vb 3.x exploit uncovered?

  • vb 3.x exploit uncovered?

    Anyone else got the "Hi ya allll !! w000wwwooooo" spam flood recently on their 3.x forum?

    Looks like it's being suggested there may be a vulnerability in the build and that there may be a flood to follow:

    http://www.techwatch.co.uk/2011/05/0...s-vbulletin-3/

    It suggests that spammers have found a way to crack the custom question feature that helps reduce automated registrations by spambots.

    The behaviour so far is similar to previous mass test runs by Xrumer, which uses unique user strings with the same spam message to test how effective new cracking features work.

    While so far the spam has been sent from just one IP address to date, the danger is that if this is a new crack, that forum admins, especially on older vbulletin installs, could shortly face a new wave of spam as typically follows a security breach test.
    Is this really an issue specific to 3.x though? Anyone seeing this in the 4.x version?


  • #2
    I just came here wondering the same thing.
    Then again, I just checked my stopforumspam logs and don't see any variations of Robert.
    I get registration attempts every few minutes.
    Last edited by steven s; Mon 9 May '11, 1:20pm.
    ...steven
    www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
    bmwcca.org/forum | m135i.net
    "I tried to clean this up but this thread is beyond redemption." - Steve Machol



    • #3
      We've had no information on this that I'm aware of.
      Vote for:

      - *Admin Settable Paid Subscription Reminder Timeframe*
      - *PM - Add ability to reply to originator only*
      - Add Admin ability to auto-subscribe users to specific channel(s)
      - "Quick Route" Interface...



      • #4
        Well, you've just been pointed in the direction of 3000+ Google results that show a bot has managed to post the same message across a wide range of vb 3 forums.



        • #5
          Originally posted by I, Brian View Post
          Well, you've just been pointed in the direction of 3000+ Google results that show a bot has managed to post the same message across a wide range of vb 3 forums.
          4,000
          http://www.google.co.uk/search?hl=en&biw=1600&bih=777&q="Hi+ya+allll+!!+w000wwwooooo"+"vbulletin"&btnG=Search&aq=f&aqi=&aql=&oq=
          ...steven
          www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
          bmwcca.org/forum | m135i.net
          "I tried to clean this up but this thread is beyond redemption." - Steve Machol



          • #6
            vB4.1.3 has been attacked as well
            environment: Centos 6.9, Apache v2.4.25, PHP 5.6.30/xCache, MariaDB 10.22 -- vB5 Connect Licensed

            AusPhotography - Australia's Premier Photographic Forum vB4.2.3
            Rick (site owner) and Kym (site tech) sharing this account



            • #7
              18,800 results last time I googled the link.
              Must be a coincidence.
              ...steven
              www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
              bmwcca.org/forum | m135i.net
              "I tried to clean this up but this thread is beyond redemption." - Steve Machol



              • #8
                Originally posted by steven s View Post
                18,800 results last time I googled the link.
                Must be a coincidence.
                About 75,900 results (0.30 seconds)

                I do hope the vB team is taking this attack seriously...
                -- Web Developer for hire
                ---Online Marketing Tools and Articles



                • #9
                  Originally posted by Loco.M View Post
                  About 75,900 results (0.30 seconds)

                  I do hope the vB team is taking this attack seriously...
                  It can easily be blamed on a 3rd party mod/hack. But for all of those sites to have the same mod/hack is doubtful.
                  No doubt the fix is to install vB4 since vB3 is EOL.
                  ...steven
                  www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                  bmwcca.org/forum | m135i.net
                  "I tried to clean this up but this thread is beyond redemption." - Steve Machol



                  • #10
                    We do take these things very seriously, but in order to do anything about this we need information. If someone is hacked, they should fill out a support ticket so we can help. So far no one has provided anything that shows this is an exploit in the latest versions of vB and without some evidence of this, it is not something the Devs can look at.

                    FWIW, every ticket I've seen to date was from people either running older versions of vB with known security holes, and/or using add-ons that are outdated and have been compromised.
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




                    • #11
                      If (big if) what if someone set up accounts ages ago, and left them sitting dormant. Once a user gets past registration, it is possible that they never will be checked again to see if they're a spammer. (Most people don't use Akismet/TypePad+.)

                      If a user already had an account, it wouldn't be hard for a bot to hit thousands of sites with login information and add/edit posts.



                      • #12
                        Originally posted by Zachery View Post
                        If (big if) what if someone set up accounts ages ago, and left them sitting dormant. Once a user gets past registration, it is possible that they never will be checked again to see if they're a spammer. (Most people don't use Akismet/TypePad+.)

                        If a user already had an account, it wouldn't be hard for a bot to hit thousands of sites with login information and add/edit posts.
                        Nah. At the several forums I looked at the join date is May 2011.
                        I use vbstopforumspam and haven't seen the name attempt to log in in the logs. One forum is v3 and the other v4.
                        I get attempts every few minutes. It is odd.


                        Add: I noticed some other forums are phpBB and simplemachines.
                        Last edited by steven s; Fri 13 May '11, 11:47am.
                        ...steven
                        www.318ti.org (vB3.8) | www.nccbmwcca.org (vB4.2)
                        bmwcca.org/forum | m135i.net
                        "I tried to clean this up but this thread is beyond redemption." - Steve Machol



                        • #13
                          Originally posted by steven s View Post
                          It can easily be blamed on a 3rd party mod/hack. But for all of those sites to have the same mod/hack is doubtful.
                          No doubt the fix is to install vB4 since vB3 is EOL.
                          I wouldn't be surprised if it was from an add-on.
                          -- Web Developer for hire
                          ---Online Marketing Tools and Articles



                          • #14
                            There have been some reports of 'vanilla' vB4.1.3 sites being hacked. I hope those people log a ticket.

                            I've created a mod that limits registrations to a time window. E.g. I've stopped 1am - 10am our time for now.

                            See: http://www.vbulletin.org/forum/showthread.php?t=263617
                            Last edited by AusPhotography; Fri 13 May '11, 10:26pm.
                            environment: Centos 6.9, Apache v2.4.25, PHP 5.6.30/xCache, MariaDB 10.22 -- vB5 Connect Licensed

                            AusPhotography - Australia's Premier Photographic Forum vB4.2.3
                            Rick (site owner) and Kym (site tech) sharing this account
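
Added example (not part of any post in this thread, and not vBulletin code): a small audit an admin could run over exported post data to spot the pattern the thread describes, the same message posted by many different accounts, and to tell freshly registered accounts (as observed in #12) from long-dormant ones (as suggested in #11). The row layout, usernames, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample rows: (username, join_date, post_date, source_ip, body)
POSTS = [
    ("Robert4821", date(2011, 5, 7), date(2011, 5, 7), "203.0.113.9", "Hi ya allll !! w000wwwooooo"),
    ("Robert0917", date(2011, 5, 8), date(2011, 5, 8), "203.0.113.9", "hi ya allll !!  w000wwwooooo "),
    ("Robert7730", date(2011, 5, 8), date(2011, 5, 9), "203.0.113.9", "Hi ya allll !! w000wwwooooo"),
    ("longtimer", date(2006, 2, 1), date(2011, 5, 9), "198.51.100.4", "Anyone else seeing this spam?"),
    ("newbie", date(2011, 5, 9), date(2011, 5, 9), "198.51.100.7", "Hello, first post here."),
]


def normalize(body):
    """Case-fold and collapse whitespace so trivial variations group together."""
    return re.sub(r"\s+", " ", body).strip().lower()


def find_floods(posts, min_accounts=3, max_account_age_days=2):
    """Return one finding per message body posted by >= min_accounts distinct users."""
    groups = defaultdict(list)
    for user, joined, posted, ip, body in posts:
        groups[normalize(body)].append((user, joined, posted, ip))

    findings = []
    for body, rows in groups.items():
        users = {r[0] for r in rows}
        if len(users) < min_accounts:
            continue
        # Accounts that posted within a few days of registering (not dormant ones).
        fresh = {r[0] for r in rows if (r[2] - r[1]).days <= max_account_age_days}
        findings.append({
            "body": body,
            "accounts": sorted(users),
            "fresh_accounts": sorted(fresh),
            "ips": sorted({r[3] for r in rows}),
        })
    return findings


if __name__ == "__main__":
    for f in find_floods(POSTS):
        print(f["body"], f["accounts"], f["fresh_accounts"], f["ips"])
```

If `fresh_accounts` is empty while `accounts` is not, the posts came from accounts registered well before they posted, which points at the dormant-account explanation rather than a registration bypass.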
