
SANS ISC: Compromise - Possible 0-day



Earlier today, was compromised. The group conducting the attack claims to have a 0-day available that enabled the attacker to execute shell commands on the server. The attacker posted screenshots as proof and offered the exploit for sale for $7,000.

If you run vBulletin:

  • carefully watch your logs
  • ensure that you apply all hardening steps possible (anybody got a good pointer to a hardening guide?)
  • keep backups of your database and other configuration information
  • if you can: log all port 80 traffic to your bulletin

If you had an account on, make sure you are not reusing the password. The attackers claimed to have breached as well. According to macrumors, that exploit was due to a shared password. There is a chance that the 0-day exploit is fake and shared passwords are the root cause.

Any other ideas?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS Cyber Defense Initiative 2021


4307 Posts
ISC Handler
Nov 19th 2013
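The post's first and last bullets ("watch your logs", "log all port 80 traffic") are only useful if someone actually reads what gets logged. The script below is an added example, not code from the ISC post, from vBulletin or from any of the sites mentioned: it parses Apache/nginx combined-format access log lines, counts requests per client IP (the reply below notes that IP is the usual handle for cleaning up a bad user), and flags two things a forum admin would want to look at by hand: requests into the vBulletin admin area (the `admincp/` and `modcp/` paths) and query strings carrying shell-style metacharacters, which is the kind of thing a "execute shell commands on the server" exploit might leave behind. The log lines are constructed for the example; the admin path list and the metacharacter set are assumptions to tune for your own site.

```python
"""Access-log triage helper for a vBulletin host (added example, not ISC or vBulletin code)."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed vBulletin admin/moderator entry points; adjust to your install's paths.
ADMIN_PREFIXES = ("/admincp/", "/modcp/")
# Shell metacharacters and common command names inside a decoded query string.
SHELL_META = re.compile(r"[;|`$]|\b(?:wget|curl|bash|sh)\b")

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2013:10:01:02 +0000] "GET /forum/showthread.php?t=123 HTTP/1.1" 200 5120
203.0.113.5 - - [19/Nov/2013:10:01:05 +0000] "GET /forum/forumdisplay.php?f=7 HTTP/1.1" 200 4096
198.51.100.9 - - [19/Nov/2013:10:02:10 +0000] "GET /forum/admincp/index.php HTTP/1.1" 302 0
198.51.100.9 - - [19/Nov/2013:10:02:11 +0000] "POST /forum/admincp/index.php HTTP/1.1" 200 800
198.51.100.9 - - [19/Nov/2013:10:02:20 +0000] "GET /forum/index.php?x=1%3Bid HTTP/1.1" 200 300
192.0.2.77 - - [19/Nov/2013:10:03:00 +0000] "GET /forum/ HTTP/1.1" 200 9000
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["path"].partition("?")
    entry["path"] = path
    entry["query"] = unquote(query)  # decode %XX so encoded ';' etc. are visible
    return entry


def suspicious_reasons(entry):
    """List the reasons (possibly empty) why a parsed request deserves a human look."""
    reasons = []
    if any(prefix in entry["path"].lower() for prefix in ADMIN_PREFIXES):
        reasons.append("admin-area request")
    if SHELL_META.search(entry["query"]):
        reasons.append("shell metacharacters in query string")
    return reasons


def triage(log_text):
    """Return (requests-per-IP Counter, list of flagged (ip, method, path, query, reasons))."""
    per_ip = Counter()
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the whole run
        per_ip[entry["ip"]] += 1
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry["ip"], entry["method"], entry["path"], entry["query"], reasons))
    return per_ip, flagged


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    print("Requests per IP:")
    for ip, n in counts.most_common():
        print(f"  {ip:<15} {n}")
    print("Flagged requests:")
    for ip, method, path, query, reasons in hits:
        print(f"  {ip} {method} {path}?{query}  <- {', '.join(reasons)}")
</test>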
Yes, you can log all IPs; when we decided to sanitize a user we would do it by IP address, but there are issues there too. VBull does not give a lot of features for blocking in versions, but then again a lot of the Admins are not aware of security protocols or stay up on patches. We had a version that allowed users to become Supers, Admins or Mods by hitting the root server and logging in with a key sequence. SOP: never have a VBULL account to anything but a public addy and its own unique PW. This is the message I received yesterday; first I thought it was a phish but later found out not to be. If they hit my data... it goes into the vacuum of space...
