Announcement

**AdrianH** · Sat 8 Nov '08, 9:14am

I am afraid you were duped, vBulletin do not use any pop ups for this purpose,the system for password control is in your ACP,what happens on expiry is that you cannot login to your account till you go through the password renewal process.

NEVER ever respond to any popup till you check it out.

**pressurepros** · Sat 8 Nov '08, 9:50am

It wasn't popup. Bad term choice on my part. So the password renewal process is legit?

In looking at how the exploit could have happened, the one other administrator (president of the organization) loged into the ACP through a common area computer at an airport terminal.

**pressurepros** · Sat 8 Nov '08, 9:59am

Before we enter any more passwords is this legit? (see picture below)

Attached Files

**AdrianH** · Sat 8 Nov '08, 10:00am

You said "while surfing through"?

The password change request defaults to 180 days and comes up when you attempt to login, not while already logged in.

The standard vB login is replaced with the information and request to change passwords.

**AdrianH** · Sat 8 Nov '08, 10:01am

Originally posted by pressurepros View Post

Before we enter any more passwords is this legit? (see picture below)

That is the correct vbulletin screen for that situation ,yes.

**pressurepros** · Sat 8 Nov '08, 10:03am

Casey, I stay logged in permanently. I was actually in the middle of doing something on the forum when the message from the picture above appeared. Its quite possible this was at the turn of a day (midnight).

**pressurepros** · Sat 8 Nov '08, 10:05am

Thank you for your help!

**Floris** · Sat 8 Nov '08, 10:06am

Yes, that's a default feature if you have it turned on.

That said, have the host confirm how they exploited vBulletin.

**AdrianH** · Sat 8 Nov '08, 10:15am

Originally posted by Floris View Post

Yes, that's a default feature if you have it turned on.

That said, have the host confirm how they exploited vBulletin.

But would it popup in a session like that or only on next login as I have experienced?

**Floris** · Sat 8 Nov '08, 10:20am

I am not a developer, but to my knowledge it is per session.

**Floris** · Sat 8 Nov '08, 10:21am

I think it is coincidence - because the stuff they uploaded can't be done over vB which is a forum software and not ftp. Usually these 'hacks' are done via exploit in source code (which yes, could be vBulletin, and you are running an older version), or unofficial plugins or third party software (like wordpress, etc). Or wrong directory configurations, etc. The host has to trace back and narrow it down.

**AdrianH** · Sat 8 Nov '08, 10:26am

Originally posted by Floris View Post

I am not a developer, but to my knowledge it is per session.

That is what I thought, I have never seen the request in a session,always at next login.

-----------------------

Anyway, assuming you now have control of the forum and server this thread http://www.vbulletin.com/forum/showthread.php?t=194701 will help you protect against hacking.

In particular change the Admin and mod control panel folder names and password protect folders like Install and config on your server .

Always use long passwords for your logins on the server and forum.

Announcement

Is this how they hacked my VBulletin?

Is this how they hacked my VBulletin?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment