vBulletin.com Compromised

The vBulletin team recently announced that they suffered a compromise that gave the attackers access to the vbulletin.com servers and database. In their own words:

We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

If you have an account on vbulletin.com, consider it compromised and change its password ASAP. If you reused your vbulletin.com password anywhere else, you have to change it there as well, and please stop reusing your passwords.

Ars Technica is covering this incident and has more details.

My site is on vBulletin, what should I do?

First, change all your passwords. I also recommend disabling admin access (admincp), or restricting it to trusted IP addresses only, until we are sure there is no 0-day out there (read the Ars Technica post for more details on it).

A simple .htaccess rule like this one should help:

# .htaccess for the admincp directory: deny everyone except YOURIP
Order deny,allow
Deny from all
Allow from YOURIP
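
To confirm the restriction is actually in effect, the access log can be checked for admincp requests from addresses outside the allow list that did not receive a 403. This is an added example, not part of the original post; it assumes the Apache common/combined log format, and the addresses, paths and log lines are constructed.

```python
import ipaddress
import re

# Trusted admin sources (constructed; use the addresses from your "Allow from" lines).
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.10/32", "198.51.100.0/24")]

# Apache common/combined log format: client IP, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Nov/2013:10:01:02 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 5120
192.0.2.77 - - [18/Nov/2013:10:02:41 +0000] "GET /forum/admincp/ HTTP/1.1" 403 289
192.0.2.99 - - [18/Nov/2013:10:03:15 +0000] "POST /forum/admincp/index.php HTTP/1.1" 200 4096
192.0.2.99 - - [18/Nov/2013:10:03:20 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 20480
not a log line
"""

def is_allowed(ip_text):
    """True if the client address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted
    return any(ip in net for net in ALLOWED)

def audit(log_text, admin_dir="/admincp/"):
    """Return (ip, method, path, status) for admin requests from untrusted
    addresses that were answered with anything other than 403."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        # Compare on the path only (no query string), case-insensitively.
        if admin_dir not in path.split("?", 1)[0].lower():
            continue
        # With the deny rule active, untrusted clients should always get 403.
        if not is_allowed(ip) and status != 403:
            findings.append((ip, method, path, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("admincp reachable from untrusted IP:", finding)
```

If the admin directory has been renamed, pass its name as `admin_dir` (lowercase, with surrounding slashes).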

If you are using our CloudProxy Firewall, it blocks access to the admin panel by default unless the IP is whitelisted, which minimizes the risk, so you wouldn’t need those .htaccess changes.

For the paranoid, you can be as extreme as the Defcon team, and shut down your forum until the vulnerabilities are confirmed and patched.

We also highly recommend putting your forum behind a Web Application Firewall (WAF) which will likely protect you against any new attack, especially if there is a SQL injection or RFI bug somewhere. We recommend our CloudProxy Firewall, but anything at this point will suffice. ModSecurity is a good one if you like open source.

Our team is tracking this issue very closely and we will provide more details if we learn anything new.

About Daniel Cid

Sucuri CTO, OSSEC Founder, open source developer and information security professional - dcid.me

  • Adeel Sami

    Thanks, David! vBulletin is under the radar of hackers these days, and every single vBulletin-powered site owner needs to tighten up their security.
    I do wish .htaccess allowed a rule to deny a whole country, not by its IPs but by its country name, to curb illegal access.