1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

So, vB.com Got Hacked

Discussion in 'Off Topic' started by Alteran Ancient, Nov 17, 2013.

Thread Status:
Not open for further replies.
  1. Alteran Ancient

    Alteran Ancient Well-Known Member

    First Ubuntu Forums. Then MacRumors. Now vBulletin.com. I bring this up, because naturally, a good number of members here will have been members or customer of vBulletin at some point. If you are one of those people, go and get your passwords changed. You should be doing that anyway, regardless of whether sites are being hacked or not!

    So, it seems breaking into forums and other data-rich systems is becoming a thing - specifically to obtain user data such as email addresses and password hashes. In the case of Ubuntu and MacRumors, the weak point would have been a compromised Moderator account, or someone with the ability to post raw HTML.

    Now, XenForo was built from the ground-up with security in mind. That said, you cannot afford to be complacent. With a default set-up, your members and moderators have no ability to post any HTML - just BB Code. vBulletin had the HTML-enabled Announcements feature and in previous security breaches, was used as a method to obtain an Administrator's cookie and gain access. XenForo does not have this problem.

    Another plus for XenForo - plugins code is loaded from the library directory on the server's file system. Obtaining access to the Admin CP still limits how much access a hacker has to your system and by extension, its Databases.

    Seeing these kind of announcements is quite worrying. I'm going to assume that you don't want the same to happen to your own forum, which is why ensuring security is necessary. To save you the run-around and panic, I've given you a list of various things you can do to improve the security of your forum and infrastructure...

    Server Security
    • Disable external logins to your 'root' account. They can't break in if they don't know your username!
    • Install denyhosts or fail2ban on your server to prevent brute-force attempts.
    • Employ the use of two-factor authentication (Duo Security, or Google Authenticator).
    • Route your site through CloudFlare to make your server IP harder to find.
    • Ensure that Apache/Nginx/PHP and other web services run on a non-root user, so that any uploads may not compromise your entire server.
    • Make sure that MySQL can only be accessed by localhost - maintenance can be done via SSH tunnel or phpMyAdmin
    Forum Security
    • Give your administrators only what they absolutely need - nothing more. Limit the management of plugins and templates only to those who absolutely need it. The more administrative accounts you can make useless to a hacker, the better.
    • Give your moderators only what they need. There is far less opportunity for abuse here, but regardless, do check what your moderators can access.
    • Demote the accounts of any inactive staff. The more stray elevated accounts hanging around, the more opportunity for a hacker to get in if any of them were using a weak password or had their email compromised.
    • Put some kind of policy in place for your staff to change their passwords on a regular basis. It's annoying, but is a fairly common-sense security practice and means if an old password gets nabbed by a hacker, it won't be a problem.
    • If you want to get really technical, you could implement two-factor authentication for your forum accounts. Personally, I'd only want to implement this for moderators. Giving your users access to this would probably just complicate things!

    Maybe this is making a bit of a mountain out of a molehill, but at least by wasting your time with this thread, maybe I made you think or gave you some sensible ideas.
     
    D.O.A., =MGN=RedEagle and Adam Howard like this.
  2. Amaury

    Amaury Well-Known Member

    It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.

    But this will be my only post on the matter.
     
  3. oman

    oman Well-Known Member

    Not surprised. It's vBulletin.

    I'll leave you with this. Made my day:

    [​IMG]
     
  4. John007

    John007 Active Member

  5. The Forum Heroes

    The Forum Heroes Well-Known Member

    Because going to a site selling exploits is a good idea.. Amirite...
     
  6. Alteran Ancient

    Alteran Ancient Well-Known Member

    Whether the live vB.com itself was hacked, or if it was something else, the emails advising us to change our passwords is an embarrassing admission to playing loose with customer data. It shouldn't have happened. If you want to be pedantic, an asset of vBulletin Solutions "got hacked".

    Probably not a good idea to link to that on here.
     
    Adam Howard and Brandon Sheley like this.
  7. Brandon Sheley

    Brandon Sheley Well-Known Member

    It might as well have been vb.com.
    In a vbulletin newsletter IB stated that customer info could have been compromised.
    I had asked Paul M if it was on the same servers as vbulletin.com/org but I've yet to see confirmation.

    Also I'm sure this thread will be closed soon. I doubt xf really cares about what happens to vb, neither should we. ;)
     
    Adam Howard likes this.
  8. Brogan

    Brogan XenForo Moderator Staff Member

    Several threads related to this have already been closed/deleted.

    I will close this one so everyone is in no doubt that threads on this subject are better suited elsewhere.

    If it was a general discussion on security and exploits that would be fine, but the vB bashing has already started and on previous form that will just continue.
     
Thread Status:
Not open for further replies.

Share This Page