Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length

 
Advanced search

1370094 Posts in 64433 Topics- by 56484 Members - Latest Member: Spacybits

December 05, 2019, 02:16:36 PM

Need hosting? Check out Digital Ocean
(more details in this thread)
TIGSource ForumsCommunityTownhallForum IssuesTIG has been hacked! (OLD)
Pages: [1] 2 3
Print
Author Topic: TIG has been hacked! (OLD)  (Read 12053 times)
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« on: September 24, 2016, 07:45:26 AM »

Matthew edit:  Details in my reply further down
« Last Edit: August 16, 2017, 03:06:50 PM by ProgramGamer » Logged
Landshark RAWR
Level 10
*****



View Profile
« Reply #1 on: September 24, 2016, 11:13:29 AM »

i saw this on twitter earlier
https://twitter.com/EigenLenk/status/779750155952201728
Logged

Landshark RAWR
Level 10
*****



View Profile
« Reply #2 on: September 24, 2016, 11:15:07 AM »

checking that twitter account i found this https://twitter.com/Allergically/status/779740325275430916
Logged

Capntastic
Community Friendlord
Administrator
Level 10
******



View Profile WWW
« Reply #3 on: September 24, 2016, 11:17:58 AM »

:(
Logged
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #4 on: September 24, 2016, 11:25:42 AM »

so, what has been done about this? what info did the hacker have access to? would like some info from an ADMIN
Logged
b∀ kkusa
Global Moderator
Level 10
******



View Profile
« Reply #5 on: September 24, 2016, 11:29:00 AM »

all your drome shitposts are now public
Logged
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #6 on: September 24, 2016, 11:31:34 AM »

oh no!!!
Logged
Manuel Magalhães
Forum Dungeon Master
Level 10
*****



View Profile WWW
« Reply #7 on: September 24, 2016, 11:41:40 AM »

all your drome shitposts are now public
"how to tell a horror story in seven words"
Logged

Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #8 on: September 24, 2016, 11:42:21 AM »

no but seriously, i would like an official word from an admin on this.
Logged
DireLogomachist
Level 4
****



View Profile
« Reply #9 on: September 24, 2016, 11:47:32 AM »

Apparently not the first from this guy. He claimed credit for this one a month ago.

https://www.hackread.com/exile-mod-gaming-forum-hacked/

Logged


Living and dying by Hanlon's Razor
alvarop
Level 9
****


ignorant


View Profile WWW
« Reply #10 on: September 24, 2016, 11:48:30 AM »

like yo is my password out there and shit?
Logged

i make games that can only ever be played once on http://throwaway.fun
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #11 on: September 24, 2016, 11:49:05 AM »

that's exactly what i'm trying to get confirmation on. i changed mine fwiw.
Logged
DireLogomachist
Level 4
****



View Profile
« Reply #12 on: September 24, 2016, 11:58:40 AM »

And he's had access for near a month if this is anything to go by.

https://twitter.com/Allergically/status/773319922650849284

Well shit.
Logged


Living and dying by Hanlon's Razor
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #13 on: September 24, 2016, 11:59:58 AM »

i'm not so sure about that. we don't have 190k users lol. not even close.
Logged
Landshark RAWR
Level 10
*****



View Profile
« Reply #14 on: September 24, 2016, 12:03:45 PM »

im thinking those big random strings could be password hashes. your password is safeish but still crackable
Logged

Matthew
Rapture
Administrator
Level 3
******


Milling About


View Profile WWW
« Reply #15 on: September 24, 2016, 12:04:08 PM »

Just wrapping up work on this!  Here's some details:

What Happened?

Someone was able to access to the SMF forum administration section via the progrium account.  Very likely this was via an SMF vulnerability, but it also may have been a shared password problem.

Using the admin tools, they appear to have been able to download a database export.  They then edited templates to deface the site.  (The overnight downtime was because they mangled the settings file, which also confirms their only access to the box was via the admin tools--they never gained shell access).

What Do They Have?

If they have a full database export, they have your email and a salted password hash.

They very likely don't have the full backup (the admin/web tools are pretty bad with timing out).  The backup_members table they quoted on Twitter only has 1,793 entries.

Is My Password Leaked?

The real answer here is "maybe".  It took my 980Ti ten minutes to perform a "rockyou" dictionary attack against the TIGSource password hashes.  (Rockyou.txt is a dictionary file with 14 million passwords from real leaks--if your password is in there, then yes, you're at risk).  

If your password was something basic, and you also use that same password on the email associated with your TIGSource account, change both immediately.

What Should I Do?

- Change your password, and to something secure
- (And use a password manager to never re-use passwords between sites)
- Ignore an social engineering/spam efforts that might come into your email

What Steps Have Been Taken?

This is already a fully-patched SMF 1.x install, but SMF 1.x is also crazy old.

In the the meantime, I put in some tripwire logging on file changes, and also disabled many of the PHP file-related functions, in case it was an SMF exploit and not some other entry point.  This might have broken attachment uploads, and maybe some other things.

I disabled all administrative access, and will disable admin access on my own account unless I'm using it for admin purposes.

I restored the files to the last backup.  (I do nightly database backups and weekly file backups).

The offending IP was from a VPS service; I reported it to their abuse contact.
« Last Edit: September 24, 2016, 12:25:37 PM by Matthew » Logged

Matthew Wegner
Currently: Aztez
Founder, Flashbang Studios
Partner, Indie Fund
Editor, Fun-Motion
Co-Chair, IGF
Manuel Magalhães
Forum Dungeon Master
Level 10
*****



View Profile WWW
« Reply #16 on: September 24, 2016, 12:08:38 PM »

Thanks for providing information on this, Matthew.
Logged

Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #17 on: September 24, 2016, 12:10:25 PM »

thanks, matthew. i assumed as much but it's good to have official confirmation. i made a sticky in General linking to your post.

edit: i also made a sticky in Devlogs because that's where our traffic is lol
« Last Edit: September 24, 2016, 12:23:34 PM by Silbereisen » Logged
Silbereisen
Overlord
Administrator
Level 10
******


eurovision winner 2014


View Profile
« Reply #18 on: September 24, 2016, 12:16:35 PM »

this goes without saying, but using the same password everywhere or using a "common" password for important sites is a really bad idea.

here's a guide on how to create a secure password: https://nakedsecurity.sophos.com/2015/03/02/why-you-cant-trust-password-strength-meters/
Logged
Matthew
Rapture
Administrator
Level 3
******


Milling About


View Profile WWW
« Reply #19 on: September 24, 2016, 12:27:36 PM »

Another FYI--it looks like they were only able to grab 4% of the members table.  The admin backup tools don't really work on a forum this size--they'll time out, and I've never used them so never fixed.  The tweet here shows "backup_members", and that only has 1,793 entries.

(I disabled that whole side of the admin section now).
Logged

Matthew Wegner
Currently: Aztez
Founder, Flashbang Studios
Partner, Indie Fund
Editor, Fun-Motion
Co-Chair, IGF
Pages: [1] 2 3
Print
Jump to:  

Theme orange-lt created by panic