vb.org Archive


12-08-2012 12:13 AM

vBulletin very easy to hacked ?
 
What's going on here...?

In the last few days hackers have partied a lot with vBulletin forums:

***link removed***

I don't care about their reason, but the fact that he can hack a few vBulletin forums easily made me think....how weak security is in vBulletin. The situation is the fact.

Any opinion...? or providing security patch...?

Max Taxable 12-08-2012 12:35 AM

Quote:

Originally Posted by Pablo18 (Post 2389202)
.how weak security is in vBulletin.

As weak as the owner/installer/admin makes it.

12-08-2012 01:05 AM

Quote:

Originally Posted by Max Taxable (Post 2389205)
As weak as the owner/installer/admin makes it.

Oh really...? Are you sure...? I don't think so.

These hackers are clearly using the bugs in the system, don't always blame the owner/installer/admin.

The story will be different if security patches are always updated..

kh99 12-08-2012 01:10 AM

How do you know how it's being done?

Max Taxable 12-08-2012 01:37 AM

Quote:

Originally Posted by Pablo18 (Post 2389210)
Oh really...? Are you sure...? I don't think so.

These hackers are clearly using the bugs in the system, don't always blame the owner/installer/admin.

The story will be different if security patches are always updated..

I've had vBulletin installations for many years, going back at least to 2004. Never been "hacked," cracked, defaced, anything.

There aren't any web pages that don't have some kind of exploit in them, vBulletin's not alone there.
Quote:

The story will be different if security patches are always updated..
Which does depend on the owner/admin to apply in a timely manner.

Paul M 12-08-2012 12:59 PM

Quote:

Originally Posted by Pablo18 (Post 2389202)
....how weak security is in vBulletin.

It isn't. There are no known exploits at this time.

Quote:

Originally Posted by Pablo18 (Post 2389202)
The situation is the fact.

What facts ?
Do you have solid proof on how they were hacked ?

No ? then you have no "facts". ;)

trackpads 12-08-2012 01:40 PM

Agreed with Paul.

My 2 cents. You are always at risk of something bad happening. That is the risk you take. You mitigate risk by backing up/testing backups and doing your utmost to secure your site AND your server.

Some of these hacks could have been done at the server level, not just software. You just don't know. Every major hosting provider has had successful attacks. You learn, adapt and move on.

In the case with IQ69, I found on their Twitter feed that the group that hacked them is claiming to have all 50GB of their data. To get that kind of access you need console access. No one can sqldump 50GB from the phpmyadmin interface. Plus the files etc are not just available because you have an admin password. They have ftp access too.

a. NONE of your logins and passwords should be the same. If your ftp, cpanel, root, forum and other admin logins are all the same then you are screwing yourself.

b. Use secure server software with a provider that has the latest updates. Cpanel etc.

c. BACKUP!!!!!

d. BACKUP off site!!!!

Hope this helps,

-Jason Edwards, CISSP


Secondly,

Use a Firewall or Proxy service. Some attacks can be foiled by a good proxy. I use cloudflare and have found it to be useful. Does require some tooling to get some vBulletin mods to work but it has blocked massive amounts of malicious ip traffic from ever reaching my site. It can also cache and do other improvements as well that will speed up your site.

puertoblack2003 12-08-2012 04:20 PM

vbulletin has nothing to do with exploits. It's server side. I remember reading it somewhere.

12-08-2012 06:14 PM

Can we have some content-wise discussion about the subject? Because the thing would be interesting if there were some facts, code or something.

My humble guess also would be that you're posting a link to your own twitter profile Pablo to make it more popular since you have 0 posts here, otherwise I don't understand why someone suddenly came here, registered and posted this.

Max Taxable 12-08-2012 06:22 PM

Quote:

Originally Posted by puertoblack2003 (Post 2389347)
vbulletin has nothing to do with exploits. It's server side. I remember reading it somewhere.

There can be some exploits installed via bad skins for example, and some after market mods leave security holes and cause risk. An "exploit" is any entry point for everything from script kiddies to hard core black hat hackers.

ForceHSS 12-08-2012 06:41 PM

Quote:

Originally Posted by MrXXXnX (Post 2389373)
Can we have some content-wise discussion about the subject? Because the thing would be interesting if there were some facts, code or something.

My humble guess also would be that you're posting a link to your own twitter profile Pablo to make it more popular since you have 0 posts here, otherwise I don't understand why someone suddenly came here, registered and posted this.

Just like you with 0 posts.

12-08-2012 06:47 PM

Quote:

Originally Posted by ForceHSS (Post 2389381)
Just like you with 0 posts.

Yes. :) I've posted it intentionally in the incognito mode because I don't argue with hacker kiddos using my real profile, that would be just in case. My forums are secured very well but again ...just in case, because you never can be 100% sure.

ForceHSS 12-09-2012 12:52 AM

Quote:

Originally Posted by MrXXXnX (Post 2389384)
Yes. :) I've posted it intentionally in the incognito mode because I don't argue with hacker kiddos using my real profile, that would be just in case. My forums are secured very well but again ...just in case, because you never can be 100% sure.

Now that made me laugh as it is hard to believe you would just make an account to reply to this one thread

Okiewan 12-09-2012 03:32 AM

Quote:

Originally Posted by Pablo18 (Post 2389202)
What's going on here...?

In the last few days hackers have partied a lot with vBulletin forums:

***link removed***

I don't care about their reason, but the fact that he can hack a few vBulletin forums easily made me think....how weak security is in vBulletin. The situation is the fact.

Any opinion...? or providing security patch...?

vBulletin has good protection. Don't worry

12-09-2012 08:30 PM

Quote:

Originally Posted by ForceHSS (Post 2389433)
Now that made me laugh as it is hard to believe you would just make an account to reply to this one thread

I actually did. :) It took me less than 1 minute. But I was thinking about making one to post in thread like this one since a while and now I just did.

Going back to the subject imho vbulletin especially old vb3 is very secure software. Assuming that one cares about basic system security like weak permissions or control panel and other unnecessary for end user files access then vb is a really hard nut to crack. Saying: "vBulletin very easy to hacked " without any fact/proof is just silly babbling. But that's not the reason I did it, the reason I posted above was to induce the OP to post some proofs if he has any... but I really really doubt he has any or that he even knows anything about the web security at all.

Oh and I would like to point out that there are some really controversial/unwanted/tempting (for some people) sites powered by vb and many would like to hack them but yet those sites stand still there like solid rocks. So ..yeah.

12-10-2012 01:30 AM

Sorry if my title was too tendentious.

What I mean by fact in the above post: during that time, those hackers hacked vBulletin forums....quite easily in the eyes of people like me...and honestly to most other members there.

I don't have a lot of experience with forum software or vBulletin, I'm just a member who feels unhappy because the place where he used to spend his time and discuss with other members in that community got screwed up.

Perhaps an "amateur" who doesn't have deep knowledge will see this matter just like that. Am I wrong about that...?

You can delete this thread if you want. Maybe I'm just a member who loves and enjoys that forum, so I get very angry when I see a situation like that. Please accept my sincere apologies.

Max Taxable 12-10-2012 02:37 AM

Quote:

Originally Posted by Pablo18 (Post 2389643)
Sorry if my title was too tendentious.

What I mean by fact in the above post: during that time, those hackers hacked vBulletin forums....quite easily in the eyes of people like me...and honestly to most other members there.

I don't have a lot of experience with forum software or vBulletin, I'm just a member who feels unhappy because the place where he used to spend his time and discuss with other members in that community got screwed up.

Perhaps an "amateur" who doesn't have deep knowledge will see this matter just like that. Am I wrong about that...?

You can delete this thread if you want. Maybe I'm just a member who loves and enjoys that forum, so I get very angry when I see a situation like that. Please accept my sincere apologies.

You don't understand that owners/admin can easily corrupt their own board security unknowingly, with skins, add-ons, plugins and Modifications. vBulletin isn't the problem - it's one of the most secure platforms out there until people mess with it.

Like I already said, in much simpler terms.

Deriggs007 12-11-2012 11:21 PM

Quote:

Originally Posted by Max Taxable (Post 2389661)
You don't understand that owners/admin can easily corrupt their own board security unknowingly, with skins, add-ons, plugins and Modifications. vBulletin isn't the problem - it's one of the most secure platforms out there until people mess with it.

Like I already said, in much simpler terms.



Actually, most other software out there, such as free CMS's aren't that "hackable" with all kinds of skins, mods installed. vBulletin is very hard to hack out of the box, but you are right that it gets easier outside of the stock environment.

Which is the highlight of vBulletin anyways...... ultimately making it one of the least secured out of the bunch.

Think about all the spam bots running around --- Only vBulletin (as far as I know) and stock out of the box

Max Taxable 12-12-2012 01:19 AM

Quote:

Originally Posted by Deriggs007 (Post 2390123)
Actually, most other software out there, such as free CMS's aren't that "hackable" with all kinds of skins, mods installed. vBulletin is very hard to hack out of the box, but you are right that it gets easier outside of the stock environment.

Which is the highlight of vBulletin anyways...... ultimately making it one of the least secured out of the bunch.

Think about all the spam bots running around --- Only vBulletin (as far as I know) and stock out of the box

Most of them have such a small percentage of installations it's not worth the "hackers'" time to mess with. vBulletin is targeted because it's very popular.

But I am well aware some free open source CMS such as wordpress, Joomla, Mambo, get "hacked" all the time.

Again, native vBulletin isn't the problem, it is very secure. It's when owners/admins corrupt it with add-ons, alternative skins and plugins is where the security holes start.

killa seven 12-12-2012 03:03 PM

hate to burst your bubble but most boards nowadays get hacked because admins give out too many powers and have like 60 different admins, and they also give out their main ftp account which is stupid, but yeah if you are on an old version like 3.8.* then there are exploits that can be bad. you also got to pay closer attention to the mods you install.

Deriggs007 12-13-2012 10:37 PM

Quote:

Originally Posted by Max Taxable (Post 2390138)
Most of them have such a small percentage of installations it's not worth the "hackers'" time to mess with. vBulletin is targeted because it's very popular.

But I am well aware some free open source CMS such as wordpress, Joomla, Mambo, get "hacked" all the time.

Again, native vBulletin isn't the problem, it is very secure. It's when owners/admins corrupt it with add-ons, alternative skins and plugins is where the security holes start.

So, Joomla, Wordpress, Drupal and other "FREE" CMS's are not as popular as vBulletin and are hackable stock installations? Google will tell you otherwise

Google will also tell you that mods/plugins don't deprive or make it easier to hack, either. Thanks to how they're submitted to the user base on their websites and the review processes.

vBulletin, you're right -- Out of the box it's great. When you start adding all the applications, it's worse UNLIKE others

I mean, isn't the obvious spam issues good enough proof that shows how bad it is at stopping spam registrations? "oh there is a plugin for that"

You keep zoning in on some text in my posts and aren't trying to understand what I'm saying.. let me rephrase -- vBulletin stock is a very secure product (outside of the spam fest......) when you add products, it's less secure -- like should be any other management system. HOWEVER, even the free CMS's out there like Joomla/Wordpress are more secure than vBulletin with mods installed and just as secure without them.

It's how all these plugins work and how they're submitted and how they're installed/mounted vs. how it's done in vBulletin -- It's simply less secure

Max Taxable 12-13-2012 11:01 PM

Quote:

Originally Posted by Deriggs007 (Post 2390569)
You keep zoning in on some text in my posts and aren't trying to understand what I'm saying.. let me rephrase -- vBulletin stock is a very secure product (outside of the spam fest......) when you add products, it's less secure -- like should be any other management system. HOWEVER, even the free CMS's out there like Joomla/Wordpress are more secure than vBulletin with mods installed and just as secure without them.

It's how all these plugins work and how they're submitted and how they're installed/mounted vs. how it's done in vBulletin -- It's simply less secure

The bolded IS what I was saying. We have no disagreement there.

I have years of experience with Joomla, Wordpress, Drupal, I don't need google to tell me about the security on those. I personally know several incidents where these were defaced or "hacked." Wordpress used to be one of the worst, still is.

The problem with vBulletin is the sheer VOLUME of add-ons, plugins, skins and etc, and a lot of them are from less than trustworthy sources. A lot of them have purposeful exploits coded in them.

It's the HUMANS who screw up native vBulletin, we agree.

Paul M 12-14-2012 03:30 PM

Quote:

Originally Posted by Deriggs007 (Post 2390569)
let me rephrase -- vBulletin stock is a very secure product (outside of the spam fest......) when you add products, it's less secure -- like should be any other management system. HOWEVER, even the free CMS's out there like Joomla/Wordpress are more secure than vBulletin with mods installed and just as secure without them.

I hope you're not a programmer :erm:

Adding products to vB does not necessarily make it less secure.
In some cases it could make it more secure, depending on the purpose of the product. Some products have security issues, to say all of them do is pure nonsense.

On the flip side, if you think every product / addon / whatever that you can add to other systems cannot make them less secure then you are living in cloud cuckoo land. :cool:

Deriggs007 12-14-2012 05:56 PM

Quote:

Originally Posted by Paul M (Post 2390665)
I hope you're not a programmer :erm:

Adding products to vB does not necessarily make it less secure.
In some cases it could make it more secure, depending on the purpose of the product. Some products have security issues, to say all of them do is pure nonsense.

On the flip side, if you think every product / addon / whatever that you can add to other systems cannot make them less secure then you are living in cloud cuckoo land. :cool:

Yes I am a programmer and you even rephrased exactly what I was saying and even more clarified it. I didn't say every product makes it less secure, if you re-read my posts, I said it depended on the product as well. Adding security products (like the spammer mods) obviously increase security and as you said, some products have security issues... did I say all of them did? I don't think so........:rolleyes:

The problem lies with users installing 3rd party mods that aren't even official and even more so they're using nulled boards or nulled products -- Hey, that's all fine, they deserve to lose their site in that case.

My argument was the potential for more security risks with adding the applications just as Max said

EDIT: I re-read what I wrote, made it sound like I was talking about every application, but I wasn't.

That being said -- Before you harp on someone about security issues and if they are a programmer -- Go fix you guys' spam issues with stock installations... the product isn't even semi spam proof out of the box *chuckles -- all fun and games* especially since you're a "Senior vBulletin Developer" and I really hope you just stay with vBulletin in that case..... :)

socialteenz 12-15-2012 09:03 AM

Quote:

Originally Posted by Deriggs007 (Post 2390688)
That being said -- Before you harp on someone about security issues and if they are a programmer -- Go fix you guys' spam issues with stock installations... the product isn't even semi spam proof out of the box *chuckles -- all fun and games* especially since you're a "Senior vBulletin Developer" and I really hope you just stay with vBulletin in that case..... :)

Can you name a platform with semi spam proof? :confused:

You can not stop human spammers, you need to tweak your registration. Even xen had horrible spam issues.

Deriggs007 12-15-2012 03:59 PM

Quote:

Originally Posted by socialteenz (Post 2390822)
Can you name a platform with semi spam proof? :confused:

You can not stop human spammers, you need to tweak your registration. Even xen had horrible spam issues.

Yes, I know you need to tweak your registration. I don't believe Xen is having that issue now, nor is IPB, nor is even PHPBB --- I'm simply giving him a hard time, I don't mind -- Just harping on him back :up:

Name a software that's semi-spam proof -- Everything but vBulletin right now... well, and Webspell --- a lot of spam there too. :rolleyes:

I also know you can't stop human spammers -- Sorry, but stock installations of vBulletin are not human spammers.

Since I've been working on my site some more after leaving vBulletin/web development for a while -- Came back set everything back up and in about oh.... 3 weeks. 6,000 members and 4000 posts, 1000 topics -- all spam.

Yes, I could easily install a spam mod or tweak the registration -- I'm simply just working on the site and with all these posts, it's helping test stuff on the backend :erm: but none the less, it needs fixed -- all the other forum software fixed that particular issue and many didn't have it

Just saying, not hating

edit: looked at the wrong info, about 12,000 posts, 6,600 members and 2,500 topics. Boy a human spammer must not have time on their hands lols

kh99 12-15-2012 04:12 PM

Quote:

Originally Posted by Deriggs007 (Post 2390896)
Name a software that's semi-spam proof -- Everything but vBulletin right now... well, and Webspell --- a lot of spam there too. :rolleyes:

But are they spam proof in some way, or just not being targeted? If there's some feature that's a part of every other software that's stopping spam, what is it?

Deriggs007 12-15-2012 04:55 PM

There is no such thing as 100% spam proof -- spammers target not just vBulletin, they just successfully cracked vBulletin's reCAPTCHA registration security whereas a lot of other software either didn't have it, didn't use it, or already had an alternative method implemented

You think the spammers only tried to crack reCAPTCHA? No, they saw a flaw and took it

Sorry, to burst all the vBulletin lovers out there -- most other software out of the box don't have this spam as vBulletin does. Without all the additions like mods/plugins/hooks whatever the software uses.

Sure, once you add everything, they're about the same, still -- it exists.

Boy, I sound like a hater and I have vBulletin. Just speaking truth and non bias here. You can deny it all you want, but stock vBulletin is no more secure than wordpress or phpbb or kunena forum for joomla.

kh99 12-15-2012 05:16 PM

Edit: nvm, maybe I just misunderstood. I'm not really interested in arguing.

Deriggs007 12-15-2012 06:08 PM

Ah, I see.

Alternative registration options outside of reCAPTCHA that work -- We all know what happened with reCAPTCHA. Sadly, using "Human Verification" doesn't work like it's intended. I have it on my site as enabled and it didn't stop anything. Granted, I think when I initially set it up it was simple "What is 3+4" -- Still, didn't work

Basically, it just needs improvements

kh99 12-15-2012 06:29 PM

OK.

Sorry, I guess I decided to edit my post above just as you were writing yours.

Paul M 12-16-2012 02:30 PM

Quote:

Originally Posted by Deriggs007 (Post 2390896)
Name a software that's semi-spam proof -- Everything but vBulletin right now...

LOL, on what planet are you :erm:

All software is only semi-spam proof - the only way to be 100% spam proof is to stop all posting.

vBulletin is no different to Xen, IPB, MyBB or any other software.

Deriggs007 12-16-2012 09:52 PM

Quote:

Originally Posted by Paul M (Post 2391087)
LOL, on what planet are you :erm:

All software is only semi-spam proof - the only way to be 100% spam proof is to stop all posting.

vBulletin is no different to Xen, IPB, MyBB or any other software.


........ Yes, all software is semi-spam proof.. Sorry buddy, but vBulletin 4.x out of the box is easily one of the most spammed until you set it all up -- And you should know why *cough reCAPTCHA cough*

IPB, Xen, joomla, wordpress, you name it -- It's not like that.

Might want to get back to earth

Paul M 12-16-2012 10:08 PM

Quote:

Originally Posted by Deriggs007 (Post 2391177)
........ Yes, all software is semi-spam proof.. Sorry buddy, but vBulletin 4.x out of the box is easily one of the most spammed until you set it all up -- And you should know why *cough reCAPTCHA cough*

IPB, Xen, joomla, wordpress, you name it -- It's not like that.

Might want to get back to earth

Unlike you I am on planet Earth, feel free to join us sometime ;)

None of this has anything to do with hacking, this is way off topic now, time to move on.

