After reviewing recent backup data, we have become aware that on January 9, 2016, masked by a period of peak activity, there was a security breach on the web server that hosts VaultWiki.org for a period of about 40 minutes.
If You Read Nothing Else
It is possible that the attacker has obtained email addresses of anyone who sent email messages to vaultwiki.org since January 2010 or who was a member of the vaultwiki.org web site since March 2008. If you ever submitted a "Ticket Support", "Install", "Upgrade", or "Import" service, the attacker may have obtained the following information:
- FTP server address and login information as of the ticket date
- Forum address and admin login information as of the ticket date
If you think you may have submitted non-temporary or currently-valid login information, we STRONGLY urge you to update your FTP and forum admin passwords immediately.
Please take any other steps you deem necessary to protect yourself.
Details
We have mounted an investigation, and we have already identified and closed the vulnerability that the perpetrator used to enter our system. We are also taking further steps this week to improve the security of our systems should any other currently unknown vulnerability be exploited in the future. Our logs for the minutes when the intruder was present suggest only that he (or she) was attempting to gain root privileges, and that it is unlikely that any significant amount of data was stolen, if any. However, you should still take steps to protect yourself.
The intruder certainly did have the opportunity to access the following data:
- Contact emails to our support staff. This includes email copies of Private Messages submitted to staff on our web site. This potentially includes every email message going back over 5 years. Some of those messages, dating back to March 2011, are known to contain sensitive login information.
- The web site's database and daily database backups, which could be read and/or downloaded using PHP. Including the backups, this covers Support Tickets submitted on our web site as far back as December 2014.
How We Were Hacked
The attacker found our web site with a Google.com search for the vBSEO footer copyright. After obtaining a login, the attacker exploited a known remote code execution vulnerability in vBSEO. Unfortunately, since vBSEO has been defunct for a number of years, it was never patched by the developer Crawlability, Inc., and for whatever reason, we did not receive a notification when vBulletin Solutions made the goodwill gesture to notify their own clients of the issue. Thus, we remained vulnerable, and the attacker was able to upload a number of foreign PHP scripts onto our server on January 9. The attacker was tidy and did not cause a scene. It appears that he simply uploaded a few PHP scripts, then attempted to escalate privileges beyond the PHP user. When this failed, the attacker left.
Steps We Have Taken
- We have cleaned all suspicious PHP scripts from our server and our server backups.
- We have run system-wide scans, and are virus free.
- In defense of unknown vBSEO vulnerabilities, we have completely removed vBSEO from VaultWiki.org.
- To protect individual accounts and licensing, we have reset all VaultWiki.org user passwords. You will need to use the password recovery form in order to login again: https://www.vaultwiki.org/login.php?do=lostpw
- We have taken care to re-evaluate and tweak the PHP user's permissions to prevent similar attacks while maintaining functionality.
- We are currently working on a new ticket system design that does not store any credentials in the database and where the PHP user cannot read any credentials after they have been submitted. We hope to have it operational by week's end.
- We have notified our agents, should they advise a legal course against the perpetrator.
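One way to build the ticket design described above, where the PHP user can accept credentials but can never read them back, is to seal each submission with a public key held on the web server while the matching secret key stays with staff offline. This is an added illustration, not VaultWiki's code; it assumes the ext-sodium extension and uses placeholder ticket values.

```php
<?php
// Added example (not VaultWiki's code): a "write-only" credential handoff.
// The web-facing PHP user holds ONLY a public key, so even an attacker who
// runs code as that user can seal new submissions but cannot open any
// ticket already stored. Staff open tickets offline with the secret key,
// which never lives on the web server. Requires the ext-sodium extension.

// Provisioning (done once, off the web server): generate the keypair and
// copy only the public half to the web host.
$staffKeypair = sodium_crypto_box_keypair();
$publicKeyOnWebServer = sodium_crypto_box_publickey($staffKeypair);

// Web server side: seal the submitted credentials the moment they arrive.
// No plaintext is written to the database; the row holds only a blob.
function sealTicketCredentials(array $fields, string $publicKey): string
{
    $plaintext = json_encode($fields, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plaintext, $publicKey);
    sodium_memzero($plaintext);          // scrub the plaintext copy
    return base64_encode($sealed);       // safe to store in a TEXT column
}

// Staff side (offline workstation, not the web server): open a sealed blob.
function openTicketCredentials(string $blob, string $keypair): ?array
{
    $raw = base64_decode($blob, true);
    if ($raw === false) {
        return null;                     // not valid base64
    }
    $opened = sodium_crypto_box_seal_open($raw, $keypair);
    if ($opened === false) {
        return null;                     // tampered blob or wrong key
    }
    return json_decode($opened, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample ticket (placeholder values, not real credentials).
$ticket = [
    'ftp_host' => 'ftp.example.invalid',
    'ftp_user' => 'placeholder-user',
    'ftp_pass' => 'placeholder-pass',
];

$stored = sealTicketCredentials($ticket, $publicKeyOnWebServer);

// On the web server only the public key exists, so decryption is impossible
// there; only the holder of $staffKeypair can recover the fields.
$recovered = openTicketCredentials($stored, $staffKeypair);
assert($recovered === $ticket);
```

The web-server process should hold only `$publicKeyOnWebServer`; if the secret key were also readable by the PHP user, an intruder in the same position as the January 9 attacker could open every stored ticket.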
At this point in time, we believe that VaultWiki.org is now secure and that business can proceed normally. We certainly regret that this has happened and consider this situation a violation of the trust between us and our customers. We hope that we can rebuild that trust in the coming weeks and months.