Admin account hacked & preventing password changes

    Today I had an admin account hacked, causing major problems for the forum. The password for the account was unguessable, but in the passwordhistory table it was somehow changed today.

    The vB version was 3.6.7, I upgraded it to 3.6.8 PL2. Was there any security hole in 3.6.7 that could make a password change or email change possible, without having control over the actual email account?

    This hacker was able to erase their admin logs, but while they were active I remember seeing 'product kill' type entries in the log. The admin account that was hacked only had Style and Language permissions, no plugin permissions or any other permissions. Would 'product kill' type stuff show in the log if they tried it and failed?

    Also is there any way to prevent accounts from having password changed? I want to lock my other main admin account from being altered.

  • #2
    Yes, there were security issues with 3.6.7, which is why 3.6.8 and the subsequent patch levels were released. I strongly recommend that you stay current with your vB version from now on.

    Please see this thread on how to make your vBulletin more secure:

    http://www.vbulletin.com/forum/showthread.php?t=172234
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.

    • #3
      What specific security issue do you think it might have been? I want to make sure there is no malicious code or plugin anywhere, and that this was a 3.6.7 issue.

      Also is there any way I can lock my admin account's password?

      • #4
        We do not post specifics regarding security exploits for obvious reasons. You should upgrade immediately.

        To keep your Admin user info secure edit this section of includes/config.php:

        // ****** UNDELETABLE / UNALTERABLE USERS ******
        // The users specified here will not be deletable or alterable from the control panel by any users.
        // To specify more than one user, separate userids with commas.
        $config['SpecialUsers']['undeletableusers'] = 'x';

        ...with 'x' being your userid number, not user name.

        Note: This will not protect you if someone has access to the server or database.

        • #5
          I have already upgraded the vbulletin to 3.6.8 PL2, and the admin ID is already in the unalterable user array in config.php (though the admin account that was hacked was not). I can still edit my own password from my User CP though; I want to make it so that the password is simply unalterable, if possible.

          Since the hacked admin account was not specified in any config.php array, does that mean whatever exploit this was should not work on my main admin account?

          Also if I create a ticket asking for info on this exploit, would I receive it? I really want to know if it was this exploit that was used, or malicious code/plugin still on the server.


          • #6
            There are no known exploits in 3.6.8 PL2. If this happened with that version and you have followed all of the instructions in the link I posted (including removing all add-ons), then they very likely had access to your server or database.

            • #7
              No, the hack was in 3.6.7 before the upgrade. I upgraded immediately after it.

              Is there any way to make my admin password unalterable, including from the User CP? Thanks.


              • #8
                Yes, please see post #4.

                • #9
                  But I've done that, and as I said the password can still be changed from the User CP.

                  Which should hopefully be secure enough, but I want to make it unalterable completely just in case.


                  • #10
                    Originally posted by Kadence:
                    But I've done that, and as I said the password can still be changed from the User CP.

                    Which should hopefully be secure enough, but I want to make it unalterable completely just in case.

                    If you do what he says in #4 then I think you will not be able to alter the password at all unless you remove that id from the table. It should lock the password and all account features.


                    • #11
                      Actually you can change passwords while being set as unalterable, at least I can on my forum...

                      $config['SpecialUsers']['undeletableusers'] = '1';

                      Everything in UserCP seems changeable, but not in admincp => users etc.

                      Edit: just tried to change passwords in admincp and couldn't with message:
                      Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.

                      Actually this seems like a rather big loophole / bug?
                      Last edited by WildEye; Thu 6th Dec '07, 1:01pm.


                      • #12
                        Originally posted by WildEye:
                        Everything in UserCP seems changeable, but not in admincp => users etc.

                        Exactly. If you try to change it in the admincp it says "Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.", but you can change it normally in the User CP.

                        This probably shouldn't lead to any exploits, but I just want to be sure and make the password completely locked, as some changing password exploit has already led to the forums being hacked and many hours of extra work for me.


                        • #13
                          I agree, if you hardcode a user to be unalterable, you shouldn't be able to alter anything about that user. In my opinion, of course.

                          I added my question/query to the bugtracker just in case.


                          • #14
                            Good find, guys.

                            I agree with you.


                            • #15
                              In reply to my "bug" report on this subject, I got the following answer:
                              "It's working as designed, you can't do any action from either the admincp or the modcp.

                              It's designed to stop a takeover by another admin if they gain an account."

                              I still feel it should be impossible to alter a password for a user that has been set as unalterable in config.php.

                              I suppose a suggestion in the suggestion forum is the next step from here.

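The two points the thread makes about `$config['SpecialUsers']['undeletableusers']` (post #4: it is a comma-separated list of userids; posts #11, #12 and #15: vBulletin enforces it only in the admincp and modcp, while the User CP password change still goes through) can be shown in a few lines of PHP. The block below is an added example written for this page, not vBulletin's own code. It parses the setting the way the config.php comment describes, and then applies a single guard to both the admincp path and a hypothetical User CP password-change path, which is the extra lock the original poster asked for. The function names, the `$source` parameter and the userids in the demo are assumptions for illustration.

```php
<?php
// Added example, not vBulletin code. Shows how the undeletableusers list can
// be parsed and how one guard can cover both control panels.

// Constructed config fragment, in the same shape as includes/config.php.
// Userids 1 and 2 are made-up values for the demo.
$config = array();
$config['SpecialUsers']['undeletableusers'] = '1, 2';

/**
 * Parse the comma-separated userid list into an array of integers.
 * Surrounding whitespace and empty entries are tolerated; anything that is
 * not a plain non-negative integer is dropped rather than guessed at.
 */
function parse_undeletable_users(array $config): array
{
    $raw = $config['SpecialUsers']['undeletableusers'] ?? '';
    $ids = array();
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return $ids;
}

/** True when the userid appears in the protected list (strict int match). */
function is_protected_user(array $config, int $userid): bool
{
    return in_array($userid, parse_undeletable_users($config), true);
}

/**
 * Hypothetical guard to run before any password change, whichever panel the
 * request came from. 'admincp' and 'modcp' are where vBulletin already refuses
 * (per the thread); 'usercp' is the path the thread reports is still open.
 * Returns array(allowed, message) so the caller can show the same wording
 * that the admincp already uses.
 */
function password_change_allowed(array $config, int $userid, string $source): array
{
    if (is_protected_user($config, $userid)) {
        $msg = "Sorry, this user is protected from being altered in the config.php "
             . "file by the \$config['SpecialUsers']['undeletableusers'] variable. "
             . "(request source: $source)";
        return array(false, $msg);
    }
    return array(true, 'ok');
}

// Demonstration with constructed cases: a protected id via each panel, and an
// unprotected id via the User CP.
$cases = array(array(1, 'admincp'), array(1, 'usercp'), array(5, 'usercp'));
foreach ($cases as $case) {
    list($userid, $source) = $case;
    list($allowed, $msg) = password_change_allowed($config, $userid, $source);
    printf("userid %d via %s: %s\n", $userid, $source,
           $allowed ? 'allowed' : 'blocked - ' . $msg);
}
```

The design point is that the protected-user check lives in one function that every password-change entry point calls, rather than being repeated per control panel; that is what closes the User CP gap the thread describes. As post #4 notes, none of this helps if an attacker already has server or database access, since config.php and the user table are then writable directly.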