Coincidence?

Rhisiart

Registered
I manage a running club forum using vBulletin. Over the last few months, numerous spammers have set up user accounts, only for me to delete them once I know they are there.

After a while I gave up and closed down user registration. Now to join, prospective members have to email me with some evidence that they are local and that they are genuine sports people.

So far so good. However this morning - out of the ordinary I may add - I logged into the forum admin control panel using Windows XP on the VMware virtual machine and within twenty minutes some hackwallah from Turkey had broken in and had created a new user account.

I suspect he did it to prove it could be done. I just find it hard to believe that he would have achieved this had I logged in using MacOS. Or am I wrong?
 
It is hard to know without knowing at what point you've been compromised.

If it was a vulnerability in vBulletin, or if your vBulletin password was insecure and was brute-force hacked, or had been picked up through being used at another site, then no, using a Mac would not have made a difference.

If the access was gleaned using spyware, a keylogger, or remote access to a file share on your computer, perhaps grabbing your cookie files or any documents containing the word "password", then it might have made a real difference. Perhaps the access had been achieved much earlier, perhaps you accessed your account from another compromised computer, or perhaps the database backend to the forum was vulnerable enough to allow the hacker to read the username/password table.

The real question is, where did this guy get in? Without carefully checking each link in the chain, you can't really be sure. Would I discount a Windows virus/spyware program infecting your Windows VM: hell, no. It would be pretty high on my list of suspects.
 
Yes, I need to investigate it a little more. It just seemed a coincidence that this person got in whilst I was using Windows.

Interestingly the hacker's username is the same one identified in another forum hosted in our village. That person was traced back to Turkey, but after that it was a dead end.

Your reply is very helpful. I shall delve into the forum control panel and see if I can see anything that might help.
 
I don't know. That's outside my scope of practice.

I do sometimes refer to the good wife as the dobi wallah (at the risk of having certain parts of my body removed against my will).
 
In my experience, such hacks are done by (ab)using existing exploits for the forum software. It's a drag.
 