Are any of the vB3 versions safe?

[afmarko99]

I had been running vB for 4 or so years with 3.6.8 and it was hacked last week. I spent about 20 hours over the past two days redoing my site and I happen to have 3.7.2 still available for download from vbulletin.com.

I installed that and my admin username and pass was hacked today.

It looks like I will have to renew my license if I don't want to get hacked. However, I am really starting to question the security of vB. It's obvious that at some point people will find a way to hack any version they produce. So we are all taking the chance running this software correct?

I mean someone has to get hacked for vB to figure out the security issues and then work on a patch?

I am really pissed right now.

[Lynne]

Do you have modifications on your site? Are you keeping them up to date security wise? If you were running that old of a version and running modifications, then there could be any number of security issues.

[afmarko99]

I just upgraded to 3.8.7 Patch Level 2.

I currently have the following mods installed:

NoSpam!
Stop the Registration Bots
vBadvanced CMPS

These mods are all updated to the latest version.

How has the security been with 3.8.7 PL2?

[TheLastSuperman]

I have quite a few clients running 3.x sites, nearly all 3.8.7 PL2 however at some point the vBulleitn 3 series will reach EOL i.e. End of Life and that my friend is when security will become a issue... there won't be patches released and as new exploits/vulnerabilities are discovered they will not be patched. Is that soon or not? I'm not 100% sure when the exact date will be, none of us are but imo it will be sooner rather than later. So with that said... run 3.8.7 PL2 for now and prepare yourself for upgrading to vBulletin 4.x sometime soon and you should be good to go .

[afmarko99]

My site was hacked again. Like earlier today they changed my admin account to the username 'hac' and changed the password. Im not home to upload tools.php and recover my name. I have email my host to shut the whole site down.

Where do I go from here?

[nerbert]

Three things I would do if you haven't already:

1. Be sure your user id is in the list of Undeletable/Unalterable Users in includes/config.php

2. Change the filepath to your adminCP in includes/config.php (and change the name of the directory on the server). Once you do this you can create your own link in your bookmarks. Check what the link to your adminCP is in the page footer and if it has changed to your new filepath remove it completely and use only your bookmarked link for access.

3. Check your Control Panel Log in adminCP, there you may find info on the hacker. Then in IP Deny Manager on cPanel ban the IPs of the hacker

EDIT: you can read IP addresses for the adminCP directly out of your database in the adminlog table and ban foreign IPs before you restore your forum.

EDIT2: you can edit your footer template directly in the database to remove the Admin link. Use the search feature in phpMyAdmin to find "footer"

[Max Taxable]

Quote:

Originally Posted by EaglezEye

It's obvious that at some point people will find a way to hack any version they produce. So we are all taking the chance running this software correct?.

This is and always will be true of any software you run. And like any other software, vBulletin is about as "safe" as you make it.

It's silly to expect or demand otherwise, but as far as it goes, vBulletin is one of the hardest boards to "hack" there is. Most of the others, especially the free ones, are wet paper sacks, security wise.

There's all kinds of articles here and elsewhere about securing vBulletin. You might learn alot from them.

This is coming from a vBulletin owner who has had vBulletin up since 2005 and has never been "hacked" or defaced.

--------------- Added [DATE]1319248037[/DATE] at [TIME]1319248037[/TIME] ---------------

Quote:

Originally Posted by EaglezEye

My site was hacked again. Like earlier today they changed my admin account to the username 'hac' and changed the password. Im not home to upload tools.php and recover my name. I have email my host to shut the whole site down.

Where do I go from here?

This is why the unalterable/undeletable user option in the configuration file exists.

[souperman]

It's normally not vb that has security issues, it's actually badly coded plugins. Not all, but some. Some plugins are small enough so you can review their code.

Like everyone suggested, just upgrade to 3.8.7pl2

[Lynne]

Check your access_logs and see how they got in.

Also, when you did your upgrade earlier, did you do this on a database backup from before you were hacked? Or did you go through the hacked database and make sure it was clean? And, did you change your server password? And any htaccess passwords?

[Frosty]

As Lynne said, check access_logs, they (he) could have uploaded a php shell, which allows editing of all files that are writeable, and some shells have the ability of altering the MySQL database, which could explain why your password was changed.

If that isn't the case, scan your PC with Malware Bytes and/or Spybot, your PC might have been infected by a keylogger or a similar program that could give out your passwords to the attacker.