Admin account hacked & preventing password changes

  • Kadence
    Member
    • Jun 2005
    • 63
    • 3.6.x

    Admin account hacked & preventing password changes

    Today I had an admin account hacked, causing major problems for the forum. The password for the account was unguessable, but in the passwordhistory table it was somehow changed today.

    The vB version was 3.6.7, I upgraded it to 3.6.8 PL2. Was there any security hole in 3.6.7 that could make a password change or email change possible, without having control over the actual email account?

    This hacker was able to erase their admin logs, but while they were active I remember seeing 'product kill' type entries in the log. The admin account that was hacked only had Style and Language permissions, no plugin permissions or any other permissions. Would 'product kill' type stuff show in the log if they tried it and failed?

    Also is there any way to prevent accounts from having password changed? I want to lock my other main admin account from being altered.
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    Yes, there were security issues with 3.6.7, which is why 3.6.8 and the subsequent patch levels were released. I strongly recommend that you stay current with your vB version from now on.

    Please see this thread on how to make your vBulletin more secure:

    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • Kadence
      Member
      • Jun 2005
      • 63
      • 3.6.x

      #3
      What specific security issue do you think it might have been? I want to make sure there is no malicious code or plugin anywhere, and that this was a 3.6.7 issue.

      Also is there any way I can lock my admin account's password?


      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        We do not post specifics regarding security exploits for obvious reasons. You should upgrade immediately.

        To keep your Admin user info secure edit this section of includes/config.php:

        // ****** UNDELETABLE / UNALTERABLE USERS ******
        // The users specified here will not be deletable or alterable from the control panel by any users.
        // To specify more than one user, separate userids with commas.
        $config['SpecialUsers']['undeletableusers'] = 'x';

        ...with 'x' being your userid number, not user name.

        Note: This will not protect you if someone has access to the server or database.

        • Kadence
          Member
          • Jun 2005
          • 63
          • 3.6.x

          #5
          I have already upgraded the vbulletin to 3.6.8 PL2, and the admin ID is already in the unalterable user array in config.php (though the admin account that was hacked was not). I can still edit my own password from my User CP though; I want to make it so that the password is simply unalterable, if possible.

          Since the hacked admin account was not specified in any config.php array, does that mean whatever exploit this was should not work on my main admin account?

          Also if I create a ticket asking for info on this exploit, would I receive it? I really want to know if it was this exploit that was used, or malicious code/plugin still on the server.


          • Steve Machol
            Former Customer Support Manager
            • Jul 2000
            • 154488

            #6
            There are no known exploits in 3.6.8 PL2. If this happened with that version and you have followed all of the instructions in the link I posted (including removing all add-ons) then they very likely had access to your server or database.

            • Kadence
              Member
              • Jun 2005
              • 63
              • 3.6.x

              #7
              No, the hack was in 3.6.7 before the upgrade. I upgraded immediately after it.

              Is there any way to make my admin password unalterable, including from the User CP? Thanks.


              • Steve Machol
                Former Customer Support Manager
                • Jul 2000
                • 154488

                #8
                Yes, please see post #4.

                • Kadence
                  Member
                  • Jun 2005
                  • 63
                  • 3.6.x

                  #9
                  But I've done that, and as I said the password can still be changed from the User CP.

                  Which should hopefully be secure enough, but I want to make it unalterable completely just in case.


                  • netsultants
                    Senior Member
                    • Oct 2007
                    • 180

                    #10
                    Originally posted by Kadence
                    But I've done that, and as I said the password can still be changed from the User CP.

                    Which should hopefully be secure enough, but I want to make it unalterable completely just in case.
                    If you do what he says in #4 then I think you will not be able to alter the password at all unless you remove that id from the table. It should lock the password and all account features.


                    • WildEye
                      Senior Member
                      • Jan 2004
                      • 140
                      • 3.7.x

                      #11
                      Actually you can change passwords while being set as unalterable, at least I can on my forum...

                      $config['SpecialUsers']['undeletableusers'] = '1';

                      Everything in UserCP seems changeable, but not in admincp => users etc.

                      Edit: just tried to change passwords in admincp and couldn't with message:
                      Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.

                      Actually this seems like a rather big loophole / bug?
                      Last edited by WildEye; Thu 6 Dec '07, 1:01pm.


                      • Kadence
                        Member
                        • Jun 2005
                        • 63
                        • 3.6.x

                        #12
                        Originally posted by WildEye
                        Everything in UserCP seems changeable, but not in admincp => users etc.
                        Exactly. If you try to change it in the admincp it says "Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.", but you can change it normally in the User CP.

                        This probably shouldn't lead to any exploits, but I just want to be sure and make the password completely locked, as some changing password exploit has already led to the forums being hacked and many hours of extra work for me.

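As an added illustration (not vBulletin's own code), the following standalone PHP parses the undeletableusers setting the way post #4 describes it (comma-separated userids) and applies the check on every password-change path, closing the User CP gap that posts #11 and #12 point out; the function names, the $source values and the sample config are assumptions made for the example.

```php
<?php
// Added example, not vBulletin code. Turns the comma-separated
// $config['SpecialUsers']['undeletableusers'] string from includes/config.php
// into a set of integer userids, tolerating spaces and ignoring junk entries.
function parse_undeletable_users(string $value): array {
    $ids = [];
    foreach (explode(',', $value) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[(int)$part] = true;
        }
    }
    return $ids;
}

// Returns null when the change may proceed, otherwise the denial message.
// The stock behaviour described in the thread only blocks admincp/modcp;
// this gate is called with a $source of 'admincp', 'modcp' or 'usercp'
// and refuses a protected user's password change from any of them.
function check_password_change(int $targetUserid, string $source, array $config): ?string {
    $protected = parse_undeletable_users($config['SpecialUsers']['undeletableusers'] ?? '');
    if (!isset($protected[$targetUserid])) {
        return null;
    }
    return "Sorry, this user is protected from being altered in the config.php file "
         . "by the \$config['SpecialUsers']['undeletableusers'] variable. (source: $source)";
}

// Constructed sample config mirroring post #4, with two protected admin userids.
$config = ['SpecialUsers' => ['undeletableusers' => '1, 7']];
foreach ([[1, 'admincp'], [1, 'usercp'], [42, 'usercp']] as [$uid, $src]) {
    $result = check_password_change($uid, $src, $config);
    echo "userid $uid via $src: " . ($result ?? 'allowed') . "\n";
}
```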

                        • WildEye
                          Senior Member
                          • Jan 2004
                          • 140
                          • 3.7.x

                          #13
                          I agree, if you hardcode a user to be unalterable, you shouldn't be able to alter anything about that user. In my opinion of course

                          I added my question/query to the bugtracker just in case.


                          • netsultants
                            Senior Member
                            • Oct 2007
                            • 180

                            #14
                            Good find guys.........

                            I agree with you


                            • WildEye
                              Senior Member
                              • Jan 2004
                              • 140
                              • 3.7.x

                              #15
                              On a reply to my "bug" report on this subject, I got the following reply:
                              "It's working as a designed, you can't do any action from either the admincp or the modcp.

                              It's designed to stop a takeover by another admin if they gain an account."

                              I still feel it should be impossible to alter a password for a user that has been set as unalterable in config.php.

                              I suppose a suggestion in the suggestion forum is the next step from here.
