Our site was hacked yesterday by a new user that was able to give himself admin rights, then create a plugin to upload files directly to our server. He uploaded a php script that overwrote index.php to his own (thankfully mostly harmless) code. This is what he did: http://www.youtube.com/watch?v=wwmqV8fMmfY

We are running 4.2.1 and I have not been able to find much info about how one could maliciously gain admin access. SQL injection to change his usergroup? There are no entries in the control panel log showing that a real admin account was compromised and used to give that user admin privileges (we have all changed our passwords anyway). The user's IP does not appear in the server's raw access log leading me to believe it was accomplished through scripts on the server. I have cpanel, WHM and FTP access restricted to my IP, and SQL is restricted to the server's. I have verified all file permissions are still set correctly. Config.php has not been altered and tools.php is not on the server.

For obvious reasons no one should post a how-to gain admin access here, but how can we protect against someone maliciously using vbulletin scripts? And how can we prevent ajax.php from connecting to external servers?

Edit: Sorry, just saw we're not alone. - http://www.vbulletin.com/forum/forum...pe-hack-method

I started to create this thread yesterday but wanted to research a few more things first. Install directory deleted.