vBulletin.com compromised

The vBulletin team recently announced that they suffered a compromise which gave the attackers access to the vbulletin.com servers and database. In their own words:

We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

If you have an account on vbulletin.com, consider it compromised and change its password as soon as possible. If you reused your vBulletin password anywhere else, change it there as well (and please stop reusing your passwords).

Ars Technica is covering this incident and has more details.

My site is on vBulletin, what should I do?

First, change all your passwords. I also recommend disabling admin access (admincp) or restricting it to trusted IP addresses until we are sure there is no 0-day out there (read the Ars Technica post for more details on it).

A simple .htaccess rule like this one should help:

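# Put this in the .htaccess of the directory you want to restrict (admincp).
# Apache 2.2 syntax (on 2.4 it needs mod_access_compat); YOURIP is a placeholder.
Order deny,allow
Deny from all
Allow from YOURIP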
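
One way to check that the restriction is holding, as an added example that is not from the original post: the script scans Apache access-log lines for admincp requests from addresses outside the trusted list and separates those answered with 403 from those that were not. The log format (common/combined), the sample lines and the addresses are constructed assumptions.

```python
import ipaddress
import re

# Assumption: Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
# admincp as a whole path segment, wherever the forum is installed.
ADMIN_RE = re.compile(r'/admincp(/|$)')

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Nov/2013:10:00:01 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Nov/2013:10:02:13 +0000] "GET /forum/admincp/index.php HTTP/1.1" 403 209',
    '198.51.100.7 - - [18/Nov/2013:10:02:40 +0000] "POST /forum/admincp/index.php?do=login HTTP/1.1" 200 4311',
    '198.51.100.9 - - [18/Nov/2013:10:03:00 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 18233',
]


def audit_admincp(lines, trusted):
    """Return (blocked, exposed) admincp requests from untrusted addresses.

    blocked: answered 403, so the deny rule applied.
    exposed: any other status, so the request needs review.
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    blocked, exposed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not ADMIN_RE.search(m["path"].split("?", 1)[0]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged; it cannot be compared to the list
        if any(ip in net for net in nets):
            continue
        hit = (m["ip"], m["path"], int(m["status"]))
        (blocked if hit[2] == 403 else exposed).append(hit)
    return blocked, exposed


if __name__ == "__main__":
    blocked, exposed = audit_admincp(SAMPLE_LOG, ["203.0.113.10"])
    print("blocked:", blocked)
    print("needs review:", exposed)
```

Entries in the second list are the ones to investigate first, since they show admincp answering an address that the rule should have denied.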

If you are using our CloudProxy Firewall, it will block access to the admin panel by default unless the IP is whitelisted, minimizing the risks (so you don’t need those .htaccess changes).

For the paranoid, you can be as extreme as the Defcon team and shut down your forum until the vulnerabilities are confirmed and patched.

We also highly recommend putting your forum behind a WAF – web site firewall – which will likely protect you against any new attack (especially if there is a SQL injection or RFI bug somewhere). We recommend our own CloudProxy, but anything at this point will suffice (ModSecurity is a good one if you like open source).

Our team is tracking this issue very closely and we will provide more details if we learn anything new.

Story added 18 November 2013.