A little while ago I reported to this group what seemed like some sort of attack on sites I run using XOOPS - essentially there was a spate of many, many registrations that did not make sense. Canvassing users known to me suggests they have had a dramatic increase in SPAM since the 'attack', but it's difficult to be certain about a correlation between these events.

Anyway, I am currently trying to sift thru these and find if I try to delete them via XOOPS admin I get:

"Admin user cannot be deleted. (User: <some user name>)"

Looking thru the user database table I see that the suspicious registration all have admin rights.

Now, there is no way known that the users were given admin rights by me, the only legitimate administrator for these sites.

I'm worried.

The sites are generally updated with the latest XOOPS on release.

Well, don't panic is the first thing I say. Those users are not in the admin group, just a mistake in the core files. The fix is listed here:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=16466&forum=21&start=15

Hope this helps.