View Full Version : VB really this terrible????? Can it Be


Andromeda2875
06-20-2006, 02:39 AM
I am very upset. I run a forum with 7 thousand members and 240K posts. I am getting hacked every day now. Is this really how crappy vbulletin is? I mean You can not fix security holes in the software. Very unhappy. I may have to go to IPB. Terribly disappointing.

Adrian Schneider
06-20-2006, 02:55 AM
There are many ways of your board being 'hacked' that have nothing to do with security holes. Which version are you running?

ConqSoft
06-20-2006, 02:57 AM
I'd be looking into server security if you're having that much of a problem.

Damian
06-20-2006, 02:59 AM
Are you looking for assistance, or just making a comment?

Paul M
06-20-2006, 03:04 AM
Assuming that you are running 3.5.4 (which the site in your sig is) then you really need to look elsewhere on your server, there are no known 'holes' in that version, but there are lots of other ways to break into a server.

Andromeda2875
06-20-2006, 03:22 AM
There are many ways of your board being 'hacked' that have nothing to do with security holes. Which version are you running?


I am running 3.5.4. Someone keeps logging in under one of my Super Mods account, changing himself to admin and moving every single post to the trash section of my board. No one is getting into the server. They are using this, how I do not know, but they are:

17116 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17115 N/A 14:08, 19th Jun 2006 css.php update style id = 1 206.149.148.27
17114 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17113 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17112 N/A 14:08, 19th Jun 2006 css.php update style id = 4 206.149.148.27
17111 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17110 N/A 14:07, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17109 N/A 14:07, 19th Jun 2006 css.php update style id = 3 206.149.148.27
17108 N/A 14:06, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17107 N/A 14:06, 19th Jun 2006 template.php modify 206.149.148.27



If you see, this is from the control panel. There is no name given and this is what they do and then they have access to everything. Somehow they are taking that SuperMod and making it say admin under it and moving everything.

This is what they do after they login and change the password to the SuperMod and make him admin:

17106 13:28, 19th Jun 2006 thread.php dothreadsall 83.149.72.74
17105 13:28, 19th Jun 2006 thread.php dothreads 83.149.72.74
17104 13:27, 19th Jun 2006 thread.php move 83.149.72.74
17103 13:27, 19th Jun 2006 moderate.php posts 83.149.72.74

Rickie3
06-20-2006, 06:09 AM
you got to be joking right???? you're blaming vBulletin software for being hacked, I have been running vBulletin for 2 years and have not had an ounce of trouble, I'm the only one that has access to my server and am super admin
1. who else has access to your server???
2. how many admins do you have???

could be an admin logging in using a proxy and playing games

Revan
06-20-2006, 09:11 AM
I am running 3.5.4. Someone keeps logging in under one of my Super Mods account, changing himself to admin and moving every single post to the trash section of my board. No one is getting into the server. They are using this, how I do not know, but they are:

17116 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17115 N/A 14:08, 19th Jun 2006 css.php update style id = 1 206.149.148.27
17114 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17113 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17112 N/A 14:08, 19th Jun 2006 css.php update style id = 4 206.149.148.27
17111 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17110 N/A 14:07, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17109 N/A 14:07, 19th Jun 2006 css.php update style id = 3 206.149.148.27
17108 N/A 14:06, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17107 N/A 14:06, 19th Jun 2006 template.php modify 206.149.148.27



If you see, this is from the control panel. There is no name given and this is what they do and then they have access to everything. Somehow they are taking that SuperMod and making it say admin under it and moving everything.

This is what they do after they login and change the password to the SuperMod and make him admin:

17106 13:28, 19th Jun 2006 thread.php dothreadsall 83.149.72.74
17105 13:28, 19th Jun 2006 thread.php dothreads 83.149.72.74
17104 13:27, 19th Jun 2006 thread.php move 83.149.72.74
17103 13:27, 19th Jun 2006 moderate.php posts 83.149.72.74

The css.php log entries aren't the same IP as the thread.php ones. Therefore it's not the same person.
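
Added example, not part of the original thread: a small Python triage script that parses the control panel log lines pasted above and summarises activity per source IP, which is the comparison made in this reply. The column layout (optional username, then time, date, script, action, IP) is inferred from the pasted lines, and all function names are hypothetical.

```python
import re
from datetime import datetime

# Log lines copied from the post above; "N/A" sits in the username column.
SAMPLE_LOG = """\
17116 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17115 N/A 14:08, 19th Jun 2006 css.php update style id = 1 206.149.148.27
17114 N/A 14:08, 19th Jun 2006 css.php edit style id = 1 206.149.148.27
17113 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17112 N/A 14:08, 19th Jun 2006 css.php update style id = 4 206.149.148.27
17111 N/A 14:08, 19th Jun 2006 css.php edit style id = 4 206.149.148.27
17110 N/A 14:07, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17109 N/A 14:07, 19th Jun 2006 css.php update style id = 3 206.149.148.27
17108 N/A 14:06, 19th Jun 2006 css.php edit style id = 3 206.149.148.27
17107 N/A 14:06, 19th Jun 2006 template.php modify 206.149.148.27
17106 13:28, 19th Jun 2006 thread.php dothreadsall 83.149.72.74
17105 13:28, 19th Jun 2006 thread.php dothreads 83.149.72.74
17104 13:27, 19th Jun 2006 thread.php move 83.149.72.74
17103 13:27, 19th Jun 2006 moderate.php posts 83.149.72.74
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Assumed layout: id [user] HH:MM, DDth Mon YYYY script.php action... ip
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?"            # username column is absent in some lines
    r"(?P<hh>\d{1,2}):(?P<mm>\d{2}),\s+"
    r"(?P<day>\d{1,2})(?:st|nd|rd|th)\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<script>\S+\.php)\s+"
    r"(?P<action>.*?)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line):
    """Return one log entry as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None or m["mon"] not in MONTHS:
        return None
    try:
        when = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                        int(m["hh"]), int(m["mm"]))
    except ValueError:  # e.g. hour 25 or day 32 in a damaged line
        return None
    return {"id": int(m["id"]), "user": m["user"], "when": when,
            "script": m["script"], "action": m["action"], "ip": m["ip"]}

def parse_log(text):
    """Parse every recognisable line and return entries in log-id order."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(entries, key=lambda e: e["id"])

def summarize_by_ip(entries):
    """Per source IP: first/last timestamp, scripts touched, entry counts."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["ip"], {"first": e["when"], "last": e["when"],
                                         "scripts": set(), "count": 0,
                                         "no_username": 0})
        s["first"] = min(s["first"], e["when"])
        s["last"] = max(s["last"], e["when"])
        s["scripts"].add(e["script"])
        s["count"] += 1
        if e["user"] == "N/A":          # action logged without an account name
            s["no_username"] += 1
    return summary

def sources_in_order(summary):
    """Source IPs ordered by when each first appears in the log."""
    return sorted(summary, key=lambda ip: summary[ip]["first"])

def gaps_between_sources(summary):
    """Minutes between one source's last entry and the next source's first."""
    order = sources_in_order(summary)
    return [(a, b, int((summary[b]["first"] - summary[a]["last"]).total_seconds() // 60))
            for a, b in zip(order, order[1:])]

if __name__ == "__main__":
    report = summarize_by_ip(parse_log(SAMPLE_LOG))
    for ip in sources_in_order(report):
        s = report[ip]
        print(ip, s["first"], s["last"], sorted(s["scripts"]),
              f"{s['count']} entries, {s['no_username']} without username")
    print(gaps_between_sources(report))
```

Run against a full export of the control panel and moderator logs, the same grouping shows which scripts each address touched and in what order, which is the information a support ticket needs.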

Zachery
06-20-2006, 10:18 AM
I am very upset. I run a forum with 7 thousand members and 240K posts. I am getting hacked every day now. Is this really how crappy vbulletin is? I mean You can not fix security holes in the software. Very unhappy. I may have to go to IPB. Terribly disappointing.
Have you tried

1. Disabling all of your hacks and addons
2. Updating all of your passwords(ftp etc), and forcing all staff to update their passwords?
3. password or ip protecting your admincp and includes directories?
4. Scanned for foreign files?
5. Contacting your hosting provider?
6. Contacting vBulletin support for assistance?

amykhar
06-20-2006, 11:32 AM
Also, is it the same supermod's account that they keep getting into? Keep in mind that the biggest security holes are the people we have on our teams. If it's the same person, you may need to demote them.

Also, check the permissions that you have set for your supermods. Make sure you didn't give them rights to the control panel and the ability to change member status.

Reeve of shinra
06-20-2006, 12:40 PM
Another thought - do you have html or allow flash anywhere on your board? Both present security risks.

Andromeda2875
06-20-2006, 01:20 PM
you got to be joking right???? you're blaming vBulletin software for being hacked, I have been running vBulletin for 2 years and have not had an ounce of trouble, I'm the only one that has access to my server and am super admin
1. who else has access to your server???
2. how many admins do you have???

could be an admin logging in using a proxy and playing games

No no and no.

I am the only one with access to my server. I am telling you this is really what is going on. I really don't care that you have not had issues. I have issues and it is with vb. No one is in the server, they are exploiting vb.

In regards to someone saying there are two different ip addresses. They come in with the one IP address the 83.149.72.74 and they change the Supermod to admin and then they login with that supermods information under the other ip address. What I do not understand is how people seem to think that vb is the god of forums software and OH MY GOD NOTHING CAN BE WRONG WITH OUR SOFTWARE. That is bull. It is an exploit and someone should look into it! They charge people money for a crappy software like this. INCREDIBLE!!!!

Reeve of shinra
06-20-2006, 01:29 PM
a) you need to calm down
b) what we've stated is that the current version of vb doesn't have any known exploits.
c) In order to better help you, Zachery asked you the following questions.

1. Disabling all of your hacks and addons
2. Updating all of your passwords(ftp etc), and forcing all staff to update their passwords?
3. password or ip protecting your admincp and includes directories?
4. Scanned for foreign files?
5. Contacting your hosting provider?
6. Contacting vBulletin support for assistance?

If you want help, people here are willing to assist you.
If you open a ticket with vbulletin I am sure they will thoroughly investigate your claims.
If you want to keep acting as you are, then there is no further point to this thread.

amykhar
06-20-2006, 01:30 PM
Just a thought, the place for this problem if all hacks are off the forum is at vbulletin.com where Jelsoft can read it. If all hacks are not off, you COULD have a bad hack, and you need to follow the advice given and remove the hacks before you complain about vbulletin.

I do not believe vbulletin is perfect, but you need to isolate the problem in a methodical way.

yinyang
06-20-2006, 02:24 PM
No no and no.

I am the only one with access to my server. I am telling you this is really what is going on. I really don't care that you have not had issues. I have issues and it is with vb. No one is in the server, they are exploiting vb.

In regards to someone saying there are two different ip addresses. They come in with the one IP address the 83.149.72.74 and they change the Supermod to admin and then they login with that supermods information under the other ip address. What I do not understand is how people seem to think that vb is the god of forums software and OH MY GOD NOTHING CAN BE WRONG WITH OUR SOFTWARE. That is bull. It is an exploit and someone should look into it! They charge people money for a crappy software like this. INCREDIBLE!!!!

you are running hacks. what hacks are you running? also, how many mods do you have?

Andromeda2875
06-20-2006, 03:37 PM
I have 10 mods. I am running the shoutbox hack, the page compression hack, the google sitemap hack, the legend hack, and the who visited the forum in the last 24hrs hack.

Reeve of shinra, DO not tell me to calm down. I purchased this software and it turns out to be a POS. I am not getting any help here other than people blaming me or my server for it when It is a software exploit. NOT a server exploit!

Reeve of shinra
06-20-2006, 03:47 PM
Okay so what software? The rest of us are relatively sure that it's not an exploit with vbulletin's core files and believe the flaw may reside with unsupported, third party coded modifications that you chose to install.

Andromeda2875
06-20-2006, 04:00 PM
Of course. I am sure that is what is said whenever there is something that can not be figured out. It is vbulletin. PERIOD!

amykhar
06-20-2006, 04:01 PM
Then as I said, you really should post this at vbulletin.com where their devs can work with you :)

We didn't write Vbulletin. ;)

Reeve of shinra
06-20-2006, 04:30 PM
You can open a ticket with vbulletin by going to:
http://members.vbulletin.com/membersupport_contactform.php

KevNJ
06-20-2006, 04:54 PM
Too Funny.

Please keep posting. :banana:

Trana
06-20-2006, 05:04 PM
Of course. I am sure that is what is said whenever there is something that can not be figured out. It is vbulletin. PERIOD!

Sounds like you have it all figured out then, not much we can do to help.

If you change your mind about the cause of this problem, feel free to post here so we can help you identify it.

Revan
06-20-2006, 05:40 PM
We still have yet to hear whether or not this keeps happening even when you turned off all hacks. Are you unwilling to do this because it will prove you wrong?

Wifey
06-20-2006, 06:30 PM
Have you run an IP check on your board to find a matching IP to that the person is using to log on? Have you gone into config.php to put that particular mod's account number in the unalterable/undeletable users group in order to keep them from changing themself to an admin when they get on?

Beyond that, have you considered banning those IPs and the partials as well as changing every single mod's password for them and not letting any of them on until it's resolved?

Start looking for the solution to the problem. You paid for the software, don't piss that money away before you do everything you can to fix it :)

Good luck!

Ramsesx
06-20-2006, 07:18 PM
There was a security hole with the shoutbox, maybe you check this.

Vitz
06-20-2006, 08:16 PM
What puzzles me is how you are so certain it's vBulletin and not just something else.

Revpolar
06-20-2006, 08:32 PM
Why doesn't he just ban those IPs? Why turn something so simple into a drama?

Reeve of shinra
06-20-2006, 08:53 PM
There was a security hole with the shoutbox, maybe you check this.


The user is absolutely positively sure its not his server!!!!!

Andromeda2875
06-20-2006, 09:30 PM
We still have yet to hear whether or not this keeps happening even when you turned off all hacks. Are you unwilling to do this because it will prove you wrong?


People do have lives you know. We do not sit in front of the computer all day watching posts and topics.

Why doesn't he just ban those IPs? Why turn something so simple into a drama?


I did that but when they are coming in with proxies it is kinda pointless right?

Have you run an IP check on your board to find a matching IP to that the person is using to log on? Have you gone into config.php to put that particular mod's account number in the unalterable/undeletable users group in order to keep them from changing themself to an admin when they get on?

Beyond that, have you considered banning those IPs and the partials as well as changing every single mod's password for them and not letting any of them on until it's resolved?

Start looking for the solution to the problem. You paid for the software, don't piss that money away before you do everything you can to fix it :)

Good luck!


Finally someone that has something to say worth reading that does not try and make someone else feel like an +++++++. Thank you for this. I forgot about adding them to the unalterable. Will try that next.

Revpolar
06-20-2006, 09:35 PM
I did that but when they are coming in with proxies it is kinda pointless right?




Finally someone that has something to say worth reading that does not try and make someone else feel like an +++++++. Thank you for this. I forgot about adding them to the unalterable. Will try that next.
Not if you use this hack. Try it out. https://vborg.vbsupport.ru/showthread.php?t=95198&highlight=proxy

And adding them to unalterable is an excellent idea.

Andromeda2875
06-20-2006, 09:50 PM
Not if you use this hack. Try it out. https://vborg.vbsupport.ru/showthread.php?t=95198&highlight=proxy

And adding them to unalterable is an excellent idea.


Thank you very much. Only one issue with adding them to unalterable: I would have to add 7K member IDs. If I were to change all member ID numbers and a person had an old copy of the DB, would they still be able to gain access with their username and passes?

Revpolar
06-20-2006, 10:05 PM
I'm not trying to ask a stupid question but I have no choice. How would they have a copy of your DB? And if they did then do they have access to the phpmyadmin or some way to edit your database now? If so then that is how you're getting hacked. Now that I think about it that's the only way it makes sense. If I were you I would change the access username and password to the DB and edit the config.php with the new info. Make sure your config.php isn't CHMOD to 777 or something. Make it 644. If I were you I would change the ftp account info also. If he can read the config.php by downloading it through ftp then he will know your DB info. And if you think this person has a copy of the DB then you should do a few things.
1. make all passwords expire.
2. Prune out any members who have been inactive for a long time. I usually do this on a 90 days basis but it's purely up to you.
3. Ban those IPs you know are the person.
And change all access info. FTP, DB, and anything else I'm forgetting.

Reeve of shinra
06-20-2006, 10:12 PM
adding users to unalterable users would not stop the usergroup from being manually changed in the db.

Revpolar
06-20-2006, 10:36 PM
adding users to unalterable users would not stop the usergroup from being manually changed in the db.

I think ashkarita meant just the mods, supermods, and admin.

Trana
06-20-2006, 11:34 PM
You guys are missing the point. He KNOWS FOR SURE that it is VB. PERIOD. It is definitely not his server, OS, userIDs, directory permissions, mysql, php, proxies, network, video card drivers, Starcraft Brood Wars, SCSI cable, LEDs, multicast Bidir PIM, IPv6, Duke Nukem Forever, iPod Shuffle....

All your suggestions are a waste of time, it is VB. PERIOD. He is POSITIVE. PERIOD.

KW802
06-20-2006, 11:36 PM
You guys are missing the point. He KNOWS FOR SURE that it is VB. PERIOD. It is definitely not his server, OS, userIDs, directory permissions, mysql, php, proxies, network, video card drivers, Starcraft Brood Wars, SCSI cable, LEDs, multicast Bidir PIM, IPv6, Duke Nukem Forever, iPod Shuffle....

All your suggestions are a waste of time, it is VB. PERIOD. He is POSITIVE. PERIOD.

... which is why people telling him to seek support on vBulletin.com is the proper avenue.

HostileAdam
06-20-2006, 11:51 PM
I run vb 3.0.7 and I added this double login for my admin panel, it's so they need to login with that login before they can login to real admin, I haven't been hacked once yet. Maybe you should try it.

Zachery
06-21-2006, 02:28 AM
... which is why people telling him to seek support on vBulletin.com is the proper avenue.
So we can tell him it's not vB, and he can disagree with us? :)

KW802
06-21-2006, 02:35 AM
So we can tell him it's not vB, and he can disagree with us? :)

Since he won't believe anybody here on .org that it's not a vB problem and he is absolutely, positively convinced it is.... then just think of the fun thread it will make for on .com! :D

:banana:

Gio~Logist
06-21-2006, 03:26 AM
Try to be a bit more open minded and accept people's suggestions and input. If you are asking as a regular vbulletin user, learn from what the more advanced users tell you. Being set in your own ways and thinking that you know the problem will make it so that people can't help you. If you know it all, then you shouldn't be having this problem ;)

It can be a server issue because users can do whatever they'd like with any account (including theirs) via phpmyadmin and such. Also, if it keeps happening to the same user, that is rather suspicious, is this the case? If so, it can be a problem with the user. Try giving every usergroup regular user permissions except for you (temporarily), and see how things go.

Revan
06-21-2006, 07:20 AM
People do have lives you know. We do not sit in front of the computer all day watching posts and topics.

Yet you posted 10 posts in this topic already, all proving the point I made that you quoted.

Trana
06-21-2006, 12:05 PM
Since he won't believe anybody here on .org that it's not a vB problem and he is absolutely, positively convinced it is.... then just think of the fun thread it will make for on .com! :D

:banana:

If there is an equivalent thread on .com, PLEASE post a link to it! That sounds like a lot of fun to read. PERIOD.

amykhar
06-21-2006, 12:10 PM
Guys, please don't be mean spirited. While I agree the original poster is not being logical about solving the problem, provoking somebody who has been hacked is neither kind nor constructive.

KW802
06-21-2006, 01:47 PM
... please don't be mean spirited. ...

Yes, because apparently based upon some of the recent threads around here the right to be mean spirited is reserved for staff only.

Amy, that sentiment is not pointed at anybody in particular but it's getting to be a pretty common sight lately that if a staff member makes a light-hearted comment then it's OK but if a mere mortal makes a similar comment or responds to the staff member's comment then another staff member comes along to whack the mortal across the knuckles with a ruler.





{Kevin goes back to his cave, expecting to be admonished yet again for daring to question the voice of authority.}

Revpolar
06-21-2006, 08:40 PM
{Kevin goes back to his cave, expecting to be admonished yet again for daring to question the voice of authority.}
You get those too? I got one for quoting Jim Carrey. I thought it was funny but apparently it wasn't.

Andromeda2875
06-22-2006, 05:26 AM
There are only a few people in here that are kind enough to try and explain something to someone. You are here to piss people off and try and make someone look stupid. As I told you before and I will tell you again. It is not my server, it is vbulletin. Believe it or not, there are tons of exploits for every forum software. I simply asked for some assistance.

yinyang
06-22-2006, 05:37 AM
There are only a few people in here that are kind enough to try and explain something to someone. You are here to piss people off and try and make someone look stupid. As I told you before and I will tell you again. It is not my server, it is vbulletin. Believe it or not, there are tons of exploits for every forum software. I simply asked for some assistance.

disable all your hacks. if that doesn't work, then it is a PICNIC problem. for sure.

SupremeWeapon
06-22-2006, 07:58 AM
lmao... vB is NOT by far the secureist(Spelling?) BB out there by far.

Any half wit can gain access to your admin/smod users with nothing less than a brute forcer.

Here's some suggestions for the OP

1) Make your mods+ have SECURE passwords. I can almost positively say yours don't. They most likely have silly dictionary words.

That's the only option I will give you. Everyone else took the rest.

IE - Remove those permissions from your smods
- Demote the SMOD if it's the same account getting it.


This next one will sound silly. Are you SURE you paid for it? Me myself if I had an issue like this the FIRST thing I would do is talk to vb.com about it... not bring it here.. since they WOULD be the best avenue.

Also What web server do you run?

Apache?
lighttpd?

I forget any others that may be out there.. mainly because they suck. if it's apache then... get rid of it... There are a number of security holes in apache, most have fixes out there but I doubt you would take the time to find them.

lighttpd is the most secure of them all.

I would also install things like "Base" they help you with server security.

Windows or *nix?

It is well known windows based servers have crap security in themselves. easy as pie to get into and gain control. This is why 80% of those with brains use *nix for web properties.

Zachery
06-22-2006, 08:34 AM
Any half wit can gain access to your admin/smod users with nothing less than a brute forcer.

Can you tell me how you do this? As you cannot attempt a brute force on vB3/3.5/3.6 without having a site's strikes system disabled, even if you get the md5 hash of a cookie you'd need to obtain the secondary salt used by the cookie hashing system to actually brute force the real password. So you tell me now how you brute force the password, and if you can do it, take a shot at mine, :)

I forget any others that may be out there.. mainly because they suck. if it's apache then... get rid of it... There are a number of security holes in apache, most have fixes out there but I doubt you would take the time to find them.

lighttpd is the most secure of them all.

Considering how well aged the apache base is, if there are still security exploits with the most recent versions, 1.3.36 2.0.58 and 2.2.2 please report them.

If you are going to spout FUD here, please take it elsewhere, there's no mass difference between a windows and linux server performance or security wise with a competent system administrator.

Edit: so if vB is not the most secure, what is?



Now to the original poster, if you _truly_ believe this is a fault of the core vBulletin software PLEASE! send in a support ticket with as much information as you can give us and if possible be willing to provide us with access to your web server's logs and other access we may request.

There are _no_ known issues at this time with any of the vBulletin core packages, 2.3.9 3.0.14 3.5.4 and 3.6.0 beta 3, if you know of one please report it to vBulletin.com via the members area.

amykhar
06-22-2006, 10:52 AM
Um, people aren't saying it's your server. We're saying it's software you've installed on your server and we've told you repeatedly how to go about tracking down the problem. At this point, it seems you don't want help - you want to fight. If you wanted help, you would have gone to Jelsoft - the makers of the software you feel is flawed.

I'm closing this because you don't seem to want any actual advice and just want to call people names.

Trana
06-29-2006, 03:42 PM
As I stated, it was vbulletin.

Do you have ANY evidence to prove it? Has Jelsoft commented on your issue? Is there a known bug that can be discussed here?

Based on what you've said in these forums, the answer is thus far NO.

There are thousands of sites running VB. To go into a public forum and claim that VB has a vulnerability that was actually exploited on your site several times in under one week is certainly ridiculous.

If you can't offer up a single shred of evidence that it was indeed VB and not any of the backdoors you have undoubtedly left open, don't expect much help from this community. We work with facts, not hearsay.

yinyang
06-29-2006, 03:59 PM
As I stated, it was vbulletin.

seriously. sell me your vb license and move on.

Guest210212002
06-29-2006, 04:04 PM
As I stated, it was vbulletin.

That's a bit broad, don't you think? It'd be like my alternator going in my car, and saying that "It's the motor".

What part of vB do you think has/had the vulnerability? If I brute-force SSH to a box and scrap the database, I'm breaking vBulletin, but vBulletin is NOT the issue.

Without knowing what/where/how you were hacked, it's a bit short-sighted to point the finger at vB.

Andromeda2875
06-29-2006, 08:55 PM
Do you have ANY evidence to prove it? Has Jelsoft commented on your issue? Is there a known bug that can be discussed here?

Based on what you've said in these forums, the answer is thus far NO.

There are thousands of sites running VB. To go into a public forum and claim that VB has a vulnerability that was actually exploited on your site several times in under one week is certainly ridiculous.

If you can't offer up a single shred of evidence that it was indeed VB and not any of the backdoors you have undoubtedly left open, don't expect much help from this community. We work with facts, not hearsay.


Why do they not research it and stop blaming it on other people. As you can see, I am not the only one who has had a problem such as this. Vbulletin needs to investigate the hole. And stop jumping down my throat.

See how disrespectful you people are? You swear by something that you have not even investigated. There was no brute force on the server. I do have the logs to prove that smarty. If I knew what part of vb they came in through I would not have come here to ask for help. I had used other forum software for a long time before switching to vb, then the day I switch, I get hacked. To me that is a little too circumstantial.

Trana
06-29-2006, 09:03 PM
Why do they not research it and stop blaming it on other people. As you can see, I am not the only one who has had a problem such as this. Vbulletin needs to investigate the hole. And stop jumping down my throat.

Again, you are making claims that you are backing up with ZERO information.

What do you want them to research? Should they just start looking through the hundreds of thousands of lines of code for a vulnerability that they had not previously found?

Post your WWW logs
Post your admincp logs
Post a screen shot of what they are actually doing to your site

Post SOMETHING or stop making baseless claims about the security of a good product!

davidw
06-29-2006, 09:16 PM
Andromeda2875, I have already warned you once.