Quote:
Originally Posted by Knightmane
I think this is a good place to mention something I have been seeing on my own web site's Currently Active Users page.
Apparently there are some data thieves out there using script programs to activate and run your own forum's Impex programs and the script will save your forum's data to any server they designate in the script itself, which allows these thieves to look through your data at their own leisure.
|
This isn't the case, you would need to have write access to the ImpExConfig.php file to do this (to redirect the target database), and someone has read/write access to your server and malicious intent, ImpEx is the last of your worries.
Quote:
Originally Posted by Knightmane
The first time I saw these people doing this, my first thought wasn't piracy; it was, "Hey, I don't have Impex installed. What's going on?"
|
They were most likely polling to find it to see if you have a very old version that did have the one exploit in it.
Quote:
Originally Posted by Knightmane
The next time it happened, I reported the incident to the server provider where the script was trying to aim data to, and they closed that thief's server account permanently (they thanked me in an email for bringing it to their attention.)
The following times I have seen this, I have simply IP banned their ISPs. I know that is a bit extreme, but I got tired of seeing the attempts being made.
|
With the latest ImpEx there is no known threat and removing it is the best protection, as it's a one time tool and by the time you do another import, I've most likely updated something and there will be a new version.
Quote:
Originally Posted by Knightmane
So if you have Impex installed on your web server where your forum is located, please keep in mind that you are inviting these people to hit your forum site to back up your web forum data to read through later. And yes, this will also mean that they can get your passwords, too.
|
No they can't get the data, and no they can't get the passwords. Even if the could with the salted md5 of the password it wouldn't help.
Quote:
Originally Posted by Knightmane
Impex, while a good program, I am to understand, is a major security risk in this case. If you are not using the program, disable it and that will prevent these people from being able to use it on your own web site.
|
It is not, it is however a powerfull tool that has read and write access depending on it's configuration, and the ability to delete data it has imported from an forum, though not from a forum where the import has been finalised (removing the import ids). Once installed it requires (as mentioned) admincp access and the customer number.
Quote:
Originally Posted by Knightmane
Thank you for your time. I just thought vbulletin should know what was happening with this situation. Please look into this!
|
I do constantly, it's my full time job
Quote:
Originally Posted by Knightmane
(I posted this information on vbulletin.com, but I wanted to make sure everyone knew about this so they could take protective measures.)
|
Quote:
Originally Posted by Dean C
Well it's your own fault if you left a security risk on your server. I believe it does say to remove impex files once you're done.
|
Ditto, basically do the import, finalise the import, then remove the files, one time tool etc.
Quote:
Originally Posted by dyna88
More then likely the reason they are looking for impex is because an older version used in conjunction with 3.5.1-3.5.4 I think it was had a few RFI exploits....this is why it is so important to keep updated.
|
There was one, on March 23rd ..... I remember that as it is my birthday ! I fixed that and it's the only one I'm aware of.
09-25-2007, 01:13 PM
You'd be an idiot if you tried to get the password like that...it'd be far easier to break into the server through some hole. Of course you never know...md5 could be broken by the time I get old. >)
Linear Mode
