vBulletin.com Forums Hacked

Will_Watts

Habitué
Joined
Mar 1, 2013
Messages
1,080
I can't comment on vB5 as I've never used it, but overall we're pretty happy and confident in the security of our vB4 site. Sysnative is a very security conscious site - in fact, part of our "behind the scenes" work involves a lot of security related work across Windows software, and we've worked with Microsoft in the past to address potential security concerns. We've regularly looked over the code for vB4 for our own modifications, and generally security is handled extremely well.

There are elements of vB4 I wish were better, e.g. password encryption, but the software is very far from insecure. Any major software product is going to get hacked - it's impossible to make a fully "secure" script. Other "insecure" software: Apache, nginx, Lighttpd, WordPress, Joomla, Chrome, Firefox, Internet Explorer, Windows, OS X, Android, iOS, Linux, etc....

XenForo and others aren't more secure because they've had fewer security patches... this is PHP web software, none of it is secure. If you have enough knowledge and spend enough time trying then all of it is hackable. Surprise surprise, platforms with more market share get hacked more frequently... if you're going to spend time and money developing a hack, then you want ROI on it. Hacking software/creating malware is a major business in some parts of the world - generally done for money, not by some script kiddie in their bedroom.

-------------------------

Regarding this specific hack - **** happens. If the software is reasonably secure, which it is, then judge the company based on its response to a hack. They may or may not announce anything about this, but likely they'll take action on their end to work out what the cause of the hack was and how to prevent similar hacks. Having your user data compromised isn't good, but vB5 at least has decent encryption. If it's compromised, they probably should do a full password reset, but it may not be necessary.
 

HWS

TAZ Member
Joined
Aug 21, 2012
Messages
206
Given the long time the site showed the hacked text line, Coldzer0 had enough time to explore the server. Since he could read the config file he most likely had access to the database.

If vB were a serious business, they would inform their customers and forum members what may have been accessed and compromised. We will see...
 

Lisa

Chaotically Proportional
Joined
Jan 6, 2004
Messages
27,488
Vodafone's site was hacked over the weekend. Sites get hacked.

As for them making an announcement about it, I'm sure when they've had time to look into it (it is Sunday, after all), if they discover it's related to vB itself and not their server setup, I'm sure they'll either post a patch or make some kind of post about it.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,967
This is getting interesting...
Yes it is, especially the attitude of some members.

A site is apparently hacked, yet some members just use it for their own [anti IB] agenda, and TAZ allows the hackers to post screen shots ! WTF ??

Sites and servers can be hacked in many ways (and constantly are) - it's not a joke, it's not fun, it's illegal and can cause serious damage and misery.
Those members here using it to take cheap shots, I wonder how would you feel if your own site was hacked.

As to allowing the hacker to post screenshots, I seriously hope that's a mistake, and not really how TAZ now operates.
 

Lisa

Chaotically Proportional
Joined
Jan 6, 2004
Messages
27,488
As to allowing the hacker to post screenshots, I seriously hope that's a mistake, and not really how low TAZ has sunk.
I've removed it, I agree it shouldn't be there.
 

Lisa

Chaotically Proportional
Joined
Jan 6, 2004
Messages
27,488
Actually, it should be there except for the fact that it shows a partially blocked dump of a number of vB members' user data.
That sentence makes no sense, as it does contain that data which is why it shouldn't be there.
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,139
That sentence makes no sense, as it does contain that data which is why it shouldn't be there.
Made sense to me but I'm happy to explain - there should be evidence of the severity and scope of the breach so that there can be no spinning or denying what happened and so that people affected or potentially affected can take whatever measures they deem appropriate.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,967
Just so everyone is clear on this, TAZ policy is to allow obvious hackers to post details of their hacks here now, and even offer to do lookups ?

post your name and i'll search for it in my db :p

So you now encourage hackers to boast about their efforts here ?
I hope it never happens to you, maybe then you will see just how low this is.
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,139
Clearly the hacker was looking to make a point. If vB had gotten in front of this from the beginning this entire thread would have been largely unnecessary. As it was, little or no information was forthcoming from vB and people instead discussed it here, basically calling out the hacker. I'm not surprised he showed up here with some proof of his hack. It's a bad situation for a lot of people, but to blame TAZ for any part of this is silly.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,967
That's absolute nonsense, there is no situation [ever] in which this forum should be allowing hackers to openly post about their exploits.

I can and will entirely blame TAZ for allowing that.
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,139
That's absolute nonsense, there is no situation [ever] in which this forum should be allowing hackers to openly post about their exploits.

I can and will entirely blame TAZ for allowing that.
The hacker was banned as soon as his presence was noted - more than one account in fact. But immediately deleting his post would have deprived the community of some vital information that vB withheld.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,591
That's absolute nonsense, there is no situation [ever] in which this forum should be allowing hackers to openly post about their exploits.

I can and will entirely blame TAZ for allowing that.

TAZ should allow it; even news outlets will give examples on their site when something is hacked, as long as the entries are anonymous and TAZ can trace the real image for verification.

The one million dollar question is why vBulletin has not yet posted an explanation that is more urgent, what was copied in the attack.
 

Digital Doctor

Tazmanian
Joined
May 16, 2012
Messages
4,693
If the screenshots are informative about the scope of the attack then I think they should be allowed.
Now I have to remember my vB.com password so I can change it on other sites !

Still can't believe how dead that forum is now, wow.
I can't believe anyone noticed vB.com was hacked !
I mean like, who really goes there anymore ?
Besides the dwindling number of employees ?

Phew. I got in on my fifth try. I forgot my vB.com login password. It's my lowest security one. The hackers can have it.
 

VICE

tool
Joined
Jun 8, 2013
Messages
2,735
A legitimate dilemma but Mr. V chose the correct option. Unless the screenshots pose an immediate threat to vBulletin customers, it should stay up for scrutiny.
 

Lisa

Chaotically Proportional
Joined
Jan 6, 2004
Messages
27,488
I don't agree that it's reasonable to allow a screenshot displaying usernames and email addresses to stay on a site. Discussing vBulletin being hacked is one thing, but I (and I'm speaking from a personal viewpoint here and not as an administrator on TAZ) think allowing the said hacker to post screenshots of database tables is a step too far and I want no part of that.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,967
....deleting his post would have deprived the community of some vital information that vB withheld.
What exactly are they "withholding" ?
I can see that this was apparently done late on a Saturday afternoon / evening, when no one other than IB NOC is on duty.

I assume someone had to be contacted to get advice on restoring the site, other than that, I doubt much is known or will be known until the working week starts and people are available to investigate further. Hackers don't leave detailed explanations on what they have done.

Not only should they have been banned, but all traces of their posts removed.
I am quite sure that is exactly what would have happened had another member's site been attacked.

I really hope you never get hacked, but you can be damn sure that if you are ever unfortunate enough, and they come boast about it on vb.org, they will be zapped with haste, it's the right thing to do, and you know it.
 

The Sandman

Administrator
Joined
Jan 1, 2004
Messages
29,139
You've made it clear many times that you speak only for yourself Paul, not for the company you may work for and not for their customers. Anyway, if it seems perfectly reasonable to you that we all wait until the working week starts for your company to even start investigating the magnitude of this breach then any further discussion with you is clearly going to be nonproductive.
 