Announcement

**Videx** · Mon 20 Sep '10, 6:35pm

I'm unaware of any vb vulnerability right now. But you didn't say if you're using the latest version. Hosts blame software all the time to take the heat off themselves.

**kontagio.us** · Tue 21 Sep '10, 5:40am

Try changing your Admin CP, FTP and MYSQL passwords. (Don't forget to change the config file to match your new passwords)

**Ion Saliu** · Tue 21 Sep '10, 8:28am

Apparently, we are having problems with hacking. Perhaps you saw my thread:

http://www.vbulletin.com/forum/showt...topped-working

Let’s hope hacking won’t repeat…

Best of luck!

Ion Saliu

**Paul M** · Tue 21 Sep '10, 8:32am

Hosts lie, and blame anyone but themselves.

I suggest you ask him to detail these mysterious vb "issues" he refers to.

**Shamil.** · Tue 21 Sep '10, 8:39am

Are you on a GoDaddy hosting service?

**Wayne Luke** · Tue 21 Sep '10, 8:49am

http://www.vbulletin.com/docs/html/securing_vbulletin
http://www.vbulletin.com/forum/showt...ms-More-Secure

And here is the same thing I tell every customer...

Make sure that your email, FTP and database passwords are all separate and strong (12+ characters, letters, numbers, symbols).
Only use FTP and email through SSL so your passwords are encrypted. They are not with the standard protocols. Never use telnet or cp. Use SSH and scp.
.htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.
Inventory your vBulletin files against a default download and delete anything that doesn't have a match.

**Ion Saliu** · Tue 21 Sep '10, 3:30pm

htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.

Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default? I use another software package for paid-membership. It has far stronger security features built-in. Oh, no! I would NOT use vB for paid membership even you paid me to do that!

The vB manual gives an example of .htaccess for /includes:

<Files config.php>
order deny,allow
deny from all
</Files>

Why didn’t you include such a security file in the installation package??

Now, this is downright crazy!!

Inventory your vBulletin files against a default download and delete anything that doesn't have a match.

How many hundreds of files are there in the downloaded package? You never counted them. Who in the world would be able to compare hundreds of files on the local computer and the installation on the server — and compare them?? Hello? I said hundreds and hundreds of files…

But this one is really discouraging!

Never use telnet or cp.

You mean cp as in Control Panel? If so, why in the world did you include an admincp in vBulletin?!

Look, guys. You believe the word is made up of nice guys entirely. There are criminals out there. You kind of overlooked the importance of security in your software. As popular as it might be, it can fall deeply if serious problems (hacking especially) occur more and more often.

I do wish you the best. I hope you take my observations in stride.

Ion Saliu

**Zachery** · Tue 21 Sep '10, 4:53pm

Originally posted by Ion Saliu View Post

Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default? I use another software package for paid-membership. It has far stronger security features built-in. Oh, no! I would NOT use vB for paid membership even you paid me to do that!

htaccess files do not work at all, or are just not used in some web server configurations. Including it could break sites.

vBulletin is fairly sucure overall, most of its weakness would be shared with any other software like it, once system access has been obtained, everything we can do goes out the window.

**beishe8** · Tue 21 Sep '10, 5:19pm

Originally posted by Zachery View Post

htaccess files do not work at all, or are just not used in some web server configurations.

That was the case with my previous host.

**compwhizii** · Tue 21 Sep '10, 6:21pm

Originally posted by Ion Saliu View Post

Look, guys. You believe the word is made up of nice guys entirely. There are criminals out there. You kind of overlooked the importance of security in your software. As popular as it might be, it can fall deeply if serious problems (hacking especially) occur more and more often.

I do wish you the best. I hope you take my observations in stride.

Ion Saliu

I think you're really just paranoid.

I don't understand the reasoning behind protecting your admincp with another password. If someone got your vBulletin admin password the only person to blame would be yourself.

**Ion Saliu** · Wed 22 Sep '10, 8:12am

Listen, guys. Don’t you get mad at me! Paranoid may be you, compwhizii. In fact, vB itself does create a sense of paranoia! “Delete install.php immediately after installation!” “Delete tools.php immediately after usage!” “Do not upload cinfig.php.new!” (But why was it included in the upload folder?)

When you read such messages, you get immediately the “idea” that there is something wrong with the security in vB. If the folders are well protected, why should I worry about forgetting files in my vB domain? And there are quite a few files to remember. You got to hunt for them. Human error is easy, and good software tries very hard to avoid human error. vB goes the other way in this regard. Like that crazy advice to check all those hundreds and hundreds of pages in the downloaded package and the server installation!

Now, I agree that there are adequate built-in security features in vBulletin. Yet, the vB team always urges the administrators to take care of the security of their own vB installations — as if vB was insecure!

Like the piece of advice that triggered my previous reply:

htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.

Why should admin do that if vB is already secure?! Not to mention that vB asks admins to go to third-party websites, learn a lot about htaccess and htpassword and password encryption! Hey, we already paid you pretty good for those features! But, what’s worse, the advice can lead to more dangerous results! Indeed, as someone here pointed out, htaccess are plain text files, even more vulnerable than php files. Also, htpassword are plain text files that show passwords in plain light. The vB team advises you to go to some websites and use other people’s scripts to encrypt the passwords (most likely, pay extra for that!)

Repeat, the admin folders in vB come with security built-in features. I can see hundreds of attempts to run PHP in my admin folders. The malicious attempts are failing. Then, again, why does vB team advise the admins to secure their folders (especially with those dangerous htaccess files)?

Here is a good idea and easy to implement. vBulletin should have in the Administrator Control Panel an option like aMember has. The left pane should have a visible option: ‘Protect Folders’. aMember gives me peace of mind. I can protect folders by three, not just one protection method. Everything is encrypted. I don’t have to hunt on other websites for security tools.

That would solve plenty of problem reports like you see in these vB forums. Don’t blame GoDaddy. They gave me a very good response regarding security. I have had no hosting problems with them since I started in 2005. It only happened after I installed vB. No other portion of my site was affected — only vB. Moreover, the problem reports refer to other webhosts, not only GoDaddy.

I only talked in firm terms because the issue is a very serious one. I’ve had no intent to harm or hurt feelings. I’ve viewed my posting as constructive participation. After all, it’s in my best interest to have a very secure vBulletin at my Web site.

Best of luck to all!

Ion Saliu

**bszopi** · Wed 22 Sep '10, 9:27am

Originally posted by Ion Saliu View Post

I can see hundreds of attempts to run PHP in my admin folders.

Try renaming your admincp folder to something completely off the wall (update your config.php file to match), and see if these attempts continue to exist.

**Ion Saliu** · Wed 22 Sep '10, 9:53am

Forget about it! You didn’t pay attention to the thread (perhaps you soon after a mid-day nap!) I consider a very bad idea to change folder names. It can turn into a bigger headache, as you need to edit the conig.php … and who knows what else. Beside, those attempts to my admincp folder will keep coming regardless. They’ll show up as errors in my site stats.

The main thing is the folders to be well secured against intruders. That was the topic of this thread.

I’m gonna have my mid-day coffee now. Bye!

**Dirt Bike Addict** · Wed 22 Sep '10, 11:46am

Originally posted by Ion Saliu View Post

Shouldn’t your vBulletin software have those security features built-in? Shouldn’t such security features be the default?

Why didn’t you include such a security file in the installation package??

Now, this is downright crazy!!

What would the point be of vB including .htacccess files if the default user name and password would be the same for every forum? Not to mention with all the different server configurations out there it just wouldn't make sense.

Originally posted by compwhizii View Post

I don't understand the reasoning behind protecting your admincp with another password. If someone got your vBulletin admin password the only person to blame would be yourself.

It's just another password the hacker has to get before he can even get to your admincp login screen.

Originally posted by Ion Saliu View Post

In fact, vB itself does create a sense of paranoia! “Delete install.php immediately after installation!” “Delete tools.php immediately after usage!” “Do not upload cinfig.php.new!” (But why was it included in the upload folder?)

When you read such messages, you get immediately the “idea” that there is something wrong with the security in vB. If the folders are well protected, why should I worry about forgetting files in my vB domain?

Are you serious, why wouldn't you delete those files after you're done with them?

Why was the config.php.new in the upload folder? Well if it wasn't there you'd probably be asking where it is/goes. Also the config.php.new has no important info in it, it's just a blank config file.

Originally posted by Ion Saliu View Post

Repeat, the admin folders in vB come with security built-in features.

They come with what? Not sure what you mean by "security built-in-features"

Originally posted by Ion Saliu View Post

Like the piece of advice that triggered my previous reply:

htaccess protect your Admincp, Modcp, includes, and install directories. Different usernames and passwords for each directory.

Why should admin do that if vB is already secure?

vB can't protect those folders you have to. (See first comment) I protect my folders through my server cp (Plesk)

Originally posted by Ion Saliu View Post

I consider a very bad idea to change folder names. It can turn into a bigger headache, as you need to edit the conig.php … and who knows what else. Beside, those attempts to my admincp folder will keep coming regardless. They’ll show up as errors in my site stats.

The main thing is the folders to be well secured against intruders. That was the topic of this thread.

Why is it bad to change your admincp and modcp folder names? If the hackers don't know what they're called how can they get to them? Also the config.php file is one of the easiest things to change in vB.

vBulletin 4 End of Life

Announcement

Site hacked twice in a month. Any solutions to prevent this ??

[CMS] Site hacked twice in a month. Any solutions to prevent this ??

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment