vBulletin insecure?

[gkgcpanel]

We have had 3 sites that were all hacked within the last 2 sites. No other sites are effected. All 3 of these were running some version of vBulletin.

We did restore the sites from backup, and within hours they were hacked again.

We can find no point of entry directly to the server. These 3 sites are the only ones running vBulletin at this time.

I can find no mention of any security issues with vBulletin, but it's the only common link for all 3 sites.

Anyone run into this before? Should be stop allowing vBulletin scripts all together..?

 

[zigzam]

Are you running the latest version of vbulletin?

 

[Voltar]

Were you using the latest version of vBulletin? Or at the very least apply the security fixes? Are the boards heavily modded, and if so, were all the mods updated? Are you using any PHP security features like open_basedir and/or suPHP?

More importantly, have you determined how the sites were hacked in the first place so you can close up the security hole?

 

[MMarko]

Aslo right forum for questions about vBulletin would be their official support forum.

 

[AndyReed]

I can find no mention of any security issues with vBulletin, but it's the only common link for all 3 sites.

Anyone run into this before? Should be stop allowing vBulletin scripts all together..?

vBulliten can be hacked very easily regardless of security features enabled on your server. This article explains what you need to do to secure vBulliten: http://servertune.com/kbase/entry/339/

Although nothing in the cyberspace is "bullet proof", but what's in the article should help stop the bad guys.

 

[EJeanmaire]

From my experience over the years, all of the off the shelf php scripts... (vBulletin, phpBB, phpnuke, etc etc) are targets for exploiters. If your version is out of date, you are an easy target. If you are on the current version, you still have some risk as the vendors can be slow to release patches. IMHO stay away unless you are diligent on upgrading.

 

[Silver_2000]

From my experience over the years, all of the off the shelf php scripts... (vBulletin, phpBB, phpnuke, etc etc) are targets for exploiters. If your version is out of date, you are an easy target. If you are on the current version, you still have some risk as the vendors can be slow to release patches. IMHO stay away unless you are diligent on upgrading.

BY off the shelf PHP scripts you would include Cpanel right ?
The issues with VBulletin are MUCH different from issues with Phpbb and others. If your server is setup securely and software is relatively recent most if not all of the exploits can be avoided.

Id be willing to bet the VB installs are really old. Its asking for trouble to not keep software updated

 

[cPanelDavidG]

BY off the shelf PHP scripts you would include Cpanel right ?

cPanel is coded in Perl, not PHP.