Fortunately, I switched to Xenforo which I understand has some of the original programmers from vBulletin. I think it is important to recognize the vBulletin of today is owned by Internet Brands, and is a far different company today. I still do have an old 3.x.x that runs like a champ.

If you run a vBulletin forum, versions 4 - 5, you may want to consider downloading your DB if you haven't done it recently. Something to consider, DefCon took down their forum [forum.defcon.org] and left a note:

We have disabled the forums until there is resolution on a possible vulnerability.

-- TheCotman

For some details about we at DEF CON have decided to close the forums, you can check this story out:
[thehackernews.com...]

Once we have a fix/patch installed, we'll re-open service.

Thanks! Sorry about the down-time.

Internet Brands if they own the source code I would say that since the purchase probably little if any security work has or could be done by the personal they staff.
I am very familiar with their work.

A lot of us with vB boards got hit a month or so ago. I got hit twice - about a week apart between the attacks. I hadn't taken an action that they suggested in an e-mail (deleting the install folder). BUT they didn't make the issue sound very urgent. In hindsight that was a big error on my part.

After the attacks one of the things I did that seems to have helped a lot is locking all admin type directories with .htaccess - not just on my vB site but on all my sites - Wordpress blogs, tube sites, etc. I have to do two logins now to get to admin areas, but it makes it hard enough for hackers that they'd rather move on to other sites that are easier to hack.

Staff have unofficially stated there is no new vulnerability. A qa server running old code was hacked and an export of the production database for the forum at vBulletin.com compromised. The macrumours.com hack is linked however in that a user who was targetted had reused their password accross the two sites. I speculate this may also have been the case in the ubuntu.com attack as the vBulletin.com hack may have happened as long ago as this summer. The hackers screenshots of the hack are fake according to the same staff. In the case of the macrumours and ubuntu attacks the hackers used a moderator account to post javascript in order to compromise the account of an administrator...

Regardless my advice to any forum owners who take security seriously:

- Reset all you staff passwords.
- Implement a policy of regular password changes.
- Review who has access to what.
- Install a second layer of authentication such as .htpasswd
- Disable HTML posts / announcements.
- Install fail2ban or similar.
- Consider using https.

I got hit twice - about a week apart between the attacks.

What was the symptoms? What happened to your website?

And what version are you running?

What was the symptoms? What happened to your website?

The first thing that was obvious was that certain pages were redirecting to other sites. If I remember correctly it was a "security software" type site. The hacker had gotten in and essentially overwritten certain pages.

What I missed in the first attack was that s/he had also created admin user accounts. When more pages were hacked a week later I took a much closer look at things and discovered three admin users that shouldn't have been there. Since the files (on disk) had been locked down after the first attack the next step was for the hacker to use those use admin users to change some of the page code that's stored in the database. That's actually a much harder thing to restore since restoring the database would have wiped out all the user discussion on the forum. That's when I put in the 2nd layer of password protection on the admin and moderation pages. So now even if they do manage to create an admin user in the future they can't hit an admin page.

During all of that I discovered that, while my host only keeps one day of log files, vB logs all page hits to admin areas. So there was a nice neat tidy record of exactly what pages the hacker had accessed.

The one good thing about forums is that you have an active community of people who are looking out for you. People were tweeting me, emailing me, etc. as soon as the problem happened. I don't think I would have gotten the same response if one of my blogs had been hacked.

And what version are you running?

I was on something like 4.0.2 patch 2 when the first attack happened. After the first attack I upgraded to 4.2.1.

You need 4.2.2 to be safe, you should upgrade immediately. Make sure you delete the installation directory after the upgrade too...