What I find most sobering about this is that it sounds like were it not for the defacement 6 days after the hack, no one would ever have been any the wiser.
I know that DB-level and web-server-level intrusion detection systems exist - can the HN community comment on what might have detected this particular attack (even if only after the fact)?
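One concrete, after-the-fact answer to the question above is a query audit log on the database. This is an added illustration, not code from the thread or from the Ubuntu Forums team: it scans log lines written in a simplified MySQL general-query-log style (timestamp, connection id, command, argument; the sample lines, hosts and the `vbulletin` account are constructed) and flags two things a defender would want to see: a connection from a host outside an assumed allowlist of application servers, and a `SELECT` that reads the `user` table with no `WHERE`/`LIMIT` clause, which is what a dump of that table would look like to the database.

```python
import re
from dataclasses import dataclass

# Constructed sample, written in a simplified MySQL general-query-log style.
# Connection 17 is the forum application doing normal per-user lookups;
# connection 42 comes from an unexpected host and reads the whole user table.
SAMPLE_LOG = """\
130714 23:01:02   17 Connect   vbulletin@10.0.0.5 on forum
130714 23:01:02   17 Query     SELECT userid, password, salt FROM user WHERE username = 'alice'
130714 23:01:03   17 Query     UPDATE user SET lastvisit = 1373842863 WHERE userid = 1001
130714 23:04:41   42 Connect   vbulletin@203.0.113.9 on forum
130714 23:04:41   42 Query     SELECT * FROM user
130714 23:05:40   43 Query     SELECT COUNT(*) FROM thread WHERE forumid = 7
"""

# Assumed policy values: hosts the application is expected to connect from,
# and tables whose bulk export should always raise an alert.
ALLOWED_HOSTS = {"10.0.0.5", "localhost"}
SENSITIVE_TABLES = {"user"}

# <timestamp?> <conn id> <command> <argument>; the timestamp is optional because
# MySQL omits it on consecutive entries within the same second.
LINE_RE = re.compile(r"^\s*(?:(\d{6} \d\d:\d\d:\d\d)\s+)?(\d+)\s+(\w+)\s+(.*)$")
CONNECT_RE = re.compile(r"^(\w+)@([\w.:-]+) on (\w+)")
# A SELECT with no WHERE and no LIMIT anywhere in it, capturing the FROM table.
FULL_READ_RE = re.compile(
    r"^\s*SELECT\b(?!.*\bWHERE\b)(?!.*\bLIMIT\b).*\bFROM\s+`?(\w+)`?", re.I | re.S
)


@dataclass
class Finding:
    conn_id: int
    principal: str   # user@host that opened the connection, if seen
    rule: str
    detail: str


def scan_general_log(text: str) -> list[Finding]:
    """Return findings for suspicious connections and bulk reads of sensitive tables."""
    principals: dict[int, str] = {}
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, cid_s, cmd, arg = m.groups()
        cid = int(cid_s)
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if not c:
                continue
            user, host, _db = c.groups()
            principals[cid] = f"{user}@{host}"
            if host not in ALLOWED_HOSTS:
                findings.append(Finding(cid, principals[cid], "unexpected-source-host", arg))
        elif cmd == "Query":
            who = principals.get(cid, "unknown")
            fr = FULL_READ_RE.match(arg)
            if fr and fr.group(1).lower() in SENSITIVE_TABLES:
                findings.append(Finding(cid, who, "full-table-read-sensitive", arg))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"conn {f.conn_id} ({f.principal}): {f.rule}: {f.detail}")
```

Run against the constructed sample, both findings point at connection 42: the connect from 203.0.113.9 and the unfiltered read of `user`. The general log is expensive to keep on permanently, so in practice the same rules would run over a proper audit plugin's output or the application's own query layer; the point is that a dump of 1.82 million rows looks nothing like the per-user lookups a forum normally issues, and is easy to separate from them once the queries are recorded at all.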
I always suspected forums that don't have a read-only or static mode would prove to be a bad choice as a knowledge repository. Google queries returned a lot of ubuntuforums links for many Ubuntu problems I encountered or random googling I did these past few days.
>> They used this access to download the ‘user’ table which
>> contained usernames, email addresses and salted and hashed
>> (using md5) passwords for 1.82 million users.
Somewhere, oclHashcat makes room temperature rise.
Later in the page (in the "Hardening" section), they mention that they've switched the forums to use Ubuntu SSO for authentication, instead of needing to store forum passwords.
Terrible. Why even allow this. A terrible, horrible, kludgy hack.