vBulletin.com / vBulletin.org Hacked

Discussion in 'vBulletin Discussions' started by BamaStangGuy, Nov 14, 2013.

  1. signal500

    signal500 Regular Member

    Joined:
    Nov 5, 2012
    Messages:
    143
    Likes Received:
    114
    They cut corners on everything else. You can't be surprised they cut corners on security.
     
    Autopilot and Big al like this.
  2. Autopilot

    Autopilot Regular Member

    Joined:
    Jul 27, 2013
    Messages:
    514
    Likes Received:
    334
    No, I think it's a red herring to deny and minimize the extent of the hack on vBull dot com and org. And dot org was hit a second time in the last few days. As @AWS said the real evidence is out there.
     
    Last edited: Nov 18, 2013
    Peace and Big al like this.
  3. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    What is really amazing is how the Vb support staff behave. They spin their propaganda tales, ban people for asking questions, protect unethical staff members, and delete or alter posts that do not praise them, then they have the gall to complain on here when inevitably their customers react.

    When questioned, they play the martyr act (I deign not to answer people because I am too superior to customers). And so they run away like scared lowlifes who can only hide behind a mod button.

    The word incompetent springs to mind.
     
    Autopilot likes this.
  4. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    In a timely and respectful manner?
     
  5. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    vBulletin.org being compromised again is not an indicator that there is a 0 day exploit out there. It could also be interpreted that the adversary maintained persistence on the box, and Internet Brands did an extremely lousy job of cleaning up and removing persistence in the overall computing environment.

    The adversary did mention they got root access as well as littered the environment with PHP shells.
     
  6. Peace

    Peace Regular Member

    Joined:
    Jul 5, 2013
    Messages:
    100
    Likes Received:
    58
    This is what worries me. I don't want to speculate and cause trouble on the vB.org forums, because the people there have been nothing but helpful with developing my site. However, when it comes to security, I'm sort of a freak about it. We got hacked once, and that was enough for me. Never want to waste another week like that in 24/7 recovery mode.

    The $7,000 exploit claims to utilize a vulnerability in the announcement system. Well, some mysterious user posted a global announcement on vB.org, suddenly resulting in password popups everywhere (the second hack, as everyone's calling it). I don't think it is unfair to speculate that this was a live manifestation of the aforementioned exploit.

    Considering they just now discovered this summer hack (and it was snowing today), why shouldn't their customers be proactive in trying to figure out what happened? I wish these threads weren't getting closed on their forums, as I was very closely following them in an effort to keep my site as safe as possible.

    For example, the Reddit article mentioned disabling HTML in Global Announcements. How can I do that? It's not an official vBulletin patch, and maybe it does nothing, but at least it's proactive instead of reactive.
     
    Alfa1 and Big al like this.
  7. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    vBulletin.org is also running vBulletin v3.6.12. MacRumors is also running vBulletin 3. This is merely speculation but could the security issue be one with vBulletin 3.x itself?
     
    Peace and Big al like this.
  8. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    Interesting. If I remember correctly, many of the "updates" and "patches" were, along with other things, to update security features of the version being updated. This would indicate that the versions had security flaws in them?
     
    Peace likes this.
  9. oman

    oman Regular Member

    Joined:
    Oct 4, 2012
    Messages:
    74
    Likes Received:
    27
    Location:
    Sydney, Australia
    It's so untrue when they say "It was a staging server that got hacked".

    Just fix the shit up rather than making b.s. statements.
     
    Big al likes this.
  10. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    A valid point. I think that they are now in so deep with the BS that to start telling the truth would show that they were lying before and to admit this to us mere mortals would be demeaning for them.

    So the BS continues, with them not realizing that we can all see what BS they are spreading around. And see how totally incapable they are of doing the right thing.

    Usually these things come to a grinding halt, with some of them being fired, then it is a look of amazement and the question "What happened?" And still they will not understand about treating customers and members right.
     
    oman likes this.
  11. s.molinari

    s.molinari Regular Member

    Joined:
    Nov 6, 2009
    Messages:
    774
    Likes Received:
    603
    Location:
    Käshofen
    According to Wayne Luke, the ability to enter HTML into notices was the weakness that was taken advantage of at MacRumors. A moderator's account was compromised and the hackers got through with cookie sniffing HTML/JS in the notice system.

    So, your best bet to avoid this yourself is to make sure only very, very trustworthy people (if anyone other than yourself) have access to any system in vBulletin, where you can enter HTML into a text field and that field can be presented to the public.

    IMHO, in today's Internet with the power of rich text editors and templating systems, it just shouldn't be necessary at all to have to enter HTML into a text field to format that text anywhere in a system like a forum or any other CMS. So, my suggestion would be, get rid of direct HTML input... everywhere!

    As I mentioned in another thread somewhere, what happened, happened. What is more interesting to me is what is going to be done to avoid this in the future, and in what versions of vBulletin will this preventative security be added?

    I'll bet IB will leave this issue open in vB3 and vB4. Taking responsibility isn't their best quality. It will be up to the admins to secure the HTML text fields against untrustworthy people. :(

    But what about vB5? Ehem.......well, actually, I could care less about vB5, but they certainly should care.:rolleyes::whistle::P

    And to lighten up the subject, here is an informational but humorous cartoon about passwords, which everyone should know.

    [image: xkcd "Password Strength" comic]

    Scott
     
    Brandon, lordi, Peace and 1 other person like this.
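Peace asked above how to stop HTML being entered into Global Announcements, and s.molinari's post describes why it matters: HTML/JS in a notice field was used to sniff cookies. The example below is an added illustration, not vBulletin's code: it renders a notice by escaping everything typed into the field and only then expanding a tiny allowlisted markup subset ([b], [i], [url=http(s)://...]), so raw HTML never reaches the page. The `session_cookie_header` helper and the sample strings are constructed for the demonstration.

```python
import html
import re

# Added illustration, not vBulletin code: a notice/announcement renderer that
# never interprets HTML typed by an admin. The whole field is escaped first,
# then a small allowlisted markup subset is rendered by the template layer, so
# a compromised moderator account cannot plant script in a site-wide notice.

_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_ITALIC = re.compile(r"\[i\](.*?)\[/i\]", re.S)
_URL = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)
_SAFE_SCHEME = re.compile(r"^https?://", re.I)  # rejects javascript:, data:, ...


def _link(m):
    """Emit an <a> only for http(s) targets; anything else stays inert text."""
    target, label = m.group(1), m.group(2)
    if not _SAFE_SCHEME.match(target):
        return m.group(0)
    return f'<a href="{target}" rel="nofollow">{label}</a>'


def render_notice(raw: str) -> str:
    """Escape the whole field, then render allowlisted tags on the escaped text."""
    safe = html.escape(raw, quote=True)   # <, >, &, ", ' become entities
    safe = _BOLD.sub(r"<b>\1</b>", safe)
    safe = _ITALIC.sub(r"<i>\1</i>", safe)
    return _URL.sub(_link, safe)


def session_cookie_header(name: str, value: str) -> str:
    """Defence in depth (hypothetical helper): HttpOnly keeps the session cookie
    out of reach of any script that does slip into a page; Secure and SameSite
    limit where it is sent."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample inputs of the kind an admin-only HTML field would accept.
    for sample in (
        "[b]Maintenance[/b] tonight at 02:00 UTC",
        "Read the [url=https://example.com/notice]full notice[/url]",
        "<script>alert(document.cookie)</script>",
        "[url=javascript:alert(1)]click me[/url]",
    ):
        print(render_notice(sample))
    print(session_cookie_header("sessionid", "<session id placeholder>"))
```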
  12. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    I racked my brains trying to think of a software company that this could apply to.:ROFL:
     
    Peace and oman like this.
  13. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,792
    Likes Received:
    270
    I hear on the grapevine, IB are thinking of changing the forum software name from vBulletin to vHackable. :laugh:
     
    Autopilot and Big al like this.
  14. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    :agreed:
    ROTFLMAO!! :ROFL::ROFL::ROFL:
     
    Autopilot likes this.
  15. Chris Teriakis

    Chris Teriakis Regular Member

    Joined:
    Nov 19, 2013
    Messages:
    80
    Likes Received:
    39
    Location:
    Thessaloniki, Greece
    Dealing with vB since Oct 2003, I've seen many things changing. Pity that they're changing for the worse. Once upon a time vBulletin WAS a great software, and vB.org WAS really a helpful site. As for the topic now...:
    • Being hacked, even if it's a bad situation, is not the worst that can happen. Even big government sites have been hacked in the past. I believe that if hackers focus on hacking your site, sooner or later they'll hack it. At least this is my opinion.
    • The real bad is to treat your members as idiots. "No, it's not true...", "No, this is a fake screenshot. I can do a similar one in minutes..." etc etc. I can understand that the "soldiers" at vb.org have no other option than to follow the orders. Those that I can't understand are some "followers" who look to get a position there, who shout at (and sometimes insult) other members as a way to keep the truth hidden. This is unacceptable.
    • Many of you have written negative comments about Paul M. Why? He is trying to keep his salary safe. This is what he has been doing for a long time now. He is a servant. Do you expect that he can understand your problem? He does not care for you, my dears. He cares only for his money and nothing more.
    • The important question is: "What data did the hackers get?". According to emails that I got from some vB owners about attempts to break into their MySQL servers, most probably they got the license domain. That's really bad.
     
    Alfa1, Autopilot and Big al like this.
  16. GTB

    GTB Regular Member

    Joined:
    Jun 30, 2009
    Messages:
    1,792
    Likes Received:
    270
    The professional thing for Paul M to do would have been to say nothing until knowing for sure what happened. But he went on TAZ right away at first and tried to cover it up with lies, which soon backfired on him.

    You say you don't blame him for doing that, trying to protect vBulletin. Na, all that does is prove you can never rely on anything he says as being the truth, or just BS he's spouting.
     
    Last edited: Nov 19, 2013
    Autopilot and Big al like this.
  17. Chris Teriakis

    Chris Teriakis Regular Member

    Joined:
    Nov 19, 2013
    Messages:
    80
    Likes Received:
    39
    Location:
    Thessaloniki, Greece
    You didn't "catch" my sense ;) It was irony about his action. I've read his reply at TAZ. Pity for him that it was not at vb.org, where he could do the only thing that he knows how to do well (as most moderators EXCEPT Lynne do): "Off topic. Thread closed".
     
  18. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    Staging servers (aka development servers) are notorious as the root cause and culprit of larger-scale attacks. The biggest reason is the developer mentality that these servers are not "in production"; therefore security is not properly implemented, vulnerable applications have not been updated, and unpatched operating systems are still being used.

    More often than not, these staging servers hold credentials that lead to production servers, allowing an attacker to widen their attack and compromise those production servers.

    For example, our firm did a penetration test and we were about to give this organization a clean bill of health. On the off chance, we got lucky and landed on a machine that was sitting in the development environment being reimaged at that time. We were able to extract all the credentials and were then able to compromise the rest of the network.
     
    Big al likes this.
  19. ManagerJosh

    ManagerJosh Regular Member

    Joined:
    Sep 27, 2012
    Messages:
    96
    Likes Received:
    87
    At this time, the following information has been accessed or could have been accessed.
    • vBulletin.com Username, Password Hash, and Email
    • vBulletin.org Username, Password Hash, and Email
    • Magento (aka member's area) username, password, email, customer name, customer billing address and security question. No credit/debit card information is being stored.
     
    Big al likes this.
  20. Big al

    Big al Regular Member

    Joined:
    May 14, 2013
    Messages:
    1,093
    Likes Received:
    415
    Location:
    OZ
    I agree 100%.
     
