35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

realized writes "Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own." Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

Re:That's what you get for using vBulletin

[smash]

not hard to do if you don't care about security you mean.

Re:

[jones_supa]

Since a self-written forum likely will have far less features, it will be far easier to make secure.

Also, it is not directly vulnerable to specific exploits crafted against well-known bulletin board software.

Re:

[smash]

Probably not, but more likely vulnerable to schoolboy errors, unless the developer has already had experience in writing an internet exposed project of significant size.

Re:

[smash]

The "provided you know what you're doing" part is the big that is surprisingly difficult to get right for non-trivial software.

It requires a fairly large investment in time and energy to know what you are doing. If you think it's "easy" you probably don't.

Re:

[smash]

big = bit.

Re:

[Kalriath]

Actually? Most of them actually more closely resemble orchestration software suites or application server middleware.

Re:

[smash]

Yes, I am suggesting it is not trivial, or there would be a high quality, full-featured, secure open source version available that had a stellar security record. Unless you can point me to such a project? No? Thought not.

Re:That's what you get for using vBulletin

[Shoten]

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

Right...because everyone who could ever want to use a forum is a web developer, right? And, of course, every one-off forum app will be TOTALLY free from vulnerabilities, of course. Oh, and let's not forget that there's no benefit whatsoever to different forums being somewhat similar in terms of user interaction...so let's just throw that out the door as well.

Seriously?

Re:That's what you get for using vBulletin

[Krojack]

Plus writing your own message board from scratch isn't an easy task. There is a LOT within these systems. I've been coding in PHP for about 8 years and even I don't want to take on this task.

Re:That's what you get for using vBulletin

[TheSpoom]

My entire day job is coding in PHP (and Javascript, and MySQL, and Mongo, and Node, and...). Seems to work well for my company, as well as the dozens of others with whom I've worked.

But keep using whatever's hot right now, it won't affect me one iota.

Re:

[smash]

Well yeah, as with any web app, you can't "just learn php and write your own forum!".

You'll need to learn css, html, php, sql, javascript and how to properly secure against stuff like SQL injection and cross site scripting. Php (or perl) is just a tiny part of a project like this.

Re:

[Anonymous Coward]

You have coded in PHP for 8 years?

Dear god, you poor bastard.

Re:

[Hatta]

USENET never had this problem.

Re:

[bill_mcgonigle]

GP is a fool. But do contribute to Vanilla [vanillaforums.org] or similar open source projects.

Re:

[wmac1]

It is a proprietary software with open source. It means you will pay at least $ 599 /year and the source is open to hackers for them to find bugs and exploit.

Could you tell us why in the hell I should contribute to such a thing?

Re:

[bill_mcgonigle]

It's GPLv2 [vanillaforums.org]. What are you talking about?

Re:

[TheSpoom]

I've created my own forum software in the past. GP is vastly understating the complexity of modern forum software. That said, I encourage actual web developers to try it as an exercise.

Also, I think GP isn't differentiating between "secure" on the surface when you look at code that you've written, and "secure" against multiple thousands of potential adversaries when a product is used everywhere. They will think of things that you haven't. That's why you get code audited.

Re:

[amicusNYCL]

A forum is a great learning exercise for people. I answer a lot of PHP and Javascript questions on the w3schools forum, and having a beginner design and develop a forum gives them exposure to a lot of skills (user authentication and management, form processing, file uploading, database design and API integration, ajax if they want to add it, etc). Something like a forum or photo gallery is a great beginner project to expose them to the majority of web programming skills that they'll use most often in a jo

Re:

[RockDoctor]

Learn some languages and build your own forum. It's not hard and all the skills you'll acquire will look great on a resume.

How would having that on my resume help me to get work oil wells?

Week old by Slashdot time

[Anonymous Coward]

Months old by the rest of the internet...

Re:

[Anonymous Coward]

it's more than a month old actually.

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
August 13th.

Well

[Anonymous Coward]

How many abandoned forums overran by spambots are there out there? Quite a lot I reckon, this isn't surprising at all.

Re:

[Anonymous Coward]

Not many vBulletin ones I'd wager, since it's paid software. Plenty of phpBB ones and the like, though.

Re:

[gl4ss]

Not many vBulletin ones I'd wager, since it's paid software. Plenty of phpBB ones and the like, though.

yeah as if you couldn't warez it...
http://thepiratebay.sx/search/vbulletin/0/99/0 [thepiratebay.sx]

dunno why the hell anyone would but it's possible

Right-o

[Anonymous Coward]

I just switched from using conventional passwords to 20+ character random strings and manage them with KeePassX. It took 3+ hours to go through all my 50+ different somewhat important accounts, but no way I'm using same passwords on different sites anymore.

There have already been 5 serious leaks in services I use, including Adobe and my dedicated server provider.

Re:Right-o

[firex726]

Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

Re:

[Just Some Guy]

Yea, it seems like I am getting an email monthly from one site or another I use telling me they were compromised and to change my passwords.

...usually phrased like "Hi 'YOUR_USERNAME'. Your password, 'FOOLMETWICE', might have been compromised. Click here to change it.".

The password manager I use has a "security audit" tab that lists sites using the same password, and passwords that I haven't changed in more than a few months, a year, or several years. I fixed all the dupes by giving them each unique passwords, and I have a monthly reminder to myself to update all the old ones.

Re:Right-o

[Archangel Michael]

Personally, I start with the premise that the sites are already insecure. From there, I only provide information needed. I also create a unique email address for each site, so that if they are compromised, only my account on that site is compromised and nothing else is at risk. My private email address remains only for personal communication.

To compromise my life would require the NSA, and I already figure that has happened, but that I am not interesting enough to act on it .... yet.

Re:

[Just Some Guy]

I don't sweat that so much. My personal email is right there above this message, after all. Good luck guessing my random as-strong-as-allowed password on any given site, though.

Re:

[smash]

I did this exact thing when the PSN hack happened.

Re:

[smash]

They still need to break the password DB encryption. Its a trade-off. What is yout alternative to keeping a unique password for every site? Paper? Unencrypted plaintext file?

Re:

[Stalks]

SHA256(passphrase,domain) = password

Re:

[Jakeula]

This is exactly correct. I use SHA256(passphrase,domain) on every site. It is easy to recover my passwords where ever I am and all I have to remember is the passphrase and then look at the domain. I used to just type in a random password and use password resets every time I wanted to log in, that seemed to work pretty well and is about as fast as generating my SHA256 password.

Re:

[Stalks]

http://www.passwordmaker.org/ [passwordmaker.org] is what I actually use. It allows you to create per-site options if required.

Re:

[krovisser]

I did this too. It's nice not having to remember passwords anymore. I just keep my database and key backed up, and have a lot less "what was this password again" troubles.

A bit iffy???

[NoNonAlphaCharsHere]

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

You misspelled "batshit-insane".

Re:

[Spamhead]

You misspelled "Cold Fusion".

Re:

[buchner.johannes]

Web applications that have write access to directories they then load code from have always seemed a bit iffy to me

You misspelled "batshit-insane".

By itself, that's not batshit-insane. Any web app that supports a user-friendly installation of plugins has to do that (Wordpress, Joomla!, ... ). If it only fetches plugins from its own, managed repository, it can be secure.

But please, suggest a user-friendly alternative.

Re:

[Dracos]

Yes, it very much is batshit-insane. To allow such a thing is to put an inordinate amount of trust in your web application and your http server, both of which should be considered insecure no matter how secure you think they are. WP goes one step further and allows its plugins to be edited from the admin interface, which is batshit-donkeyfuck-insane.

There is always a trade off between security and user friendliness... these anti-features cross the line so far that they've disappeared beyond the horizon.

Re:

[amicusNYCL]

What would be the alternative though? Is it possible to have the same functionality in a secure way? If my application needs to write to certain directories, and that is not an option or else the application would be useless, then how can those directories be protected? Any CMS that needs to upload images, for example, would be affected by that, right? It can be fairly trivial to protect in that case (put the upload directory outside of the web root and just return the file data), but what about an appl

Re:

[amicusNYCL]

I should clarify in case this is the first reponse:

we already route all requests for files in the upload directory to a PHP script via htaccess to authenticate users before they can access the file, and there is also an option in the application whether or not to allow PHP execution in that directory (if disabled, it returns the file contents instead of including and executing the file).

Is that all that is necessary?

Re:

[Dracos]

Uploading images or other files that will not be executed by the CMS is not the issue here. The ability to upload modules and plugins is a much greater risk. Being able to delete those things (as granted by write permission) can render the entire CMS inoperable. The further insanity of allowing code to be editable within the CMS is even more dangerous, as that can introduce simple breakage via a syntax error and be a good place for malicious code to hide, easily placed there by a compromised CMS account.

Re:

[drinkypoo]

What would be the alternative though? Is it possible to have the same functionality in a secure way?

You'd have a separate site for maintenance. This does sort of mandate some duplication of effort. Right now if you want to update your CMS core you have to do this through a shell, file manager, or ftp in most cases as it is. It's not a big stretch to have an admin site with its own codebase sufficient for performing updates. Content management etc would continue to be performed through the CMS as normal. You might or might not want to use the same auth tables.

Re:A bit iffy???

[Bigbutt]

First thing I did with my Wordpress site was check the 'net for suggestions on how to secure the site. I've blocked off the admin access areas through the httpd.conf file restricting it to my work and home IPs. I occasionally have to update the IP when my home dhcp address changes but it works fine for what I'm doing.

[John]

Re:

[Jason Levine]

I've found quite a few plugins to help secure WordPress. One of the ones I really like is Apocalypse Meow [wordpress.org]. This locks people out from even trying to log into your site after X attempts. (You define what X is but it defaults to 5.) If they go over the attempts, they get banned from trying to log in for a day (or however long you define). It also removes the WordPress version information from your site's HTML code which has no purpose except to tell hackers "try these methods to get into my website". It

Why Only Now?

[terrab0t]

If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

Re:Why Only Now?

[moteyalpha]

If you watch your server access logs, you will regularly see bots checking for common install URLs of popular website software. I'm blown away that vBulletin's hasn't been targeted for years.

You are absolutely right. I was shocked at how quickly the knocking began. Within a day of registering a new address it already had obvious attempts to find a hole. The logs also show many other things that would worry people IF they knew it was happening. Very few people have the experience and skills to deal with it. It seems obvious that the intruder has the advantage. In a system with more than 2 to the 64th directions to guard against, the attacker has the advantage of surprise.
Analogy: Open field, everybody has a gun, some have food, others want it.
It could be that the only way to win is not to play at all. The problem is that the game has already started and this is no longer a choice. There is a dominant strategy. It is a conflict of interests. It is thus "Bellum Omnium contra omnes". No way to tell how it will end, but everybod has a "shot". ;)

Re:

[krovisser]

You make this sound like the Hunger Games.

Re:

[Cramer]

I'm blown away that vBulletin's hasn't been targeted for years.

IT HAS! This bullshit comes up every few years. All because people are too stupid and lazy to follow the instructions and remove the f'ing installer when done.

Re:

[Goaway]

Wouldn't be a problem if PHP honoured Unix execute permissions.

Too bad it doesn't.

Re:

[smash]

Download the usernames, email addresses and password hashes, duh! Salted passwords or unsalted, even a list of email addresses is worth something. Most of them ask for your date of birth as well. DOB, plus email address plus password hash and you're well on your way to identity theft.

Re:

[Anonymous Coward]

Easy, send fake messages from the admin saying that users need to reset passwords and send them to some attack site, harvest that and you might get a password they use for the email address, break into that etc etc etc.

Re:

[Cramer]

As others point out... swipe the email addresses of all the users (99% useless, but people still do it), swipe the encrypted passwords (you'll have some success recovering some of them), swipe the "remember me" login cookie -- which automatically logs you in. But that's all script-kiddie piss.

The pros are there to install malware into your site and/or redirect (read: out right, steal) your ad revenue. Some of them are very clever and redirect search engine hits, and search result clicks. (and they hide in p

Re:

[ogar572]

Because of the promise of 1. point and click install of everything 2. renders fast (because of caching) 3. thousand of plugins 4. Don't need a programmer to use it

Re:

[Cramer]

For starters you don't want every damned thing to be in the database. SQL (mysql esp) is HORRIBLE at storing *files*... which means images, and various random attachments (pdf, exe, zip, etc., etc., etc.) Also, the more you have in the database, the harder it is to find (and fix) whatever the hell hackers tweak.

Their very nature means they have to be able to write a lot of stuff. It doesn't matter where you put it, it's still writable, and hackers will be able to alter it. The forum software itself is no

Re:

[BrentNewland]

If the software is properly written, it will take care of the permissions. It's trivial to make a PHP script that checks the permissions on each folder and file in the program, and change them if they aren't right. You can even have the script fall back to FTP if PHP doesn't have permission to change permissions.

Nothing about this surprises me.

[thevirtualcat]

I've used vBulletin for years. While it's never had a particularly stellar security record, it has only gone down hill since Internet Brands bought Jelsoft.

The only remotely secure way to run vBulletin these days is to stick it in its own php-fpm pool with its own user account and insure that all files are 440 and all directories are 550. The upload directories (customavatar, attachment, etc) need to be 770 and then be excluded from PHP execution in your httpd config. Deleting "install/" goes without saying. (And we have it behind a Basic Auth, just in case someone forgets.)

Even today, with that fairly verbose nginx config and a fully patched and up to date vBulletin, I still find delightful files in my upload directories like "r00t.php" and "shell.php".

Oh? You're on shared hosting? Good luck with that...

Re:

[denmarkw00t]

Oh? You're on shared hosting? Good luck with that...

Well, I wasn't on shared hosting...but then I installed vBulletin - ZING!

Much more than 1 week old

[pjrc]

My site uses vBulletin.

This vulnerability is MUCH older than the 1 week mentioned in Slashdot's summary.

Several weeks ago the vBulletin folks sent an email advisory to all registered users (eg, people who actually paid for the software) . In fact, they sent 2 messages. The first warned of this vulnerability and suggested immediately deleting the install folder, if it wasn't already deleted as recommeded. The 2nd message, only a couple days later announced a new version which fixed this bug, even if the install folder was not deleted.

vBulletin has a web-based admin control interface, separate from the main forum. Even in the old, vulnerable versions, the admin section will not work if the install folder still exists. It just displays a message saying you must deleted the install folder before you're allowed admin access to your own forum. Any sites that were vulnerable to this bot must have been set up by just unpacking the zip file and then running the wizard to set up the database. It specifically tells you to delete the install folder at the end of that process. So anyone who got hit not only ignored that instruction, but also never even used the admin section of their forum, because it's intentionally disabled to force people to properly delete the install folder.

Sure, there may be 30-some thousand forums out there with this problem, but every single one of them was set up so poorly that the forum owner never even accessed their admin interface.

Re:

[DNS-and-BIND]

How do you even DO that? How would you be able to name the forum, set up subforums, etc.?

Look and feel

[mynamestolen]

Can someone please post a couple of links to show what the software looks like on a site. I have no idea what the typical layout and default look and feel is like.

Lazy Vs. Uninformed

[paysonwelch]

I always assume that it's pretty standard practice to delete any /install folder. I mean seriously.. Not only are you keeping your installation tidy but obviously it prevents anyone from re-running any install scripts. So it either comes down to people being lazy or just not knowing. I forget how many "webmasters" or "developers" are out there that don't even know the basics. As sort of an argument point spin-off, better software has led to less hands on deployment and made it easier for more people to dep

Sadly

[lapm]

Sadly most people that install forum software of any type, just don't follow security bulletins, or read install instructions properly anyways. Damn computer amateurs...