

Community Building and User Generated Content Forum

Zero Day Exploit Hits vBulletin Versions 4.x.x and 5.x.x

 2:57 pm on Nov 18, 2013 (gmt 0)

In a statement published on their forums a couple of days ago, vBulletin’s Wayne Luke revealed that their security team discovered a sophisticated cyberattack on their systems.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems,” Luke noted.

User passwords have been reset.

Zero Day Exploit Hits vBulletin Versions 4.x.x and 5.x.x [news.softpedia.com]

The hackers claim to have leveraged a “critical vulnerability” in vBulletin versions 4.x.x and 5.x.x. They say they’ve exploited the same zero-day vulnerability to breach MacRumors.com.

“We've got upload shell in vBulletin server, download database and got root,” the hackers said via email. “Macrumors.com was based on vBulletin CMS. We use 0day exploit on vBulletin, got password moderator. 860000 hacked too. The network security is a myth.”

vBulletin announcement

Earlier story

Hackers May Have Stolen 800,000 User Details From Mac Forum [webmasterworld.com]
Report: 35,000 vBulletin Sites Easily Hacked Through Failure To Follow Security Advice [webmasterworld.com]



 3:45 pm on Nov 18, 2013 (gmt 0)

Fortunately, I switched to Xenforo which I understand has some of the original programmers from vBulletin. I think it is important to recognize the vBulletin of today is owned by Internet Brands, and is a far different company today. I still do have an old 3.x.x that runs like a champ.


 3:56 pm on Nov 18, 2013 (gmt 0)

If you run a vBulletin forum, versions 4 - 5, you may want to consider downloading your DB if you haven't done it recently. Something to consider, DefCon took down their forum [forum.defcon.org] and left a note:

We have disabled the forums until there is resolution on a possible vulnerability.

-- TheCotman

For some details about why we at DEF CON have decided to close the forums, you can check this story out:

Once we have a fix/patch installed, we'll re-open service.

Thanks! Sorry about the down-time.


 8:04 pm on Nov 18, 2013 (gmt 0)

Internet Brands, if they own the source code, I would say that since the purchase probably little if any security work has been or could be done by the personnel they staff.
I am very familiar with their work.


 1:08 am on Nov 19, 2013 (gmt 0)

A lot of us with vB boards got hit a month or so ago. I got hit twice - about a week apart between the attacks. I hadn't taken an action that they suggested in an e-mail (deleting the install folder). BUT they didn't make the issue sound very urgent. In hindsight that was a big error on my part.

After the attacks one of the things I did that seems to have helped a lot is locking all admin type directories with .htaccess - not just on my vB site but on all my sites - WordPress blogs, tube sites, etc. I have to do two logins now to get to admin areas, but it makes it hard enough for hackers that they'd rather move on to other sites that are easier to hack.


 6:11 am on Nov 19, 2013 (gmt 0)

Staff have unofficially stated there is no new vulnerability. A QA server running old code was hacked and an export of the production database for the forum at vBulletin.com compromised. The macrumors.com hack is linked, however, in that a user who was targeted had reused their password across the two sites. I speculate this may also have been the case in the ubuntu.com attack, as the vBulletin.com hack may have happened as long ago as this summer. The hackers' screenshots of the hack are fake according to the same staff. In the case of the macrumors and ubuntu attacks the hackers used a moderator account to post javascript in order to compromise the account of an administrator...

Regardless, my advice to any forum owners who take security seriously:

- Reset all your staff passwords.
- Implement a policy of regular password changes.
- Review who has access to what.
- Install a second layer of authentication such as .htpasswd.
- Disable HTML posts / announcements.
- Install fail2ban or similar.
- Consider using https.

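The "second layer of authentication" from the list above, and the .htaccess lockdown of admin directories described earlier in the thread, as an added example that is not from this thread or from vBulletin: a small script that drops an Apache Basic-auth `.htaccess` into each admin directory and builds matching `.htpasswd` entries. It assumes Apache with mod_auth_basic, a vBulletin layout whose staff directories are `admincp` and `modcp` (an assumption), and an `.htpasswd` file kept outside the web root.

```python
import base64
import hashlib
import hmac
from pathlib import Path

# Assumed vBulletin staff directories; adjust if your install renamed them.
DEFAULT_ADMIN_DIRS = ("admincp", "modcp")


def htpasswd_sha_entry(user: str, password: str) -> str:
    """Build a '{SHA}' htpasswd line (what `htpasswd -s` produces).
    {SHA} is unsalted; it is used here only because the stdlib can
    reproduce it. For a real deployment prefer `htpasswd -B` (bcrypt)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def verify_sha_entry(entry: str, password: str) -> bool:
    """Check a candidate password against a '{SHA}' htpasswd line."""
    user, _, stored = entry.partition(":")
    expected = htpasswd_sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, expected)


def htaccess_for(realm: str, htpasswd_path: str) -> str:
    """Apache directives that require a valid htpasswd user for a directory."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {htpasswd_path}",
        "Require valid-user",
        "",
    ])


def protect_admin_dirs(webroot, htpasswd_path, dirs=DEFAULT_ADMIN_DIRS):
    """Write an .htaccess into each existing admin directory under webroot.
    Returns the paths written, so a caller can confirm nothing was skipped."""
    written = []
    for name in dirs:
        target = Path(webroot) / name
        if not target.is_dir():
            continue  # directory absent on this install; report by omission
        (target / ".htaccess").write_text(htaccess_for(f"{name} - staff only", htpasswd_path))
        written.append(str(target / ".htaccess"))
    return written
```

Because the `.htaccess` sits on disk rather than in the forum database, an attacker who later creates a rogue admin account through the application still cannot reach the control panel without the web-server credential, which is the effect the poster describes.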

 9:05 pm on Nov 19, 2013 (gmt 0)

I got hit twice - about a week apart between the attacks.

What were the symptoms? What happened to your website?


 9:22 pm on Nov 19, 2013 (gmt 0)

And what version are you running?


 2:00 pm on Nov 20, 2013 (gmt 0)

What were the symptoms? What happened to your website?

The first thing that was obvious was that certain pages were redirecting to other sites. If I remember correctly it was a "security software" type site. The hacker had gotten in and essentially overwritten certain pages.

What I missed in the first attack was that s/he had also created admin user accounts. When more pages were hacked a week later I took a much closer look at things and discovered three admin users that shouldn't have been there. Since the files (on disk) had been locked down after the first attack, the next step was for the hacker to use those admin users to change some of the page code that's stored in the database. That's actually a much harder thing to restore since restoring the database would have wiped out all the user discussion on the forum. That's when I put in the 2nd layer of password protection on the admin and moderation pages. So now even if they do manage to create an admin user in the future they can't hit an admin page.

During all of that I discovered that, while my host only keeps one day of log files, vB logs all page hits to admin areas. So there was a nice neat tidy record of exactly what pages the hacker had accessed.

The one good thing about forums is that you have an active community of people who are looking out for you. People were tweeting me, emailing me, etc. as soon as the problem happened. I don't think I would have gotten the same response if one of my blogs had been hacked.


 2:36 pm on Nov 20, 2013 (gmt 0)

And what version are you running?

I was on something like 4.0.2 patch 2 when the first attack happened. After the first attack I upgraded to 4.2.1.


 6:59 pm on Nov 20, 2013 (gmt 0)

You need 4.2.2 to be safe, you should upgrade immediately. Make sure you delete the installation directory after the upgrade too...
