filestore hack just got serious? - vBulletin 4 too easy to attack?

  • g00gl3r
    Senior Member
    • Sep 2004
    • 336
    • 3.5.x

    [Forum] filestore hack just got serious? - vBulletin 4 too easy to attack?

    I've had this issue for a while now. Seem to be able to fix it for a few months (others sometimes only seem to rid the problem for days) and it always seems to come back.

    Two good threads for it: http://www.vbseo.com/f255/filestore-...r-forum-55368/ and http://club.myce.com/f20/vbulletin-m...e-them-332219/

    Is vBulletin doing anything about this, or even monitoring those threads?
    Seems nobody can put their finger on how this starts off. And equally, once they get the issue, how to fully get rid of it 100%.

    I've followed all the proposed fixes. And it works for a while. But just today found another forum had the issue again. 3rd time for this one. Luckily after months again.

    It takes 3 full days for me to carry out all the required changes to fix it for a while. And it's getting to the point I've lost more faith in vBulletin yet again. The core code has been worked on more by these hackers than vb themselves it seems. They really know how to exploit it.

    Is vB4 too old to use now? vB3 is being hacked too. Thankfully vB5 is different code and doesn't have the issue. But neither does Xen which is better and much cheaper.

    Looks like I'll fix the issue for a while, but in the meantime, I'll be porting over one by one my dozens of forums. A serious business decision I've had to make too as many forums are established and this is going to upset so many things, traffic, revenue, members, advertisers, and god only knows what else. But thankfully I'm hoping it'll also upset the hackers! They'll go pick on some other vb4 customers instead of me.

    Made my question bold now as I've waffled a bit and perhaps it's been lost in the thick of the moan.
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    It's not a vBulletin issue. If you can point us to an issue within the current vBulletin 4.2.1 code, we'll be happy to fix it. But to date, none of these exploits have used the core vBulletin code to break in. It's always been third party addons, weak security (passwords, etc), or very out of date versions of the software.


    • g00gl3r
      Senior Member
      • Sep 2004
      • 336
      • 3.5.x

      #3
      Seems it's always vBulletin forums. And not always running vBSEO.
      Coders work with the code you've created to make plugins. So the underlying problem does seem to be related to vBulletin it seems?

      It's alright for VBSEO and VB to say "well ours isn't hacked" but the truth is, it's always a 3.x or 4.x vbulletin forum. And not always running vbseo but often, it must be said.

      A LOT of people are being left to fix the issues themselves. And nobody actually seems to know what's initially causing the issue so I'm a bit shocked you seem to know.


      • g00gl3r
        Senior Member
        • Sep 2004
        • 336
        • 3.5.x

        #4
        ps - can you check a ticket for me?
        1198033


        • Zachery
          Former vBulletin Support
          • Jul 2002
          • 59097

          #5
          Once a malicious user gets access to the AdminCP, all bets are off. The exploit takes advantage of the plugin system doing exactly what it is intended to do, run PHP code.

          So far, we found that if you take good security practices: block access to sensitive directories (AdminCP, modcp, install), don't use third party addons, your site tends to stay unexploited.

          The simple truth is, every site that we run into that is being hacked is: running third party addons, has bad security as a whole, is on an out of date (and thus exploitable) version of the software.

          If you're running 4.1.12PL3 or 4.2.1 you're safe, there are no KNOWN exploits for these versions. We're not responsible for a site owner's entire site, or server. We're responsible for vBulletin.


          You show me a highly secure forum, running stock code on a stable & supported version, getting exploited, and we can take a look at what the issue is.


          • g00gl3r
            Senior Member
            • Sep 2004
            • 336
            • 3.5.x

            #6
            Are you guys following those threads at the very least?
            Thanks for replying to the ticket by the way too. You're a star. I'm stuck!


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73976

              #7
              Originally posted by g00gl3r
              Seems it's always vBulletin forums. And not always running vBSEO.
              Coders work with the code you've created to make plugins. So the underlying problem does seem to be related to vBulletin it seems?

              It's alright for VBSEO and VB to say "well ours isn't hacked" but the truth is, it's always a 3.x or 4.x vbulletin forum. And not always running vbseo but often, it must be said.

              A LOT of people are being left to fix the issues themselves. And nobody actually seems to know what's initially causing the issue so I'm a bit shocked you seem to know.
              There was a bug in 4.1.3 that allowed people to get access. We released a security patch and asked everyone to update.

              The fact is though, if you don't check your addons before you install them and read the code or you get addons from unofficial sources, they can embed PHP Plugins into the software. Disabling the Plugin system is how you counteract that. One major hack was done through vBSEO as well where their servers were compromised and every time you accessed vBSEO it would reinstall itself. It is a peril of allowing users to add custom PHP code.

              In vBulletin 5, we've changed the system so they actually need access to upload files to the server and PHP code is not stored in the database anymore. Overall this should be more secure but still not 100% foolproof unless you review the code before installing it.

              In the end, customers need to be vigilant and know what they are installing. They need to know what plugins should and should not be installed in their system and they need to make sure they are not running out of date software or files. However anyone who contacts us and has a valid license gets help to fix and restore their sites. The process is quite simple though and we've posted articles and blogs about how to do it.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API
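
The plugin review described in the post above can be partly automated. The following is an added example, not part of the original thread and not vBulletin's own code: it audits plugin rows exported from the forum database, flagging any row whose product is not on an operator-approved list or whose stored PHP contains dynamic-code constructs. The column names (pluginid, title, product, active, phpcode) are assumptions modelled on the vBulletin 4 plugin table, and the sample rows are constructed.

```python
import re

# Heuristic markers for stored PHP that runs, decodes or fetches further code.
SUSPICIOUS = {
    "dynamic-eval": re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote-fetch": re.compile(r"\b(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"]https?://", re.I),
    "shell-exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(", re.I),
}


def audit_plugins(rows, approved_products):
    """Return (pluginid, title, active, reasons) for every row needing manual review."""
    findings = []
    for row in rows:
        reasons = []
        # A plugin from a product the operator never installed is the first red flag.
        if row["product"] not in approved_products:
            reasons.append("unapproved-product")
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(row["phpcode"])]
        if reasons:
            # Inactive rows are reported too: they can be re-enabled from the AdminCP.
            findings.append((row["pluginid"], row["title"], bool(row["active"]), reasons))
    return findings


# Constructed sample rows (assumed column names, illustrative values only).
SAMPLE_ROWS = [
    {"pluginid": 1, "title": "Gallery: cache templates", "product": "photogallery",
     "active": 1, "phpcode": "$globaltemplates[] = 'gallery_link';"},
    {"pluginid": 2, "title": "Stats", "product": "vbulletin",
     "active": 1, "phpcode": "eval(base64_decode('CONSTRUCTED_SAMPLE'));"},
    {"pluginid": 3, "title": "Footer link", "product": "unknownmod",
     "active": 0, "phpcode": "$footer .= 'text';"},
]
APPROVED = {"vbulletin", "photogallery"}  # operator-maintained allow-list (assumption)

if __name__ == "__main__":
    for pluginid, title, active, reasons in audit_plugins(SAMPLE_ROWS, APPROVED):
        state = "active" if active else "inactive"
        print(f"plugin {pluginid} ({title}, {state}): {', '.join(reasons)}")
```

A clean result only means no heuristic matched; each plugin's code still needs to be read, as the post says.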
