The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
I have a hacker who seems to have gotten a hold of my user database, and is logging in as all different users. I need a way to mass change all of the users' PWs, so they would have to log in and click Forgot password so that it's emailed to them.
Any way to do this? Please help.
#2
You could perform a query...
```sql
UPDATE user SET password = md5(concat(md5('new_password'), salt)) WHERE userid NOT IN (1, 5, 7);
```
1, 5, 7 being the IDs of users whose passwords you don't want to change. Just be very careful doing this - you should probably perform a backup first.
#3
Where I enter new_password would it be plain text or md5?
#4
Sorry but this does not make much sense. Even with the database you can not get the passwords.
Most likely there is something else going on.
#5
There's no point in resetting passwords as the "hacker" doesn't have the passwords in plain text; they are hashed. Therefore he can't use them to log in. He might try and crack them, but it's unlikely he is going to waste time for an Internet forum; there wouldn't be much point to it. Just ask your users to reset the passwords themselves.
#6
The hacker installed a VB phisher in /inc/functions_login. What he did was add a line in the login field to email him the username and PW when they log in.
I changed all the PWs so now all users have to click Forgot password. Also there is an MD5 cracker out, so once a hacker gets the USERDB they run it against the MD5 cracker.
#7
Are you talking about an "inc" directory (i.e. non-vBulletin) or "includes"?
If they managed to change a file, then most likely your hosting account (or, if on a shared server with bad security, another account on the same server) is compromised. I strongly suggest that you ask your host to find the reason, as they might be able to do it again any day.
Finally, you can not crack an MD5 hash. For plain MD5 there are some rainbow tables around providing a way to look up hashes and their possible plaintext value, but I have never seen it done for multiple MD5s like vBulletin is using, and I strongly doubt anyone will ever make such tables.
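Added example, not part of any post in this thread: post #6 describes a line added to the login code and post #7 notes that a changed file points to a compromised account or server. One way to find every changed file is to compare the live install against a pristine copy of the same release, as the Python below does. The directory layout, file contents and `notify_third_party()` are constructed placeholders, not vBulletin code.

```python
import difflib
import tempfile
from pathlib import Path


def php_files(root: Path) -> dict:
    """Map relative path -> absolute path for every .php file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*.php")}


def compare_trees(clean_root: Path, live_root: Path) -> dict:
    """Compare the live install against a pristine copy of the same release."""
    clean, live = php_files(clean_root), php_files(live_root)
    report = {"modified": {}, "added": [], "missing": []}
    for rel in sorted(clean.keys() | live.keys()):
        if rel not in live:
            report["missing"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)  # file the package never shipped
        elif clean[rel].read_bytes() != live[rel].read_bytes():
            old = clean[rel].read_text(errors="replace").splitlines()
            new = live[rel].read_text(errors="replace").splitlines()
            # Keep only the lines present in the live file but not in the clean one.
            report["modified"][rel] = [
                line[2:] for line in difflib.ndiff(old, new) if line.startswith("+ ")
            ]
    return report


def build_demo(base: Path):
    """Constructed sample trees; the file contents are placeholders."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "includes" / "functions_login.php").write_text(
            "<?php\nfunction verify_login() {\n    return true;\n}\n")
        (root / "global.php").write_text("<?php // bootstrap\n")
    # Simulate the tampering from the thread: one extra line in the login code.
    tampered = live / "includes" / "functions_login.php"
    tampered.write_text(tampered.read_text().replace(
        "    return true;", "    notify_third_party();\n    return true;"))
    (live / "includes" / "extra.php").write_text("<?php // not in the package\n")
    return clean, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo(Path(tmp))))
```

Run it with the pristine tree unpacked outside the web root, so the reference copy cannot be altered through the same access that changed the live files.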
#8
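This doesn't work in vb3.7.0 RC2, so I've modified the script provided above.
I don't program in PHP, but it didn't seem hard to modify.
Code:
```php
<?php
// NOTE: this script resets every account's password; remove it from the server once it has run.
require_once('./global.php');
require_once('./includes/functions.php');

// Only administrators may trigger a mass reset.
if (!($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']))
{
    print_no_permission();
}

$perpage = 100;
$start = isset($_REQUEST['start']) ? intval($_REQUEST['start']) : 0;
echo "Resetting up to $perpage passwords starting at user id $start, please stand by!<br />";

// Highest user id, used to decide when the run is complete.
$res = $vbulletin->db->query_first("SELECT userid FROM " . TABLE_PREFIX . "user ORDER BY userid DESC LIMIT 1");
$maxuid = $res['userid'];

// languageid is selected because fetch_email_phrases() below uses it.
$users = $vbulletin->db->query("SELECT userid,username,salt,email,languageid FROM " . TABLE_PREFIX . "user WHERE userid > $start ORDER BY userid ASC LIMIT $perpage");
$lastuid = $start; // stays at $start if this batch returns no rows

vbmail_start();
while ($userinfo = $vbulletin->db->fetch_array($users))
{
    // Drop any pending lost-password activation for this user.
    $vbulletin->db->query("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = $userinfo[userid] AND type = 1");

    // Store the new password in vBulletin's format: md5(md5(password) . salt).
    $newpassword = vbrand(0, 100000000);
    $vbulletin->db->query("UPDATE " . TABLE_PREFIX . "user SET password = '" . addslashes(md5(md5($newpassword) . $userinfo['salt'])) . "', passworddate = NOW() WHERE userid = $userinfo[userid]");

    // Assumption: the resetpw e-mail phrase references $username as well as $newpassword.
    $username = $userinfo['username'];
    eval(fetch_email_phrases('resetpw', $userinfo['languageid']));
    vbmail($userinfo['email'], $subject, $message, true);

    echo "Reset UserID:";
    echo $userinfo['userid'];
    echo "<br />";
    flush();
    $lastuid = $userinfo['userid'];
}
vbmail_end();

if ($lastuid < $maxuid)
{
    // More users remain: redirect to the next batch.
    $start = $lastuid;
    $vbulletin->url = "resetpw.php?" . $vbulletin->session->vars['sessionurl'] . "start=$start";
    eval(print_standard_redirect("Going for another $perpage Password-Resets", 0));
}
else
{
    echo "Finished!";
}
?>
```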