Slashdot Mirror

← Back to Stories (view on slashdot.org)

35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

Posted by Unknown on from the delete-stale-files dept.

realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

7 of 91 comments (clear)

  1. Right-o by Anonymous Coward · · Score: 3, Interesting

    I just switched from using conventional passwords to 20+ character random strings and manage them with KeePassX. It took 3+ hours to go through all my 50+ different somewhat important accounts, but no way I'm using same passwords on different sites anymore.

    There have already been 5 serious leaks in services I use, including Adobe and my dedicated server provider.

    1. Re:Right-o by firex726 · · Score: 4, Interesting

      Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

    2. Re:Right-o by Archangel+Michael · · Score: 4, Interesting

      Personally, I start with the premise that the sites are already insecure. From there, I only provide information needed. I also create a unique email address for each site, so that if they are compromised, only my account on that site is compromised and nothing else is at risk. My private email address remains only for personal communication.

      To compromise my life would require the NSA, and I already figure that has happened, but that I am not interesting enough to act on it .... yet.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Why Only Now? by terrab0t · · Score: 4, Interesting

    If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

    1. Re:Why Only Now? by moteyalpha · · Score: 4, Interesting

      If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

      You are absolutely right. I was shocked at how quickly the knocking began. Within a day of registering a new address it already had obvious attempts to find a hole. The logs also show many other things that would worry people IF they knew it was happening. Very few people have the experience and skills to deal with it. It seems obvious that the intruder has the advantage. In a system with more than 2 to the 64th directions to guard against, the attacker has the advantage of surprise.
      Analogy: Open field, everybody has a gun, some have food, others want it.
      It could be that the only way to win is not to play at all. The problem is that the game has already started and this is no longer a choice. There is a dominant strategy. It is a conflict of interests. It is thus "Bellum Omnium contra omnes". No way to tell how it will end, but everybod has a "shot". ;)

  3. Re:A bit iffy??? by Bigbutt · · Score: 4, Interesting

    First thing I did with my Wordpress site was check the 'net for suggestions on how to secure the site. I've blocked off the admin access areas through the httpd.conf file restricting it to my work and home IPs. I occasionally have to update the IP when my home dhcp address changes but it works fine for what I'm doing.

    [John]

    --
    Shit better not happen!
  4. Nothing about this surprises me. by thevirtualcat · · Score: 4, Interesting

    I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone down hill since Internet Brands bought Jelsoft.

    The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and insure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)

    Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".

    Oh? You're on shared hosting? Good luck with that...