Inappropriate Spam Private Messages

[ahecht]

Brandon, do you have any way to reset the passwords of users that are using their username as their password? Most of the users involved had 0 or 1 posts and aren't likely to log in any time soon to see this message.

[Blue_Mist]

Mine are completely gone as of Friday morning. Thank you very much for getting rid of the spam so quickly! Just another happy CDer knowing that Chief Delphi is the best site out there...

[Brandon Martus]

When I get back from IRI, I will be notifying those users with the same username/password that their password will be reset for them. I will also be upgrading the forums to the latest version, in the off chance that this was a vulnerability being exploited in our version of the software.

I have 2 unread PMs that I can't see in my inbox somewhere .. so I will go through and repair the PM listings when I get back home from IRI. Doing the quick fix that I did last night wasn't a complete fix .. just enough to get the inappropriate material out of peoples inboxes.

[basicxman]

all part of web development and admnistration, always protecting your site against SQL injection, XSS attacks, etc....

[Brandon Martus]

An update: after some research, this was not a vBulletin exploit. No data was compromised, or hacked. There are multiple other forums experiencing the same PM spam, all reporting that the accounts being compromised had username==password.

I will be resetting passwords on anybody who has username==password, to prevent this from happening in the future. vBulletin will most likely prevent people from setting username==password in future versions, it looks like, as well.

I still have to clean up inboxes -- mine has 2 unread, missing PMs.

EDIT: 117 passwords reset .. and it will perform this reset automatically, every night without notice to prevent future attacks.

EDIT: The private messages should be cleaned up now. Let me know if you still have weird things happening in your PM inbox.

[Elgin Clock]

Anyone still have a bold number X of unread private messages but none in their inbox like I still do?

[Brandon Martus]

Quote:

Originally Posted by Elgin Clock

Anyone still have a bold number X of unread private messages but none in their inbox like I still do?

A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

[Richard Wallace]

Quote:

Originally Posted by Brandon Martus

A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read....

That method worked for me.

[Elgin Clock]

Quote:

Originally Posted by Brandon Martus

A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

Quote:

Originally Posted by Richard

That method worked for me.

Indeed it worked for me as well. Thanks!

[EmptyNerd]

Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

[kramarczyk]

Quote:

Originally Posted by EmptyNerd

Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

Quote:

Originally Posted by Brandon Martus

A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

Quote:

Originally Posted by Richard

That method worked for me.

Quote:

Originally Posted by Elgin Clock

Indeed it worked for me as well. Thanks!

Yup, me too.

[Starke]

Quote:

Originally Posted by EmptyNerd

Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

Same for me!

[Nibbles]

I figured it out, check the checkbox in the header of the table, then in the bottom select "Mark as read". This will force the "unread messages" number in the database to refresh.

Either a SQL DELETE was used to get rid of the messages, or there is a bug in vBulletin which doesn't issue an update after a mass delete (I don't think vBulletin has such a control panel that can delete PMs, last I checked a few years ago).

Anyways, this solution worked for me. That bold "1 Unread message" was driving me crazy too.

[Brandon Martus]

Quote:

Originally Posted by Nibbles

Either a SQL DELETE was used to get rid of the messages, or there is a bug in vBulletin which doesn't issue an update after a mass delete (I don't think vBulletin has such a control panel that can delete PMs, last I checked a few years ago).

Anyways, this solution worked for me. That bold "1 Unread message" was driving me crazy too.

I deleted the spam PMs manually via sql, but forgot about the cached count that is tied to your user record. I just updated everybodies counts, so the #s should match the messages in your inboxes now.

[whytheheckme]

I liked having messages from 1969 in my PM box! Then I could say to my kids, "Hey kids, when I was your age, CD got attacked, and I have these messages from 1969 to show when Brandon fixed the problem remotely from IRI using nothing but his cell phone, a wad of gum and a paperclip!"


On a serious note, awesome job Brandon fixing everything promptly!

Jacob