Member
        • Nov 2012
        • 1912

        #4
        What I would do, considering that you have done everything that has been advised. It may not be the correct way, it may be unconventional, it may be impossible?

        Wipe the server of all.. Create a new DB. Do a fresh install, one admin.. Do the necessary with the config.php etc...
        Delete install folder

        Post something to entice him in again.. Something that will make him a little pissed.

        Record all the changes made when and if he returns..
        Try to monitor everything, access logs, anything that you can..

        Keep the forum as minimal as possible, bare bones.. Watch everything he does...Eventually there will be a pattern, there has to be...

        He isn't going to leave you alone so there is little to lose..

        Entice the bugger, make it strong.. Lay a trap... If there is no enticement, he will wait for your forum to build again before making his entrance..

        I think server logs might play an important part.. Keep your eye on plug-ins and new additions to admin etc.. Anything that you didn't do.
        It may be a painstaking experience, it may be a learning curve. It will certainly be exciting..

        Your users may suffer on this one so it should be a consideration.

        There has to be a way to bring this fish home.


        Comment

        • Will Watts
          Member
          • Nov 2012
          • 43
          • 4.2.X

          #5
          Have you changed your main control panel password? You'll also want to check your server logs to see how he is accessing the site.

          Ensure your main control panel password has been changed (your webhosting CP), and then make sure that you are using a different MySQL user for the database (not root). Whilst you're still being hacked, you'll want to assume that all passwords have been compromised. If your main Control Panel password has been changed (and is not used anywhere else, and never posted or PMed in your forum to other admins), then work from there.

          As you've already removed plugins etc, you seem to essentially be running a default vBulletin setup. You can use the "Suspicious File Checker" in the AdminCP to check for modified PHP files in your install. As your setup has been stripped back to the default version already, your best option may actually be to just delete all files on the site and re-upload a fresh copy of vBulletin. You can then connect the new copy of vBulletin to your existing database - that way you can be sure there are no modifications in your PHP files anyway.

          If you want to work out exactly where the exploit is, you'll need to look at your server files to find out what's happening. Check through every entry for his IPs, and look for suspicious/unusual URLs - e.g. "forums.php%00something.php".

          All passwords need to be changed at the same time - Hosting CP, DB, FTP, Admin Passwords, htaccess etc.

          Comment
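One way to do the log review Will Watts describes, as an added example that is not from this thread or from vBulletin: a small Python scanner over Apache combined-format access log lines (the sample lines are constructed, not real traffic) that flags requests carrying a null byte like "forums.php%00something.php", directory traversal, hits on the removed install/ folder, PHP code keywords, or a long base64-looking parameter, and groups the hits by client IP so a repeat visitor stands out.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Defensive heuristics for a vBulletin install: things an admin reviewing logs would want flagged.
SUSPICIOUS = [
    ("null byte in path", re.compile(r"%00", re.I)),
    ("directory traversal", re.compile(r"\.\./")),
    ("install folder access", re.compile(r"/install/", re.I)),
    ("php code keyword in request", re.compile(r"(base64_decode|eval\(|system\(|passthru|exec\()", re.I)),
    ("long base64-like parameter", re.compile(r"=[A-Za-z0-9+/]{40,}={0,2}(&|$)")),
]

def find_indicators(path):
    """Return the names of every heuristic that matches the raw or URL-decoded request path."""
    decoded = unquote(path)  # check the decoded form too, so percent-encoding does not hide a match
    return [name for name, rx in SUSPICIOUS if rx.search(path) or rx.search(decoded)]

def scan_log(lines):
    """Return {client_ip: [(time, path, [indicator names]), ...]} for requests that match a heuristic."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip blank or non-combined-format lines
            continue
        found = find_indicators(m["path"])
        if found:
            hits[m["ip"]].append((m["time"], m["path"], found))
    return dict(hits)

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation-only range.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 -0400] "GET /vb_forums/forum.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2013:13:56:01 -0400] "GET /vb_forums/forums.php%00something.php HTTP/1.1" 200 312 "-" "curl/7.30"
203.0.113.9 - - [10/Oct/2013:13:56:40 -0400] "GET /vb_forums/install/upgrade.php HTTP/1.1" 404 200 "-" "curl/7.30"
203.0.113.9 - - [10/Oct/2013:13:57:02 -0400] "POST /vb_forums/forum.php?x=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB HTTP/1.1" 200 88 "-" "curl/7.30"
203.0.113.7 - - [10/Oct/2013:13:58:11 -0400] "GET /vb_forums/showthread.php?t=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reqs in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for when, path, why in reqs:
            print(f"  {when}  {path}  <- {', '.join(why)}")
```

Run it against a real access_log with `scan_log(open("access_log"))`; the heuristics are a starting point to narrow the log down, not proof of compromise, so review each flagged request by hand.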

          • scroush
            Member
            • Aug 2003
            • 62

            #6
            Thanks for the suggestions, but all passwords were changed (cPanel, Database, FTP, VB Admin) and I changed the username of the DB as well as protected all the recommended folders with htaccess.

            I'm about to update to 4.2 Alpha, so I will remove all the files not vb related and see if that makes a difference.

            Comment

            • DemOnstar
              Senior Member
              • Nov 2012
              • 1912

              #7
              I like the idea of post #4 but an update should - in essence - be more secure than the previous...


              Comment

              • scroush
                Member
                • Aug 2003
                • 62

                #8
                I also just ran the query below and found some entries, but I'm not sure if those are legit or not.
                SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';


                Comment

                • donald1234
                  Senior Member
                  • Oct 2011
                  • 1953
                  • 4.1.x

                  #9
                  Have you changed your own admin pass?

                  Comment

                  • scroush
                    Member
                    • Aug 2003
                    • 62

                    #10
                    Originally posted by donald1234
                    Have you changed your own admin pass?
                    Yes sir, we have 2 admins and I changed both. He is not listed as an admin, plus he deleted the entire database a couple of days ago, so he either has something in the db which I cannot find or a backdoor. I just deleted every file in the server and am doing an upgrade with new passwords again. This is getting old.

                    Comment

                    • DemOnstar
                      Senior Member
                      • Nov 2012
                      • 1912

                      #11
                      Well I guess that narrows it down to server side or your side...

                      Good luck! Do tell how it goes..


                      Comment

                      • scroush
                        Member
                        • Aug 2003
                        • 62

                        #12
                        Upgrading removed that page, however I'm getting the errors below, always something LOL

                        Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EDT/-4.0/DST' instead in ..../includes/functions.php on line 4912

                        Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'America/New_York' for 'EDT/-4.0/DST' instead in ..../includes/functions.php on line 5104

                        Comment

                        • Ion Saliu
                          Senior Member
                          • Sep 2010
                          • 172
                          • 4.2.X

                          #13
                          Originally posted by scroush
                          My forum has been hacked a few times within the last 2 weeks. I have followed every post and still the guy comes back.

                          I have no additional admins
                          No Base64 code in the database
                          Removed the Install folder
                          Secured with htaccess AdminCP, ModCP, Includes, VB
                          Upgraded to the latest VB version
                          Deleted all Plugins we had aside from the ones that come with vb
                          Changed DB Username & Password
                          Changed FTP Password

                          And as you can see he is back http://www.need2speed.com/vb_forums/forum.php

                          I have replaced the forum.php, content.php & index.php and the forum page still goes to the above page, need some major help. Not sure what else to do at this point.

                          I have read the links below.

                          http://www.vbulletin.com/forum/blogs...ve-been-hacked

                          http://www.vbulletin.com/forum/blogs...vbulletin-site
                          U N B E L I E V A B L E !

                          Please post a link to your forum!

                          The pieces of advice from other members (especially the axiomatic DemOnstar) amount to a big bunch of baloney. You can’t wipe out the server and lose all those posts and maybe subscriptions — that would be irresponsible! It would be like in the ancient fable: “Demolish the house because of the mice”.

                          Comment

                          • DemOnstar
                            Senior Member
                            • Nov 2012
                            • 1912

                            #14
                            Originally posted by Ion Saliu

                            U N B E L I E V A B L E !

                            Please post a link to your forum!

                            The pieces of advice from other members (especially the axiomatic DemOnstar) amount to a big bunch of baloney.
                            The link has already been posted Mr Saliu, asthmatic friend of mine..


                            Comment

                            • scroush
                              Member
                              • Aug 2003
                              • 62

                              #15
                              need2speed.com/vb_forums/forum.php

                              Comment
