Page 1 of 2 12 LastLast
Results 1 to 25 of 36

Thread: Keep Your Eyes Open ... We Were Hacked This Morning!

  1. #1
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735

    Keep Your Eyes Open ... We Were Hacked This Morning!

    This morning, a new user managed to somehow make themselves an administrator. Thanks to Grapeshot who called me immediately after it happened, I was able to delete the user before (hopefully) he was able to do anything. But I would like for you to keep your eyes open.

    I have opened a support ticket with vBulletin about the incident, which is troubling for several reasons.

    1) We always stay up to date on the latest vBulletin updates.
    2) We always stay up to date on the latest server updates.
    3) I am the only administrator so theoretically, I am the only one who could add another administrator.
    4) My password was long, complex, and used nowhere else on the internet. (It has since been changed to something even more complex)
    5) The user did not have an IP address nor did they appear in the logs.

    I will let you know what I find out from vBulletin. I am also going to hire a security consultant to review the server as well.

    So ... if you see ANYTHING that looks strange, let me know. I think we dodged a bullet on this one (pun intended) but only by the grace of God and the vigilance of Grapeshot.

    Thanks!

    PS. By strange I mean more than just spam. If Mike or I start proclaiming our undying love for Janet Reno then that would be a clue as well.


    John

  2. #2
    Regular Member SFCRetired's Avatar
    Join Date
    Oct 2008
    Location
    Montgomery, Alabama, USA
    Posts
    1,770
    You mean you don't love Janet Reno?

    Sorry, couldn't resist that one.

    I suspect we would all be very interested to know what the final answer is on this one as there now seem to be nations that are organizing hacking efforts against those whom they see as enemies.
    Last edited by SFCRetired; 09-03-2013 at 09:47 AM.
    "Happiness is a warm shotgun!!"
    "I am neither a pessimist nor a cynic. I am, rather, a realist."
    "The most dangerous things I've ever encountered were a Second Lieutenant with a map and a compass and a Private who was bored and had time on his hands."

  3. #3
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735
    Quote Originally Posted by SFCRetired View Post
    You mean you don't love Janet Reno?

    Sorry, couldn't resist that one.

    I suspect we would all be very interested to know what the final answer is on this one as there now seem to be nations that are organizing hacking efforts against those whom they see as enemies.
    I will keep you guys informed as I find more information.

    Thanks!


    John

  4. #4
    Banned
    Join Date
    Jan 2012
    Location
    earth's crust
    Posts
    17,838
    I figured out the password .... from here:

    https://www.youtube.com/watch?v=IPphyjkXnPc

    Last edited by davidmcbeth; 09-03-2013 at 09:49 AM.

  5. #5
    Campaign Veteran skidmark's Avatar
    Join Date
    Jan 2007
    Location
    North Chesterfield VA
    Posts
    10,682
    Quote Originally Posted by John Pierce View Post
    5) The user did not have an IP address nor did they appear in the logs.

    John
    Well, of course not. There was no such person from no such agency.

    Check your physical mailbox - there might or might not be a letter that you could not tell anyone (including yourself) about.

    The good thing is these days they give you a toothbrush, instead of making you buy one. The bad news is it's one of those pieces of silicone that goes on the end of your finger.

    stay safe.
    "He'll regret it to his dying day....if ever he lives that long."----The Quiet Man

    Because stupidity isn't a race, and everybody can win.

    "No matter how much contempt you have for the media in all this, you don't have enough"
    ----Allahpundit

  6. #6
    Founder's Club Member
    Join Date
    Nov 2006
    Location
    Fairfax Co., VA
    Posts
    18,766
    Quote Originally Posted by John Pierce View Post
    SNIP I have opened a support ticket with vBulletin about the incident which is troubling for several reasons.

    Troubling indeed.

    Was members' personal information--e-mails, names, etc.--compromised?



    Rhetorical questions:

    Who would have the expertise to break John's password? And, have no IP address? And, not leave traces in the logs?

    Why would someone do it?

    Who would finance them?
    I'll make you an offer: I will argue and fight for all of your rights, if you will do the same for me. That is the only way freedom can work. We have to respect all rights, all the time--and strive to win the rights of the other guy as much as for ourselves.

    If I am equal to another, how can I legitimately govern him without his express individual consent?

    There is no human being on earth I hate so much I would actually vote to inflict government upon him.

  7. #7
    Regular Member OC for ME's Avatar
    Join Date
    Jan 2010
    Location
    White Oak Plantation
    Posts
    12,273
    NSA? IRS? Both?

  8. #8
    Regular Member
    Join Date
    Feb 2012
    Location
    Davis County, Utah
    Posts
    528

    Re: Keep Your Eyes Open ... We Were Hacked This Morning!

    Guys, obviously we will never be certain who they were or where they were from, but I would like to point out a couple of things:

    1) If this is a first time happening on OCDO, then we are pretty darn secure here in that respect. I do hope nothing was copied or destroyed.

    2) Both Black Hat and DEFCON happened just over a month ago; the net goes crazy for a few months after, as the skiddies try out their new toys. It's the same thing year after year.

  9. #9
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735
    Lol. I do not believe that any agent of the government is going to make themselves an administrator account and use the username of H4ck3r and the email address of hack.er.

    I suspect this was a script kiddie who found a zero-day vBulletin exploit and wanted to show off to his friends that he cracked a vBulletin site. If you google for vBulletin exploits, the YouTube videos and sites are numerous.

    I do not believe that any information was compromised based upon the fact that, thanks to Grapeshot's quick response, the user was deleted and the server rebooted within minutes of the account being created. The logs showed no further activity by this user. It may have even been a script rather than an individual.

    The security consultant I hired is already sweeping the server but so far, it appears that there was no other damage. We have also installed a monitor to let us know of any access to the Admin tool on the forum. The real question is whether or not there is a vBulletin exploit they need to patch. I am waiting on them to respond.


    John

  10. #10
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735
    Quote Originally Posted by b0neZ View Post
    Guys, obviously we will never be certain who they were or where they were from, but I would like to point out a couple of things:

    1) If this is a first time happening on OCDO, then we are pretty darn secure here in that respect. I do hope nothing was copied or destroyed.

    2) Both Black Hat and DEFCON happened just over a month ago; the net goes crazy for a few months after, as the skiddies try out their new toys. It's the same thing year after year.
    Thanks. Yes ... we keep the server locked down as tight as possible. I won't go into details here but suffice it to say that I take the advice and assistance of experts rather than take chances. The cost pays off in the long run. We see failed attempts on the server in the log file every day. It is a fact of life on the internet.

    This one seems to have succeeded by targeting vBulletin rather than the server itself. Hence the reason I suspect a zero-day exploit since we ALWAYS stay on the latest patch immediately upon their release.


    John

  11. #11
    Campaign Veteran marshaul's Avatar
    Join Date
    Aug 2007
    Location
    Fairfax County, Virginia
    Posts
    11,487
    Quote Originally Posted by Citizen View Post
    Who would have the expertise to break John's password?
    That isn't how it works. Good passwords don't get "broken". There's undoubtedly an exploit in vBulletin itself.

  12. #12
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735
    Quote Originally Posted by marshaul View Post
    That isn't how it works. Good passwords don't get "broken". There's undoubtedly an exploit in vBulletin itself.
    Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns).


    John

  13. #13
    Founder's Club Member
    Join Date
    Nov 2006
    Location
    Fairfax Co., VA
    Posts
    18,766
    Quote Originally Posted by marshaul View Post
    That isn't how it works. Good passwords don't get "broken". There's undoubtedly an exploit in vBulletin itself.
    Oh, I see.

    Thanks.
    I'll make you an offer: I will argue and fight for all of your rights, if you will do the same for me. That is the only way freedom can work. We have to respect all rights, all the time--and strive to win the rights of the other guy as much as for ourselves.

    If I am equal to another, how can I legitimately govern him without his express individual consent?

    There is no human being on earth I hate so much I would actually vote to inflict government upon him.

  14. #14
    Regular Member Maverick9's Avatar
    Join Date
    Apr 2013
    Location
    Mid-atlantic
    Posts
    1,506
    Wasn't me.

    [Attached image: ocdoadmin.png]

  15. #15
    Banned
    Join Date
    Jan 2012
    Location
    earth's crust
    Posts
    17,838
    Quote Originally Posted by John Pierce View Post
    Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns).


    John

    The combination is....
    1-2-3-4-5

    https://www.youtube.com/watch?v=a6iW-8xPw3k

  16. #16
    Banned
    Join Date
    Jan 2012
    Location
    earth's crust
    Posts
    17,838
    Quote Originally Posted by John Pierce View Post
    Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns).


    John
    You'll be eating cold oatmeal for the next 3 weeks !

    You know your wife is infinitely smarter than both of us combined. Right?

  17. #17
    Founder's Club Member protias's Avatar
    Join Date
    Dec 2008
    Location
    SE, WI
    Posts
    7,322
    Quote Originally Posted by John Pierce View Post
    Exactly. The password was complex, long, and had no real meaning. Even my wife couldn't have guessed it (since it didn't have anything to do with food, sex, or guns).


    John
    Really?

    No free man shall ever be debarred the use of arms. Thomas Jefferson (1776)

    If you go into a store, with a gun, and rob it, you have forfeited your right to not get shot - Joe Deters, Hamilton County (Cincinnati) Prosecutor

    I ask sir, what is the militia? It is the whole people except for a few politicians. - George Mason (father of the Bill of Rights and The Virginia Declaration of Rights)

  18. #18
    Administrator John Pierce's Avatar
    Join Date
    May 2006
    Location
    Bristol, VA
    Posts
    1,735

    Update

    This just in from the vBulletin support team.

    ***
    A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:

    4.X - /install/
    5.X - /core/install
    After deleting these directories your sites can not be affected by the issues we’re currently investigating.

    vBulletin 3.X and earlier versions of 4.X would not be affected by these issues. However if you want the best security precautions, you should delete your install directory as well.
    ***

    DONE. DONE. AND DONE!
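    The advisory quoted above names two relative paths (install/ for 4.x, core/install for 5.x) and asks site owners to delete them. The script below is an added example, not vBulletin's code and not anything posted in this thread: it checks a forum's document root for either leftover directory (both locations, since an upgraded-in-place site can keep the old tree), and can remove what it finds. The /var/www/html default is a placeholder; pass your own document root.

```python
"""Verify that the vBulletin install directories named in the advisory are gone.

Added example (not vBulletin's code). Paths come from the quoted support message:
  4.X -> /install/        5.X -> /core/install
both relative to the forum's document root.
"""
import shutil
import sys
import tempfile
from pathlib import Path

# Relative install-directory paths quoted in the vBulletin support message.
INSTALL_DIRS = {
    "4": ["install"],
    "5": ["core/install"],
}


def install_dirs_for(major_version: str) -> list:
    """Return the install directories the advisory says to delete for a major version."""
    try:
        return list(INSTALL_DIRS[major_version])
    except KeyError:
        raise ValueError(f"no advisory entry for vBulletin {major_version}.x") from None


def find_leftover_install_dirs(docroot: str) -> list:
    """Return every advisory-listed install directory that still exists under docroot.

    Both the 4.x and 5.x locations are checked regardless of the version the site
    runs now, so a site upgraded in place that kept the old tree is caught too.
    """
    root = Path(docroot)
    leftovers = []
    for rel in INSTALL_DIRS["4"] + INSTALL_DIRS["5"]:
        candidate = root / rel
        if candidate.is_dir():
            leftovers.append(str(candidate))
    return leftovers


def remove_install_dirs(docroot: str) -> list:
    """Delete the leftover install directories and return the paths removed."""
    removed = []
    for path in find_leftover_install_dirs(docroot):
        shutil.rmtree(path)
        removed.append(path)
    return removed


def make_demo_docroot() -> str:
    """Build a throwaway document root that still has core/install (constructed sample)."""
    root = tempfile.mkdtemp(prefix="vb-demo-")
    (Path(root) / "core" / "install").mkdir(parents=True)
    (Path(root) / "core" / "vb").mkdir()  # unrelated directory that must be left alone
    return root


if __name__ == "__main__":
    # Placeholder default; real sites pass their own document root on the command line.
    docroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    found = find_leftover_install_dirs(docroot)
    if found:
        print("install directories still present:", *found, sep="\n  ")
    else:
        print("no install directories found under", docroot)
```

    Running it before and after the deletion gives a simple pass/fail record of the remediation, which is worth keeping alongside the support ticket.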

  19. #19
    Regular Member Sorcice's Avatar
    Join Date
    Nov 2011
    Location
    Madison, WI
    Posts
    382

    Keep Your Eyes Open ... We Were Hacked This Morning!

    It's pretty much pointless to try brute force guessing against any online forum or Windows server. The security policy in place usually only allows 3 attempts before blocking you from trying or completely locking the account for 10 minutes to forever at the admin's discretion. Having a long confusing password really doesn't do much but cause the owner migraines. You are better off with a password like theboomstickwentbang than )$;&'dnsnsndhan143245523.

    Also, don't ever give out your password to an admin. They don't need it. They can change your password whenever they want. Asking for your password is a red flag.

    Will be interesting to see what ticket shows as the cause.

    .02

  20. #20
    Regular Member
    Join Date
    Feb 2012
    Location
    Oregon
    Posts
    127
    I was going to say delete the install file...I've used it to re-create my admin account on IPB and vBulletin before...also SQL injection if the server hosting company has been compromised (as in they hired an idiot, like if you use GoDaddy or some other company to physically manage the server hardware)...had that issue twice now...lovely email apologizing about those incidents...

  21. #21
    Banned
    Join Date
    Jan 2010
    Location
    Fairborn, Ohio, USA
    Posts
    13,063
    .lamron eb ot smees gnihtyrevE .smelborp yna deciton t'nevah I

  22. #22
    Regular Member
    Join Date
    Nov 2010
    Location
    texas
    Posts
    23
    Quote Originally Posted by John Pierce View Post
    ...
    5) The user did not have an IP address nor did they appear in the logs.
    ...
    Assuming it was just vBulletin that was compromised and they never had root:
    Look in /var/log/httpd/access_log and maybe /var/log/messages, depending on what all was tried.

    With vBulletin compromised its logs were most likely edited, but he still would not be able to change the access_log.
    Unfortunately these attacks are usually from zombies, so if you do go through the trouble of finding him he won't even know he was doing it.
    In any case he has an IP, and your machine knew it; otherwise he couldn't have done anything.
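    The point made above is that the web server's access_log records the client address even when the application's own logs have been tampered with, and post #9 mentions a monitor on the admin tool. The script below is an added example, not code from this thread or from vBulletin: it parses Apache "combined" format lines, keeps only requests to the install directories named in the advisory (/install, /core/install) and to /admincp (assumed here to be vBulletin's admin control panel path), optionally restricted to a look-back window before the rogue account's creation time, and groups the hits by client IP. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Find who touched vBulletin's install and admin paths in an Apache access_log.

Added example, not from the thread. Assumes Apache's default "combined" LogFormat.
The SAMPLE_LOG below is constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# /install and /core/install are from the vBulletin advisory; /admincp is an assumption.
WATCHED_PREFIXES = ("/install", "/core/install", "/admincp")

# combined format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: normal browsing, a burst against /core/install, then admincp use,
# plus a later probe of the 4.x path that 404s because the directory is already gone.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2013:07:58:01 -0400] "GET /forum.php HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Sep/2013:08:01:12 -0400] "GET /core/install/upgrade.php HTTP/1.1" 200 1822 "-" "python-requests/1.2.3"
198.51.100.23 - - [03/Sep/2013:08:01:13 -0400] "POST /core/install/upgrade.php HTTP/1.1" 200 311 "-" "python-requests/1.2.3"
203.0.113.7 - - [03/Sep/2013:08:02:40 -0400] "GET /showthread.php?t=1 HTTP/1.1" 200 38120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Sep/2013:08:03:05 -0400] "GET /admincp/index.php HTTP/1.1" 200 9021 "-" "python-requests/1.2.3"
192.0.2.9 - - [03/Sep/2013:08:20:00 -0400] "GET /install/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is deliberately unparsable and must be skipped
"""


def parse_apache_time(text):
    """Parse the bracketed timestamp of a combined-format line into an aware datetime."""
    return datetime.strptime(text, APACHE_TIME)


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = parse_apache_time(rec["time"])
    rec["status"] = int(rec["status"])
    return rec


def is_watched(path):
    """True when the request path (query string ignored) is inside a watched directory."""
    p = path.split("?", 1)[0]
    return any(p == w or p.startswith(w + "/") for w in WATCHED_PREFIXES)


def watched_requests(log_text, until_apache_time=None, lookback_minutes=None):
    """Parsed requests to watched paths, optionally only within a window ending at until."""
    until = parse_apache_time(until_apache_time) if until_apache_time else None
    since = until - timedelta(minutes=lookback_minutes) if (until and lookback_minutes) else None
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        if since and rec["time"] < since:
            continue
        if until and rec["time"] > until:
            continue
        if is_watched(rec["path"]):
            hits.append(rec)
    return hits


def suspects_by_ip(log_text, until_apache_time=None, lookback_minutes=None):
    """Group watched requests by client IP -> list of (time, method, path, status)."""
    by_ip = defaultdict(list)
    for rec in watched_requests(log_text, until_apache_time, lookback_minutes):
        by_ip[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return dict(by_ip)


if __name__ == "__main__":
    # Window: the 10 minutes before the rogue account's creation time (constructed value).
    for ip, reqs in suspects_by_ip(SAMPLE_LOG, "03/Sep/2013:08:04:00 -0400", 10).items():
        print(ip)
        for when, method, path, status in reqs:
            print(f"  {when:%H:%M:%S} {method} {path} -> {status}")
```

    Anchoring the window to the account's creation timestamp (from the user table or the admin log) narrows the search to the requests that could have created it; the unfiltered call is useful afterwards to see whether the same address came back.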

  23. #23
    Regular Member
    Join Date
    Aug 2007
    Location
    Granite State of Mind
    Posts
    4,510
    The server seems bogged down tonight, too. I don't know if we're under attack, or if John bumped up some settings.

  24. #24
    Banned
    Join Date
    Jan 2012
    Location
    earth's crust
    Posts
    17,838
    Quote Originally Posted by eye95 View Post
    .lamron eb ot smees gnihtyrevE .smelborp yna deciton t'nevah I
    Finally a post I can understand ! (from eye)

  25. #25
    Moderator / Administrator Grapeshot's Avatar
    Join Date
    May 2006
    Location
    North Chesterfield, Va.
    Posts
    34,622
    Quote Originally Posted by KBCraig View Post
    The server seems bogged down tonight, too. I don't know if we're under attack, or if John bumped up some settings.
    Have had multiple reports of quite slow speed on OCDO including my computer and DoubleTaps too. The other sites that I visit are not so affected, so it isn't just an increase in traffic i.e. holiday and back-to-school.
    “You will not rise to the occasion; you will fall back on your level of training.” Archilochus, 650 BC

    Old and treacherous will beat young and skilled every time. Yata hey.
