I'm a member of a small site, about 1.9k people, and we are constantly being hacked and vandalized by a larger site of about 2.5k members, and I was hoping someone could help us keep our site safe. So my question is... how would we keep our site safe from people using vBulletin 3.8's vulnerabilities to gain access to admin accounts, insert login/password-gathering hacks, and change the default user group to Mod? Mainly for Digital Point staff, but if you've got a site and know what you're talking about then please speak. Thank you...
Well, keeping your software up to date is key. If you are using software that there are known exploits for, there is nothing you can do, simply because the software has a hole in it. Sometimes this also goes beyond the security of the 'website' and into the security of the server that the website is hosted on. When your site makes as much money as Digital Point, it's worth paying the money to ensure you don't get hacked.
So do you have any preferred software for us to purchase? I mean, the site owner just bought IPB the other day, we'll see how that works, but... how do we make the server more secure?
As far as I know, there is no vulnerability in vBulletin v3.8. It's the latest one, and unless the hackers have an unreleased exploit for vBulletin (which I highly doubt), they're getting in some other way, whether it's through cPanel, FTP, something else, or the server itself. I don't really have much time now, but basically just upgrade to the newest software, make sure you aren't using any exploitable or little-known plugins, and change your passes to everything. Oh also would you mind giving out the address of your site or the hackers' site? It would help people determine how you're getting hacked.
Well, the site is TeamBinary.org and we've been trying new forum types, vB, phpBB and such, and if anyone can offer any help it would be greatly appreciated. Either leave me a message here or on AIM, or drop by TeamBinary and give us a holler.
How is your site hosted? You could also think about putting your site behind a firewall. I suggest using either SmoothWall or Vyatta. I've used both to secure my servers and they work great!!
All of the suggestions above are good ones. I would also suggest an 'application' firewall like mod_security, which will help prevent scans for vulnerabilities and injection attempts, combined with CSF firewall, which integrates very well with mod_security.
Thanks everyone for your input, even you, security cam guy. We will be looking into this shortly, but for now we are chillin' over at invisionfree.com. They say they are unhackable, but we will see how that goes...
Maybe you should just ask a hacker (I'm not a hacker, but I love them). Anyone who has been working on security issues knows that there is no 100% secured and unhackable server! If anyone claims so, don't believe it. And about hacking vB (imagine I'm a hacker and I have LOCAL access to your server): vB boards can't be hacked like "PHP-Nuke, Mambo, Joomla, ...". In these CMSs an attacker can easily read the config file and connect to the database and then try to crack the MD5 password hash or make a new hash for Administrator, BUT in vB, because hashes have a salt, it's impossible to crack the hash or make a new one. So for hacking vB boards and getting administrator access in vB, hackers have a new way: we just go to the forum and register a new user, for example "hacker", then by reading the config file (VB/includes/config.php) we'll connect to the database and try to find the user "hacker" in the users table! Then we change the "user access" to "5" (5 is for administrators), then we insert the user into the admins table! That's it! We bypassed the salt restriction in vB and made a new user with Administrator access. As I said, I'm not a hacker, but I just love them, and trust me, securing servers is not as easy as you think; you'll secure, then we'll bypass. I can help you if you want!
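Added example, not part of the post above and not vBulletin's own code: because the post describes an attacker with database access promoting a freshly registered account, one defensive check is to compare the privileged accounts in the database against a list of approved administrators kept outside the database. The table and column names (`users`, `admins`, `usergroupid`), the sample rows and the approved list are constructed for illustration; the admin group id is a parameter, and the sample uses the value 5 quoted in the post.

```python
import sqlite3

def audit_admins(conn, approved_ids, admin_group_id):
    """Return (userid, username, reason) for each privileged account that looks wrong."""
    cur = conn.cursor()
    # Accounts whose user group grants administrator rights.
    in_group = dict(cur.execute(
        "SELECT userid, username FROM users WHERE usergroupid = ?",
        (admin_group_id,)).fetchall())
    # Accounts with a row in the admin table, even if the user row is gone.
    in_table = dict(cur.execute(
        "SELECT a.userid, COALESCE(u.username, '<no user row>') "
        "FROM admins a LEFT JOIN users u ON u.userid = a.userid").fetchall())
    findings = []
    for uid in sorted(set(in_group) | set(in_table)):
        name = in_group.get(uid, in_table.get(uid))
        if uid not in approved_ids:
            findings.append((uid, name, "not on approved admin list"))
        elif (uid in in_group) != (uid in in_table):
            findings.append((uid, name, "group and admin table disagree"))
    return findings

def build_sample_db():
    """Constructed sample data, not a real forum schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, usergroupid INTEGER);
        CREATE TABLE admins (userid INTEGER PRIMARY KEY);
        INSERT INTO users VALUES (1, 'owner', 5), (2, 'alice', 2),
                                 (3, 'bob', 5), (7, 'newuser', 5);
        INSERT INTO admins VALUES (1), (7);
    """)
    return conn

if __name__ == "__main__":
    # Approved list kept outside the database (assumption: ids 1 and 3).
    for finding in audit_admins(build_sample_db(), {1, 3}, admin_group_id=5):
        print(finding)
```

Run on a schedule from a host other than the web server, a check like this reports a promoted account even when the forum software itself shows nothing unusual.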
Perhaps using stronger and more complex passwords, captcha codes, directory blocking, blocking the IPs where hacks are being done from. Contact your web host and inform them of the attacks, log details, and then contact the authorities and bust them.
Maybe they hire some hackers to test for vulnerable holes, and if there are any they hire vB professionals to seal them off.