Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Closed Thread
 
Thread Tools Display Modes
  #101  
Old 11-17-2013, 05:53 PM
findingpeace's Avatar
findingpeace findingpeace is offline
 
Join Date: Nov 2011
Posts: 268
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Max Taxable View Post
That's not known for sure. Read paul's posts, what he says is what they know. he never said the customer data is in 3rd party hands.
Doesn't this post from Paul mean customer data is in 3rd party hands?

Quote:
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Благодарность от:
Max Taxable
  #102  
Old 11-17-2013, 05:58 PM
Max Taxable's Avatar
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Posts: 3,134
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by findingpeace View Post
Doesn't this post from Paul mean customer data is in 3rd party hands?



Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Yes thanks for pointing that out, that slipped by me. My apologies. It sure does sound like he is saying that.
Благодарность от:
findingpeace
  #103  
Old 11-17-2013, 06:00 PM
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by findingpeace View Post
Doesn't this post from Paul mean customer data is in 3rd party hands?



Apologies if I'm misreading, but if they read the user tables, then it's also likely they now have the data, right? Even if it's encrypted, that's a little scary to me. I hate the idea of my email address with a bunch of hackers. Freaks me out.
Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.
  #104  
Old 11-17-2013, 06:02 PM
findingpeace's Avatar
findingpeace findingpeace is offline
 
Join Date: Nov 2011
Posts: 268
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Digital Jedi View Post
Nope, Paul said that they targeted the user tables. The forum. Not customer data. Not the same thing.
Well I am a vBulletin customer, and it is my data I get what you are saying though, I'm just being a spaz - at least it's not our credit card or license info.
  #105  
Old 11-17-2013, 08:09 PM
Chris8's Avatar
Chris8 Chris8 is offline
 
Join Date: Nov 2009
Posts: 188
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.

So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.
Благодарность от:
findingpeace
  #106  
Old 11-17-2013, 09:15 PM
Will Watts Will Watts is offline
 
Join Date: Nov 2012
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Paul M View Post
They then appear to have cracked a mysql user password for the Live DB server, and used it (via adminer) to read the vb.com and vb.org user tables.
How did they crack the MySQL password - how is the QA server linked to the live DB?

I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?
  #107  
Old 11-17-2013, 09:43 PM
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Chris8 View Post
But the thing that is essentially concerning me now the most here in this whole mess actually is:
Supposedly if they had access to write/modify files on vb.com and vb.org servers (By the way, isn't it the same server? Or Vb.com is on separate server from Vb.org?) are all downloadable scripts, mods, templates safe? I mean, assuming they had that access they could for example change certain mods or themes code to put vulnerabilities into them so they can hack other websites powered by vbulletin later.

So, ideally if vb staff knows they had such access vb staff should do the diff of all downloadable content against the backups from the time before it happened to make sure people are safe when downloading and installing new content on their forums/servers.
Also I would be more calm if they (you - I guess people in charge/responsible for vb here read this) could make a statement assuring your customers that everything is safe and nothing was modified or if there was anything modified that you took care to fix it.
If you re-read Paul's explanation, you'll see nothing was modified. vB.org tables were read, not modified. And the only tables read were user tables.

Quote:
Originally Posted by Will Watts View Post
How did they crack the MySQL password - how is the QA server linked to the live DB?

I'd rather you elaborated on that, with an explanation of "we made a mistake/a config file was left on the QA server/something else etc" rather than leaving the possibility of a vB exploit open. Even if it was only a QA server hacked, how did they then escalate that to the live DB?
Adminer lets you manage database files from one file. I've not used it, but if they had a bunch of cloned databases to look at, it was probably simple reverse engineering.
  #108  
Old 11-18-2013, 12:53 AM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The databases are on a different server than the files (typical setup if you have more than one server).
  #109  
Old 11-18-2013, 09:18 AM
Will Watts Will Watts is offline
 
Join Date: Nov 2012
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
The databases are on a different server than the files (typical setup if you have more than one server).
So how did they crack the the live DB MySQL? Was the password listed somewhere on the QA server or do you not know how it was done?
  #110  
Old 11-18-2013, 02:59 PM
Guest0321
Guest
 
Posts: n/a
Default

Paul said
"They broke into an old stage server, mainly used by QA for test installs of vB4 & vB5.".

If they broke into the server, the QA DB password could be gleaned by the vB config file. Hopefully it wasn't the same db user and password in use for vB.com or vB.org.

In the past, the QA team has copied the vb.com live database (or parts of it) to one of their servers, and tested installations.

Maybe that was done, and the db userid's/passwords were brought along with them. That would have given them access to the vb.com DB.

But I would think the vb.com DB has restricted access via the hosts table or something.
Closed Thread


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:26 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04601 seconds
  • Memory Usage 2,285KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (9)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (10)post_thanks_box
  • (3)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (3)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (9)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete