""Fixing your site after you have been hacked""

Discussion in 'vBulletin Discussions' started by oman, Jan 31, 2014.

  1. oman (Regular Member)
    Big al likes this.
  2. ManagerJosh (Regular Member)
    I think it's more like they don't want to fix the issue but more like they don't know how to fix the issue.
     
    Big al and oman like this.
  3. oman (Regular Member)
    Yeah, most likely that. Haha.
     
  4. AWS (Administrator)
    IPB has one too, but, it is how to secure your server.
     
    oman likes this.
  5. Big al (Regular Member)
    Would it not be smarter for VB to post something that says "Securing your site BEFORE it is hacked"

    Or even: "Fixing your software BEFORE we sell it to you"
     
    Autopilot and oman like this.
  6. oman (Regular Member)
    [attachment: image.jpg]

    Thought I'd ask. ;)
     
    AWS likes this.
  7. AWS (Administrator)
    I think the last part of that reply is wrong. It should say that if they become aware of an exploit they'll remove parts of the software to fix them.

    The last 2 fixes were to remove the install directory and the flash uploader. If enough exploits are found there might not be a vBulletin.
     
    Big al likes this.
  8. BirdOPrey5 (#Awesome)
    Pretty cheap blows all around in this thread.

    We do have a blog up on how to secure your site (before being hacked)- http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site

    There has also been a long standing post (created by Steve) with best ways to keep your site secure which has been available for those interested in further securing their site.

    The fact is if you have a forum, any forum, you run the risk of being hacked. VB was hit with a tough exploit last year and it seemed prudent to make securing your site before a hack a bigger issue. Had people followed the recommended security procedures the September Exploit wouldn't have been able to damage their site.

    The last two exploits were most easily dealt with by removing a directory and a file, for different reasons. There is (and never really has been) a good reason to keep your /install/ directory available; the hack just made it more obvious. It is better for everyone if the /install/ directory gets removed rather than fixing the issue in the file and leaving the /install/ directory accessible.

    As for the flash uploader, that wasn't a file vBulletin originally supplied; it was Yahoo who had the exploit and wasn't going to fix it. vBulletin doesn't have flash developers, but it didn't really matter: within a week or so, as I predicted, a community member patched the file and released it on vBulletin.org.
     
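A defender-side check for the /install/ leftover described in the post above, added here as an example and not code from the thread or from vBulletin: it audits a webroot for installer leftovers and quarantines them outside the document root instead of deleting them, so the files remain available for forensic comparison. The "install" path is the one the thread names; the uploader .swf path is an assumption about where vBulletin 4 shipped the YUI flash uploader and should be checked against your own tree.

```shell
#!/bin/sh
# Added example, not from the thread or from vBulletin: audit a vBulletin webroot
# for installer leftovers and quarantine them out of the document root.

# Paths relative to the webroot that should not stay web-accessible after install.
# "install" is the directory named in the thread; the .swf path is an ASSUMPTION
# about where vBulletin 4 shipped the YUI flash uploader (check your own tree).
LEFTOVER_PATHS="install clientscript/yui/uploader/assets/uploader.swf"

# audit_webroot WEBROOT
# Prints each leftover that exists; returns 0 if clean, 1 if anything was found.
audit_webroot() {
    found=0
    for rel in $LEFTOVER_PATHS; do
        if [ -e "$1/$rel" ]; then
            echo "leftover: $1/$rel"
            found=1
        fi
    done
    return $found
}

# quarantine_leftovers WEBROOT QUARANTINE_DIR
# Moves each leftover into QUARANTINE_DIR (outside the webroot) with a timestamp
# suffix and strips group/other permissions, so it is no longer served but is
# kept for forensic comparison. Returns 0 on success, 2 on a filesystem error.
quarantine_leftovers() {
    webroot=$1
    quarantine=$2
    mkdir -p "$quarantine" || return 2
    stamp=$(date +%Y%m%d%H%M%S)
    for rel in $LEFTOVER_PATHS; do
        [ -e "$webroot/$rel" ] || continue
        dest="$quarantine/$(echo "$rel" | tr '/' '_').$stamp"
        mv "$webroot/$rel" "$dest" || return 2
        chmod -R go-rwx "$dest"
        echo "quarantined: $webroot/$rel -> $dest"
    done
    return 0
}

# Demo against a constructed throwaway webroot (directories created here only
# for demonstration): ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/web/install"
    audit_webroot "$demo/web" || quarantine_leftovers "$demo/web" "$demo/quarantine"
    audit_webroot "$demo/web" && echo "clean"
fi
```

Point the functions at the real document root and a quarantine directory outside it; the quarantined copy can later be diffed against a clean vBulletin release to see whether anything was tampered with.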
  9. AWS (Administrator)
    You're right. I always removed the install directory. There was just no reason to have it.

    It's sad when a community member has to fix an exploit. Whether it was a Yahoo exploit or not, it showed the total ineptitude of the developers. IPB used the same library and a patch was released shortly after Yahoo announced the exploit. This was at least a week before vBulletin acknowledged there was a problem. Not having a flash developer is no excuse.

    If you use a third party library in your scripts you are responsible for updating to the patched library when an exploit is found. Removing a function and waiting for a user to fix it is ridiculous.
     
    thewhatami, Autopilot and Big al like this.
  10. Big al (Regular Member)
    I agree. Could this be a result of many of the good skillful guys leaving VB?
     
    Autopilot likes this.
  11. Autopilot (Regular Member)
    @BirdOPrey5 After 10 years of being exploited by could be, possible, potential vB exploits, I have concluded the best possible measure one can take to protect against any possible, could be, potential vB exploit was not to install the software. Problem solved, exploit fixed.
     
    oman and Big al like this.
  12. Big al (Regular Member)
    A clear solution!
     
  13. BirdOPrey5 (#Awesome)
    I get you are upset with the company but there has been one notable exploit (September last year) that had serious repercussions in the years since I've been there. It's not perfect but hardly a bad track record. IPB has its share of exploits found and XF has a fraction of the history vBulletin has. There are a lot of reasons you could bring up to say you are unhappy with vBulletin that I would understand (maybe not agree with, but understand); however, to claim a history of exploits isn't one of them.

    It's unlikely anyone would have gotten hacked with the flash uploader or any number of more minor exploits. The fact we even bring them up is our commitment to security, and you use it as a negative against the software.
     
  14. Cerberus (Admin Talk Staff)
    This is simply not true. The number of vBulletin exploits greatly exceeds 100. And, for the record, there have been over 15 in the last 6 months, all of which would greatly damage a site running the software.

    http://www.exploit-db.com/exploits/30212/ This is the most recent public one. December of 2013. And I would consider it pretty major being one could easily gain access to the admin account of the site. Also, it could be used to steal data such as usernames, passwords, so on etc. If done correctly the attacker could maintain said admin access forever realistically without the admin ever knowing.

    I went through some of the more private sites and I found 3 current exploits as of January 2014. I won't link to them for obvious reasons, but they are there. And yes, the reason that they have so many is because vBulletin was so popular. It is simply the nature of the game, but to pretend like they are not there is rather silly in my opinion.

    And lastly, on one of the private sites, in the comments about said exploit there is a link to the following article claiming credit for the hack using said exploit. http://www.networkworld.com/news/2014/010914-opensuse-forums-hack-raises-vbulletin-277538.html

    OpenSuse was hacked using a still valid vBulletin exploit. And this was last month. Only one notable, huh? And I already know you are going to do the same thing you always do and demand proof. Well, I am no snitch. If I am capable of finding it, then I imagine those who vBulletin pays to find this sort of thing should be quite capable of doing so. I do not do other people's jobs for them. Especially when they are being paid and I am not.
     
    Big al and Autopilot like this.
  15. BirdOPrey5 (#Awesome)
    The exploit you did link to was from a BETA version of 5.0 which was never supposed to be used on a live site and which was fixed long ago.

    The OpenSuse exploit was from an old version of VBSEO, not vBulletin, by the way: http://web.archiveorange.com/archive/v/9nunmzVJPX8E3BLt9K7S. Kind of thing where the headline makes page one but the correction is buried in the back of the paper.
     
  16. BirdOPrey5 (#Awesome)
    By the way, the alleged "secret" exploits: have you reported them?
     
  17. Autopilot (Regular Member)
    @BirdOPrey5
    The only reason vB brings them up is because others (not staff or vB coders) expose them. If your (vB) commitment to security is so strong, why is it others are aware of the exploit weeks, months, years before vB says anything about it? I have read posts on vB by members who reported exploits only to be met with ridicule and denial.
    So no, I don't agree with your opinion they are committed to security (for a commercial product even betas should not be released to the general public); if that were true, there would be more scrutiny for such problems before the product is sold. That being said, shit happens, and it is what vB does with the reports and how it treats those who report them, and the lengthy time it takes for a fix even when they know exactly where the exploit is.
    In the early days there was genuine commitment; today? Not so much. It's just so much lip service.
    The vB ship has sunk and at this point in time is unsalvageable. I don't believe they care enough to make sure all the rivets and sealant are in place before launching it into the water with customers aboard. In my opinion the coding sucks and the quality control that should be in place for a retail product is non-existent. It is a sad state when the customers were (past tense) more committed than vB et al.
     
    Big al likes this.
  18. BirdOPrey5 (#Awesome)
    There have been a number of patches released over the years for exploits found by VB staff themselves. They don't always make as much news as others. My feeling is you are exaggerating.
     
  19. Autopilot (Regular Member)
    Oh well, yup, they are my opinions and have saved me thousands of dollars by not reinvesting in them.
     
  20. Cerberus (Admin Talk Staff)
    Of course not. Being a coder/programmer, I understand the amount of work one puts into coding something like that up. I respect their work and would not tarnish it by reporting it. It is not my job to do so.

    Also, you are completely wrong about how OpenSuse was attacked. Though I do like how you blame VBSEO instead of vBulletin. But VBSEO was not to blame; it was vBulletin. And the fact they are claiming it was VBSEO means it will only happen again.
     
    Big al likes this.