• Hackers!!

Yesterday our Version 2.0.0 Beta was hacked. We found out that they did a search on google for that version number.

We immediately upgraded to the newest version.

WELL the *sshole is back again RIGHT now trying to do it again.

They are trying to access the user info by sending mysql queries directly through the webpage!

I need to know that this security breach has been fixed in this newest version.

Any suggestions??

Thanks,
Vickie

• #2

FWIW

They got the password of Admin by hacking into the database and updating a visible user field like homepage or ICQ to the password in order to gain access.

Man, don't these people have anything better to do with their time??!


• #3

As stated many times this exploit was fixed several versions ago.


• #4

To better answer your question:

1) Go through the process of upgrading to version 2.0.1. This will fix the immediate problem and is the only way to prevent the continued attack.

2) Double check all the information in your control panel to see what they changed - particularly email addresses.

There is a group of people targeting vBulletin users and successfully getting into pre-2.0.1 versions of vBulletin. It is imperative that you immediately upgrade to 2.0.1 for the security fix.

Don't look to vBulletin Customer Service for installation assistance, even if you've paid them to install the version you're using that has the security issue. They will want $135 even though it is a security problem.

There are some great threads that will assist you with the installation upgrade process. This includes:

http://www.vbulletin.com/forum/showt...threadid=19300

http://161.58.84.213/forum/showthrea...threadid=17464

Also, read other threads on these forum hacks, like the following:

http://www.vbulletin.com/forum/showt...threadid=22228

http://www.vbulletin.com/forum/showt...threadid=22219

Here is a security advisory on the problem:
http://www.safermag.com/html/safer35/alerts/35.html

These hackers have struck dozens of vBulletin sites. Many are still down. In 10 minutes I found 6-7 sites currently affected by these security problems via a simple search engine inquiry looking for beta versions of vBulletin. When you go to these sites you end up getting messages about "forums being down to fix security issues" like the following: http://forum.nwgaems.org/ (as of Sunday morning).

Hopefully the information in this email will assist you in dealing with this unfortunate problem. Most important is to close your forums, double-check your control panel information, change your password and upgrade to 2.0.1 - immediately.

Joe Tracy
Last edited by jtracy; Sun 8 Jul '01, 10:54am.

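Step 2 above ("double check all the information in your control panel") and the exfiltration pattern from post #2 (a password hash copied into a visible profile field) can be checked mechanically against a before-and-after export of the user table. The script below is an added example, not code from the thread or from vBulletin; the field names, the 32-hex-character hash format and the sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample rows, standing in for an export of the forum's user
# table taken before the incident (baseline) and now. Field names and the
# 32-hex-character password hash format are assumptions, not from the thread.
PLACEHOLDER_HASH = "0123456789abcdef0123456789abcdef"
BASELINE = [
    {"username": "Admin", "email": "admin@example.org",
     "homepage": "http://example.org", "icq": "", "password": PLACEHOLDER_HASH},
    {"username": "vickie", "email": "vickie@example.org",
     "homepage": "", "icq": "12345678", "password": "fedcba9876543210fedcba9876543210"},
]
CURRENT = [
    # Admin: hash copied into the visible homepage field, contact email swapped
    {"username": "Admin", "email": "mail@attacker.invalid",
     "homepage": PLACEHOLDER_HASH, "icq": "", "password": PLACEHOLDER_HASH},
    {"username": "vickie", "email": "vickie@example.org",
     "homepage": "", "icq": "12345678", "password": "fedcba9876543210fedcba9876543210"},
    # An account that did not exist before the incident
    {"username": "backdoor", "email": "x@attacker.invalid",
     "homepage": "", "icq": "", "password": "00000000000000000000000000000000"},
]

HASH_RE = re.compile(r"^[0-9a-f]{32}$")
PUBLIC_FIELDS = ("homepage", "icq")            # shown on the public profile
WATCHED_FIELDS = ("email", "homepage", "icq")  # compared against the baseline


def audit_users(baseline, current):
    """Return (username, finding) pairs worth a manual look."""
    findings = []
    base_by_name = {row["username"]: row for row in baseline}
    for row in current:
        name = row["username"]
        # A public profile field holding something shaped like a password hash
        # is the exfiltration pattern described in the thread.
        for field in PUBLIC_FIELDS:
            if HASH_RE.match(row.get(field, "")):
                findings.append((name, f"{field} contains a hash-like value"))
        base = base_by_name.get(name)
        if base is None:
            findings.append((name, "account not present in baseline"))
            continue
        # Any contact or profile field that drifted since the snapshot
        for field in WATCHED_FIELDS:
            if row.get(field, "") != base.get(field, ""):
                findings.append((name, f"{field} changed"))
        if row["password"] != base["password"]:
            findings.append((name, "password hash changed"))
    return findings
```

Run it against a real pre-incident backup and the live table; every finding it returns is a row to inspect and, for the email and password fields, to reset out of band.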

• #5

Joe, I understand you are upset about the situation. But the poster merely asked if it was fixed in the newest version. She stated she already upgraded. I answered her question.


• #6

Originally posted by jtracy:
"Don't look to vBulletin Customer Service for installation assistance, even if you've paid them to install the version you're using that has the security issue."

This is just plain not true. The support team will assist with queries of any kind, not just non-installation. However yes there is a set charge for installation or upgrading an installation if the license holder wishes to have it done for them. If they want to follow this route they will have to pay like everyone else.

"They will want $135 even though it is a security problem."

You were running beta software. You were warned ahead of time that it might crash your system or leave you vulnerable and that there was no official support. If it was a release version I might have a little more sympathy for you. You also knew when you purchased installation that it was one time only and future upgrades would incur additional charges.

2.0.0 has been out since May 20 and 2.0.1 has been out since June 4. My question is if you are so concerned about this why didn't you upgrade then a month and a half ago?


• #7

I concur with Kevin. I certainly understand Joe's frustration, but at the time he ordered the software, the official and stable release was v1.1.6. Although I wasn't privy to the communications, I have to believe that Joe was informed of the potential problems installing beta software. Consequently I believe he made an informed decision to go with beta 4 in spite of this.

In addition, Jelsoft did a good job of informing people through these forums of the security problems with the pre-final versions. I do think, though, they should have informed all license holders of this fact via email as well. Nonetheless, anyone who knowingly installs beta software accepts the risks inherent in doing so.

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
Change CKEditor Colors to Match Style (for 4.1.4 and above)

Steve Machol Photography

Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


• #8

I further agree with smachol that an email should have been sent to all appropriate users over this major security problem.

There was an email from Jelsoft:

JELSOFT E-BULLETIN
http://www.vbulletin.com
March 8th, 2001

~ vBulletin 1.1.6
~ vBulletin 2.0.0 BETA 3
~ Your License Information
~ Contact Us

------------- VBULLETIN 1.1.6 NOW AVAILABLE --------------

vBulletin 1.1.6 is now available for download from the members
area.

This release corrects several fairly severe security issues,
and therefore we recommend that all customers download and
install this version as soon as possible.

Note: This update affects all PHP scripts. If you have hacks
installed and would like an overview of changed code, you can
use "Beyond Compare" to merge your hacks into the new version.

Download vBulletin 1.1.6 Now:
http://www.vbulletin.com/members/

Beyond Compare:
http://www.scootersoftware.com/

---------- VBULLETIN 2.0.0 BETA 3 NOW AVAILABLE ----------

The third BETA version of vBulletin 2.0.0 is now available for
download from the members area. As well as a raft of new
features and bug fixes, the development team has also found
and fixed a couple of security issues. We recommend that all
customers who are currently running a previous beta of
version 2.0.0 upgrade as soon as possible to this release.

For complete information about this new release, please visit:
http://www.vbulletin.com/forum/showt...threadid=10841

Download vBulletin 2.0.0 BETA 3 Now:
http://www.vbulletin.com/members/

Note: Since vBulletin 2.0.0 is BETA grade software, we can't
guarantee that it will be free of bugs. Also, we're unable to
offer any official support for this version. If you encounter
any bugs/problems, please post a note in the following forum:
http://www.vbulletin.com/forum/forum...php?forumid=19


• #9

Regarding Email on Security Issue:

While I don't have a record of that email, if it was sent then I apologize for questioning such in my last statement. It's a good procedure to follow with such security issues and it looks like Jelsoft followed it. Good job.

I do think it would have been good if the issue was given more urgency. At first glance the email appears like a simple newsletter or "upgrade update" versus the announcement of an urgent security fix. Still, it's good that something went out. Thanks for posting that, Philipp.

Joe Tracy


• #10

Joe,

I still don't understand your position on this one.

You installed beta software.

You paid for the installation - apparently because you were not technically capable of installing it yourself.

Your beta software had a security hole.

You went back and asked for a free installation of the next version of the beta or possibly the release software - I'm not sure which.

Why do you think you are entitled to a free installation? What in your agreement with Jelsoft covered a free installation when you were running beta software?

I would not suggest trashing Jelsoft in your magazine article. You will certainly look like a fool in my opinion.

It's really very simple. Don't install beta software unless you are fully aware of the risks and costs associated with it. It's not complicated.

I've just decided to not bother subscribing to your magazine - I was going to go looking for it - as if this is the attitude that guides your reviews, I'm not going to waste time reading them.

It was beta software man. Give it a rest.

-t
Tim Hewitt


• #11

thewitt,

You obviously don't understand the issue (the difference between an "upgrade" and a "security fix"), so I won't try to explain it again. However, I don't just go "trashing" anyone in any article. I state facts as they occurred based on my experience as a reviewer. vBulletin is, by far, one of the best forum programs out there. Even a bad support experience won't change that opinion in verbal or written form.

Joe Tracy

P.S. Sorry you felt the need to launch a personal attack in your post. Such only weakens a person's position when they resort to personal attacks versus simple discussions of the issue at hand. The reason our magazines and books do so well is because we are always very open and honest with our readers (even if it means losing advertising) and we also allow (and publish) dissenting opinions. When people can engage in conversations free of personal attacks then you can have some great discussions and debate. Even though you appear hostile towards my position, I welcome your opinion and wish you the best.
Last edited by jtracy; Sun 8 Jul '01, 4:37pm.


• #12

Joe,

I respectfully submit it's you who is not understanding the issue. Beta software is inherently risky. You had the option of having Jelsoft install a released and stable version (1.1.6). However you made the decision to have them install the beta instead.

If we were talking about security problems in a stable version, then I'd be a lot more sympathetic to your position. But that's simply not the case. Let's consider these questions:

1) Did you or did you not ask Jelsoft to install the beta version of the software?

2) Do you understand what beta software is?

3) Were you informed, or otherwise had knowledge of, the inherent risks in installing a beta version of vB?

4) Knowing that you were using a beta did you take the steps necessary to keep yourself informed of any bugs and security problems that might arise?

In any beta testing program I've been aware of - including the one for vB 2.0 - it's been made very clear that the software is not stable and the customer uses it at his or her own risk. This is a far cry from your characterization of Jelsoft as 'blaming the customer'.

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


• #13

Jelsoft did a great job of outlining its beta program. I have no qualms there. A major security issue arose that allowed people to break into vBulletin forums. No problem. It's beta software. That is to be expected and I accept that. The problems arose in trying to get assistance in the issued security fix for the problem. It's a support issue, not a software issue. I have no qualms about the excellent software, only about the way support handled the issue. If there is a security fix to a major security hole that is being massively exploited then it seems right that Jelsoft would want to immediately install the security fix onto boards that people paid them to install while allowing others to manually upload the fix accordingly.

BTW, smachol, I greatly appreciate the parameters in which you've discussed this issue here and elsewhere. I feel that your opinions have been balanced even when in disagreement.

Respectfully,

Joe Tracy


• #14

Originally posted by jtracy:
"BTW, smachol, I greatly appreciate the parameters in which you've discussed this issue here and elsewhere. I feel that your opinions have been balanced even when in disagreement.

Respectfully,

Joe Tracy"

Great - now I feel like a jackass for being as harsh as I was!

Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


• #15

Joe,

I am sorry that you felt wronged by the Customer Service that you received. Our service to the customer is something that we are constantly trying to improve and I will mention your complaints to the other staff at Jelsoft.

At the time of your attack which happened during a Beta Testing period we had 1 person in charge of installs and one person in charge of support. Since then we have increased the number of support staff to accommodate the demand.

We currently have over 100 issues that we are working on not counting the issues posted in this forum. I know this is no excuse for the service you received but the two different security exploits discovered in vBulletin couldn't be fixed with a simple patch. They were major exploits and required a lot of work by the developers to fix.

I know you had an unfortunate experience with our company and I can't change that now. What I can do is make sure that in the future we try harder to fulfill your needs as well as those of other customers. For many these forums are enough but some like yourself want or require extra support. Our new support team is here to make sure you get that. Please make sure to take advantage of our Support system located at http://vbulletin.com/support. The average response time is under 6 hours and we are working to lower that even more.

Please feel free to contact me directly at [email protected], but you will most likely get faster responses through the support system.

Sincerely,
Wayne A. Luke
vBulletin Support