Is this problem due to a vBulletin zero-day exploit? Just curious.
No, this was related to spammers taking advantage of forward facing scripts. I have not detected any intrusion, nor seen any evidence that might suggest that one happened.
It's difficult to discuss technical things without going over the heads of non-technical people, but so everyone can hopefully understand what happened, I'll try. If I use terms you don't understand (not necessarily you PG, but others), just skip on past them and read the rest. You don't have to word clear everything I say below.
The first problem was due to a spammer who used a link on the blogs to "send email to a friend", which was a forward-facing link set by a configuration option to allow guests to send email. I believe the setting to allow it was the default - which is bad design on the part of vBulletin, if true. (Although I have not confirmed that with a fresh new install and a virgin database.) I can't imagine Emma would have set it that way deliberately, and I know I didn't. So in other words, the software was operating as intended, but it was a poor choice on vB's part to make that setting the default, if they did. And admittedly, I bear some culpability in not having checked absolutely every setting possible, of which there are thousands, when I moved ESMB in December 2012.
Once I had changed that setting, and checked that all the other settings I could find that would allow anyone, guest or member, to send email to anyone were set to no (as well as checking a number of other things, both forum and server), I put the forum back online. I left the "Contact Us" form active because according to vBulletin, it used a "hard coded" email address, which was entered into the admin control panel. This meant that it was only supposed to send email to the address in the control panel. We could get spammed, yes, but no one else should have been.
The second problem, which occurred 3 days later, concerned the script used for the "Contact Us" form, and which possibly comes into play for other email sending, like notifications, although I don't know that for sure. The email address in the control panel which I had entered was still there and still the same as what I had entered. This should have been the only email address that could be sent to using that particular script.
There is no place on the "Contact Us" form to enter another email address, but it's possible to submit HTTP POST data without using a form and spammers use this all the time. Good programming practices include checking for how the data has been submitted, whether the form has been used to submit or not, and removing any extraneous data or non-alphanumeric characters. In this case, that would include any added To: data. This script did not do that, apparently. In addition, since we did not receive any copies of the spam emails, it appears that it not only accepted the To: data submitted by the spammers but replaced the To: address that was set in the admin control panel with theirs!
Considering the bad programming practices in that particular script, I have lost any confidence in vBulletin that I may have had prior to this. I've set all configuration settings that vBulletin has to send email to not allow it. I'm not satisfied that that's enough, though, so I've also made changes to the server settings to disallow it, carefully monitor it, and alert me to anything amiss. It was the server alerts that notified me of the first problem to begin with.
There was also the shorter problem the Friday before the spam problem started. That involved another site on another server within Hivelocity's data center that had posted a World Wrestling Entertainment, Inc. copyrighted video. A complaint was made by WWE, Inc. Hivelocity mistakenly disconnected our IP address when they should have disconnected the other server. When I submitted a ticket about us being down, they sent me a copy of the complaint. I saw that in the complaint the domain referenced was not us, sent Hivelocity the proper IP address for the other site, and they apologized, put us back online, and notified the proper domain/server owners. I have no reason to believe that was anything other than a mistake on Hivelocity's part.
About 0-day exploits:
There was an exploit last fall that related to using the install directory and some other code to take over a forum. To my understanding, this depended on the install directory being present on the server. The vB readme instructions had recommended that the install directory be removed after installing or updating, so when I've updated ESMB, I've removed it. It's always a good practice anyway to remove install directories regardless of the software because they give access to the internals without any (or much) authentication. In the vBulletin install, the authentication was the vB customer number.
There was also an issue last fall related to high level accounts (admins, moderators, etc.) using the same password on multiple sites which allowed access to their accounts on any of those sites where the same passwords were used, once one of the sites had been compromised. Using the same password on multiple sites = BAD! This is not a vBulletin vulnerability, although this was said to have happened to many, many sites running vBulletin, some of which were very high profile sites. It also happens to other sites not running vBulletin. It's a user problem, not a software problem.
There was another exploit more recently related to a Yahoo User Interface (YUI) library file called uploader.swf. vBulletin recommended replacing this with a 0-byte file, which I did.
Despite the warnings of many knowledgeable people, vBulletin denied that there was an exploit for last fall's 0-day, even once their own support forum was hacked. Denial seems to be SOP for vBulletin, as other people have talked about the problem that hit us in the 2nd instance, but vBulletin has repeatedly told people that it's their mail server, it's their plugins, it's their configuration, etc. (everything besides vB's programming/product) and has scrubbed their support forums of any evidence related to it that people have posted there. I did, however, find a couple of other posts in other places that vB does not control, that discussed that problem. Incidentally, I have found that these particular spammers (or ones like them selling the same crap) have been abusing other people's vBulletin forums in this or similar ways since 2007 or before.
Just as an extra precaution, I've disabled the attachments feature so that no one can upload anything malicious, for instance, code masquerading as an image that may not be properly checked.
Emma and I are considering moving away from vBulletin to another forum software. This won't happen immediately unless it becomes urgent due to new and additional problems.
When you pay for software, especially something as well known and in such widespread use as vBulletin, you expect that there are proper precautions taken to give the software a sec check before releasing it. You expect that the default settings will be conservative and as secure as possible. You expect there is some level of quality control. Sure, there will always be imperfections, but when there are true and dangerous problems, they need to own up to and fix them - not just stick their heads in the sand and deny there's a problem.
P.S. Fuck spammers! Or as Lenny Bruce would have said, Unfuck them!
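The "Contact Us" failure mode described in the post above (a mail-sending script that trusts extra HTTP POST fields, so a posted To: replaces the address configured in the control panel, and an unfiltered field can smuggle in further headers) is shown below as an added example that is not part of the original post and is not vBulletin's code. The field names, the configured address, the mail-building logic and the sample requests are all constructed assumptions for illustration; the point is the contrast between a handler that merges whatever was posted and one that reads only the form's own fields and rejects header-breaking characters.

```python
"""Constructed example: a contact-form mail builder with the weakness the post
describes, beside a hardened version.  Not vBulletin code; every name and value
here is an assumption for illustration."""

import re

# Assumption: the recipient the admin entered in the control panel.
CONFIGURED_TO = "admin@example.invalid"
# Assumption: the only fields the HTML form actually contains.
FORM_FIELDS = ("name", "email", "subject", "message")
# Header names a naive script might treat as user-settable.
HEADER_LIKE = {"to", "cc", "bcc", "subject", "from"}


class RejectedInput(ValueError):
    """Raised by the hardened builder when posted data is not acceptable."""


def build_mail_unsafe(post):
    """Vulnerable pattern: any posted key that looks like a header is copied
    into the message, so a posted 'to' silently replaces CONFIGURED_TO, and a
    newline inside a field becomes an extra header line (CRLF injection)."""
    headers = {"To": CONFIGURED_TO,
               "From": post.get("email", ""),
               "Subject": post.get("subject", "")}
    for key, value in post.items():
        if key.lower() in HEADER_LIKE:
            headers[key.title()] = value        # attacker-controlled keys win
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head + "\r\n" + post.get("message", "")


def build_mail_safe(post):
    """Hardened pattern: read only the fields the form has, reject CR/LF/NUL
    in every one of them, and never let user data choose the recipient.
    Fields the form does not have (such as a posted 'to') are never read."""
    fields = {}
    for name in FORM_FIELDS:
        value = str(post.get(name, ""))
        if re.search(r"[\r\n\x00]", value):
            raise RejectedInput(f"control characters in field {name!r}")
        fields[name] = value
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", fields["email"]):
        raise RejectedInput("sender address is not a plausible address")
    headers = {"To": CONFIGURED_TO,                      # fixed, never posted
               # Assumption: send as a fixed local sender and put the visitor
               # in Reply-To, so the message is not forged "From" their domain.
               "From": "contact-form@example.invalid",
               "Reply-To": fields["email"],
               "Subject": fields["subject"][:200]}
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head + "\r\n" + fields["message"]


def recipients(raw):
    """Collect To/Cc/Bcc addresses from the raw header block, splitting on any
    line ending, which is how an injected bare '\n' header gets honoured."""
    head = raw.split("\r\n\r\n", 1)[0]
    found = []
    for line in re.split(r"\r?\n", head):
        m = re.match(r"(?i)(to|cc|bcc):\s*(.+)", line)
        if m:
            found.extend(a.strip() for a in m.group(2).split(","))
    return found


def is_rejected(post):
    """True if the hardened builder refuses this POST body."""
    try:
        build_mail_safe(post)
    except RejectedInput:
        return True
    return False


# Constructed sample requests (not real traffic).
SPAM_POST = {"name": "x", "email": "spammer@example.invalid", "subject": "buy",
             "message": "junk", "to": "victim1@example.invalid, victim2@example.invalid"}
INJECTION_POST = {"name": "x", "email": "a@example.invalid",
                  "subject": "hi\nBcc: victim3@example.invalid", "message": "m"}

if __name__ == "__main__":
    print("unsafe, extra 'to' field:   ", recipients(build_mail_unsafe(SPAM_POST)))
    print("unsafe, newline in subject: ", recipients(build_mail_unsafe(INJECTION_POST)))
    print("safe, extra 'to' field:     ", recipients(build_mail_safe(SPAM_POST)))
    print("safe, newline in subject:    rejected =", is_rejected(INJECTION_POST))
```

The unsafe builder reproduces both symptoms the post mentions: the configured address drops out of the recipient list entirely when a `to` field is posted, and a newline in an ordinary field adds a Bcc: the form never offered. The hardened builder is not smarter about spam content; it simply never consults fields the form does not have and refuses anything that could break a header line, which is the check the post says was missing.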