35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

← Back to Stories (view on slashdot.org)

35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

Posted by Unknown on Wednesday October 16, 2013 @02:51AM from the delete-stale-files dept.

realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

91 comments

Min score:

Reason:

Sort:

That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 02:55 · Score: -1, Offtopic

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.
1. Re:That's what you get for using vBulletin by smash · 2013-10-16 03:01 · Score: 5, Insightful
  
  not hard to do if you don't care about security you mean.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
2. Re:That's what you get for using vBulletin by Shoten · 2013-10-16 03:01 · Score: 5, Insightful
  
  Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.
  Right...because everyone who could ever want to use a forum is a web developer, right? And, of course, every one-off forum app will be TOTALLY free from vulnerabilities, of course. Oh, and let's not forget that there's no benefit whatsoever to different forums being somewhat similar in terms of user interaction...so let's just throw that out the door as well.
  Seriously?
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
3. Re:That's what you get for using vBulletin by Krojack · 2013-10-16 03:08 · Score: 4, Insightful
  
  Plus writing your own message board from scratch isn't an easy task. There is a LOT within these systems. I've been coding in PHP for about 8 years and even I don't want to take on this task.
4. Re:That's what you get for using vBulletin by bill_mcgonigle · 2013-10-16 03:12 · Score: 1
  
  GP is a fool. But do contribute to Vanilla or similar open source projects.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
5. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 03:14 · Score: -1
  
  Since a self-written forum likely will have far less features, it will be far easier to make secure.
  Provided you know what you're doing, of course.
6. Re:That's what you get for using vBulletin by TheSpoom · 2013-10-16 03:21 · Score: 2
  
  I've created my own forum software in the past. GP is vastly understating the complexity of modern forum software. That said, I encourage actual web developers to try it as an exercise.
  Also, I think GP isn't differentiating between "secure" on the surface when you look at code that you've written, and "secure" against multiple thousands of potential adversaries when a product is used everywhere. They will think of things that you haven't. That's why you get code audited.
  
  --
  It's better to vote for what you want and not get it than to vote for what you don't want and get it.
  - E. Debs
7. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 03:22 · Score: 0
  
  GP is a fool. But do contribute to Vanilla or similar open source projects.
  He might be a fool for thinking it's easy to put together a secure, stable, bug-free forum, but he's certainly not a fool for thinking that such an attempt looks good on a resume to a bunch of HR drones...
8. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 03:46 · Score: 0
  
  Since a self-written forum likely will have far less features, it will be far easier to make secure.
  Provided you know what you're doing, of course.
  Coughs, Unbelievably Not Thorough.
9. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 03:50 · Score: 0, Redundant
  
  even I don't want to take on this task.
  And neither should you, if you're the kind of person who admits to "coding in PHP".
10. Re:That's what you get for using vBulletin by jones_supa · 2013-10-16 03:58 · Score: 1
  
  Since a self-written forum likely will have far less features, it will be far easier to make secure.
  Also, it is not directly vulnerable to specific exploits crafted against well-known bulletin board software.
11. Re:That's what you get for using vBulletin by smash · 2013-10-16 04:30 · Score: 2
  
  The "provided you know what you're doing" part is the big that is surprisingly difficult to get right for non-trivial software.
  It requires a fairly large investment in time and energy to know what you are doing. If you think it's "easy" you probably don't.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
12. Re:That's what you get for using vBulletin by smash · 2013-10-16 04:31 · Score: 1
  
  big = bit.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
13. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 04:31 · Score: -1
  
  Smugness apart (yours), yes, it's possible to code in PHP. Without quotes even. Just because a language is bad (or your perception of it) doesn't mean you can't code in it.
14. Re:That's what you get for using vBulletin by smash · 2013-10-16 04:32 · Score: 2
  
  Probably not, but more likely vulnerable to schoolboy errors, unless the developer has already had experience in writing an internet exposed project of significant size.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
15. Re:That's what you get for using vBulletin by smash · 2013-10-16 04:36 · Score: 1
  
  Well yeah, as with any web app, you can't "just learn php and write your own forum!".
  You'll need to learn css, html, php, sql, javascript and how to properly secure against stuff like SQL injection and cross site scripting. Php (or perl) is just a tiny part of a project like this.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
16. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 05:06 · Score: 0
  
  It was a direct quote.
17. Re:That's what you get for using vBulletin by TheSpoom · 2013-10-16 05:27 · Score: 3, Informative
  
  My entire day job is coding in PHP (and Javascript, and MySQL, and Mongo, and Node, and...). Seems to work well for my company, as well as the dozens of others with whom I've worked.
  But keep using whatever's hot right now, it won't affect me one iota.
  
  --
  It's better to vote for what you want and not get it than to vote for what you don't want and get it.
  - E. Debs
18. Re:That's what you get for using vBulletin by amicusNYCL · 2013-10-16 05:58 · Score: 1
  
  A forum is a great learning exercise for people. I answer a lot of PHP and Javascript questions on the w3schools forum, and having a beginner design and develop a forum gives them exposure to a lot of skills (user authentication and management, form processing, file uploading, database design and API integration, ajax if they want to add it, etc). Something like a forum or photo gallery is a great beginner project to expose them to the majority of web programming skills that they'll use most often in a job.
  But security is a completely separate topic. The OWASP site shows the breadth of application security as a topic. People often ask questions about what they need to do to make their site secure from hackers, and they ask about a function like mysqli::escape_string and think that that's all they need to know about security. It can be difficult to drill it into their head that security is an integral part about designing an application. Good programmers can make really obscure and really dangerous design decisions that could have a major impact on security, and unless you keep yourself aware of the breadth of vulnerabilities that you need to protect yourself from then it's certainly no surprise that exploits get found in major professional products from time to time. You don't need to be a poor programmer to make a design decision that has a very negative, if subtle, impact on security.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
19. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 06:15 · Score: 0
  
  w3schools?
  Why?
20. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 06:40 · Score: 1
  
  You have coded in PHP for 8 years?
  Dear god, you poor bastard.
21. Re:That's what you get for using vBulletin by Hatta · 2013-10-16 07:36 · Score: 1
  
  USENET never had this problem.
  
  --
  Give me Classic Slashdot or give me death!
22. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 07:43 · Score: -1
  
  Are you suggesting forum software isn't trivial? This isn't some orchestration software suite or printer firmware, it's a damned place to post shitty comments.
  (in b4 snarky "like this one")
23. Re:That's what you get for using vBulletin by Anonymous Coward · 2013-10-16 10:40 · Score: 0
  
  thats the point. But its like Linux leaving /tmp open and not user per-user-tmp (/home/xx/tmp) folders when the server gets hit. Unless it reboots, anyone can write anything, ANY size to /tmp.
  Delete the install/setup script when done. Its common sence.
24. Re:That's what you get for using vBulletin by Kalriath · 2013-10-16 10:53 · Score: 1
  
  Actually? Most of them actually more closely resemble orchestration software suites or application server middleware.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
25. Re:That's what you get for using vBulletin by wmac1 · 2013-10-16 14:00 · Score: 1
  
  It is a proprietary software with open source. It means you will pay at least $ 599 /year and the source is open to hackers for them to find bugs and exploit.
  Could you tell us why in the hell I should contribute to such a thing?
26. Re:That's what you get for using vBulletin by bill_mcgonigle · 2013-10-16 15:07 · Score: 1
  
  It's GPLv2. What are you talking about?
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
27. Re:That's what you get for using vBulletin by smash · 2013-10-16 20:38 · Score: 1
  
  Yes, I am suggesting it is not trivial, or there would be a high quality, full-featured, secure open source version available that had a stellar security record. Unless you can point me to such a project? No? Thought not.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
28. Re:That's what you get for using vBulletin by RockDoctor · 2013-10-19 11:37 · Score: 1
  
  Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.
  How would having that on my resume help me to get work oil wells?
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Week old by Slashdot time by Anonymous Coward · 2013-10-16 02:58 · Score: 4, Funny

Months old by the rest of the internet...
Good by Anonymous Coward · 2013-10-16 03:00 · Score: -1

I love a parade. And slashdot, it's week-old hole. Or is that (wife's) weak, old hole?
1. Re:Good by Anonymous Coward · 2013-10-16 04:42 · Score: 1
  
  it's more than a month old actually.
  http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
  August 13th.
Well by Anonymous Coward · 2013-10-16 03:03 · Score: 1

How many abandoned forums overran by spambots are there out there? Quite a lot I reckon, this isn't surprising at all.
1. Re:Well by Anonymous Coward · 2013-10-16 03:20 · Score: 1
  
  Not many vBulletin ones I'd wager, since it's paid software. Plenty of phpBB ones and the like, though.
2. Re:Well by gl4ss · 2013-10-16 05:56 · Score: 1
  
  Not many vBulletin ones I'd wager, since it's paid software. Plenty of phpBB ones and the like, though.
  yeah as if you couldn't warez it...
  http://thepiratebay.sx/search/vbulletin/0/99/0
  dunno why the hell anyone would but it's possible
  
  --
  world was created 5 seconds before this post as it is.
Right-o by Anonymous Coward · 2013-10-16 03:04 · Score: 3, Interesting

I just switched from using conventional passwords to 20+ character random strings and manage them with KeePassX. It took 3+ hours to go through all my 50+ different somewhat important accounts, but no way I'm using same passwords on different sites anymore.
There have already been 5 serious leaks in services I use, including Adobe and my dedicated server provider.
1. Re:Right-o by firex726 · 2013-10-16 03:12 · Score: 4, Interesting
  
  Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.
2. Re:Right-o by Archangel+Michael · 2013-10-16 03:19 · Score: 4, Interesting
  
  Personally, I start with the premise that the sites are already insecure. From there, I only provide information needed. I also create a unique email address for each site, so that if they are compromised, only my account on that site is compromised and nothing else is at risk. My private email address remains only for personal communication.
  To compromise my life would require the NSA, and I already figure that has happened, but that I am not interesting enough to act on it .... yet.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
3. Re:Right-o by smash · 2013-10-16 04:37 · Score: 1
  
  I did this exact thing when the PSN hack happened.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
4. Re:Right-o by Anonymous Coward · 2013-10-16 04:40 · Score: 0
  
  nah, you just need a different password for every site, What's the use of a "password keeper" software when that narrows the attack surface to just your pc.
5. Re:Right-o by krovisser · 2013-10-16 04:42 · Score: 1
  
  I did this too. It's nice not having to remember passwords anymore. I just keep my database and key backed up, and have a lot less "what was this password again" troubles.
6. Re:Right-o by smash · 2013-10-16 04:46 · Score: 1
  
  They still need to break the password DB encryption. Its a trade-off. What is yout alternative to keeping a unique password for every site? Paper? Unencrypted plaintext file?
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
7. Re:Right-o by Stalks · 2013-10-16 05:18 · Score: 1
  
  SHA256(passphrase,domain) = password
8. Re:Right-o by Jakeula · 2013-10-16 06:49 · Score: 1
  
  This is exactly correct. I use SHA256(passphrase,domain) on every site. It is easy to recover my passwords where ever I am and all I have to remember is the passphrase and then look at the domain. I used to just type in a random password and use password resets every time I wanted to log in, that seemed to work pretty well and is about as fast as generating my SHA256 password.
9. Re:Right-o by behrooz0az · 2013-10-16 07:57 · Score: 0
  
  and what do you do for sites that require an upper case, a punctuation, a horn of a virgin pink unicorn not exeeding 7 charachters?
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
10. Re:Right-o by Just+Some+Guy · 2013-10-16 08:55 · Score: 1
  
  Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.
  ...usually phrased like "Hi 'YOUR_USERNAME'. Your password, 'FOOLMETWICE', might have been compromised. Click here to change it.".
  The password manager I use has a "security audit" tab that lists sites using the same password, and passwords that I haven't changed in more than a few months, a year, or several years. I fixed all the dupes by giving them each unique passwords, and I have a monthly reminder to myself to update all the old ones.
  
  --
  Dewey, what part of this looks like authorities should be involved?
11. Re:Right-o by Just+Some+Guy · 2013-10-16 08:57 · Score: 1
  
  I don't sweat that so much. My personal email is right there above this message, after all. Good luck guessing my random as-strong-as-allowed password on any given site, though.
  
  --
  Dewey, what part of this looks like authorities should be involved?
12. Re:Right-o by Anonymous Coward · 2013-10-16 10:04 · Score: 0
  
  The point *was* to use a different random password for every site *and* manage them with a password manager that stores them in a secure encrypted database.
  If anyone had access to your computer and was able to gain root privileges, you're pretty much fucked no matter how you handle your passwords. But that's a different story and is far more unlikely than someone gaining access to leaked hash tables and bruteforcing passwords.
13. Re:Right-o by Stalks · 2013-10-16 10:11 · Score: 1
  
  http://www.passwordmaker.org/ is what I actually use. It allows you to create per-site options if required.
A bit iffy??? by NoNonAlphaCharsHere · 2013-10-16 03:12 · Score: 5, Insightful

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

You misspelled "batshit-insane".
1. Re:A bit iffy??? by Spamhead · 2013-10-16 03:33 · Score: 1
  
  You misspelled "Cold Fusion".
  
  --
  Everybody Wang-Chung tonight!
2. Re:A bit iffy??? by buchner.johannes · 2013-10-16 03:38 · Score: 2
  
  Web applications that have write access to directories they then load code from have always seemed a bit iffy to me
  You misspelled "batshit-insane".
  By itself, that's not batshit-insane. Any web app that supports a user-friendly installation of plugins has to do that (Wordpress, Joomla!, ... ). If it only fetches plugins from its own, managed repository, it can be secure.
  But please, suggest a user-friendly alternative.
  
  --
  NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
3. Re:A bit iffy??? by Anonymous Coward · 2013-10-16 03:52 · Score: 0
  
  The problem isn't plugins. The problem is that any minor vulnerability in the scripts turns into a code execution vulnerability. If you can't execute things which you can write to, then you can only run code if you can inject it (via a developer making stupid use of eval-like functions).
  Basically, it's a really easy way to make every single bug in your program just that much worse.
4. Re:A bit iffy??? by Bigbutt · 2013-10-16 03:53 · Score: 4, Interesting
  
  First thing I did with my Wordpress site was check the 'net for suggestions on how to secure the site. I've blocked off the admin access areas through the httpd.conf file restricting it to my work and home IPs. I occasionally have to update the IP when my home dhcp address changes but it works fine for what I'm doing.
  [John]
  
  --
  Shit better not happen!
5. Re:A bit iffy??? by Dracos · 2013-10-16 03:57 · Score: 1
  
  Yes, it very much is batshit-insane. To allow such a thing is to put an inordinate amount of trust in your web application and your http server, both of which should be considered insecure no matter how secure you think they are. WP goes one step further and allows its plugins to be edited from the admin interface, which is batshit-donkeyfuck-insane.
  There is always a trade off between security and user friendliness... these anti-features cross the line so far that they've disappeared beyond the horizon.
6. Re:A bit iffy??? by amicusNYCL · 2013-10-16 06:06 · Score: 1
  
  What would be the alternative though? Is it possible to have the same functionality in a secure way? If my application needs to write to certain directories, and that is not an option or else the application would be useless, then how can those directories be protected? Any CMS that needs to upload images, for example, would be affected by that, right? It can be fairly trivial to protect in that case (put the upload directory outside of the web root and just return the file data), but what about an application where users need to upload arbitrary web-accessible content, which may contain PHP files? Other than trusting that your users aren't going to just upload a malicious PHP script through the interface (and they would have no reason to do so), what can be done in that situation?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
7. Re:A bit iffy??? by amicusNYCL · 2013-10-16 06:07 · Score: 1
  
  I should clarify in case this is the first reponse:
  we already route all requests for files in the upload directory to a PHP script via htaccess to authenticate users before they can access the file, and there is also an option in the application whether or not to allow PHP execution in that directory (if disabled, it returns the file contents instead of including and executing the file).
  Is that all that is necessary?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
8. Re:A bit iffy??? by Dracos · 2013-10-16 09:13 · Score: 2
  
  Uploading images or other files that will not be executed by the CMS is not the issue here. The ability to upload modules and plugins is a much greater risk. Being able to delete those things (as granted by write permission) can render the entire CMS inoperable. The further insanity of allowing code to be editable within the CMS is even more dangerous, as that can introduce simple breakage via a syntax error and be a good place for malicious code to hide, easily placed there by a compromised CMS account.
9. Re:A bit iffy??? by drinkypoo · 2013-10-16 12:34 · Score: 1
  
  What would be the alternative though? Is it possible to have the same functionality in a secure way?
  You'd have a separate site for maintenance. This does sort of mandate some duplication of effort. Right now if you want to update your CMS core you have to do this through a shell, file manager, or ftp in most cases as it is. It's not a big stretch to have an admin site with its own codebase sufficient for performing updates. Content management etc would continue to be performed through the CMS as normal. You might or might not want to use the same auth tables.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
10. Re:A bit iffy??? by Jason+Levine · 2013-10-16 14:18 · Score: 1
  
  I've found quite a few plugins to help secure WordPress. One of the ones I really like is Apocalypse Meow. This locks people out from even trying to log into your site after X attempts. (You define what X is but it defaults to 5.) If they go over the attempts, they get banned from trying to log in for a day (or however long you define). It also removes the WordPress version information from your site's HTML code which has no purpose except to tell hackers "try these methods to get into my website". It can stop direct execution of PHP scripts from inside wp-content and more.
  Having it on my site for awhile, I've found that hackers predominantly try one of three usernames. The first, of course, is "admin", the default WordPress administrator username. If you have your admin account named "admin", rename it at once. Even if you do nothing else, you've increased your security a ton. The next account they try is the name of the site. If you run "example.com", they'll try the username "example". If you run "SomeOtherSite.com", they'll use "SomeOtherSite". The last one they'll use is "administrator" (an obvious choice people might change "admin" to).
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
11. Re:A bit iffy??? by Anonymous Coward · 2013-10-17 07:53 · Score: 0
  
  If it's just admin access, you could just as well limit that to localhost and use ssh port forwarding to gain access for the few occasions that you really need it.
Why Only Now? by terrab0t · 2013-10-16 03:16 · Score: 4, Interesting

If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.
1. Re:Why Only Now? by moteyalpha · 2013-10-16 04:17 · Score: 4, Interesting
  
  If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.
  You are absolutely right. I was shocked at how quickly the knocking began. Within a day of registering a new address it already had obvious attempts to find a hole. The logs also show many other things that would worry people IF they knew it was happening. Very few people have the experience and skills to deal with it. It seems obvious that the intruder has the advantage. In a system with more than 2 to the 64th directions to guard against, the attacker has the advantage of surprise.
  Analogy: Open field, everybody has a gun, some have food, others want it.
  It could be that the only way to win is not to play at all. The problem is that the game has already started and this is no longer a choice. There is a dominant strategy. It is a conflict of interests. It is thus "Bellum Omnium contra omnes". No way to tell how it will end, but everybod has a "shot". ;)
2. Re:Why Only Now? by krovisser · 2013-10-16 04:47 · Score: 1
  
  You make this sound like the Hunger Games.
3. Re:Why Only Now? by Cramer · 2013-10-16 07:50 · Score: 1
  
  I'm blown away that vBulletin's hasn't been targeted for years.
  IT HAS! This bullshit comes up every few years. All because people are too stupid and lazy to follow the instructions and remove the f'ing installer when done.
THIS FP FOR GNAA by Anonymous Coward · 2013-10-16 04:00 · Score: -1

Quarreled o8 In our Group
PHPhhhtt! by Anonymous Coward · 2013-10-16 04:04 · Score: 0

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

It seems to be a common problem with PHP apps in general. They also seem to have problems with SSL proxying.
I don't serve PHP-based apps, no matter how pretty or useful, unless they are guaranteed to never be used externally.
1. Re:PHPhhhtt! by Goaway · 2013-10-16 06:00 · Score: 1
  
  Wouldn't be a problem if PHP honoured Unix execute permissions.
  Too bad it doesn't.
2. Re:PHPhhhtt! by Anonymous Coward · 2013-10-16 06:27 · Score: 0
  
  It seems to be a common problem with PHP apps in general.
  Part PHP's mix-code-and-html design, part shitty developers and users who can't be bothered to install code inside DocumentRoot and data outside DocumentRoot
  They also seem to have problems with SSL proxying.
  I've never heard of such a problem. Googling, all I see are people who set up applications to redirect users to SSL and then get surprised when it tries to redirect incoming HTTP requests to the SSL site because the application sees a non-SSL request.
Story Doesn't Say by Anonymous Coward · 2013-10-16 04:26 · Score: 0

What's the point of the hack? Great, you created an admin account on a vBulletin site, now what are you gonna do? Will you post spam, delete other people's posts, post propaganda? The story doesn't say what they are or intend to do with the compromised sites.
Does vBulletin store unsalted passwords?
1. Re:Story Doesn't Say by smash · 2013-10-16 04:43 · Score: 2
  
  Download the usernames, email addresses and password hashes, duh! Salted passwords or unsalted, even a list of email addresses is worth something. Most of them ask for your date of birth as well. DOB, plus email address plus password hash and you're well on your way to identity theft.
  
  --
  I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
2. Re:Story Doesn't Say by Anonymous Coward · 2013-10-16 05:04 · Score: 1
  
  Easy, send fake messages from the admin saying that users need to reset passwords and send them to some attack site, harvest that and you might get a password they use for the email address, break into that etc etc etc.
3. Re:Story Doesn't Say by Anonymous Coward · 2013-10-16 05:39 · Score: 0
  
  You install your own PHP code on the server to do what you want.
4. Re:Story Doesn't Say by Cramer · 2013-10-16 08:00 · Score: 1
  
  As others point out... swipe the email addresses of all the users (99% useless, but people still do it), swipe the encrypted passwords (you'll have some success recovering some of them), swipe the "remember me" login cookie -- which automatically logs you in. But that's all script-kiddie piss.
  The pros are there to install malware into your site and/or redirect (read: out right, steal) your ad revenue. Some of them are very clever and redirect search engine hits, and search result clicks. (and they hide in parts of the database you cannot normally see)
vB's fault by Anonymous Coward · 2013-10-16 04:38 · Score: 0

Blame this on vB taking forever to come out with a patch once they knew about it. The actual software tells you when there is an update - AND - tells you to remove the /install/ now.
1. Re:vB's fault by Anonymous Coward · 2013-10-16 06:09 · Score: 0
  
  The instructions told you to remove /install/ before, but instructions are for little girls so nobody bothered to read them.
Hopefully a simple question by Anonymous Coward · 2013-10-16 05:38 · Score: 0

Why do database driven sites(forums) need to be able to write to the file system?
Why can't entire web sites like these be flagged read only to the file system?
Wouldn't that prevent 99.99% of these attacks?
1. Re:Hopefully a simple question by ogar572 · 2013-10-16 05:47 · Score: 1
  
  Because of the promise of 1. point and click install of everything 2. renders fast (because of caching) 3. thousand of plugins 4. Don't need a programmer to use it
2. Re:Hopefully a simple question by Anonymous Coward · 2013-10-16 05:56 · Score: 0
  
  I agree. We keep our databases completely in-memory and backup to redundant DIMMs.
3. Re:Hopefully a simple question by Cramer · 2013-10-16 08:11 · Score: 1
  
  For starters you don't want every damned thing to be in the database. SQL (mysql esp) is HORRIBLE at storing *files*... which means images, and various random attachments (pdf, exe, zip, etc., etc., etc.) Also, the more you have in the database, the harder it is to find (and fix) whatever the hell hackers tweak.
  Their very nature means they have to be able to write a lot of stuff. It doesn't matter where you put it, it's still writable, and hackers will be able to alter it. The forum software itself is not a static blob; there are plugins, and templates, and tweaks, and customizations, and thousands of configuration knobs -- and it all has to be writable, at least during installation and setup. Locking it down, just like deleting the f'ing installer, is something thousands of people can't be bothered to do.
4. Re:Hopefully a simple question by BrentNewland · 2013-10-16 11:24 · Score: 1
  
  If the software is properly written, it will take care of the permissions. It's trivial to make a PHP script that checks the permissions on each folder and file in the program, and change them if they aren't right. You can even have the script fall back to FTP if PHP doesn't have permission to change permissions.
And this is why by Anonymous Coward · 2013-10-16 06:24 · Score: 0

This is why people should use Invision - http://www.invisionpower.com/apps/board/ instead of vbulletin. As far as I can recall over the last few years when security exploits were discovered in Invision they at least were forthcoming and explained what the issue was and how it was to be fixed etc instead of just hiding it.
Slashdot by Anonymous Coward · 2013-10-16 06:37 · Score: 0

It's a good thing Slashdot's bulletin board is so ancient and convoluted that no one knows how to exploit it.
Nothing about this surprises me. by thevirtualcat · 2013-10-16 06:46 · Score: 4, Interesting

I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone down hill since Internet Brands bought Jelsoft.
The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and insure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)
Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".
Oh? You're on shared hosting? Good luck with that...
1. Re:Nothing about this surprises me. by denmarkw00t · 2013-10-16 16:30 · Score: 1
  
  Oh? You're on shared hosting? Good luck with that...
  Well, I wasn't on shared hosting...but then I installed vBulletin - ZING!
Much more than 1 week old by pjrc · 2013-10-16 07:13 · Score: 4, Informative

My site uses vBulletin.
This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.
Several weeks ago the vBulletin folks sent an email advisory to all registered users (eg, people who actually paid for the software) . In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommeded. The 2nd message, only a couple days later announced a new version which fixed this bug, even if the install folder was not deleted.
vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must deleted the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.
Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.

--
PJRC: Electronic Projects, 8051 Microcontroller Tools
1. Re:Much more than 1 week old by DNS-and-BIND · 2013-10-16 15:07 · Score: 1
  
  How do you even DO that? How would you be able to name the forum, set up subforums, etc.?
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Look and feel by mynamestolen · 2013-10-16 07:48 · Score: 1

Can someone please post a couple of links to show what the software looks like on a site. I have no idea what the typical layout and default look and feel is like.

--
work in progress
Lazy Vs. Uninformed by paysonwelch · 2013-10-16 09:03 · Score: 1

I always assume that it's pretty standard practice to delete any /install folder. I mean seriously.. Not only are you keeping your installation tidy but obviously it prevents anyone from re-running any install scripts. So it either comes down to people being lazy or just not knowing. I forget how many "webmasters" or "developers" are out there that don't even know the basics. As sort of an argument point spin-off, better software has led to less hands on deployment and made it easier for more people to deploy sites. In this vein people haven't learned how to RTFM since installs are so easy. /rant
Sadly by lapm · 2013-10-16 09:18 · Score: 1

Sadly most people that install forum software of any type, just don't follow security bulletins, or read install instructions properly anyways. Damn computer amateurs...
Oh dear by Anonymous Coward · 2013-10-16 14:37 · Score: 0

I thought you had this sorted.