The Arcive of Official vBulletin Modifications Site.

findingpeace · #**101** 11-17-2013, 05:53 PM

Quote:

Originally Posted by Max Taxable

That's not known for sure. Read paul's posts, what he says is what they know. he never said the customer data is in 3rd party hands.

Doesn't this post from Paul mean customer data is in 3rd party hands?

Quote:

They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.

Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.

Max Taxable · #**102** 11-17-2013, 05:58 PM

Quote:

Originally Posted by findingpeace

Doesn't this post from Paul mean customer data is in 3rd party hands?

Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.

Yes thanks for pointing that out, that slipped by me. My apologies. It sure does sound like he is saying that.

Digital Jedi · #**103** 11-17-2013, 06:00 PM

Quote:

Originally Posted by findingpeace

Doesn't this post from Paul mean customer data is in 3rd party hands?

Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.

Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.

findingpeace · #**104** 11-17-2013, 06:02 PM

Quote:

Originally Posted by Digital Jedi

Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.

Well I am a vBulletin customer, and it is my data

I get what you are saying though, I'm just being a spaz - at least it's not our credit card or license info.

Chris8 · #**105** 11-17-2013, 08:09 PM

But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.

So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.

Will Watts · #**106** 11-17-2013, 09:15 PM

Quote:

Originally Posted by Paul M

They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.

How did they crack the MySQL password - how is the QA server linked to the live DB?

I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?

Digital Jedi · #**107** 11-17-2013, 09:43 PM

Quote:

Originally Posted by Chris8

But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.

So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.

If you re-read Paul's explanation, you'll see nothing was modified. vB.org tables were read, not modified. And the only tables read were user tables.

Quote:

Originally Posted by Will Watts

How did they crack the MySQL password - how is the QA server linked to the live DB?

I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?

Adminer lets you manage database files from one file. I've not used it, but if they had a bunch of cloned databases to look at, it was probably simple reverse engineering.

Lynne · #**108** 11-18-2013, 12:53 AM

The databases are on a different server than the files (typical setup if you have more than one server).

Will Watts · #**109** 11-18-2013, 09:18 AM

Quote:

Originally Posted by Lynne

The databases are on a different server than the files (typical setup if you have more than one server).

So how did they crack the the live DB MySQL? Was the password listed somewhere on the QA server or do you not know how it was done?

#**110** 11-18-2013, 02:59 PM

Paul said
"They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.".

If they broke into the server, the QA DB password could be gleaned by the vB config file. Hopefully it wasn't the same db user and password in use for vB.com or vB.org.

In the past, the QA team has copied the vb.com live database (or parts of it) to one of their servers, and tested installations.

Maybe that was done, and the db userid's/passwords were brought along with them. That would have given them access to the vb.com DB.

But I would think the vb.com DB has restricted access via the hosts table or something.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.07707 seconds Memory Usage 2,288KB Queries Executed 14 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (9)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (10)post_thanks_box (3)post_thanks_box_bit (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (3)post_thanks_postbit (10)post_thanks_postbit_info (10)postbit (9)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
Max Taxable

Благодарность от:
findingpeace

Благодарность от:
findingpeace

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!