• We are now running on a new, and hopefully much-improved, server. In addition we are also on new forum software. Any move entails a lot of technical details and I suspect we will encounter a few issues as the new server goes live. Please be patient with us. It will be worth it! :) Please help by posting all issues here.
  • The forum will be down for about an hour this weekend for maintenance. I apologize for the inconvenience.
  • If you are having trouble seeing the forum then you may need to clear your browser's DNS cache. Click here for instructions on how to do that
  • Please review the Forum Rules frequently as we are constantly trying to improve the forum for our members and visitors.

Keep Your Eyes Open ... We Were Hacked This Morning!

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
This morning, a new user managed to somehow make themselves an administrator. Thanks to Grapeshot who called me immediately after it happened, I was able to delete the user before (hopefully) he was able to do anything. But I would like for you to keep your eyes open.

I have opened a support ticket with vBulletin about the incident which is troubling for several reasons.

1) We always stay up to date on the latest vBulletin updates.
2) We always stay up to date on the latest server updates.
3) I am the only administrator so theoretically, I am the only one who could add another administrator.
4) My password was long, complex, and used nowhere else on the internet. (It has since been changed to something even more complex)
5) The user did not have an IP address nor did they appear in the logs.

I will let you know what I find out from vBulletin. I am also going to hire a security consultant to review the server as well.

So ... If you see ANYTHING that looks strange. Let me know. I think we dodged a bullet on this one (pun intended) but only by the grace of God and the vigilance of Grapeshot.

Thanks!

PS. By strange I mean more than just spam. If Mike or I start proclaiming our undying love for Janet Reno then that would be a clue as well. :)


John
 

SFCRetired

Regular Member
Joined
Oct 29, 2008
Messages
1,764
Location
Montgomery, Alabama, USA
You mean you don't love Janet Reno?:monkey

Sorry, couldn't resist that one.

I suspect we would all be very interested to know what the final answer is on this one as there now seem to be nations that are organizing hacking efforts against those whom they see as enemies.
 
Last edited:

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
You mean you don't love Janet Reno?:monkey

Sorry, couldn't resist that one.

I suspect we would all be very interested to know what the final answer is on this one as there now seem to be nations that are organizing hacking efforts against those whom they see as enemies.

I will keep you guys informed as I find more information.

Thanks!


John
 

skidmark

Campaign Veteran
Joined
Jan 15, 2007
Messages
10,444
Location
Valhalla
5) The user did not have an IP address nor did they appear in the logs.

John

Well, of course not. There was no such person from no such agency.

Check your physical mailbox - there might or might not be a letter that you could not tell anyone (including yourself) about.

The good thing is these days they give you a toothbrush, instead of making you buy one. The bad news is it one of those pieces of silicone that goes on the end of your finger.

stay safe.
 

Citizen

Founder's Club Member
Joined
Nov 15, 2006
Messages
18,269
Location
Fairfax Co., VA
SNIP I have opened a support ticket with vBulletin about the incident which is troubling for several reasons.


Troubling indeed.

Was members personal information--e-mails, names, etc--compromised?



Rhetorical questions:

Who would have the expertise to break John's password? And, have no IP address? And, not leave traces in the logs?

Why would someone do it?

Who would finance them?
 

b0neZ

Regular Member
Joined
Feb 15, 2012
Messages
505
Location
Davis County, Utah
Guys, obviously we will never be certain who they or where they were from, but I would like to point out a couple of things:

1) If this is a first time happening on OCDO, then we are pretty darn secure here in that respect. I do hope nothing was copied or destroyed.

2) Both Black Hat and DEFCON happened just over a month ago; the net goes crazy for a few months after, as the skiddies try out their new toys. It's the same thing year after year.
 

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
Lol. I do not believe that any agent of the government is going to make themselves an administrator account and use the username of H4ck3r and the email address of hack.er. :)

I suspect this was a script kiddie who found a zero-day vBulletin exploit and wanted to show off to his friends that he cracked a vBulletin site. If you google for vBulletin exploits, the YouTube videos and sites are numerous. :(

I do not believe that any information was compromised based upon the fact that, thanks to Grapeshot's quick response, the user was deleted and the server rebooted within minutes of the account being created. The logs showed no further activity by this user. It may have even been a script rather than an individual.

The security consultant I hired is already sweeping the server but so far, it appears that there was no other damage. We have also installed a monitor to let us know of any access to the Admin tool on the forum. The real question is whether or not there is a vBulletin exploit they need to patch. I am waiting on them to respond.


John
 

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
Guys, obviously we will never be certain who they or where they were from, but I would like to point out a couple of things:

1) If this is a first time happening on OCDO, then we are pretty darn secure here in that respect. I do hope nothing was copied or destroyed.

2) Both Black Hat and DEFCON happened just over a month ago; the net goes crazy for a few months after, as the skiddies try out their new toys. It's the same thing year after year.

Thanks. Yes ... we keep the server locked down as tight as possible. I won't go into details here but suffice it to say that I take the advice and assistance of experts rather than take chances. The cost pays off in the long run. We see failed attempts on the server in the log file every day. It is a fact of life on the internet. :(

This one seems to have succeeded by targeting vBulletin rather than the server itself. Hence the reason I suspect a zero-day exploit since we ALWAYS stay on the latest patch immediately upon their release.


John
 

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
That isn't how it works. Good passwords don't get "broken". There's undoubtedly an exploit in vbullitin itself.

Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns). :)


John
 

davidmcbeth

Banned
Joined
Jan 14, 2012
Messages
16,167
Location
earth's crust
Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns). :)


John

You'll be eating cold oatmeal for the next 3 weeks !

You know your wife is infinitely smarter than both of us combined. Right?
 

protias

Regular Member
Joined
Dec 18, 2008
Messages
7,308
Location
SE, WI
Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns). :)


John

Really?

[video=youtube;0Jx8Eay5fWQ]http://www.youtube.com/watch?v=0Jx8Eay5fWQ[/video]
 

John Pierce

Administrator
Staff member
Joined
May 5, 2006
Messages
1,777
Update

This just in from the vBulletin support team.

***
A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

4.X - /install/
5.X - /core/install
After deleting these directories your sites can not be affected by the issues we’re currently investigating.

vBulletin 3.X and earlier versions of 4.X would not be affected by these issues. However if you want the best security precautions, you should delete your install directory as well.
***

DONE. DONE. AND DONE!
 

Sorcice

Regular Member
Joined
Nov 13, 2011
Messages
381
Location
Madison, WI
It's pretty much pointless to try brute force guessing against any online forum or windows server. The security policy in place usually only allows 3 attempts before blocking you from trying or completely locking the account for 10 minutes to forever at the admins discretion. Having a long confusing password really doesn't do much but cause the owner migraines.. You are better off with a password like theboomstickwentbang than )$;&'dnsnsndhan143245523.

Also, don't ever give out your password to an admin. They don't need it. They can change your password whenever they want. Asking for your password is a red flag.

Will be interesting to see what ticket shows as the cause.

.02
 

45 Fan

Regular Member
Joined
Feb 17, 2012
Messages
127
Location
Oregon
I was going to say delete the install file...ive used it to re-create my admin account on ipb and vbulletin before...also sql injection if the server hosting company has been compromised(as in they hired an idiot, like if you use godaddy or some other company to physically manage the server hardware)...had that issue twice now...lovely email apologizing about those incidents...
 
Top