Hack Attacks

  • Hack Attacks

    There appears to be a group targeting vBulletin users with hack attacks, particularly those using lower than 2.01 versions. Unfortunately vBulletin has been of little assistance in dealing with this security issue, particularly for those who paid for past installation upgrades.

    My board has been hacked three times. I've now temporarily closed it. Emails to vBulletin have resulted in "Pay $135 to us and we'll upgrade you from vBulletin beta to 2.0.1." They specifically stated to me in my support request, "I'm afraid that the initial installation service pays for a single installation only - the price does not include future updates."

    When there is a serious security issue with vBulletin software, those who paid for installation of the version that has the major security flaw should be automatically upgraded to the secure version.

    Hackers are now logging into forums that have these security issues then taking control of admin functions and printing messages from the administrator that contain elaborate details on how to hack the forums and destroy them completely.

    Up until now I have always been very impressed with the vBulletin product and customer service. But when I'm in the middle of a crisis brought on by a security hole with their software, I do not want to be told "pay $135 for the upgrade package and we'll fix the problem." That just creates a whole new set of problems.

    Joe Tracy

  • #2

    I sympathize with your plight. However it's not really that hard to upgrade from an earlier version to the latest. What trouble are you having?
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)

    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


    • #3
      I can understand your point to a certain extent. Two things I disagree with you on:

      First, the screen where you purchase installation support clearly states that it is one-time-only and you are agreeing to this.

      Secondly, vBulletin 2.0 betas were just that - betas. They were not intended to be run by the masses, but by the more technically inclined given the understanding that beta software can and sometimes does bring your system to a screeching meltdown or subject you to certain other risks, such as being hacked. They were not officially supported because of this.

      All this said, it is really not hard to upgrade. Installing is one thing as it requires a bit more knowledge, but upgrading is a matter of uploading the files and clicking through the upgrade screens in your browser.


      • #4
        Thank you both for your messages. I would agree that if there wasn't a security issue then a person should be charged. But when there is a major security issue resulting in mass hacks and publicly posted details on how to hack into such sites then it is the job of the software maker to make good and that means that if a person purchased a vBulletin installation then they should upgrade the security issue (even if it doesn't upgrade the forum) at no cost.

        It doesn't help that I am currently in a six month in-depth use of vBulletin for a review I'm to write on the software product. Up until this point I had been extremely pleased with both the product and service. While I'm still impressed with the product (and believe it is the best out there), the service ("even though you paid to have us install it, we are going to make you pay to fix a major security problem") is leaving a lot to be desired and is being mishandled (IMHO) on vBulletin's side.

        Regarding Upgrading.

        I would agree that upgrading might be a simple process if the directions in the manual were more clear and step-by-step. They aren't. It simply says, in general, "Upload all files". I think if I uploaded all files of 2.0.1 I would erase some important elements and customization. There has been a post or two more clear on these boards, but the official guidelines are still lacking big time.

        Thank you for your excellent comments/suggestions. I will be attempting a self upgrade later this evening...

        Joe Tracy


        • #5
          Unless you edited the PHP files (in which case my next question is if you can edit the PHP files do you really need help upgrading) nothing will be overwritten. Everything is stored in the database. It really is just a matter of uploading the files and running the upgrade scripts.


          • #6
            I'm working on the install and I'm at the point where you run upgrade3.php, etc.

            When I first tried running the upgrade3.php, I received the following error message: "Security alert! install.php still remains in the admin directory. This poses a security risk, so please delete that file immediately. You cannot access the control panel until you do."

            No problem. I deleted install.php from the admin directory on my server. I then tried running the script again and received the exact same error message even though I clearly deleted install.php. I double checked the server admin directory and install.php is gone. Ideas?

            Joe Tracy


            • #7
              For those who had the same problem as me above, I resolved the problem by clearing my cache, history, then rerunning it.

              Joe Tracy

