vBulletin.com Compromise - Possible 0-day
Earlier today, vBulletin.com was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screenshots as proof and offered the exploit for sale for $7,000.
If you run vBulletin:
- carefully watch your logs.
- ensure that you apply all hardening steps possible (anybody got a good pointer to a hardening guide?)
- keep backups of your database and other configuration information.
- if you can: log all port 80 traffic to your bulletin board.
If you had an account on vBulletin.com, make sure you are not reusing the password. The attackers claimed to have breached macrumors.com as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.
Any other ideas?
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Keywords: vbulletin
Comments
http://www.vbulletinemail.com/Important%20Message%20Regarding%20Your%20Account%20vborg.html?utm_medium=Email&utm_source=ExactTarget&utm_campaign=
Anonymous
Nov 19th 2013