No security support for 3.8??

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • John Diver
    Senior Member
    • May 2003
    • 752

    No security support for 3.8??

    Hey,

    I have vb 3.8.6 on one of my sites and it has been hacked and my hosting is constantly closing it because spam is being sent from the account.

    I have a custom design which cost around $2k so upgrading isn't a viable option, aside from the spam, I'm very happy with the version.

    I don't understand why security updates aren't available free, it isn't my fault if there is a problem with the code / security on something I bought...

    I'm not looking for a free update for the script, simply to have a secure site, I don't think anyone should have to pay for an upgrade for a problem that was in the code..
    My site is down for about the 15th time now at least, I changed hosts a few times but this is obviously a security problem in vB.

    Can someone tell me what I can do please?

    The site designer ( Sheldon from vbSkinz ) doesn't work with vB anymore and I dont want to spend another few thousand to get a design done again.. I paid him for the vb design and another designer for a custom logo which I dont have the PSD etc. files for.

    Thanks

    John Diver
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #2
    3.8.6 is pretty old. It was released in almost 7 years ago in 2010. I don't recommend using it on a modern server. Since then we have made 5 releases and the current version is 3.8.11. We've also made several security patch releases for your version since its release and emailed everyone. My recommendation is to upgrade to 3.8.11 to keep your current style. Not sure how vBulletin is sending spam since All email sending is under your control and vBulletin cannot send emails to random email addresses. More information is needed about the specifics of the emails being sent.

    Upgrade to vBulletin 4 or vBulletin 5, if you want the Spam Management features that we've added over the last 8 years.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment

    • John Diver
      Senior Member
      • May 2003
      • 752

      #3
      Hey Wayne,

      Thanks for the reply.

      I got a report from my host and it is all coming from vBulletin.

      Hello,

      During our regular scans & reviews, We found out that an account northwes seems to be sending out bulk mails.
      In order to avoid further affect, I've suspended this account on the server. Kindly refer the below logs and take action on it to avoid suspension of your service.

      ===================================================================
      Headers and Body:


      ===========================================Mails logs=========================
      51h 1.3K 1bYjwf-0048BP-TE <[email protected]> (northwes)
      [email protected]

      51h 1.3K 1bYk86-004H5e-A4 <[email protected]> (northwes)
      [email protected]

      51h 1.3K 1bYk86-004H68-JW <[email protected]> (northwes)
      [email protected]

      51h 1.3K 1bYk89-004HBU-E6 <[email protected]> (northwes)
      [email protected]

      50h 1.3K 1bYkJt-0002HE-US <[email protected]> (northwes)
      [email protected]

      50h 1.3K 1bYkME-0004QQ-Kr <[email protected]> (northwes)
      [email protected]

      50h 1.3K 1bYkMF-0004Rj-FS <[email protected]> (northwes)
      [email protected]

      50h 1.2K 1bYkRX-0008YG-Ga <[email protected]> (northwes)
      [email protected]

      49h 2.1K 1bYl99-000iIe-SZ <[email protected]> (northwes)
      [email protected]

      49h 2.1K 1bYl9C-000iNQ-BE <[email protected]> (northwes)
      [email protected]

      49h 2.1K 1bYl9D-000iQR-Sa <[email protected]> (northwes)
      [email protected]

      49h 1.2K 1bYlDh-000mHp-Ss <[email protected]> (northwes)
      [email protected]

      49h 1.2K 1bYlDx-000mUQ-J3 <[email protected]> (northwes)
      [email protected]

      49h 2.1K 1bYm10-001r5n-R2 <[email protected]> (northwes)
      [email protected]

      49h 2.1K 1bYm13-001rEd-JD <[email protected]> (northwes)
      [email protected]

      48h 1.2K 1bYm6I-001x5f-Ma <[email protected]> (northwes)
      [email protected]

      48h 2.4K 1bYm7D-001xln-JM <[email protected]> (northwes)
      [email protected]

      48h 2.4K 1bYm7I-001xpN-50 <[email protected]> (northwes)
      [email protected]

      48h 1.7K 1bYmJM-002AuC-WE <[email protected]> (northwes)
      [email protected]

      48h 1.7K 1bYmJO-002Avc-Ua <[email protected]> (northwes)
      [email protected]

      48h 1.7K 1bYmJT-002B4W-Ft <[email protected]> (northwes)
      [email protected]

      48h 1.7K 1bYmJU-002B6z-Rd <[email protected]> (northwes)
      [email protected]
      48h 2.0K 1bYmht-002TmR-D6 <[email protected]> (northwes)
      [email protected]

      48h 2.0K 1bYmhx-002TtK-Dk <[email protected]> (northwes)
      [email protected]

      48h 2.5K 1bYn0f-002gSl-0q <[email protected]> (northwes)
      [email protected]


      47h 2.5K 1bYnPH-002wq5-0t <[email protected]> (northwes)
      [email protected]

      47h 2.5K 1bYnPR-002x0c-2E <[email protected]> (northwes)
      [email protected]

      47h 2.2K 1bYnVN-0030mm-7i <[email protected]> (northwes)
      [email protected]

      47h 2.3K 1bYnVP-0030rj-Bh <[email protected]> (northwes)
      [email protected]

      47h 2.3K 1bYnVW-0030xg-EM <[email protected]> (northwes)
      [email protected]
      This is from my current host.

      I can't download any security updates unless I purchase a new license.. I also don't want to upgrade, vBulletin.org seems to be running fine on 3.8.11

      Thanks again
      John Diver

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #4
        You can purchase the upgrade to vBulletin 4 from the member's area. That will give you access to 3.8.11. Though, I can't find a license assigned to this URL to see what the exact nature of the license is. Since the site isn't currently online, we can't assess the installation either.

        You'll need to open a support ticket with the valid Customer ID for this license.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment

        • Paul M
          Former Lead Developer
          vB.Com & vB.Org
          • Sep 2004
          • 9886

          #5
          Originally posted by John Diver
          I don't understand why security updates aren't available free
          Security updates are free, and always have been. Only one has ever been released for 3.8.6, that being PL 1.

          Originally posted by John Diver
          it isn't my fault if there is a problem with the code / security on something I bought...
          It is your fault if you are running a version thats at least 7.5 years old, the latest version is 3.8.11.


          Also note - that report from your host only shows that your account is sending e-mails, it does not prove that vbulletin is sending them.
          Baby, I was born this way

          Comment

          • John Diver
            Senior Member
            • May 2003
            • 752

            #6
            It is your fault if you are running a version thats at least 7.5 years old, the latest version is 3.8.11.
            Is is 100% vBulletin as I had it on another host and only had the vB site.

            Not the nicest reply Paul when I'm just asking for help.

            Thanks Wayne, I should have 2 licenses - I might not have changed the domain this was used on, that is my fault.

            I'm not being rude, but vb.org is still running on 3.8 - vb is at version 5 - Any reason they haven't upgraded as it is an official site for vB?
            John Diver

            Comment

            • Mark.B
              vBulletin Support
              • Feb 2004
              • 24286
              • 6.0.X

              #7
              Originally posted by John Diver

              Is is 100% vBulletin as I had it on another host and only had the vB site.

              Not the nicest reply Paul when I'm just asking for help.

              Thanks Wayne, I should have 2 licenses - I might not have changed the domain this was used on, that is my fault.

              I'm not being rude, but vb.org is still running on 3.8 - vb is at version 5 - Any reason they haven't upgraded as it is an official site for vB?
              vBulletin.org is there to showcase third party modifications, not showcase the latest version of vBulletin.
              The site is itself heavily modified. Rewriting all that for vB5 would use huge resources for no good reason.

              vbulletin.com (this site) showcases the latest version and always has done.
              MARK.B
              vBulletin Support
              ------------
              My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
              My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

              Comment

              • Paul M
                Former Lead Developer
                vB.Com & vB.Org
                • Sep 2004
                • 9886

                #8
                Originally posted by John Diver
                Not the nicest reply Paul when I'm just asking for help.
                The truth isnt always rosy.

                You did not "just" come asking for help.
                You went on a rant about the cost of security updates (which are free) and upgrades.
                Even the thread title you chose was "No security support for 3.8??" - which isnt actually true.


                Baby, I was born this way

                Comment

                • John Diver
                  Senior Member
                  • May 2003
                  • 752

                  #9
                  Hey,

                  I didn't mean to come across as rude, apologies if it seemed like that.

                  I don't see an option for the security update, this is what I have in the members area:


                  Latest Stable Version: 3.7.2 Patch Level 2

                  Download Options Download Latest Version 3.7.2 Patch Level 2

                  I don't normally do this type of work, I just run the site and I pay for designers / coders to take care of the site itself.

                  Thanks and sorry again if I came across like that.
                  John Diver

                  Comment

                  • BirdOPrey5
                    Senior Member
                    • Jul 2008
                    • 9613
                    • 5.6.3

                    #10
                    vBulletin.org is running VB 3.8.11 which is a an updated and safe version to run.

                    Comment

                    • Mark.B
                      vBulletin Support
                      • Feb 2004
                      • 24286
                      • 6.0.X

                      #11
                      Originally posted by John Diver
                      Hey,

                      I didn't mean to come across as rude, apologies if it seemed like that.

                      I don't see an option for the security update, this is what I have in the members area:


                      Latest Stable Version: 3.7.2 Patch Level 2

                      Download Options Download Latest Version 3.7.2 Patch Level 2

                      I don't normally do this type of work, I just run the site and I pay for designers / coders to take care of the site itself.

                      Thanks and sorry again if I came across like that.
                      We currently provide security updates for 3.8....though this may change in the future.
                      We don't provide security updates for 3.7 as this version is completely obsolete.

                      In order to be secure you should upgrade to 3.8.11, if you only have an old style vB3 license then this only came with a year of updates. This will have expired many years ago, and to gain access to 3.8.11 you will need to purchase a license upgrade. The best way to do this is to buy a vB4 upgrade, which would cost $149, this gives you access to later version of vB3.
                      MARK.B
                      vBulletin Support
                      ------------
                      My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                      My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                      Comment

                      • Wayne Luke
                        vBulletin Technical Support Lead
                        • Aug 2000
                        • 73981

                        #12
                        Originally posted by John Diver
                        Hey,

                        I didn't mean to come across as rude, apologies if it seemed like that.

                        I don't see an option for the security update, this is what I have in the members area:


                        Latest Stable Version: 3.7.2 Patch Level 2

                        Download Options Download Latest Version 3.7.2 Patch Level 2

                        I don't normally do this type of work, I just run the site and I pay for designers / coders to take care of the site itself.

                        Thanks and sorry again if I came across like that.
                        Not sure how you're using 3.8.6 since bother of your licenses expired and show the latest version available as 3.7.2. Unfortunately, vBulletin 3 licenses were sold with a 1 year access to updates and you needed to renew every year to download newer versions. Currently, you can pay $149.00 to upgrade each license to a vBulletin 4.X license. That will give you access to vBulletin 3.8.11.

                        I noticed that on one license, it was trying to load vBSEO. vBSEO has been insecure for quite some time and the company has gone out of business. vBSEO should not be installed on any website. It makes a perfect vector to hack a website.
                        Translations provided by Google.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API

                        Comment

                        • John Diver
                          Senior Member
                          • May 2003
                          • 752

                          #13
                          Thanks for the reply Wayne.

                          Honestly, I don't even know what vBSEO is :s

                          I don't do any coding on the sites myself.
                          I can't access my sites at all because my hosting company has suspended the account from spam going through it.

                          Well I know now that vBSEO shouldn't be installed, once I get the sites up I can remove that - Is it a plugin?

                          Thanks Wayne
                          John Diver

                          Comment

                          • Paul M
                            Former Lead Developer
                            vB.Com & vB.Org
                            • Sep 2004
                            • 9886

                            #14
                            It is a product (using plugins) and a whole bunch of files as well.
                            Baby, I was born this way

                            Comment

                            • BirdOPrey5
                              Senior Member
                              • Jul 2008
                              • 9613
                              • 5.6.3

                              #15
                              Since VBSEO shut down their uninstall instructions have been taken offline.

                              There is an old copy in an internet archive here- https://web.archive.org/web/20130122...all-vbseo-238/

                              It's a good start but not really update to date if you had the later versions of VBSEO. Basically after uninstalling VBSEO from product manager, renaming your .htaccess file (or removing all VBSEO lines from it if you can tell which are which) you would then delete all files and folders with vbseo in the filename from your forum folder. If your site hosts offer cPanel you can find vbseo files in File Manager, find files tool.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...