Yes, we see enough of Nexia as it is.
|
Hopefully the Pentagon installs vB as soon as possible!
Quote:
|
My site was "hacked" this year. My super moderator used the forum on a lan house and they got his password and deleted the whole forum. If it wasn't for Paul's daily backup mod I was screwed, blessed be him. But there's not much I can do about that. It freaked me out though, as I had never been hacked before. And I'm not using lan houses anymore too.
--------------- Added [DATE]1204614885[/DATE] at [TIME]1204614885[/TIME] ---------------
Actually I think Paul should quote my message in his mod release, I think that would be a good idea. |
3 simple rules:
1) don't give ANYONE permission to physically delete
2) keep your vbulletin patched/up-to-date
3) trust no one
- don't run brand new plugins without letting the community test it out and view the code first
- don't add moderators simply 'cause they ask to become one (if that wasn't obvious)
- if you don't want to pay the hired help.. change the passwords. |
Quote:
What the OP is suggesting is 'how it's done', the good guys get together and share info. I belong to a couple such groups in other domains. If you don't personally have the skills, then hang around such a group, and you could still pick up something valuable within your skill level. As mentioned ... best coding practices, general safeguards, security mods. These protect your site like a locking bar on your steering wheel protects your car. It keeps the casual thief/defacer out, and steers the professional thief to an easier target. There is not really a central place to discuss those on these forums. I think vB is seemingly not a full disclosure shop, and their sensitivity on that score may prevent them from fostering such a forum. Wise as serpents, gentle as doves, yah? See you there or in the air, 'snore |
Quote:
:D |
Let's be honest, would it really matter? I'd say a large majority of the vBulletin owners here are the "click-and-play" types, who understand as much about security as they do quantum mechanics. They indiscriminately install modifications with no regards as to server load, hook conflict or, yes, even security. Most people who get "hacked" are asking for it. They're generally the forum with the more modifications installed than members.
How can one really be secure without understanding the principles behind why what they currently have is inherently insecure? At best, you would have a forum of security suggestions where people would simply peruse the thread looking for various step-by-step instructions on how to do something -- not even understanding why it is they're doing what they're doing. I just see the whole thing as a wasted effort, really. vBulletin.org does a decent enough job of trying to keep hacks with security risks under wraps and out from public consumption -- that's really all you can ask for. You want to be truly secure? Don't run a site. You want to be relatively secure? Run a default vBulletin installation. I'm not trying to be a prick, I'm just being honest. |
Quote:
|
Quote:
Regardless, what does this have to do with the issue at hand? The current state of security of my own personal sites has nothing to do with a public discussion/repository for security related topics. If any of my sites are compromised, I can immediately reference my logs, find out what happened, and either patch the exploit or take it offline for further review. Could you say the same? My point being, a vBulletin-focused security discussion isn't inherently a bad thing -- but it's not going to accomplish what many think it will. If you want to keep up to date on security issues, subscribe to Bugtraq. Consider getting a basic grasp of PHP, so you can skim through the multitude of hacks before installing to look for basic security risks -- such as unsanitized inputs. Be proactive. |
Quote:
p.s. Thanks for your time |
Quote:
An area like we are discussing is a great idea for reference if nothing else. It gives a user a place to go to hear others' stories about how they were hacked and what it took to fix it or stop it, or whatever. Something like this would be invaluable to a new Admin. I wish they had had something like this around when I was first starting out. |
Quote:
|
I guess I just snapped there for a second with all the "why don't the newbies know as much as I do" stuff. That is a very sore point with me. We all were newbies at one time or another and didn't know squat about vb. We can learn here but not pass on what we have learned along the way? Sounds like crap to me.
|
On the 1st page, some guy mentioned that the more you bring attention to it, the more it encourages hackers.
Maybe someone should make a Security Mod that will trace which mods are most likely to be hacked or what parts of the site have open ports, what files have recently been changed, etc. Sort of like a spysweeper/virus checker. Then instead of talking about hacking, you focus on the security more. |
Quote:
|
Just a side note in hope of getting this thread to "calm" a little bit I have posted an idea here: https://vborg.vbsupport.ru/showthread.php?t=172019
|
Quote:
|
Me either, and on a side note, I'm amazed this has made 4 pages, of well...really not much of anything. And this post isn't helping anything!
|
Quote:
actually, the goal to have a "Quarantine" place where to put the mods with inserts or security issues is one of the reasons why hacking mods may not be discussed here... when you announce that the hack XYZ has an exploit ABC, that is the way to break all the securities... you just need one moron to ask "hey, I have that hack and that version on my site, what can I do to secure my site"... 30 seconds after that post, someone would exploit his site... that's why the guys on vb.org are NEVER discussing exploits of any hack here... neither would Jelsoft on vb.com ... so why start a place for the opposite means ?! |
Quote:
It's like NOT TEACHING Cops how to evaluate a crime, it's like NOT TEACHING Doctors how to prevent diseases... When an exploit is announced 95% of users will run to solve the problem, reducing the risk, just a few will commit the mistake that you mentioned above... |
Quote:
|
no need for a specific place to discuss how to fix these exploits... when an exploit is found on vb.org, you receive a notation on email to tell you how to deactivate or replace the hack when something has to be done...
each time we will have a new element to add to the reasons why starting such a service, we will have an existing solution here on vb.org... this was debated already... and i don't know why this thread and the other are running over ... |
Not all exploits are found on the org. And security covers more than just exploits, too. Put yourself in the shoes of a new Admin who has just been hit by a hacker or an exploit and not knowing what to do or where to go for help. The com sends you to the org and the org sends you to the com. Where does it all end?
|
Wanna know what happened to the forum in the first post?
The TEMPLATE got modified... nothing more. I mean, some idiot got access to the AdminCP and emptied a few templates and wrote "Hacked by n00b". That's all. |
Quote:
|
Thanx for the mention here guys and yea, we got it again today holy crap, what'd we do,
oh yea Blackhat. We will definitely learn from this, and too many user mods can cause probs. |
I'm all for a Security Section, I've gotten hacked once with vBulletin, and it defaced my forums a while ago... also a few of my users were hacked recently by the same team.
|
|
I don't think there's a need for a security section. (most problems with security are on the server end and not related to vbulletin software)
|
iogames, i would drop that page and all the things you copied from my username and avatar please... for your own sakes...
|
Quote:
lol glad to hear that but u have to be honest the topic is nice to read :D |
Quote:
|
Exactly! He was lucky they didn't do a whole lot more damage.
|
Chinese hackers: No site is safe
Quote:
I say: THEY DON'T KNOW VBULLETIN :p |
Ok this thread just 'beated' the sticky on this section...
Like in all Social Groups, the leaders tend to ignore the popular demands till the point where it is sustainable, there's no new tricks on this old world :( http://www.arcadia.progvisual.com/beated.gif |
Quote:
|
Quote:
|
Wonderful.
Also, as always, just because the staff is discussing this doesn't mean that it will result in your expected proposal. |
Quote:
|
Quote:
oh, btw, if there is a so high Views count on this thread... that is not because of the topic ... it's because of the jokes we post... people are willing to know the next line. |