  #7  
Old 12-08-2012, 01:40 PM
trackpads
 
Join Date: Aug 2003
Location: Armyville
Posts: 1,074

Agreed with Paul.

My 2 cents. You are always at risk of something bad happening. That is the risk you take. You mitigate risk by backing up/testing backups and doing your utmost to secure your site AND your server.

Some of these hacks could have been done at the server level, not just software. You just don't know. Every major hosting provider has had successful attacks. You learn, adapt and move on.

In the case with IQ69, I found on their Twitter feed that the group that hacked them is claiming to have all 50GB of their data. To get that kind of access you need console access. No one can sqldump 50GB from the phpMyAdmin interface. Plus the files etc. are not just available because you have an admin password. They have FTP access too.

a. NONE of your logins and passwords should be the same. If your FTP, cPanel, root, forum and other admin logins are all the same then you are screwing yourself.

b. Use secure server software with a provider that has the latest updates. cPanel etc.

c. BACKUP!!!!!

d. BACKUP off site!!!!

Hope this helps,

-Jason Edwards, CISSP

--------------- Added [DATE]1354978181[/DATE] at [TIME]1354978181[/TIME] ---------------

Secondly,

Use a firewall or proxy service. Some attacks can be foiled by a good proxy. I use Cloudflare and have found it to be useful. It does require some tooling to get some vBulletin mods to work, but it has blocked massive amounts of malicious IP traffic from ever reaching my site. It can also cache and do other improvements as well that will speed up your site.
 