eye95
Well-known member
.lamron eb ot smees gnihtyrevE .smelborp yna deciton t'nevah I
...
5) The user did not have an IP address nor did they appear in the logs.
...
.lamron eb ot smees gnihtyrevE .smelborp yna deciton t'nevah I
The server seems bogged down tonight, too. I don't know if we're under attack, or if John bumped up some settings.
Lol. I do not believe that any agent of the government is going to make themselves an administrator account and use the username of H4ck3r and the email address of hack.er.
I suspect this was a script kiddie who found a zero-day vBulletin exploit and wanted to show off to his friends that he cracked a vBulletin site. If you google for vBulletin exploits, the YouTube videos and sites are numerous.
I do not believe that any information was compromised based upon the fact that, thanks to Grapeshot's quick response, the user was deleted and the server rebooted within minutes of the account being created. The logs showed no further activity by this user. It may have even been a script rather than an individual.
The security consultant I hired is already sweeping the server but so far, it appears that there was no other damage. We have also installed a monitor to let us know of any access to the Admin tool on the forum. The real question is whether or not there is a vBulletin exploit they need to patch. I am waiting on them to respond.
John
Doesn't everybody? Sounds like an inside job to me, nobody's that fast. Just kidding. Nice catch. Seriously though, do you just sit on the member list page all day?
H4ck3r said: I'll be back...
.lamron eb ot smees gnihtyrevE .smelborp yna deciton t'nevah I
Troubling indeed.
Was members' personal information--e-mails, names, etc.--compromised?
Rhetorical questions:
Who would have the expertise to break John's password? And, have no IP address? And, not leave traces in the logs?
Why would someone do it?
Who would finance them?
This morning, a new user managed to somehow make themselves an administrator. Thanks to Grapeshot who called me immediately after it happened, I was able to delete the user before (hopefully) he was able to do anything. But I would like for you to keep your eyes open.
I have opened a support ticket with vBulletin about the incident which is troubling for several reasons.
1) We always stay up to date on the latest vBulletin updates.
2) We always stay up to date on the latest server updates.
3) I am the only administrator so theoretically, I am the only one who could add another administrator.
4) My password was long, complex, and used nowhere else on the internet. (It has since been changed to something even more complex.)
5) The user did not have an IP address nor did they appear in the logs.
I will let you know what I find out from vBulletin. I am also going to hire a security consultant to review the server as well.
So ... If you see ANYTHING that looks strange. Let me know. I think we dodged a bullet on this one (pun intended) but only by the grace of God and the vigilance of Grapeshot.
Thanks!
PS. By strange I mean more than just spam. If Mike or I start proclaiming our undying love for Janet Reno then that would be a clue as well.
John