Webhostingtalk Hacked

[marcgo15]

http://www.webhostingtalk.com/showthread.php?t=1584028

Just a heads up for anyone using the same password/email on any other forums.

So far none of the staff have confirmed anything or how access to the database was gained.

 

[LeadCrow]

Every big fish gets hacked eventually. Even if vbulletin was the most secure script in existence, something else definitely will be exploitable, like the server stack or the accounts of privileged users elsewhere (social engineering, identity theft).

It's kinda troubling though how we're at a stage these hackings are no longer seen as preventable but unavoidable.
And seriously, only 2000$ for a big useful database? This suggests it will be resold to as many buyers as possible and scattered, rather than a single exclusive buyer.

 

[Joeychgo]

Even if vbulletin was the most secure script in existence, something else definitely will be exploitable, like the server stack or the accounts of privileged users elsewhere

webhostingtalk is also heavily customized

 

[BirdOPrey5]

http://www.webhostingtalk.com/showthread.php?t=1584028

Just a heads up for anyone using the same password/email on any other forums.

So far none of the staff have confirmed anything or how access to the database was gained.

Someone did mention 4 or 5 sites of theirs were hacked, some of them not running vBulletin, all of them without outdated Wordpress, so could be anything.

 

[LeadCrow]

Customization is not an excuse. Conservatism and outdated scripts/servers make sense when average Joe operates from his garage, not a big corporation with a huge budget and whimsical spending, whose continued good fortune depends on securing its credibility in the niches it enters. Wordpress is a 1-click upgrade process. What could justify being on an outdated version, other than a crippling internal bureaucracy whose responsibility is exclusively Penton's, not the tech procedures themselves ?

Even if complexity was an issue, converting away to manageable processes is a 1-time expense, and shouldn't have costed anything obscene even with custom development.

 

[Joeychgo]

Customization is not an excuse

I didn't mean it as an excuse, just that the source should not automatically be considered as vbulletin. My guess, wordpress was the intrusion point.

 

[Robust]

And seriously, only 2000$ for a big useful database? This suggests it will be resold to as many buyers as possible and scattered, rather than a single exclusive buyer.

Yeah, of course.

Hacking is still preventable. If 3 databases of Penton's websites were taken, all on different platforms, it'd indicate a server breach more than anything. The one way to stay safe out of a server breach is not to make it publicly accessible - yup, internal access only. That's probably what corporations like Google do, and identity cards access you into the servers. I imagine Penton followed a small business setup being a larger corporation, and obviously they're a big target, so yeah...

 

[Deathstarr]

This is not the first time WHT has been hacked. Prob will not be the last.

 

[Paul M]

I didn't mean it as an excuse, just that the source should not automatically be considered as vbulletin. My guess, wordpress was the intrusion point.

According to a post on the site ;

All 3 of the (allegedly) hacked sites are running outdated WordPress installs that contain vulnerabilities.

They also stated that "WHT is running an outdated version of VBulletin 4".

From what I can see, thats not really true, they seem to be running 4.2.2, which assuming they have the latest Patch Level, is not outdated.

 

[marcgo15]

According to a post on the site ;


They also stated that "WHT is running an outdated version of VBulletin 4".

From what I can see, thats not really true, they seem to be running 4.2.2, which assuming they have the latest Patch Level, is not outdated.

Patch Level 4 is installed on there now, not sure if that was the case before the hacking though. I'm thinking someone gained access to the DB cluster and got the databases from the sites that way.

Paul M From what I'm reading MD5 isn't the greatest way of encrypting passwords now. I understand IB doesn't really have an interest in vB4 now but would it be possible to change to BCrypt or something like that in the core? I found this http://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/

With the amount of vB4 installs still running it might be worth it.?

 

[Joeychgo]

Two of these websites, Mac Forums and Web Hosting Talk, run on the vBulletin forum platform. The hacker claims that he's in possession of a vBulletin zero-day, which allowed him access to these two sites.

Read more: http://news.softpedia.com/news/databases-from-hot-scripts-mac-forums-web-hosting-talk-surface-on-the-dark-web-506129.shtml#ixzz4E5DPliaq

 

[WD]

Good old vBulletin with insecure software. Even found outdated software on the main site!



Nothing changes. Even the exploits I reported before have been left.

Even the vBulletin.org breach of 2014 still hasn't been reported/admitted to only a reset after the vBG hack this year.

vBulletin really is a joke.

UPDATES: (censored some swearing as these aren'y my posts.)

Yeah there is a vBulletin 0 day out there. All of you who speaks up about leakedsource. They're about a f***n' half of a month late to discover this.
Conclusion, owner is a real jack-head.

Hi,

Yesterday we detected a hack on Skyscrapercity. The attackers were apparently after the SSC user data and made no attempt to cover their tracks.

Due to the way SSC's back-end works, the damage was minimal. It is possible, however, that some of our user data was accessed. This user data includes:
username, e-mail addresses, and encrypted/salted passwords. The user data does include the "salt" for the password as well.

So there is a vBulletin exploit that works on vBulletin 3 and 4. I suggest any vBulletin users jump ship and move to another secure script or take their sites offline until a proper fix is out. From reading the HackForums post it seems the Skyscrapercity.com site used a renamed admincp along with htaccess yet the hackers still managed to download user data. This is very alarming as you would think this would stop them but I guess not. Quotes below.

thats ironic that site was relatively secure due to htaccessed admin panel.

 

[Paul M]

Good old vBulletin with insecure software. Even found outdated software on the main site!

Since the main site is running the latest version, it just shows what a complete load of bollocks that actually is.

 

[Klaatu]

Good old vBulletin with insecure software. Even found outdated software on the main site!

View attachment 42338

Nothing changes. Even the exploits I reported before have been left.

Even the vBulletin.org breach of 2014 still hasn't been reported/admitted to only a reset after the vBG hack this year.

vBulletin really is a joke.

UPDATES: (censored some swearing as these aren'y my posts.)





So there is a vBulletin exploit that works on vBulletin 3 and 4. I suggest any vBulletin users jump ship and move to another secure script or take their sites offline until a proper fix is out. From reading the HackForums post it seems the Skyscrapercity.com site used a renamed admincp along with htaccess yet the hackers still managed to download user data. This is very alarming as you would think this would stop them but I guess not. Quotes below.

If they managed to upload a shell exploiting a vulnerability; an htaccessed ACP wouldn't had made any difference.

 

[WD]

Since the main site is running the latest version, it just shows what a complete load of bollocks that actually is.

I hate to be an asshole but I have no choice but to shame vBulletin/InternetBrands now.

Please give me 20 minutes or so to compile some data including the vBulletin.org database which was hacked in 2014 yet the hack was denied. (Don't worry I've got the whole thing!)


EDIT 1: So vBulletin.com is running Magento and if any administrator with half a brain knew anything you don't bloody mix scripts and keep stuff on subdomains/seperate servers.

The clueless muppets have installed OUTDATED Magento with the vBulletin client base AND the damn forum also. Meaning if a hacker got into Magento then they can jump into vB.com's forum database and grab license info. Or vice versa. Clearly whoever is in charge has no brain and should be fired instantly.

vBulletin.com is running Magento 1.9.1.1 wheres the latest SECURE version is 2.0.2.

Patch SUPEE-7405 resolves several security fixes, but most importantly fixes a leak that allows hackers to take over your admin (backend) account and gain access to your Magento shop. Released Jan 21th, 2016

~Note not checked this possibly patched.

PROOF:




Along with this vBulletin.com also runs a JIRA for bug issues for all vBulletin stuff. This is running "Atlassian JIRA (v4.0.1#471)" The latest secure and stable version appears to be 7.2.0 clearly vBulletin are years behind as 4.0.1 came out around 2010!!!

Possible exploits in the JIRA:


vBulletin.org was hacked in September 2014, This was denied even when I reported it. Nothing was said vBulletin said NOTHING putting users at risk. Around 2 months ago I obtained a copy of this database and verified it as a legit data breach finding around 20 admins I know included in this dump.

The dump contains usernames, ip's, MD5+SALT, emails.

Nothing was said until the 2015 hack even though I had reported it privately.



Here's a screenshot of the vBulletin.org September 2014 data dump with ip's/hashes/emails censored minus vBulletin emails.



This is a breach of California data breach laws and vBulletin could be fined for this alone.

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

But no. vBulletin was hacked in 2013, vBulletin.com/org/vBulletin-Germany were breached. The hack was denied and vBulletin blamed it on a dev server. Yet from my own finding's even vBulletin.net has run insecure demo's which again I've reported.

Again in 2014, vB.org was breached and hackers ran away with all vBulletin.org users info.

In 2015 vBulletin.com was breached yet even when the page read "Hacked by ColdZero" some idiot just restored the database and put the site back online meaning once again you got your asses handed to you.

Once again vBulletin clients got info stolen and that data is floating around the depths of the darknet along with older breaches.

And again in 2016 you got your asses handed to you when vBG got hacked which "possibly" allowed hackers to grab .org's database again. Like haven't you learnt anything yet? Do you have 12 year old's running the company?

Clearly vBulletin has no bloody clue how to run a website let alone how to make a script.

The security issues are beyond a joke.

Now onto InternetBrands.com

First thoughts. What the f**k? "<meta name="generator" content="WordPress 4.3.1" />"




Here's a small list of exploits affecting IB's main site.

WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post fixed in version 4.3.5
WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure fixed in version 4.3.5
WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS fixed in version 4.3.5
WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME) fixed in version 4.3.4
WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS) fixed in version 4.5.2
WordPress <= 4.4.2 - Script Compression Option CSRF fixed in version 4.5
WordPress <= 4.4.2 - Reflected XSS in Network Settings fixed in version 4.5
WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses fixed in version 4.5
WordPress 3.7-4.4.1 - Open Redirect fixed in version 4.3.3
WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) fixed in version 4.3.3
WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) fixed in version 4.3.2

Why did I even mention WordPress?

TheWHIR, the HotScripts blog, and the Mac-user forums blog, are all running WordPress 4.3.1

Oh look the same as InternetBrands.

The security of vB/IB sites is worse then a bloody 12yo who's just made their first forum. I'm not even a security expert but I could do a better job then vB/IB.

Paul M next time think before you type a reply. I've just shown what a joke vBulletin and IB security is. I'm sure I could google exploits and takeover vBulletin.com as we speak but you see I'm not interested in a dead script. Even though thanks to your "late" password reset I lost access to 5 vBulletin licenses as the emails linked to them had long been closed.

Credit where it is due, You did inform the vB.org users of the vBG hack. But being honest it's too little too late. The only people using vB now are people with no clue about security. It's no wonder people are leaving vB for rival forum scripts.

I would highly suggest any vB clients to move to a better system. The hashing of vB3/4 is cracked and insecure. Never use the same login info for another site.

If you're insane enough to continue using vBulletin software this guide should help make things a little more secure.

https://blog.technidev.com/changing-vbulletin-4-its-password-hashing-to-use-bcrypt/ (I'm not liable if you screw up. Take backups before hand!)

This however won't protect you from this new 0day exploit.

Phew, Wipes sweat away. 3:34am I'm crawling to bed.

EDIT2 3:44 am: Still not asleep found something weird and more insecure crap on vBulletin.com
Magento also reports as version 1.9.2.2 and I found an open panel with no htaccess protection blocking me from bruteforcing my way into vBulletin.com.

 

[batpool52!]

I'm crawling to bed.

You never will.

 

[radu81]

vBulletin.com is running Magento 1.9.1.1 wheres the latest SECURE version is 2.0.2.

Magento 2 is a major release and Magento 1.9 it is supported for other 3 years.
http://magento.stackexchange.com/questions/54303/future-support-of-magento-1-9-coming-magento-2-0
Lot of developers are still using the 1.9.x version even for new installs. The migration to 2.0 is not a one click task

 

[Paul M]

I hate to be an asshole but I have no choice but to shame vBulletin/InternetBrands now.

Really ? I think you rather like it.

So much hatred and bile - did Internet Brands kill your cat or something ?

I have learned not to continue in pointless arguments with people so with such obviously warped views.
People who "own" copies of hacked sites are just a low/bad as the people who do the hacking (many of course are both).
What possible legitimate reason would anyone have for owning any hacked data (or doing the hacking) ?

Just one point for those reading, there are two versions of Magento (Community) - the 1.x series, and the 2.x series.
Both are current and fully supported (rather like Windows 8 v Windows 10). Just like the vast majority, we run the latest 1.9 series.

Anyway, enjoy your rants, as I said, I'm not going to continue with this.

 

[Paul M]

Oh, I almost forgot this ;

This however won't protect you from this new 0day exploit.

Of course, I assume you have details of this ?
So being a responsible forum admin, you have logged a ticket with vB support giving full details ?

Feel free to tell me the ticket number, so I/we can look at it.

 

[WD]

You never will.

How do you know me so well! You're correct I didn't get to bed till gone 5am as something came up with one of my forums.

Magento 2 is a major release and Magento 1.9 it is supported for other 3 years.
http://magento.stackexchange.com/questions/54303/future-support-of-magento-1-9-coming-magento-2-0
Lot of developers are still using the 1.9.x version even for new installs. The migration to 2.0 is not a one click task

Never used Magento but thank you for posting that.

Really ? I think you rather like it.

So much hatred and bile - did Internet Brands kill your cat or something ?

I have learned not to continue in pointless arguments with people so with such obviously warped views.
People who "own" copies of hacked sites are just a low/bad as the people who do the hacking (many of course are both).
What possible legitimate reason would anyone have for owning any hacked data (or doing the hacking) ?

Just one point for those reading, there are two versions of Magento (Community) - the 1.x series, and the 2.x series.
Both are current and fully supported (rather like Windows 8 v Windows 10). Just like the vast majority, we run the latest 1.9 series.

Anyway, enjoy your rants, as I said, I'm not going to continue with this.

Maybe because I am a vBulletin fan and sick and bloody tired of all the cockups vBulletin has made? If you read my original post I mentioned I lost 5 licenses which according to your site each license costs $249 so 5x $249 = $1245 meaning since vBulletin reset all logins you've cost me over $1000. Now I am a reasonable person so I ticked it off as another loss but vBulletin had to go one step further and get hacked 4 times in 4 years. Exposing my information once is bad but four times?!?!

Even when I reported the .org breach nothing was done it wasn't until vbulletin got hacked that something was done but that was WAYYY too late. Hackers have had the vB server infor for 2 years before this. If anybody reused logins they had their sites hacked.

vBulletin has had the worst hacking issues out of all over rival scripts. Yes, Don't get me wrong others have been hacked. phpBB.com lost it's userbase in 2010, 2015 but they instantly took servers offline they didn't do a stupid move of putting it online and claiming it was a caching issue. Since when does Varnish read "Hacked by ColdZero"? I don't think any script reads that unless compromised.

So this is why I act an asshole. vBulletin have had so many times to fix stuff yet they cannnot do simple security.

As for running older versions of Magento, That's fine long as it's patched but I clearly found an admin login page last night that if bruteforced would allow me to jump into the databases.

Oh, I almost forgot this ;


Of course, I assume you have details of this ?
So being a responsible forum admin, you have logged a ticket with vB support giving full details ?

Feel free to tell me the ticket number, so I/we can look at it.

I sadly do not. Hence a post on my forums warning any vBulletin user to take their site down to a patch is made or keep and on on logs or move to a new script with decent security.

While this isn't my place to warn users I had to because like normal vBulletin hasn't made any annoucement about a possible exploit. You posted about that other one the other week but how long has that been lurking? The last 0day had been there for over 2 years if I remember correctly.

Also, Before I leave for the day.



There's rumor's it might be an SQLi.