Hi all,
As you probably know, the website was hacked earlier this month. I’ve been working on fixing this up over the past couple of weeks, and can now report back with an update.
What Happened
A zero-day exploit for vBulletin was recently discovered. This affected any forums where the /install/upgrade.php file was left in place after an installation or upgrade. The exploit enables a remote attacker to silently create a new administrator account, with full access to the forums control panel. Pretty nasty stuff.
When last upgrading this website, I made the mistake of deleting /install/install.php, but not doing a full clean-up of the directory. This opened up a vulnerability which was exploited to create three new admin accounts over the course of a few days. One of these accounts then installed a PHP backdoor, and used this remote shell to manipulate files on the server, and deface the website.
How It Was Fixed
As soon as I discovered the site had been compromised, I took it offline and changed the passwords for important logins. Then I restored the site from backups to a new server (this is where daily backups really come in handy).
It took quite a while to get rid of the infected files, clean up the malicious administrator accounts, and check for any further vulnerabilities. The same attack was actually repeated while I was in the process of applying security patches! But I finally got it all cleaned up, and the site went live again roughly 24 hours after the homepage was defaced.
Since then I have been working with the security team at CodeGuard and analysing the logs to confirm further details of the incident, and find what can be done to prevent similar attacks in the future.
How It Affects You
There’s no way to know for sure what the attacker(s) did while the site was compromised. The particular vulnerability which was exploited has affected many other vBulletin forums recently. So far I have not found any indication that this was a targeted attack against MMWA in particular.
The safest way to approach this is to assume a worst-case scenario. The attacker had direct access to the filesystem, and full admin privileges on the forums. This means they could potentially access everything on the site, including:
- Private messages
- Order history on the Gigs site
- Email addresses
- Hashed passwords
All passwords were salted and hashed, so there is a low risk of plaintext passwords being recovered. But this is still possible, especially if you used a weak password which might be vulnerable to a dictionary attack.
If you used this password on any other websites besides MMWA Forums, I recommend you change it immediately!
What Happens Next
Later today I will be resetting the password on all accounts as a routine precaution. You should receive an email with your username, and a link to set a new password.
I’ve implemented much more rigorous logging and backup procedures since this attack. Notifications have been set up so that any suspicious activity will be noticed immediately. While I already had regular backups in place, the recovery process took longer than expected. This is something I’ll be much more prepared for after the experience of last week.
I’m also looking into more secure hosting solutions. Up until recently I was using shared hosting, with a number of domains on the same filesystem. As the site continues to grow and gains a higher profile, I think it’s worth investing in infrastructure which will be both secure and scalable moving forward in the medium term. Most likely I will be moving the blog and forums to separate hosting providers, with a specialty in WordPress and vBulletin respectively.
Conclusion
The purpose of this post is to be transparent about what’s happened, and exactly what information may have been compromised. While websites are hacked all the time, I realise you’ve trusted me with certain information by participating in this community, and I do feel a personal obligation to protect that information. I’m sorry that your trust has been let down on this occasion. It’s the first major security breach I’ve had to handle in my time as a webmaster, so it’s been very much an education for me in best practices, backups, and security in general. I can assure you I’m doing my best to prevent anything like this happening again.
Please let me know if you have any questions or comments about what’s happened. And thank you for your continued support of this community!
Cheers,
David
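The leftover-installer exposure described under What Happened is the kind of thing a log review can surface: once /install/ has been removed, any request to it should return 404, so a non-404 response to an installer path is a signal worth alerting on. The following is an added example, not code from David's post or from vBulletin; it scans constructed Apache combined-format log lines (the format and the sample entries are assumptions) and groups installer requests by source address.

```python
"""Flag web-server requests that reached a vBulletin installer file.

Added example, not part of the original post. After an install or upgrade the
/install/ directory should be deleted, so any request under it that does not
return 404 means the installer was still reachable. The log format (Apache
"combined") and the sample entries below are constructed for illustration.
"""
import re
from collections import defaultdict

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALLER_PREFIX = "/install/"  # vBulletin installer/upgrader directory


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def installer_hits(lines):
    """Return {ip: [(timestamp, method, status), ...]} for every request under
    /install/ that was NOT answered with 404, i.e. the installer was present."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].lower().startswith(INSTALLER_PREFIX) and rec["status"] != 404:
            hits[rec["ip"]].append((rec["ts"], rec["method"], rec["status"]))
    return dict(hits)


# Constructed sample log lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2013:02:14:07 +0000] "GET /forums/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Aug/2013:02:15:41 +0000] "GET /install/upgrade.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Aug/2013:02:15:44 +0000] "POST /install/upgrade.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2013:02:16:02 +0000] "GET /install/install.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in installer_hits(SAMPLE_LOG).items():
        print(ip, "reached the installer:", events)
```

Only the 203.0.113.5 request to /install/install.php is ignored, because the 404 shows the file was already gone; the two 198.51.100.23 requests are reported.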