ESMB is back. Again.
- Thread starter ethercat
- Start date
Mick Wenlock
Admin Emeritus (retired)
thank you ethercat. You are a gem.
Enthetan
Master of Disaster
I'd say likewise, but my wife would get jealous.
Terril park
Sponsor
How does one add data to ones profile?
ethercat
Cat in flight
No, this was related to spammers taking advantage of forward facing scripts. I have not detected any intrusion, nor seen any evidence that might suggest that one happened.
It's difficult to discuss technical things without going over the heads of non-technical people, but so everyone can hopefully understand what happened, I'll try. If I use terms you don't understand (not necessarily you PG, but others), just skip on past them and read the rest. You don't have to word clear everything I say below.
The first problem was due to a spammer who used a link on the blogs to "send email to a friend', which was a forward facing link set by a configuration option to allow guests to send email. I believe the setting to allow it was the default - which is bad design on the part of vBulletin, if true. (Although I have not confirmed that with a fresh new install and a virgin database.) I can't imagine Emma would have set it that way deliberately, and I know I didn't. So in other words, the software was operating as intended, but it was a poor choice on vB's part to make that setting the default, if they did. And admittedly, I bear some culpability in not having checked absolutely every setting possible, of which there are thousands, when I moved ESMB in December 2012.
Once I had changed that setting, and checked that all the other settings I could find that would allow anyone, guest or member, to send email to anyone were set to no (as well as a checking a number of other things, both forum and server), I put the forum back online. I left the "Contact Us" form active because according to vBulletin, it used a "hard coded" email address, which was entered into the admin control panel. This meant that it was only supposed to send email to the address in the control panel. We could get spammed, yes, but no one else should have been.
Occurring 3 days later, the second problem concerned the script used for the "Contact Us" form, and which possibly comes into play for other email sending, like notifications, although I don't know that for sure. The email address in the control panel which I had entered was still there and still the same as what I had entered. This should have been the only email address that could be sent to using that particular script.
There is no place on the "Contact Us" form to enter another email address, but it's possible to submit HTTP POST data without using a form and spammers use this all the time. Good programming practices include checking for how the data has been submitted, whether the form has been used to submit or not, and removing any extraneous data or non-alphanumeric characters. In this case, that would include any added To: data. This script did not do that, apparently. In addition, since we did not receive any copies of the spam emails, it appears that it not only accepted the To: data submitted by the spammers but replaced the To: address that was set in the admin control panel with theirs!
Considering the bad programming practices in that particular script, I have lost any confidence in vBulletin that I may have had prior to this. I've set all configuration settings that vBulletin has to send email to not allow it. I'm not satisfied that that's enough, though, so I've also made settings to the server to disallow it, carefully monitor it, and alert me to anything amiss. It was the server alerts that notified me of the first problem to begin with.
There was also the shorter problem the Friday before the spam problem started. That involved another site on another server within Hivelocity's data center that had posted a World Wrestling Entertainment, Inc. copyrighted video. A complaint was made by WWE, Inc. Hivelocity mistakenly disconnected our IP address when they should have disconnected the other server. When I submitted a ticket about us being down, they sent me a copy of the complaint. I saw that in the complaint the domain referenced was not us, sent Hivelocity the proper IP address for the other site, and they apologized, put us back online, and notified the proper domain/server owners. I have no reason to believe that was anything other than a mistake on Hivelocity's part.
About 0-day exploits:
There was an exploit last fall that related to using the install directory and some other code to take over a forum. To my understanding, this depended on the install directory being present on the server. The vB readme instructions had recommended that the install directory be removed after installing or updating, so when I've updated ESMB, I've removed it. It's always a good practice anyway to remove install directories regardless of the software because they give access to the internals without any (or much) authentication. In the vBulletin install, the authentication was the vB customer number.
There was also an issue last fall related to high level accounts (admins, moderators, etc.) using the same password on multiple sites which allowed access to their accounts on any of those sites where the same passwords were used, once one of the sites had been compromised. Using the same password on multiple sites = BAD! This is not a vBulletin vulnerability, although this was said to have happened to many, many sites running vBulletin, some of which were very high profile sites. It also happens to other sites not running vBulletin. It's a user problem, not a software problem.
There was another exploit more recently related to a Yahoo User Interface (YUI) library file called uploader.swf. vBulletin recommended replacing this with a 0-byte file, which I did.
Despite the warnings of many knowledgeable people, vBulletin denied that there was an exploit for last fall's 0-day, even once their own support forum was hacked. Denial seems to be SOP for vBulletin, as other people have talked about the problem that hit us in the 2nd instance, but vBulletin has repeatedly told people that it's their mail server, it's their plugins, it's their configuration, etc. (everything besides vB's programming/product) and has scrubbed their support forums of any evidence related to it that people have posted there. I did, however, find a couple of other posts in other places that vB does not control, that discussed that problem. Incidentally, I have found that these particular spammers (or ones like them selling the same crap) have been abusing other people's vBulletin forums in this or similar ways since 2007 or before.
Just as an extra precaution, I've disabled the attachments feature so that no one can upload anything malicious, for instance, code masquerading as an image that may not be properly checked.
Emma and I are considering moving away from vBulletin to another forum software. This won't happen immediately unless it becomes urgent due to new and additional problems.
When you pay for software, especially something as well known and in such widespread use as vBulletin, you expect that there are proper precautions taken to give the software a sec check before releasing it. You expect that the default settings will be conservative and as secure as possible. You expect there is some level of quality control. Sure, there will always be imperfections, but when there are true and dangerous problems, they need to own up to and fix them - not just stick their heads in the sand and deny there's a problem.
P.S. Fuck spammers! Or as Lenny Bruce would have said, Unfuck them!
Dulloldfart
Squirrel Extraordinaire
Ethercat, there must be thousands and thousands of vBulletin installations. Has this specific spam exploit happened with others? If not, I don't suppose it could have been the cult paying bounties for anything that could take down ESMB?
Paul
Paul
Mimsey Borogrove
Crusader
In clearing your cache so that when you click "forum" it won't go back to the orange page, have you found it takes multiple times to make it go away? Last time I cleared it 3 times before the orange notice disappeared. Last night I cleared it once and it is still there so I'll go at it a couple more times. Weird. Mimsey
PS too bad the attack on ESMB wasn't a church sponsored hack - what a wonderful conspiracy thread that would have made
( just kidding, like we need them fucking with the board.)
Thanks for the explain - all I have to do now is screw up my confront and actually read your post. Did I hear someone say: Google the words you bonehead?
Mimsey
PS too bad the attack on ESMB wasn't a church sponsored hack - what a wonderful conspiracy thread that would have made
( just kidding, like we need them fucking with the board.) Thanks for the explain - all I have to do now is screw up my confront and actually read your post. Did I hear someone say: Google the words you bonehead?
Mimsey
ethercat
Cat in flight
Send to friend was disabled before the site went back online last week. This was another script to blame.
Thank you, HT. Yes, member thanks and support mean a lot. If it weren't for that and the value of the information posted here, I'd be off doing something that I actually enjoy.
I do have some info, but I'm not going to say much at this time.
Thanks EC once again. I know it was time consuming to have to deal with this situation all over again after last week.
It was time consuming, but fortunately not as much as it could have been because I had a head start from what I'd learned the first time around.
Do you have a "settings" link at the upper right? (I ask because I have additional menus as an admin, and don't know what you can see without logging out and into a test account.) If so, that will take you there.
Thanks for being so understanding everyone.
TrevAnon
Big List researcher
IIRC WWP used vBulletin in the past. (Or was it the Enturb days?) :confused2: They now use Xenforo. Again IIRC they were able to do a data-conversion that left most if not all theads and posts that were made on vBulletin intact. I also don't remember having to register again and that sort of stuff.
Just a suggestion though, I don't know anything about implementing and using forum software.
ethercat
Cat in flight
Yes, this spam exploit has happened with other forums. That doesn't mean it couldn't have been used by the cult also (they're not exactly original or creative these days), but unless or until I have evidence otherwise, I'm not going to assume it was.
Well, I do have an explanation for why it's so "sticky", but it's technical. You may need to close the window you have it open in before clearing the cache. Make sure your browser isn't just going directly to the suspended page, too, as a browser "suggestion" in the URL bar.
PS too bad the attack on ESMB wasn't a church sponsored hack - what a wonderful conspiracy thread that would have made
And like we need more conspiracies (real or not) or another conspiracy thread? LOL! Although there was some interesting timing going on with all of this... Hmmm...
mee-anti-cof$
Patron
Magoo
Gold Meritorious Patron
Did I miss you ALL EtherCat and Emma for your hard work!OSA?
LOL Happy "NEW WEEK" (their new week 'stats' begins Thursday AFTER 2:00....so once more they remain the "downstats" of these stats:
<<<<
__________________________________________________________________________
We remain :surprise1:
Tory/Magoo
PS: If you're lurking and "in", honestly which group would you rather be a part of?
Care for a
? 
? We believe in 
(Honest education) and 
ing!
MissWog
Silver Meritorious Patron
Thank you so much! I went it into near panic mode trying to find a venue for discussion during the day in court..and the days before where just as painful! Thank you for keeping this community going and bringing folks together! I'm so fortunate to have the opportunity to discuss in a comfortable setting and learn from all those here. You wonderful ADMINs make that happen..thank you!
dchoiceisalwaysrs
Gold Meritorious Patron
Send to friend was disabled before the site went back online last week. This was another script to blame.
Thank you, HT. Yes, member thanks and support mean a lot. If it weren't for that and the value of the information posted here, I'd be off doing something that I actually enjoy.
I do have some info, but I'm not going to say much at this time.
It was time consuming, but fortunately not as much as it could have been because I had a head start from what I'd learned the first time around.
Do you have a "settings" link at the upper right? (I ask because I have additional menus as an admin, and don't know what you can see without logging out and into a test account.) If so, that will take you there.
Thanks for being so understanding everyone.
I see Terril hasn't responded to you yet, but yes the SETTINGS is up there beside login - logout in our menu and it worked all the way through to adjusting what I needed to do.
Big Thanks EC
