
Loads of forums hacked in ways I do not understand

neelandan

Owner of dot net
I read earlier that there had been over 35,000 hacks on vb sites. I do not understand all the techy stuff but it seems that VB has some serious security problems.
But then what should we expect from a site that protects unethical staff members who support known and self-confessed hackers.

BiGal5 once said I did not understand the word IRONY! and Maths!! Perhaps I understand it better now.

2+2 = a li'l bigger 2.
 

BirdOPrey5

Staff member
Administrator
VIP
An exploit was found in the vBulletin upgrade script earlier this year. Before this exploit, vBulletin officially only required deleting the install script after an install or upgrade, but the upgrade script was generally deemed safe to leave on the server.

As a result of the exploit vBulletin now recommends deleting the entire /install/ directory which includes both scripts and numerous other files.

As a result of this exploit and the fact that hundreds of thousands of sites use vBulletin, it was no surprise a percentage of those admins did not bother keeping up to date on security issues and either ignored emails or had changed their emails in the years since installing the software, and as a result an estimated 30,000 sites were compromised starting at the end of September of this year, when the details of how to use the exploit became public and every wanna-be hacker tried their hand at it. In most cases the damage to sites was minimal, just Middle Eastern hackers changing the front page to their "Hacked by XXXXXX" message. Luckily most of these guys left the data intact. They generally just want to shock admins into taking security more seriously rather than actually harm the communities long term. (Because let's face it, these admins who don't care about security probably also don't have recent backups in place either.)

Anyway... That is where the headline came from. It was a fairly easy and far-reaching hack resulting in so many compromised sites.

Usually when an exploit is found in software (including vBulletin, it happens from time to time) it is much "harder" to exploit and that limits the number of sites affected before a patch is released and installed.

One more thing about that exploit with the upgrade script... Any Admin that followed the recommended security procedures rather than merely the required minimums would have had the hack prevented by way of requiring a separate password to access in the /install/ and /admincp/ folders to begin with.

vBulletin has various options for stronger security beyond the "out of the box" minimums but it takes an Admin willing to implement them to actually work as intended.
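An added example, not part of the post above and not vBulletin's own code: a small audit of a forum webroot for the two points the post makes, a leftover /install/ directory and missing password protection on /install/ and /admincp/. It assumes the separate password is Apache HTTP auth declared in a per-directory .htaccess file, which the thread does not specify; the sample directory tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the "separate password" is Apache HTTP auth set in a per-directory
# .htaccess file; the thread does not say which mechanism is used.
AUTH_TYPE = re.compile(r"^\s*AuthType\s+(Basic|Digest)\b", re.I | re.M)
REQUIRE = re.compile(r"^\s*Require\s+(valid-user|user\s+\S+|group\s+\S+)", re.I | re.M)

def has_http_auth(directory: Path) -> bool:
    """True if the directory's own .htaccess declares an auth type and a Require rule."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="replace")
    # Commented-out directives ("# AuthType Basic") do not match the anchored patterns.
    return bool(AUTH_TYPE.search(text) and REQUIRE.search(text))

def audit_forum_root(root: Path) -> list:
    """Return findings for the two directories named in the post."""
    findings = []
    install = root / "install"
    if install.is_dir():
        findings.append("install/ still present: delete the whole directory")
        if not has_http_auth(install):
            findings.append("install/ has no HTTP auth in .htaccess")
    admincp = root / "admincp"
    if admincp.is_dir() and not has_http_auth(admincp):
        findings.append("admincp/ has no HTTP auth in .htaccess")
    return findings

def build_sample_tree(base: Path, protected: bool, keep_install: bool) -> Path:
    """Constructed sample webroot, for demonstration only."""
    root = base / ("hardened" if protected else "default")
    (root / "admincp").mkdir(parents=True)
    if keep_install:
        (root / "install").mkdir()
    if protected:
        (root / "admincp" / ".htaccess").write_text(
            'AuthType Basic\nAuthName "Admin"\n'
            "AuthUserFile /placeholder/.htpasswd\nRequire valid-user\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for args in ((False, True), (True, False)):
            root = build_sample_tree(Path(tmp), *args)
            print(root.name, audit_forum_root(root) or "no findings")
```

Authentication configured in the main server configuration instead of .htaccess is not visible to this check, so a finding here means "verify by hand", not proof of exposure.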
 

neelandan

Owner of dot net
2+2 = a li'l bigger 2.
One river + another river = a little bigger river. QED.

But all these bad things which I don't really understand happen because somebody who has ties to vBulletin or sumpn of that sort supports self-confessed liars and scammers on his site.

He allows them to harass an innocent man (whose name they do not know) on his site by posting insane things while pretending to be him.
 

neelandan

Owner of dot net
by way of requiring a separate password to access in the /install/ and /admincp/ folders to begin with.
So my practice of using "419eater" as password on all the sites that I own, and am admin of, and on the numerous other sites that I am a global mod of, and the other countless sites that I am a member of good standing, and the rest of the sites where I have been banned, is not a good idea at all?
 