Today I had an admin account hacked, causing major problems for the forum. The password for the account was unguessable, but in the passwordhistory table it was somehow changed today.
The vB version was 3.6.7; I upgraded it to 3.6.8 PL2. Was there any security hole in 3.6.7 that could make a password change or email change possible, without having control over the actual email account?
This hacker was able to erase their admin logs, but while they were active I remember seeing 'product kill' type entries in the log. The admin account that was hacked only had Style and Language permissions, no plugin permissions or any other permissions. Would 'product kill' type stuff show in the log if they tried it and failed?
Also, is there any way to prevent accounts from having their password changed? I want to lock my other main admin account from being altered.