I have nuked the Affiliate sub forum and removed all permissions from the account they were using.
This is still happening. And it wasn't happening before the short "scheduled maintenance" message last night. Something tells me he may have penetrated deeper than you thought.

If it's any help, I notice that at least viewing single posts (showpost.php) is returning status code 500 (Internal Server Error), though the HTML is as normal. I wouldn't have noticed except that I'm working on a Greasemonkey script with AJAX.
Disclaimer: IANAA(dmin)
Hate to say it, but consider this a FUCK YES. I'm not intentionally trying to set off a panic here, but if the admin accounts were hacked, and they were, you may as well consider all of your data here compromised, even if superficially it wasn't.
vB is MD5 + salt.

While I agree that changing your passwords is a good thing to do after an incident like this, don't forget that your passwords are stored encrypted in the database so it's not like the hacker has the plaintext password of all users here just from gaining access to the database.
Does anyone know if vB uses MD5 or SHA1? Also, are the passwords salted before they are hashed?
What IS worrisome is that if the hacker rooted the server and dropped in code to skim logins before they hit the actual forum code, which you won't really know unless you format/reinstall the server or audit every single line of php on the server.
Although if the server did actually get rooted I wouldn't expect them to be still running (they wouldn't be if I managed them).
why is it someone suggesting to change pw...
Folks, we were the victims of a serious forum breach early this morning, possibly from aliens
I think we've been hacked
gotta love the big target vBulletin puts on us :/
not only that, to get to L&R you now have to do a search to get to a link to L&R.
May as well change our passwords after this latest attack on AT. I think otherwise our accounts could be their next target.
Because, if the database itself was compromised, then the previously stored MD5 is all they need to replicate access to an account. The salt is readily available in the vB code.
Changing your password changes the MD5 stored in the database.
that won't be easy on any reasonable pw, with salt or not. just don't want to fuel the panic.
Let me fix that for you - it wouldn't be easy provided they have no access to the DB or web server. Given that it's already been compromised... The fact is if you have what's stored in the database, you don't need to decrypt anything. You use THAT as is to generate authentication.
Anyway, there shouldn't be any need to panic anyway. After all, you guys aren't realistically using the same password on some random internet forum as you are for, let's say... your BANK account, right?
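An added example, not part of the thread and not vBulletin's own code: the posts above say vB stores "MD5 + salt". Assuming the legacy layout is md5(md5(password) + salt) with a per-user salt column, this sketch shows how an operator can wrap the existing hashes in PBKDF2 without knowing any password, so the stored value is no longer a fast hash, and that a password change replaces the stored value. All function names, the row layout, the iteration count and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def legacy_vb_hash(password: str, salt: str) -> str:
    """Assumed legacy layout: md5(md5(password) + salt), hex-encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def wrap_legacy(legacy_hex: str, wrap_salt: Optional[bytes] = None) -> dict:
    """Wrap an existing legacy hash in PBKDF2; the password is not needed."""
    wrap_salt = wrap_salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), wrap_salt,
                             PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2(md5salt)", "wrap_salt": wrap_salt, "hash": dk}


def verify(password: str, row: dict) -> bool:
    """Check a login attempt against a legacy row or a wrapped row."""
    legacy = legacy_vb_hash(password, row["salt"])
    if row["scheme"] == "md5salt":
        return hmac.compare_digest(legacy, row["hash"])
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode(), row["wrap_salt"],
                             PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, row["hash"])


def migrate_row(row: dict) -> dict:
    """Return an upgraded copy of a legacy row; wrapped rows pass through."""
    if row["scheme"] != "md5salt":
        return row
    return {**row, **wrap_legacy(row["hash"])}


# Constructed sample user row (not real data).
SAMPLE_ROW = {"user": "alice", "salt": "x7Q", "scheme": "md5salt",
              "hash": legacy_vb_hash("correct horse", "x7Q")}

if __name__ == "__main__":
    upgraded = migrate_row(SAMPLE_ROW)
    print(upgraded["scheme"], verify("correct horse", upgraded))
```

Wrapping protects the live table only; copies or backups taken before the migration still contain the legacy hashes, which is why a password change after a breach still matters.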