New user made himself an admin

**In Omnibus** · Wed 2 Oct '13, 7:47am

Did you delete the "install" folder from your server? If not, that's likely your answer.

**Teascu Dorin** · Wed 2 Oct '13, 8:06am

Originally posted by ProSportsForums

Did you delete the "install" folder from your server? If not, that's likely your answer.

Also if he did created an admin account you most surely have some hackers plugins installed.

**Zachery** · Wed 2 Oct '13, 8:35am

First you need to follow our advisory about deleting the install folder off your forums.
Then please read the following two blog posts:

Fixing your site after you have been hacked. - vBulletin Community Forum

http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked

This guide is for what to do, after youve been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has

Best practices for securing your vBulletin site. - vBulletin Community Forum

http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

**Nauti Rogue** · Wed 2 Oct '13, 8:36am

Ironically, I have just noticed 3 users who have done the same on my forum within the last week or two. The issue was the fact that I had failed to delete the install folder. I've corrected this now, and I've deleted the other Admin accounts, but is it too late? Have I shut the barn door after the cows got out? What could they have done? What should I look for?

**DemOnstar** · Wed 2 Oct '13, 8:59am

Check your plug ins for something you didn't install and remove it..

**Nauti Rogue** · Wed 2 Oct '13, 10:25am

Thanks. I uninstalled Skimlinks and Postrelease. I now notice that I'm getting the following warning: "Warning: Plugins are currently globally disabled via config.php." in the Plugins page. Is this normal, or should I go check that out? It seems like that's a good thing, except that I had previously had Forum Runner working correctly for the forum. I assume for Forum Runner to be working correctly in the past, I plugins must not have been globally disabled. Why would a hacker install plugins and then disable plugins?

**Mark.B** · Wed 2 Oct '13, 10:54am

No real need to remove Skimlinks and Forum Runner...your rogue plugins are probably under the "vBulletin" product.

The message you are receiving is because plugins are ALL disabled, which is normal.

In this instance I would suggest raising a support ticket so we can get your login credentials and take a quick look around.

Customer Login

http://www.vbulletin.com/go/techsupport

vBulletin Community Software

Please include AdminCP login and FTP credentials in the "Sensitive Data" field.

vBulletin 4 End of Life

New user made himself an admin

New user made himself an admin

Comment

Comment

Comment

Comment

Comment

Comment

Comment