Spammers using Moderators/Administrator accounts to Edit Old Posts
 

Hi -

I was wondering if anyone else has ever had this problem. Today I logged onto my site to find that one of my moderator and one of administrators accounts had been hacked. Over 2,000 older posts on my site made by these 2 staff members had been edited to insert spam links that appear under their original post like this:

________
Body Science

Does anyone know where I can begin to correct this problem? I've told everyone on staff they should change their passwords immediately, but other than that, I've got no idea where to begin??? I'm running VB 3.7.4

In addition, it looks as though some of these edits do appear in the moderator logs, but only a very few of them. I've banned all the IP addresses that made the changes from the few mod log entries that I can see. All of the IP's look like proxies.

Any suggestions?

Contact your host to check their logs and see how they were able to hack into the admin accounts. Check your server space for any suspicious file/s. Then upgrade your forum to the latest version of your branch.

Likely its the security issue that was discovered in 3.8.5 and below. Upgrade to the latest version.
The issue allowed people to registered duplicate staff accounts.

I got this issue too. total suckage. Is there anyway to see all external links coming from your site ....... as its hard to clean this up properly ?

I got it as well...

What measures did you all take to fix?

I was told this ... To fix the exploit you go into "Vbulletin Options > Registration Options > Username Regular Expression > input "^[A-Z0-9 ]+$"

and then added this in illegal usernames

@ ~ ` # $ % ^ ( ) + = { [ ] } | \ / ? < > , ; : " '

I'm hoping that fixes the exploit.

Also add the usernames of all your staff members to the illegal usernames.