KrebsOnSecurity Blog - Thousands of Sites Hacked Via vBulletin Hole

  • KrebsOnSecurity Blog - Thousands of Sites Hacked Via vBulletin Hole

    My friend Brian Krebs posted this blog entry this morning: http://krebsonsecurity.com/2013/10/t...bulletin-hole/

    Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.

    In a blog post in late August, vBulletin maker Jelsoft warned users that failing to remove the “/install” and “/core/install” directories on sites running 4.x and 5.x versions of the forum software could render them easily hackable. But apparently many vBulletin-based sites didn’t get that memo: According to Web site security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability.

    The security weakness lets attackers quickly discover which forums are vulnerable, and then use automated, open-source exploit tools to add administrator accounts to vulnerable sites.

    Imperva said the compromised sites appear to have been hacked by one of two sets of exploit tools that have been released publicly online.
    The first was apparently used in a mass Website defacement campaign. A Google search for forums with the rather conspicuously-named administrator account added in that attack (“Th3H4ck”) shows that many of the hacked sites also are hosting malware. Among the sites apparently compromised is a support forum for the National Runaway Safeline and a site selling vBulletin add-ons.
    All I can say is MY GOD. 35,000+ vBulletin sites compromised because

    a) No patch
    b) Poor Communication

    Le Sigh.
    ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
    Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

  • #2
    So, when we email, vbulletin announcements, AdminCP news, and social media releases, what more can we do to tell customers they need to fix the issue? I'm looking for an honest answer here.


    • #3
      Originally posted by Zachery
      So, when we email, vbulletin announcements, AdminCP news, and social media releases, what more can we do to tell customers they need to fix the issue? I'm looking for an honest answer here.
      Correct me if I'm wrong Zachery, but I recall that the licensing platform here documents and records what version vBulletin license is last downloaded. That can be attributed back directly to which users and customer sites are potentially vulnerable. From there, I would think it's quite easy to open up appropriate support tickets if need be.

      vBulletin announcements - not everyone visits the forums daily. Even I don't visit here daily anymore. Moreover no one really subscribes anymore too.

      AdminCP News - again - not everyone logs in everyday to see the headlines/news.

      Social Media - this is a shot in the dark. There is so much happening on twitter/facebook/etc. that the chances of seeing it are slim to none.

      Email: I've seen only two email notices, one dated September 3. Part of the issue was that the language DOWNPLAYED the threat and made the threat non-existent.

      Subject: vBulletin Security eBulletin: Potential Exploit of vB4.1.x & 5.0.x

      A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.
      The threat was largely downplayed by Internet Brands here. The wording and language here portrayed the threat was being looked at and examined and was not confirmed, and that if the threat was found credible, patches may be released. Furthermore, the language is more precautionary to delete the install folder. Lastly, the language implied that the threat will be confirmed should it be deemed credible.

      Lastly, Internet Brands still shares some of the responsibility here. Not only are the customers responsible for their install, but Internet Brands is still very much responsible for securely coding vBulletin. That includes installation components.
      ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
      Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment
