Slashdot Mirror


35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because, according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrators of the websites had just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content, anyone?)

12 of 91 comments

  1. Week old by Slashdot time by Anonymous Coward · Score: 4, Funny

    Months old by the rest of the internet...

  2. Re:That's what you get for using vBulletin by smash · Score: 5, Insightful

    not hard to do if you don't care about security you mean.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  3. Re:That's what you get for using vBulletin by Shoten · Score: 5, Insightful

    Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

    Right...because everyone who could ever want to use a forum is a web developer, right? And, of course, every one-off forum app will be TOTALLY free from vulnerabilities, of course. Oh, and let's not forget that there's no benefit whatsoever to different forums being somewhat similar in terms of user interaction...so let's just throw that out the door as well.

    Seriously?

    --

    For your security, this post has been encrypted with ROT-13, twice.
  4. Re:That's what you get for using vBulletin by Krojack · Score: 4, Insightful

    Plus writing your own message board from scratch isn't an easy task. There is a LOT within these systems. I've been coding in PHP for about 8 years and even I don't want to take on this task.

  5. A bit iffy??? by NoNonAlphaCharsHere · Score: 5, Insightful

    Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

    You misspelled "batshit-insane".

    1. Re:A bit iffy??? by Bigbutt · Score: 4, Interesting

      First thing I did with my Wordpress site was check the 'net for suggestions on how to secure the site. I've blocked off the admin access areas through the httpd.conf file restricting it to my work and home IPs. I occasionally have to update the IP when my home dhcp address changes but it works fine for what I'm doing.

      [John]

      --
      Shit better not happen!
  6. Re:Right-o by firex726 · Score: 4, Interesting

    Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

  7. Why Only Now? by terrab0t · Score: 4, Interesting

    If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

    1. Re:Why Only Now? by moteyalpha · Score: 4, Interesting

      If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

      You are absolutely right. I was shocked at how quickly the knocking began. Within a day of registering a new address it already had obvious attempts to find a hole. The logs also show many other things that would worry people IF they knew it was happening. Very few people have the experience and skills to deal with it. It seems obvious that the intruder has the advantage. In a system with more than 2 to the 64th directions to guard against, the attacker has the advantage of surprise.
      Analogy: Open field, everybody has a gun, some have food, others want it.
      It could be that the only way to win is not to play at all. The problem is that the game has already started and this is no longer a choice. There is a dominant strategy. It is a conflict of interests. It is thus "Bellum Omnium contra omnes". No way to tell how it will end, but everybody has a "shot". ;)
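
As an added example (not from either of the posts above), here is what "watching your access logs" for installer probes looks like in practice: a small sh/awk filter that flags requests to any "install" path segment, including the /install and /core/install folders the summary says should have been deleted, and reports per-client counts. The log lines are constructed samples in combined log format; the important distinction it draws is between a probe that got a 404 (the installer is gone) and one that got a 200 (the installer is still reachable).

```shell
# Constructed sample log lines (combined format); not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Sep/2013:10:01:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2013:10:01:05 +0000] "GET /install/upgrade.php HTTP/1.1" 404 231 "-" "python-requests/1.2"
198.51.100.9 - - [10/Sep/2013:10:01:06 +0000] "GET /core/install/upgrade.php HTTP/1.1" 200 1024 "-" "python-requests/1.2"
192.0.2.44 - - [10/Sep/2013:10:02:11 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2013:10:02:30 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 404 231 "-" "python-requests/1.2"'

# Read combined-format log lines on stdin; print "client status path" for
# every request whose path contains an "install" directory segment
# (matches /install/, /core/install/, /forum/install/, ...).
install_probes() {
    awk '{
        path = $7
        if (path ~ /(^|\/)install(\/|$)/) print $1, $9, path
    }'
}

# Per-client summary. A 200 on an install path is the case that matters:
# it means the installer is still being served, not merely being scanned for.
probe_summary() {
    printf '%s\n' "$SAMPLE_LOG" | install_probes | awk '{
        hits[$1]++
        if ($2 == "200") live[$1]++
    } END {
        for (ip in hits) printf "%s probes=%d reachable=%d\n", ip, hits[ip], live[ip] + 0
    }'
}

# Total number of install-path requests in the sample.
probe_count() {
    printf '%s\n' "$SAMPLE_LOG" | install_probes | wc -l | tr -d ' '
}

# Number of install-path requests that were answered with 200.
reachable_count() {
    printf '%s\n' "$SAMPLE_LOG" | install_probes | awk '$2 == "200" { n++ } END { print n + 0 }'
}
```

To run it against a real log, replace the `printf ... "$SAMPLE_LOG"` stage with `cat /var/log/nginx/access.log` (path assumed; adjust for your server).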

  8. Re:Right-o by Archangel+Michael · Score: 4, Interesting

    Personally, I start with the premise that the sites are already insecure. From there, I only provide information needed. I also create a unique email address for each site, so that if they are compromised, only my account on that site is compromised and nothing else is at risk. My private email address remains only for personal communication.

    To compromise my life would require the NSA, and I already figure that has happened, but that I am not interesting enough to act on it .... yet.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. Nothing about this surprises me. by thevirtualcat · Score: 4, Interesting

    I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone downhill since Internet Brands bought Jelsoft.

    The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and ensure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)

    Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".

    Oh? You're on shared hosting? Good luck with that...
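
As an added example (not from the post above or from vBulletin itself), here is a sh script that applies the mode scheme just described (files 440, directories 550, upload directories 770, install/ removed) to a document root, then audits the tree for the things that scheme is meant to prevent: a surviving installer, PHP files dropped into the writable upload directories, and anything world-writable. The upload directory names are the ones the post mentions and the document root is passed in; denying PHP execution inside the upload directories is web-server configuration, which this script does not touch.

```shell
# Directories the forum must be able to write to (named in the post).
UPLOAD_DIRS="customavatar attachment"

# Apply the 440/550/770 scheme to a vBulletin document root.
harden_vb_tree() {
    root="$1"
    # The installer is the hole this thread is about: remove both locations
    # first, while the directories are still writable.
    rm -rf "$root/install" "$root/core/install"
    # Owner and group read-only, nothing for "other": the php-fpm pool user
    # can serve the code but cannot modify it.
    find "$root" -type d -exec chmod 550 {} +
    find "$root" -type f -exec chmod 440 {} +
    for d in $UPLOAD_DIRS; do
        if [ -d "$root/$d" ]; then chmod 770 "$root/$d"; fi
    done
}

# Print each problem found; return 1 if there were any, 0 if the tree is clean.
audit_vb_tree() {
    root="$1"
    problems=0
    for d in install core/install; do
        if [ -d "$root/$d" ]; then echo "installer still present: $d"; problems=1; fi
    done
    # PHP files inside the writable upload directories are the "r00t.php"
    # and "shell.php" finds the post describes.
    for d in $UPLOAD_DIRS; do
        if [ -d "$root/$d" ]; then
            for f in $(find "$root/$d" -type f -name '*.php'); do
                echo "php file in upload dir: $f"; problems=1
            done
        fi
    done
    # Nothing under the document root should be world-writable.
    for f in $(find "$root" -perm -002); do
        echo "world-writable: $f"; problems=1
    done
    return $problems
}
```

Run `audit_vb_tree /path/to/forum` from cron so that a file like shell.php appearing in an upload directory is reported rather than found by accident.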

  10. Much more than 1 week old by pjrc · Score: 4, Informative

    My site uses vBulletin.

    This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.

    Several weeks ago the vBulletin folks sent an email advisory to all registered users (e.g., people who actually paid for the software). In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommended. The 2nd message, only a couple of days later, announced a new version which fixed this bug, even if the install folder was not deleted.

    vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must delete the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.

    Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.