vb.org Archive


shimei 10-31-2015 06:20 PM

Vbulletin.com hacked
 
For us VB5 owners.... I hope they fill us in when they have it figured out.

https://vborg.vbsupport.ru/external/2015/10/1.jpg

TheLastSuperman 10-31-2015 06:21 PM

I just noticed as well, apparently Cold had Zero things to do on a Saturday, I'd hate to be so lonely myself! :p

shimei 10-31-2015 06:27 PM

Had a guy come onto my site yesterday. He claimed to be using a program that could create registered accounts, and used some 200 proxies. I believe he referred to it as xrumer profiles. Supposedly he creates hacks and sells them.

Of course the only thing I could do was to manually moderate new accounts. He created another account near instantaneously.

bridge2heyday 10-31-2015 06:28 PM

This is very bad, I think it will have a big effect on vBulletin.

TheLastSuperman 10-31-2015 06:32 PM

You can still access the members area via https://members.vbulletin.com

It appears to have only been the forums, the main home page and all subsequently related pages work along with the members area as well.

If your vB5 forum is hacked, close the board and await an announcement and new security patch because currently since we (the public) do not know the exploit used, overwriting with fresh files from a version with an apparent exploit won't be of much use.

*Although to be fair this could have been some other form of exploit... server possibly however I doubt that based on it only being the vB5 powered forums down currently - we honestly do not know yet :(. *This may also be something that affected the specific version on vbulletin.com, meaning that usually they run a slightly newer version than what is currently released so it's entirely possible only their version was compromised and no others are at risk however that's dependent on a number of factors.

Is it bad? Well sure no one likes being defaced that way but let's not start a panic and have chaos ensue in this thread, we'll know more soon :cool:.

Dave 10-31-2015 06:40 PM

Now the question is if it got hacked because of a vBulletin 5 exploit or something else. Looking at the amount of vBulletin 5 vulnerabilities in the past, it does not surprise me if it's a vBulletin 5 exploit.

bridge2heyday 10-31-2015 06:43 PM

The hacker on his Facebook page says he lost control. He claims he could control the site for 1 minute only.

napy8gen 10-31-2015 06:45 PM

How many times has vbulletin.com been hacked since 2001, and what version?

TheLastSuperman 10-31-2015 06:50 PM

Quote:

Originally Posted by Dave (Post 2558042)
Now the question is if it got hacked because of a vBulletin 5 exploit or something else. Looking at the amount of vBulletin 5 vulnerabilities in the past, it does not surprise me if it's a vBulletin 5 exploit.

LOL I was editing my post rewording it with something along those lines before I saw your post :p.

Quote:

Originally Posted by bridge2heyday (Post 2558043)
The hacker on his Facebook page says he lost control. He claims he could control the site for 1 minute only.

More than likely due to all the security they have in place to prevent things like this from occurring. Why are you on his facebook page? Silly to even bother visiting it imo, trash all looks the same.

Quote:

Originally Posted by napy8gen (Post 2558044)
How many times has vbulletin.com been hacked since 2001, and what version?

I only know of one other time, I barely recall another time before that but can't say for sure. I know the p0wetards... err I mean p0wersurge folks were able to pull it off a while back. I can only vouch for twice myself.

Max Taxable 10-31-2015 07:01 PM

Quote:

Originally Posted by shimei (Post 2558038)
Had a guy come onto my site yesterday. He claimed to be using a program that could create registered accounts, and used some 200 proxies. I believe he referred to it as xrumer profiles. Supposedly he creates hacks and sells them.

Of course the only thing I could do was to manually moderate new accounts. He created another account near instantaneously.

I laugh at XRumer. Defeated long ago.

shimei 10-31-2015 07:05 PM

Quote:

Originally Posted by Max Taxable (Post 2558050)
I laugh at XRumer. Defeated long ago.

I have no idea what it is. Could you please elaborate, any suggestions?

ForceHSS 10-31-2015 07:35 PM

I hope our accounts are all safe. Do we need to change our passwords on all sites of vb?

final kaoss 10-31-2015 07:38 PM

Quote:

Originally Posted by ForceHSS (Post 2558055)
I hope our accounts are all safe. Do we need to change our passwords on all sites of vb?

They should be safe if all they got were 1 minute of access. Not nearly enough time to do a mysql dump. If you're super paranoid about it, it can't hurt to be safe & change the login details.

Dave 10-31-2015 07:41 PM

Well dumping just the username, password, salt and email column of the user table shouldn't take too long. You can gather a lot of information in just 1 minute.

Let's hope vBulletin makes an announcement regarding this because I'm really curious what happened and what damage the "hackers" managed to do.

ForceHSS 10-31-2015 07:43 PM

Quote:

Originally Posted by final kaoss (Post 2558056)
They should be safe if all they got were 1 minute of access. Not nearly enough time to do a mysql dump. If you're super paranoid about it, it can't hurt to be safe & change the login details.

A lot can be done in one min

TheLastSuperman 10-31-2015 08:09 PM

Quote:

Originally Posted by ForceHSS (Post 2558055)
I hope our accounts are all safe. Do we need to change our passwords on all sites of vb?

I would wait to change, if it's still showing as hacked we don't know what level of extent the hack was i.e. shell script uploaded? Logging user logins? No clue other than the defaced forum currently but point being no need to change if being logged or if still hacked.

Quote:

Originally Posted by final kaoss (Post 2558056)
They should be safe if all they got were 1 minute of access. Not nearly enough time to do a mysql dump. If you're super paranoid about it, it can't hurt to be safe & change the login details.

Who says they wanted anything from the database? The whole point could have been to gain access and deface or some other motive. It's not always about getting info, sometimes it's about injection and other methods.

Quote:

Originally Posted by Dave (Post 2558058)
Well dumping just the username, password, salt and email column of the user table shouldn't take too long. You can gather a lot of information in just 1 minute.

Let's hope vBulletin makes an announcement regarding this because I'm really curious what happened and what damage the "hackers" managed to do.

Paul is on vacation so someone else will be fixing this, with it being Halloween if they have kids... well not sure if they'll be in sooner or later on a Saturday. I would guess that others are lined up to take care of issues like this, they have someone looking at it already if I had to guess ;).

Quote:

Originally Posted by ForceHSS (Post 2558061)
A lot can be done in one min

Yes it can, then again depends on who is in there during that one minute.

TheLastSuperman 10-31-2015 08:46 PM

It's back up everyone :D.

So someone took the time to fix this on a Saturday, for that I'm thankful ;).

Edit: I spoke too soon! I was on this page when refreshing:
http://www.vbulletin.com/forum/forum...google-adsense

^Which does come up now, so it seems only the forumhome page remains defaced. Soon as someone is working on it else the thread would not be coming up now :cool:.

shimei 10-31-2015 08:48 PM

Quote:

Originally Posted by TheLastSuperman (Post 2558069)
It's back up everyone :D.

So someone took the time to fix this on a Saturday, for that I'm thankful ;).

Edit: I spoke too soon! I was on this page when refreshing:
http://www.vbulletin.com/forum/forum...google-adsense

^Which does come up now, so it seems only the forumhome page remains defaced. Soon as someone is working on it else the thread would not be coming up now :cool:.

Betcha you were sweating when you noticed the VB5 owners beginning to form a mob and grabbing pitch forks. :eek: Just curious will you be our VB spokesperson for damage control?

TheLastSuperman 10-31-2015 08:57 PM

Quote:

Originally Posted by shimei (Post 2558070)
Betcha you were sweating when you noticed the VB5 owners beginning to form a mob and grabbing pitch forks. :eek: Just curious will be VB spokesman for damage control?

Nah not really, tons of sites are hacked daily... granted someone with big basketballs tries to hack an official site either that or a very intelligent idiot which contrary to popular belief and contrary to being a contradiction in themselves do exist!

I will not be the spokesperson for damage control, I just moderate here on the org and do not work for vBulletin any longer (have not for a while now but great people there I will say that!). I just wanted to make sure everyone was ok here with what was going on there and as you can see they're making progress already else that thread I linked to would still have the same message up instead of actual content.

We all need to wait for an official announcement before speculating too much. It's always over speculation and assumptions that lead to the naysayers and now-fanboys of other software to start bombing this thread with banter and one-sided comments about the software's flaws and other tidbits of utterly useless information when they don't know anything until vB discloses it.

So please don't assume or speculate in a negative way - opinions are just that but overextending your imagination only works well with toys ;).

shimei 10-31-2015 09:01 PM

Well, I think you're doing a wonderful job and have been extremely helpful.

Thanks,
William

TheLastSuperman 10-31-2015 09:04 PM

Quote:

Originally Posted by shimei (Post 2558072)
Well, I think you're doing a wonderful job and have been extremely helpful.

Thanks,
William

Well thanks for that! I'm the comic relief around these'here'parts' for sure :D. Sometimes a few don't get my sense of humor but to each their own eh? After all being different is what makes us all unique in a great way :D.

Thanks for a good conversation as well!

- Mikeeeeeeyyyyyy :p

TheLastSuperman 10-31-2015 09:04 PM

NOW it's back up including forumhome ;).

Standby for an announcement to be posted here:
http://www.vbulletin.com/forum/forum...nouncements_aa

I cannot guarantee that will be today, tomorrow etc as honestly if I were called in to fix it I'd have fixed it then immediately left to return to my wife and kiddos for Halloween but that's just me haha! The announcement will be made though we all know that, they will let us know what happened ;).

shimei 10-31-2015 09:09 PM

Curious, if you don't mind a general or basic explanation. How do they figure out what was done? I take it the hacker will leave behind some kind of footprint? Do most servers have the ability to find out through logs of some sort etc?

William

ForceHSS 10-31-2015 09:54 PM

https://www.youtube.com/watch?v=Zq549n6fi6I
http://www.vbulletin.com/forum/forum...letin-software

--------------- Added [DATE]1446334377[/DATE] at [TIME]1446334377[/TIME] ---------------

I see the user removed the video of him hacking vb

x iJailBreak x 11-01-2015 05:23 PM

Quote:

Originally Posted by TheLastSuperman (Post 2558046)
LOL I was editing my post rewording it with something along those lines before I saw your post :p.

More than likely due to all the security they have in place to prevent things like this from occurring. Why are you on his facebook page? Silly to even bother visiting it imo, trash all looks the same.

I only know of one other time, I barely recall another time before that but can't say for sure. I know the p0wetards... err I mean p0wersurge folks were able to pull it off a while back. I can only vouch for twice myself.

You are so mature. You know if it wasn't for people like you making comments like that groups would be more willing to actually help and not do stuff like that. How you remain staff here amazes me.

K a M a L 11-01-2015 05:47 PM

Hacker claims he is still connected, he says he dumped vbulletin.com database and now dumping vbulletin.org database and customer info.

--------------- Added [DATE]1446407370[/DATE] at [TIME]1446407370[/TIME] ---------------

He offers vb.com database for sale and is showing evidence

x iJailBreak x 11-01-2015 06:36 PM

Quote:

Originally Posted by K a M a L (Post 2558127)
Hacker claims he is still connected, he says he dumped vbulletin.com database and now dumping vbulletin.org database and customer info.

--------------- Added [DATE]1446407370[/DATE] at [TIME]1446407370[/TIME] ---------------

He offers vb.com database for sale and is showing evidence

I have my doubts that he's even still connected. Also, as long as everyone is using a different password on here and vB.com, you should be fine. Sure the attacker can try and crack your passwords but if you only use that password here, it's effectively useless.

Adding to this, it would be super helpful if there was a two factor authentication system cooked right in to vBulletin to allow customers to protect their accounts not only on here but on other vBulletin powered boards. I know several products exist that do this but it seems silly that it isn't included by default.

Dave 11-03-2015 07:06 PM

Can anyone fix this mistake at vBulletin.com's main page?

https://vborg.vbsupport.ru/external/2015/11/57.png

TheLastSuperman 11-03-2015 07:54 PM

Quote:

Originally Posted by x iJailBreak x (Post 2558123)
You are so mature. You know if it wasn't for people like you making comments like that groups would be more willing to actually help and not do stuff like that. How you remain staff here amazes me.

You're the primary admin of the team ps forums with sub-forums such as this: https://p0wersurge.com/forums/vulnerable-websites/ among others of nothing but a seemingly malicious intent and purpose with a legal disclaimer stating:

Quote:

Legal Disclaimer
TeamPS and p0wersurge.com are not responsible for any attacks carried out on networks, websites or servers. The staff cannot be held responsible. All information on this forum is for educational purposes only.

So let's list sites that are vulnerable and go on the wild assumption some lowlife won't use that info to hack said sites. That is one of the most helpful sub-forums to the members of this community based on your rebuttal of wanting to help or am I just completely off-base by saying that? We can break it down and examine your reply but let's spare everyone. Furthermore I highly doubt ANY site on those lists wants its vulnerabilities tested and "verified" via being hacked. Using a loophole via a legal disclaimer regarding educational purposes speaks to us all more than your words ever will.

Also please note that I used a group's name not yours, you singled me out and took offense then called me out on the subject of maturity, that was your prerogative but facts will always remain facts.

Skyrider 11-03-2015 10:03 PM

I'm curious if vB is using an SSH whitelist and/or key authentication.

Paul M 11-04-2015 11:25 AM

I don't really see how that's relevant, ssh was not involved in this attack.

Skyrider 11-05-2015 11:13 AM

Quote:

Originally Posted by Paul M (Post 2558206)
I don't really see how that's relevant, ssh was not involved in this attack.

According to many sites, it was:

Quote:

5.x.x hacked by Coldzer0 today. Licences & database dumped, shell on server. vBulletin denied

and

Quote:

vBsecurity team from yesterday and they can’t catch it.

and here’s the most weird thing

they using F5 on there servers and didn’t detect my shell or even detecting my traffic

As such he had shell access. Hence my question still stands :).

squidsk 11-05-2015 02:13 PM

Quote:

Originally Posted by Skyrider (Post 2558270)
According to many sites, it was:

and

As such he had shell access. Hence my question still stands :).

You do realize that if due to the security issue he was able to execute arbitrary code on the server he could give himself shell access, so whether or not he ended up with shell access is irrelevant since it wasn't the shell access itself that was the access point for the breach, which is exactly what Paul was saying.

This would be like worrying about whether the door to your house is well enough protected when the thief came in from the window but was removing items from the door once they were inside.

Paul M 11-05-2015 02:19 PM

That was issuing shell commands from a php program, not quite the same as direct ssh access.

I don't think it would make our IT guys very happy if I were to start discussing what IB uses, so I'm not going to.

TheLastSuperman 11-05-2015 08:23 PM

Quote:

Originally Posted by squidsk (Post 2558278)
This would be like worrying about whether the door to your house is well enough protected when the thief came in from the window but was removing items from the door once they were inside.

I'm only worried about how Santa has been coming in these past few years... we have no Chimney!


BAHAHAHAHAHAHA! Sorry, thought we could use some comic relief in here :cool:.

Maghrebia 12-14-2015 11:04 PM

Did this happen only for vb 5? Is vb 4 safe?

RichieBoy67 12-15-2015 01:13 AM

Quote:

Originally Posted by Maghrebia (Post 2560478)
Did this happen only for vb 5? Is vb 4 safe?

Use the latest patch and take precautions and I think it is very secure.

BirdOPrey5 12-15-2015 08:54 AM

The hack that spawned this thread was only against VB5. VB3 and VB4 were not vulnerable.

That said it is always important to stay up to date on the latest patch/version for whatever branch you are using (3.x branch, 4.x branch, or 5.x branch).

Emails occasionally don't get delivered so it's also a good idea to check the Announcements forum on vBulletin.com or the portal here to keep up with major announcements.

