Vbulletin Forums easily hacked?

Discussion in 'vBulletin Discussions' started by Superboy, Jul 16, 2012.

  1. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey
    I recently joined the VB crew as an owner not too long ago. I actually joined because of the negative feedback I always hear about Vb and i was curious to see "what was so bad about it?"

    Aside from that atrocious Admin panel....I like the sofware.

    As i get ready to launch my VB 4.2 forum in Mid-August, I am a bit worried. I've been reading on various forums I am a member of that VB forums are easily hacked and/or closing down temporarily.

    At first it was silly warez forums so of course that was a bit of a laugh to me and others....

    But these are some forums I have heard about
    having faced some type of hacking or potential hacking.....

    1. Android Forums
    http://androidforums.com/site-updat...rtant-notice-security-breach.html#post4645422

    2. Blackhat
    http://www.blackhatworld.com/blackh...-recent-bhw-member-passwords-compromised.html

    3. Nvidia
    http://www.nvidia.com/content/forums/index.html

    So it does get me wondering are VB forums the premium version of Phpbb aka are they more susceptible to hacking attempts vs XF or IPB?
     
  2. cpvr

    cpvr Regular Member

    Joined:
    Aug 14, 2009
    Messages:
    3,219
    Likes Received:
    823
    @Forever Young I beg to differ. Those getting hacked are those forums that aren't keeping their forums up-to-date. If they're not using the license updates, nor updating certain scripts when exploits are out, then of course, they'll get hacked. I think @Brandon @Dan Hutter @digitalpoint can also touch base on this.
     
  3. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    I don't think vB is any more susceptible than any other software. Knock on wood, my vB boards have never been hacked. For a while in the last couple of years there would be a release then a security patch or two within a couple weeks. At least you know vB is working to patch issues as they arise.

    General rules apply to vB as they do any other software:

    1. Keep the software up to date.
    2. Use secure passwords (admin account and database).
    3. Don't login from open Wifi networks.
    4. Only use add-ons that are either widely used or have code that you can read and understand exactly what it's doing.
    5. Make sure your file permissions are correct.
     
  4. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey

    I am guilty of not doing number 2...My admin password is WAY too easy.
     
  5. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    www.lastpass.com <---- Awesome service that's what I use. One master password unlocks everything. It's completely free for desktop/laptop use but for a pittance ($12/yr) you can get access on your mobile phone too.

    In the mean time go generate yourself a secure password: http://www.pctools.com/guides/password/
     
  6. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey
    I am afraid that i'll forget the password.....I know it is bad but i literally use the same password forALMOST everything
    with a slight variation.
     
  7. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    Not good, that means whenever a site gets hacked you have to go around changing all your passwords. I used to use the same password for almost everything (except important stuff) until Life Hacker was hacked a couple years ago and I had to go around changing 50 bazillion passwords. Not fun. Now if a site is hacked I just go there and generate a new password with Lastpass.

    Even if you write down your Lastpass password and stick it in your wallet it's still a whole lot more secure than having the same password for everything.
     
  8. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey
    I lose my wallet from time to time :D I am a careless soul. I'd lose my head if it wasn't attached to my body :D

    But i am going to use the site you told me and at least get a good password for my forums. I don't care so much about the password here or on other forums but i should protect myself better than I do on my own website :P

    Off-topic: Did you ever decide whether you were going to switch softwares?
     
  9. Dan Hutter

    Dan Hutter aka Big Dan

    Joined:
    Jul 20, 2006
    Messages:
    1,412
    Likes Received:
    515
    Location:
    New York
    Good deal on the password. :)

    Yup, I'm planning on moving back to vBulletin whenever I find someone to lend me an IPB license or can come up with the extra money for an IPB license. I really don't want to drop $175 on IPB that I'm likely never to use. Maybe it will be a good thing as I'll get experince with another platform.
     
  10. digitalpoint

    digitalpoint Regular Member

    Joined:
    Jul 9, 2012
    Messages:
    193
    Likes Received:
    313
    Location:
    San Diego, California
    It's not any more susceptible to hacking than other commercial software. Once in awhile a security exploit is discovered, and it's quickly patched. But like others have said, just be smart... Don't use easy passwords, don't log in from other people's computers (who knows, maybe they have a keylogger on it that they don't know about), don't log in via wifi unless you are doing it through a VPN, don't allow your web server to be able to write files, password protect your admincp area with an extra HTTP AUTH password (or better yet only allow users from certain IPs into it).

    If you want to get fancy, you can build a two-factor authentication system. For XenForo, I actually built a two-factor authentication system that requires you to be in physical possession of your cell phone to log in (I also allow users to use the system as well to protect their own accounts).

    af.cl.ly_items_2a2Y3E3o0P2P3M2T1X00_Image_202011.12.23_207_33_49_20PM.png
     
    Brandon, Forever Young and Dan Hutter like this.
  11. CM30

    CM30 Regular Member

    Joined:
    Jul 1, 2012
    Messages:
    901
    Likes Received:
    500
    I think the big issue with all the sites given is a mixture of using outdated versions of vBulletin and possibly some poorly coded modifications. Really, look at the versions they're all using. Many are still using vBulletin 3.8 or whatever, and many of them are using a significant amount of major add ons from sites like vBulletin.org. With those things kept in mind, of course their forums would be more likely to be hacked.

    In fact, this is kind of a problem with large forums in general. Why? Well due to all their code modifications and the size of the database they can't upgrade their software at a whim to fix any security issues. So as a result, they're often a sitting duck due to how long it takes them to upgrade, and it's not that likely most of their tech staff have figured out how to code their own patches for the outdated software they're running.
     
  12. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey

    Cant you also rename your admin/mod folders so they are not the default folder names in VB?
     
  13. CM30

    CM30 Regular Member

    Joined:
    Jul 1, 2012
    Messages:
    901
    Likes Received:
    500
    ^Yes you can. They suggest doing that to increase security, along with using .htaccess to add another layer of password protection to the admin cp folder.
     
  14. benjaminp

    benjaminp Regular Member

    Joined:
    Mar 22, 2008
    Messages:
    218
    Likes Received:
    101
    @digitalpoint

    That's a nice system. I use the two step verification on my Google account already, but like the idea of it being integrated with forums I use.

    Out of interest, what happens if the user loses their phone? Do you offer backup codes like Google do?
     
  15. digitalpoint

    digitalpoint Regular Member

    Joined:
    Jul 9, 2012
    Messages:
    193
    Likes Received:
    313
    Location:
    San Diego, California
    Right now, in order to utilize the two-step verification, the user has to have their account linked to at least 1 third party account (the system allows them to link to Facebook, Twitter, PayPal, Google Analytics, Google AdSense or Google Plus). Basically to be able to use that as a method to verify the account ownership should they lose their two-factor device.

    Depending on how popular it becomes and how prevalent it is that people lose their device, I'll add the one-time use passwords and phone numbers as a backup. But right now it doesn't have that.
     
    benjaminp likes this.
  16. Iconic

    Iconic The Original

    Joined:
    Nov 2, 2011
    Messages:
    353
    Likes Received:
    135
    Location:
    Australia
    Yes you can, I have done it. All you need to do is rename them and in the config.php file change the folder name of the admin and mod cp.
     
  17. Carlos

    Carlos Regular Member

    Joined:
    Apr 20, 2003
    Messages:
    751
    Likes Received:
    251
    Location:
    California
    Actually @cpvr, these hacked sites are for the most part, nulled. So, what the OP is saying, is that if vB is hackable on nulled site, that says a lot about how secure vBulletin is now.

    The damage is astromical, that iB has a lot on their plate. And I think vB5 is good as dead at launch. Mark my words.

    Why? Because a nulled software is already a hacked software; if a hacker is able to hack a nulled software, then the real meat of the software, as in the software that's being sold to customers is far more vulnerable than it has been in the past..

    To reiterate: If iB does not fix this right away, vB5 is dead on arrival.

    I expect widespread hackings of vB3/vB4 if iB lets this fester into oblivion.
     
    cpvr likes this.
  18. Superboy

    Superboy Most Likely, I'm Insane.

    Joined:
    Jun 13, 2012
    Messages:
    524
    Likes Received:
    168
    Location:
    New Jersey

    Carlos, I linked two forums that I am almost positive since they are tied into big companies or projects are NOT nulled(Androidforums and Nvidia.....Especially Nvidia)
    Blackhatworld I can't be sure about.

    What i was saying was it started with hearing about VB hackings which started on warez sites or the likes and now it is spreading to seemingly legit sites.

    I head about it hear as well
    http://xenforo.com/community/threads/vbulletin-pirate-sites-hit-by-hackers.33714/

    While I won't say VB5 is dead on launch....I still think it already will have a leg up on XF 1.3 or whatever is out then....IB really should look into it as on other forums, they are already equating the hacking attack to the quality of VB
     
  19. Carlos

    Carlos Regular Member

    Joined:
    Apr 20, 2003
    Messages:
    751
    Likes Received:
    251
    Location:
    California
    See, you further prove my assessment. Because I also saw this thread...
    As I've said.
     
  20. eva2000

    eva2000 Regular Member

    Joined:
    May 22, 2012
    Messages:
    138
    Likes Received:
    107
    Location:
    Brisbane, Australia
    FYI, Nvidia forums uses IPB and not vBulletin if it hasn't already been mentioned and Android forums was compromised from server level not software http://androidforums.com/site-updates-announcements/580371-important-notice-security-breach.html

    And as folks already mentioned there's many reasons for hacked/insecure forums regardless of software used

    1. not keeping software up to date
    2. compromised email accounts linked to admin user of the forums
    3. 3rd party plugin addon vulnerabilities
    4. as mentioned by Shawn, insecure wifi access
     
    Iconic and Dan Hutter like this.

Share This Page