I think this is a good place to mention something I have been seeing on my own web site's Currently Active Users page.

Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.

The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"

The next time it happened, I reported the incident to the server provider where the script was trying to aim data to, and they closed that thief's server account permanently (they thanked me in an email for bringing it to their attention.)

The following times I have seen this, I have simply IP banned their ISPs. I know that is a bit extreme, but I got tired of seeing the attempts being made.

So if you have Impex installed on your web server where your forum is located, please keep in mind that you are inviting these people to hit your forum site to back up your web forum data to read through later. And yes, this will also mean that they can get your passwords, too.

Impex, while a good program, I am to understand, is a major security risk in this case. If you are not using the program, disable it and that will prevent these people from being able to use it on your own web site.

Thank you for your time. I just thought vbulletin should know what was happening with this situation. Please look into this!


(I posted this information on vbulletin.com, but I wanted to make sure everyone knew about this so they could take protective measures.)

Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done.

Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.

The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"
You are contradicting yourself. ;)

Also the part where you say "will save your forum's data to any server they designate" does not make much sense as the target database (and MySQL server) for ImpEx is in the config file that resides on the same server as the ImpEx script, so without FTP access they can not change the target.

If they are hosting ImpEx on their own server, all of the following requirements would still need to be true in order to read your data:
- Your server must allow external connections to the database
- Your databasename must be known
- Your MySQL username & password must be known

Finally passwords are stored hashed in the database and can by no way be retrieved.

If you have any evidence that ImpEx (might) be insecure, please open a Support Ticket providing as much details as possible. At this time there are however no known security issues.

Actually, I never meant to imply that I ever had impex installed.

However.... in the currently active users list, what else could an Unknown Location with something like... "/index.php/impex/ with the script url here" ...mean?

But in the case where these other people have found their own posts and accounts duplicated on a forum they never joined... this IS how it could be done. As for password in the database, and I know this from experience from working on my own board... any Admin with the proper access can back up a database to their computer and view the file in notepad and see the so-called encrypted password. No offence. It's not encrypted.

At any rate, I am not going to say anything more about it, except...

Bottom Line: as Dean C said, "Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done."

Those people who leave that up are getting what they deserve and have no right to complain.

Thank you for listening. (PS: I don't type in British English, so typed words have different meanings. ;) And I am about zonked with needing sleep. And yes, WinXP can crash. It happened to me 2 weeks ago; that's why I'm on Linux now. ;) )

In order to run Impex you need the following informations :
1. Customer Number
2. Impex Config file variables such as database name & password
Without these information noone can run and gather your data.

And whats with the I dont type British English bla bla... That is the funniest sentence i've ever read on vbulletin.org for a long time.

You just think you find something important but hey you dont cause your posts mean nothing.

No offence. It's not encrypted.


Nonsense. I'll happily give you a dump of my user table from my dev forums, for you to try and get my password.

However.... in the currently active users list, what else could an Unknown Location with something like... "/index.php/impex/ with the script url here" ...mean?
when we do not know something, instead of attacking with presumptions, we have to ask...

the unknown location like you say is just something that is unknown... logically... and if in the WOL you see such location, it means that someone TRY to access that path.. .doesn't mean it does access it with success... most of the web crawlers have that url in their path because it is a known url,... most people trying to make you fear will also use that path... jut to see if you are fool enough to let it on your site.

anyway, you have to consider suggesting this problem to vbulletin.com if you really think it's a risk, because you're actually not on the official website now...

More then likely the reason they are looking for impex is because an older version used in conjunction with 3.5.1-3.5.4 I think it was had a few RFI exploits....this is why it is so important to keep updated.

Nonsense. I'll happily give you a dump of my user table from my dev forums, for you to try and get my password.
With the salt in hand a brute force is just as likely as a "pure" md5 hash (md5($password);). I'm not going to take you up on your offer but given enough time I could get your password if I had a copy of your user table.

With the salt in hand a brute force is just as likely as a "pure" md5 hash (md5($password);). I'm not going to take you up on your offer but given enough time I could get your password if I had a copy of your user table.

I still challenge you, or anyone to do it.

@Brad,

You forget that it is a double md5(). Bruteforcing a MD5-hash would take you decades, even on very fast computers. The only (reasonable) way to get a md5 is to use rainbow tables, and as far as i know there have never been any created for double md5's.

I still challenge you, or anyone to do it.


Me also....lol

It would simply be easier to use an exploit to gain access as I mentioned above....

I think this is a good place to mention something I have been seeing on my own web site's Currently Active Users page.

Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.

This isn't the case, you would need to have write access to the ImpExConfig.php file to do this (to redirect the target database), and someone has read/write access to your server and malicious intent, ImpEx is the last of your worries.

The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"

They were most likely polling to find it to see if you have a very old version that did have the one exploit in it.

The next time it happened, I reported the incident to the server provider where the script was trying to aim data to, and they closed that thief's server account permanently (they thanked me in an email for bringing it to their attention.)

The following times I have seen this, I have simply IP banned their ISPs. I know that is a bit extreme, but I got tired of seeing the attempts being made.

With the latest ImpEx there is no known threat and removing it is the best protection, as it's a one time tool and by the time you do another import, I've most likely updated something and there will be a new version.

So if you have Impex installed on your web server where your forum is located, please keep in mind that you are inviting these people to hit your forum site to back up your web forum data to read through later. And yes, this will also mean that they can get your passwords, too.

No they can't get the data, and no they can't get the passwords. Even if the could with the salted md5 of the password it wouldn't help.

Impex, while a good program, I am to understand, is a major security risk in this case. If you are not using the program, disable it and that will prevent these people from being able to use it on your own web site.

It is not, it is however a powerfull tool that has read and write access depending on it's configuration, and the ability to delete data it has imported from an forum, though not from a forum where the import has been finalised (removing the import ids). Once installed it requires (as mentioned) admincp access and the customer number.

Thank you for your time. I just thought vbulletin should know what was happening with this situation. Please look into this!

I do constantly, it's my full time job :)

(I posted this information on vbulletin.com, but I wanted to make sure everyone knew about this so they could take protective measures.)

Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done.

Ditto, basically do the import, finalise the import, then remove the files, one time tool etc.

More then likely the reason they are looking for impex is because an older version used in conjunction with 3.5.1-3.5.4 I think it was had a few RFI exploits....this is why it is so important to keep updated.

There was one, on March 23rd ..... I remember that as it is my birthday ! I fixed that and it's the only one I'm aware of.

@Brad,

You forget that it is a double md5(). Bruteforcing a MD5-hash would take you decades, even on very fast computers. The only (reasonable) way to get a md5 is to use rainbow tables, and as far as i know there have never been any created for double md5's.
I never said I'd get it in a timely manner. It was stated that it was impossible to get the password, I'm saying it is possible in theory and that leads to begin possible in pratice. It may take years and years to do it but it is possible.

I understand that it's doubled md5ed and a salt is used to make it harder. But the fact remains that the routine for storing and generating that data is known to anyone that can read the source code. If I know the routine, and have the data from the user table, and have the computing power to throw at the problem I will end up with a working password at some point.

I will end up with a working password at some point.


I can just see you now, password in one hand, pension book in the other :D

I can just see you now, password in one hand, pension book in the other :D

Salt...Hash...Brad will be all over this one. :D

I can just see you now, password in one hand, pension book in the other :D
Well I'd go a quicker route if I really wanted to get in of course! ;) You'd be an idiot if you tried to get the password like that...it'd be far easier to break into the server through some hole. Of course you never know...md5 could be broken by the time I get old. >)

Freestyelz; I gave up on that stuff awhile ago. PM me if you'd like to know why. ;)

Freestyelz; I gave up on that stuff awhile ago. PM me if you'd like to know why. ;)

Hahaa...Well, we've spoken about this years ago too off and on so I'm glad to hear that. :up: Man, we gotta catch up. It's been a while so I'm looking forward to hearing your latest happenings. :)