Lamest hacking attempt of all time

vftt.org

Maineman

New member
Joined
Mar 14, 2012
Messages
184
Reaction score
1
Location
Gray, Maine
It appears the "general backcountry" board's titles were hacked by some very bored and uncreative individuals.
 

bikehikeskifish

Well-known member
VFTT Supporter
Joined
Oct 4, 2006
Messages
6,091
Reaction score
531
Location
New Hampshire
It appears that while the outcome is fairly lame, they were successful. We're only 1 revision behind on updates... I'll try and repair the titles, and figure out what happened. Might take a few days.

Tim
 

DougPaul

Well-known member
Joined
Jan 12, 2005
Messages
10,713
Reaction score
362
Location
Bedford, MA; Avatar: eggs anyone?
While the obvious damage may be lame, there is the question of what else they may have done that is not so obvious... I can think of some things that could be damaging to members (but I am not going to list them here...). It may also have been a proof-of-concept attack in preparation for something bigger.

Hopefully the next rev will close the hole, but of course, it may not...

(I used to do some computer security related work and studied some of the issues.)

Doug
 

bikehikeskifish

Well-known member
VFTT Supporter
Joined
Oct 4, 2006
Messages
6,091
Reaction score
531
Location
New Hampshire
I upgraded to the latest available software release - 4.2.1, and removed a recently-documented security hole. I also restored all the titles I could find that were tampered with. Thank you for reporting them, and for offers to help. I blocked the entire IP range from which the attack originated. It does not appear that any personal information was taken. Passwords are one-way encrypted so they cannot be stolen, but consider your user profile and what information you may have present there.

Note that many other sites were similarly affected. I will keep a close eye on things over the next week.

Tim
 

nartreb

Well-known member
Joined
Feb 1, 2005
Messages
1,731
Reaction score
138
Location
Waltham, Mass.
> Passwords are one-way encrypted so they cannot be stolen

That's a bit overoptimistic. Stealing an encrypted password file is like using a pickup truck to steal an ATM: you still have to do the hard work of breaking in to get the good stuff, but you've got all the time in the world.

I doubt passwords were the primary target here (or they wouldn't have left such obvious tracks) but crackers may have made copies of the password file on the off chance that somebody else might want it, or for their own later amusement. Everybody should take this as a reminder to change their passwords once in a while.
 

DougPaul

Well-known member
Joined
Jan 12, 2005
Messages
10,713
Reaction score
362
Location
Bedford, MA; Avatar: eggs anyone?
> > Passwords are one-way encrypted so they cannot be stolen
>
> That's a bit overoptimistic. Stealing an encrypted password file is like using a pickup truck to steal an ATM: you still have to do the hard work of breaking in to get the good stuff, but you've got all the time in the world.
>
> I doubt passwords were the primary target here (or they wouldn't have left such obvious tracks) but crackers may have made copies of the password file on the off chance that somebody else might want it, or for their own later amusement. Everybody should take this as a reminder to change their passwords once in a while.

Many people use poor quality passwords that are easily guessed. Thus it is likely that a sizable portion of the passwords can be extracted from a stolen encrypted password file.

Doug
 
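The offline-guessing point nartreb and Doug make above, as an added example that is not part of the thread: a constructed user table hashed with a fast salted hash, a small constructed wordlist, and a throughput comparison against a deliberately slow KDF (PBKDF2). Every name, salt, password and the hash scheme itself are assumptions for illustration, not vBulletin's actual storage format.

```python
"""Why 'one-way encrypted' is not 'cannot be stolen': a defender's audit of a
hash table against a wordlist. All data below is constructed for illustration."""
import hashlib
import hmac
import time


def fast_hash(password: str, salt: str) -> str:
    """Assumed legacy scheme: a single salted MD5 (fast, so cheap to guess against)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def slow_hash(password: str, salt: str, rounds: int = 100_000) -> str:
    """Deliberately expensive KDF: each guess costs 100k SHA-256 iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds).hex()


# Constructed stand-in for a real dictionary.
WORDLIST = ["password", "123456", "letmein", "hiking", "katahdin", "Tr0ub4dor&3"]


def build_sample():
    """Constructed user table: (user, salt, digest) under the fast scheme."""
    users = [("alice", "ab12", "hiking"), ("bob", "cd34", "123456"),
             ("carol", "ef56", "correct-horse-battery-staple"),
             ("dave", "gh78", "letmein")]
    return [(u, s, fast_hash(p, s)) for u, s, p in users]


def audit(table, wordlist, hash_fn):
    """Return {user: password} for every record whose digest matches a wordlist
    entry. This is the check to run on your own table to find weak passwords."""
    found = {}
    for user, salt, digest in table:
        for candidate in wordlist:
            if hmac.compare_digest(hash_fn(candidate, salt), digest):
                found[user] = candidate
                break
    return found


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core throughput: candidates tried per second with hash_fn."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn("candidate%d" % n, "salt")
        n += 1
    return n / seconds


if __name__ == "__main__":
    print("weak passwords recovered:", audit(build_sample(), WORDLIST, fast_hash))
    print("fast guesses/s: %.0f, slow guesses/s: %.1f"
          % (guesses_per_second(fast_hash), guesses_per_second(slow_hash)))
```

The three dictionary-word passwords fall out immediately; the long passphrase does not, and the slow KDF cuts the guess rate by orders of magnitude, which is what makes a stolen table expensive rather than free to work on.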

DougPaul

Well-known member
Joined
Jan 12, 2005
Messages
10,713
Reaction score
362
Location
Bedford, MA; Avatar: eggs anyone?
> There was no login to the server, or the database, from any other IP than mine. Unlikely the passwords were stolen.

I read this in the opposite direction: if you cannot determine the method of entry, you cannot determine what the attacker was able to access (or install *).

The more skillful attackers also cover their tracks...

* Backdoors are often installed to allow easier future access.


IMO, given the obvious changes in the thread titles and the fact that a number of other sites were similarly defaced, this looks like a "script kiddie"** trying to notch up a score. However, even script kiddies can do serious damage.

** For a def of script kiddie, see http://en.wikipedia.org/wiki/Script_kiddie.

Doug
 

bikehikeskifish

Well-known member
VFTT Supporter
Joined
Oct 4, 2006
Messages
6,091
Reaction score
531
Location
New Hampshire
I appreciate everyone's concerns.

In reality, your password is sent in clear text over the wire any time you log in with it. If you check "keep me logged in", then a cookie is likewise sent in clear text. In either case, you can easily be impersonated. The site and data stored here is not particularly sensitive and thus neither Darren nor myself ever bothered to purchase and install a TLS certificate.

I'm relatively confident from spending several hours reading about this, discussing it on vBulletin's site, security scanning the site, and checking all the audit logs, that no sensitive information has been removed. The method of entry is known to be a vulnerability in vBulletin, and the hacker left plenty of signs in the log files, so if they were out to cover their tracks, they failed. I've updated to the latest software, removed the backdoors, repaired the thread titles, and applied a security workaround recommended by vBulletin (on top of blocking that particular hacker's entire IP range.) However, if you are extra security conscious, you should change your password, and remove your birthday, and any other personal information.

I have been watching every few hours and there are no signs of successful re-entry. The logs show all traffic from the originating site has been successfully blocked.

Your humble servant,
Tim
 

Tom Rankin

Well-known member
Joined
Sep 28, 2004
Messages
6,832
Reaction score
759
Location
Bloomville, New York
> I appreciate everyone's concerns.
>
> In reality, your password is sent in clear text over the wire any time you log in with it.
>
> Tim

It bears repeating at this juncture. Since your pw is not encrypted when sent, it should not be used for any other purpose, especially banking web pages!
 

DougPaul

Well-known member
Joined
Jan 12, 2005
Messages
10,713
Reaction score
362
Location
Bedford, MA; Avatar: eggs anyone?
> It bears repeating at this juncture. Since your pw is not encrypted when sent, it should not be used for any other purpose, especially banking web pages!

This is a general principle: don't use the same password at more than one site. If your password is compromised at one, the attacker also gains free entry to your other sites.

Doug
 

bikehikeskifish

Well-known member
VFTT Supporter
Joined
Oct 4, 2006
Messages
6,091
Reaction score
531
Location
New Hampshire
NOTE

vBulletin has released a real solution to this. Thank you to the users who alerted me to it... I get notifications from vBulletin, but I appreciate the additional help.

The solution, unfortunately, requires a PHP upgrade. I scheduled this to happen with the hosting company, but it didn't seem to stick. So, I have gone back to the previous version of vBulletin, which still has the workaround to the problem. Unfortunately (again), this version has another recently-discovered exploit involving Forum Runner. I really want to get this fixed, so as soon as the support tickets get to the top of the queue, I'll get right on it. This means you may experience those odd Warnings about date/time and timezone, or the site may be unavailable.

Sorry for the confusion. Most upgrades are trivial and painless and the community never even notices. This one is not.

Tim
 

Peakbagr

Administrator
Staff member
Joined
Sep 3, 2003
Messages
3,845
Reaction score
279
Location
Near the Adirondack Blue Line
Nice job, Tim. For those who are unaware, Tim spent a LOT of time getting VFTT back up and running this evening.
He doesn't do it for an 'attaboy', but I'm sure he'd appreciate it.
Alan
 

Raven

Well-known member
Joined
Jan 28, 2010
Messages
1,696
Reaction score
59
Location
NH Seacoast
> Nice job, Tim. For those who are unaware, Tim spent a LOT of time getting VFTT back up and running this evening.
> He doesn't do it for an 'attaboy', but I'm sure he'd appreciate it.
> Alan

Thanks for all the work Tim!!
 
