vBulletin.com / vBulletin.org Hacked

ah, I know this section requires a login, not sure if it's licensed members only or not.
http://www.vbulletin.org/forum/forumdisplay.php?f=30

 

My understanding is that some of the sections can only fully be seen by people who log in (members)

 

I think it's an unrelated issue, but that's just me.

 

There is no indication that they ever had server root access, all the stuff we saw was done as the apache user.

The enviromnent was not "littered" with php shells either. Since last week, at least one person claiming to be the hacker says they did not use any vbulletin exploit to gain access to the server. They also claim they supplied the screenshots to those who publicly claimed the hack. The point is people make claims about what was or wasnt done, but no one other than those truely responsible actually knows.

Right, you obviously dont know me very well, or you really are just full of it.

Not as far as I know, I have not seen any spam other than by the usual new registration spammers.

 

How was this determined? Logs do not count.

 

Wrong. I know you very well. Bad for me, good for you, my knowledge in English is limited to simple daily convertations, so almost impossible to express feelings and thoughts. But while in English I need sentences of sentences to explain it, in Greek there is just a single word which best fits for you and contains everything.

 

πουστιά - poystia? Hope I got it right.

 

...lol.... Not that this is far away, but the real one is that one with three "A"

 

Efharisto' poli' Sorry my Greek is a but rusty, but then my English is not too great either.

 

Apologies if it sounds like I'm beating a dead horse, but I saw this post written by Paul earlier this afternoon, and it left my stomach unsettled.

Translation: They have no idea how they were attacked.

 

HOW did hackers obtain the password?
Hardly surprising really, when unethical staff members are protected who have already been compromised.
How far has the compromising now gone?

It is clear that the staff there have no concept of the methods used by the high end hackers these days.
Sorry guys, but the old security methods are no longer of much use.

If you were ethical and doing your job properly instead of denigrating customers, they would be assisting you but alas you just do not get it. And probably never will.

 

I know it is easy to paint a big giant bullseye on the vBulletin staff members, and call them unethical, but in reality, security breaches apply to all organizations including the most ethical and unethical organizations. "Bad" does not discriminate.

Most organizations have no idea they have been compromised until it's too late. Many do not have the proper detection capabilities or the investigative capabilities on top of regular due diligence.

Cyber Defense is hard.

 

So... if they don't know how that got in, how do they know they're protected now?

 

Honestly, from my perspective, the biggest mistake was not asking an outside consulting firm that deals with incident response and investigation to look for indicators of compromise (IOC).

I'm guessing here, but I suspect the investigation was limited to a small subset of logs they retained.

Given the finite amount of information they were able to examine and review, we as customers need to assume that the Adversary is still in their networks, and that since they were unable to determine how they got in, we as customers are still at risk.

 

Not all VB staff members are unethical but they do tend to get lumped in with those that are unethical.

Words are cheap but I believe in this, "By their DEEDS ye shall know them"
(or in some cases by their LACK of necessary deeds)

Such deeds as lying to customers and posting propaganda about how great the load of crap known as VB5 is, is unethical.
Protecting liars and unethical staff members who support scammers and hackers is unethical, as is refusing to act fairly when an official complaint is received.
Deceiving customers and members by only allowing pro Vb comments to remain is unethical.
Banning customers whose only crime is to ask legitimate questions is unethical.
Altering customers and members posts to alter their intent is unethical.
Calling customers stupid for actually trusting Vb and purchasing VB on their recommendation is unethical.

Do I need to go on? It is true that SOME vb staff are helpful and kudos to them, but when the others act like dictators and do unethical things then they will be considered unethical.

The unethical ones have had plenty of opportunity to set the record straight and do the right thing by their customers, but alas they have made no visible attempt to do the right thing and continue to play the big mister trick just to feed their egos.

When they do the right and correct things then I will be happy to praise them but I have not seen any of this so far.

 

Extremely valid points.
If the Vb staff were acting in a respectful and responsible manner, then I am sure that some people involved in high end security would offer assistance but why would anyone offer help when they are acting in the manner they have adopted?

As has been stated by many admins on here, IF the VB staff acted properly then many of their customers would be willing to help them get Vb back up again. But as things are now.......

 

Our firm extended an invitation to help, but we never heard back.

 

This was very good of you and you are to be applauded. Well done!

 

Thanks, but it was entirely selfish . I wanted to know how much of my personal information was at risk, including credit card info, usernames, passwords, etc..