The Arcive of Official vBulletin Modifications Site.

WillyWonkaBar · #1 04-01-2016, 01:21 AM

We had about 30 users write in today that they received password reset email notifications, but didn't request them.

Is anybody aware of an exploit that might make use of this? We did block a connection that appears to have been either scraping the site, looking for a user list to possibly perform these password resets, or doing something else nefarious.

We did have an issue with the mail queue growing quite large, larger than what our mail queue batch setting could keep up with.

I'm betting the mail queue issue is related to these password reset email notifications going out. I've reviewed the notifications received, and they look correct. No bad URLs or missing usernames.

Has anybody experiencing something similar to this?

Thanks!

WWB

Dave · #2 04-01-2016, 05:26 AM

Anyone can request those emails to be sent from login.php?do=lostpw.
Or is that not what you're talking about?

WillyWonkaBar · #3 04-01-2016, 03:04 PM

No, you're correct. We have that page. But you need to specify an email address and complete recaptcha v2.

These users did not request the password reset. So somebody else did.

So that somebody would have to know the email addresses, correct? Maybe a bot guessing email addresses, or using their own list against our website?

Again, I'm more trying to determine that if it was somebody with malicious intent, what could they gain going this route. It only makes sense to me if they have access to the email account in question, and then even in that scenario, they'd have to figure out admin account email addresses. Again, if they're after access.

There's also the possibility that this was a DOS attack, or attack on VB's mail queue. Our mail queue, around the same time these support requests came in, swelled to 7000 msgs, which the mail queue process scheduled task couldn't keep up with based on our settings.

Or maybe this was just a site scraper.

Dave · #4 04-01-2016, 03:26 PM

I doubt it will do any harm besides filling up your mail queue. There's not a whole lot to do against it since it's just a public page.

Have you checked the access logs for GET/POST requests sent to login.php?do=lostpw? Maybe you can get some more information regarding who did it by looking at the access logs.

WillyWonkaBar · #5 04-01-2016, 03:47 PM

Thanks for the suggestion, Dave. I check the logs and report back.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06389 seconds Memory Usage 2,191KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (5)post_thanks_box (5)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (5)post_thanks_postbit_info (5)postbit (5)postbit_onlinestatus (5)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!