Originally Posted by colonius
3.) A system that has been compromised as far as having backdoors installed, should never be considered safe until reinstalled or restored from a known good backup. Evidence that "they never accessed the database" may be false, since the backdoor application could as well have scrubbed the log files to hide its tracks - very common, btw.
And yes, I do system security for a living.
We understand the flaws in md5 hashes; however, everyone I've personally discussed this with has verified that the vBulletin hashing method is sufficiently secure.
While we haven't restored the files from backup, hourly snapshots were diffed and we have ensured that the system is secure. This was a script kiddie script that exploited a vulnerability right after it was announced and before we had an attempt to patch.