More security breaches reported

More reports http://www.vbulletin.com/forum/foru...-running-vbulletin-5-0-3-got-hacked-yesterday and of special interest is post #10 in which the customer states there were no /install folders on his sites. Also he got censored in another thread where he talked about his sites being hacked.

 

Site and server security is not just about removing the install folder and no one has ever claimed that. Locking the front door is useless if you leave the back door and all the windows open - or perhaps a more appropriate analogy is leaving an extra door key under the welcome mat where anyone can find it.

Most security breaches with ANY software come down to pretty basic safeguards that are still not implemented in most forums, vBulletin, Xenforo, IPB, phpBB, or anything else.

 

And then there is this where a customer claims his site was installed by vBulletin staff, his site got hacked and then they refused to help other than to tell him to remove the /install folder as per their directive notice. Place a ticket they said, which he had done and even that was ignored for a time.
http://www.vbulletin.com/forum/foru...n-hacked-and-no-support-at-all-from-vbulletin

 

See http://www.vbulletin.com/forum/foru...t-at-all-from-vbulletin?p=3997895#post3997895

Wayne Luke:

So when had he already submitted a ticket about this issue? Two years before he had the issue?

Do you seriously wonder why they call you a troll?

 

@djbaxter Seriously you seem to have some pathological urge to argue every post I make by using personal attacks to prove your point and distort the point so others find it hard to follow. I thought it was bad when you showed tendencies of being a cyber bully but now you've up the game by demonstrating you are a cyber stocker as well? You really should get some professional help son.

 

Yeah really, because you're just that fascinating and important. By the way, it's "stalker", not "stocker".

 

You assume I wasn't referring to you as a stocker, one who pigeon holes people puts them on a shelf with quaint labels. Stalker? Yeah you are that too and it's interesting you recognize that in yourself. Either way you cut it, you are pathologically compulsive in your being a cyber bully and cyber "stalker". In rational conversations you seem to find it difficult to state a difference of opinion without first trying to over power others with your self importance and bully them with derogatory insults. You need help son and venting or displaying your pathology publicly here or elsewhere on people is counter productive to you recovering your mental health.

 

More than 35,000 vBull sites hacked as reported on KrebsonSecurity

 

That's crazy, I read this post yesterday and the link.
I see it's hit the AP, here is another report.
Nice GUI!!




Guess this means I'll be getting a few calls of concerned clients. I should be thanking vBulletin for such magnificent work.

 

How long has it been since vBulletin warned people via the AdminCP and email that they need to remove the install directory?

Are we supposed to feel sorry for forum owners who are too lazy to do that?

 

Now, I'm so glad I moved to Xenforo or we'd be having to deal with that crap right now.

 

If we remember, emails about this vulnerability were sent out after the fact. And I doubt all 35,000 reported hacks were the responsibility of the customer. One case reported on vBull forum reports the install was done by paid vBull staff in this thread and then according to the customer he felt he was refused help.

Not everyone is skilled or knowledgeable in the intricacies of installing software that goes beyond "click to install". This one person paid to have his system installed by what he thought were professionals who knew what they were doing. How many of the 35,000 reported cases did the same? Hard to say but there were probably many who paid good money to have the software professionally installed.

I place the blame squarely on the shoulders of the devs, IB and vB who knew there was a hole and didn't provide adequate installation procedures such as not activating the installed program until those directories/files were removed. Less sophisticated and newer forum platforms require this so the failing is on them not the customer and there are many older platforms that have done so for years.

 

1. If we remember, there was a starkly displayed warning at the very top of the AdminCP the day it was disclosed. I cannot imagine an Admin/owner on top of things not logging into the AdminCP at least daily, if not several times faily.

2. Even given the delay of the email, that went out weeks ago. If you own a forum and don't keep on top of these things yourself, you deserve what you get.

No sympathy whatsoever from me.

 

No sympathy for people trusting a well established company with providing quality software? I'm sorry, the root of the problem is poorly written code, the install vulnerability shouldn't had existed in the first place. It reminds me of the exploit that would give you the site's database details just by typing something in the FAQ page, that's just amateur coding.

I keep on top of things and I don't have to (or can) log into ACP every day. Sites were getting hacked at least several days before vBulletin was aware of the problem at all, so even someone like you who does "keep on top of things" unlike irresponsible admins who don't, could've gotten screwed by it, you were lucky not to. It wasn't keeping on top of things what saved you, it was mere luck.