vBulletin.com Compromise - Possible 0-day

Published: 2013-11-19
Last Updated: 2013-11-19 02:05:30 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Earlier today, vBulletin.com was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screen shots as proof and offered the exploit for sale for $7,000.

If you run vBulletin:

  • carefully watch your logs.
  • ensure that you apply all hardening steps possible (anybody got a good pointer to a hardening guide?)
  • keep backups of your database and other configuration information
  • if you can: log all port 80 traffic to your bulletin.

If you had an account on vBulletin.com, make sure you are not reusing the password. The attackers claimed to have breached macrumors.com as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.

Any other ideas?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: vbulletin
1 comment(s)


Yes you can log all IP, when we decided to sanitize a user we would do it by IP address, but there are issues there too. VBull does not give a lot of features for blocking in versions but then again a lot of the Admins are not aware of security protocols or stay up on patches. We had a version that allowed users to become Supers, Admins or Mods by hitting the root server and logging in with a key sequence. SOP, never have a VBULL account to anything but a public addy and its own unique PW. This is the message I received yesterday, first thought it was a phish but later found out not to be, if they hit my data.. it goes into the vacuum of space...


Diary Archives