I’m sorry to hear this, Mike. This is most likely a result of the vulnerability that we’ve reported a while ago. Please find an analysis, mitigations and solutions in https://discourse.igniterealtime.org/t/cve-2023-32315-openfire-administration-console-authentication-bypass
In the last few days, we’ve seen an uptake of exploits of this vulnerability popping up in the wild.
I’d appreciate it if you could share the malicious plugins in a private message to me. That will help us analyze things.