next »

[s0]

Matthew edit:  Details in my reply further down

[Landshark RAWR]

i saw this on twitter earlier
https://twitter.com/EigenLenk/status/779750155952201728

[Landshark RAWR]

checking that twitter account i found this https://twitter.com/Allergically/status/779740325275430916

[Capntastic]

:(

[s0]

so, what has been done about this? what info did the hacker have access to? would like some info from an ADMIN

[ｂ∀ ｋｋｕｓａ]

all your drome shitposts are now public

[s0]

oh no!!!

[Manuel Magalhães]

all your drome shitposts are now public

"how to tell a horror story in seven words"

[s0]

no but seriously, i would like an official word from an admin on this.

[DireLogomachist]

Apparently not the first from this guy. He claimed credit for this one a month ago.

https://www.hackread.com/exile-mod-gaming-forum-hacked/

[alvarop]

like yo is my password out there and shit?

[s0]

that's exactly what i'm trying to get confirmation on. i changed mine fwiw.

[DireLogomachist]

And he's had access for near a month if this is anything to go by.

https://twitter.com/Allergically/status/773319922650849284

Well shit.

[s0]

i'm not so sure about that. we don't have 190k users lol. not even close.

[Landshark RAWR]

im thinking those big random strings could be password hashes. your password is safeish but still crackable

[Matthew]

Just wrapping up work on this!  Here's some details:

What Happened?

Someone was able to access to the SMF forum administration section via the progrium account.  Very likely this was via an SMF vulnerability, but it also may have been a shared password problem.

Using the admin tools, they appear to have been able to download a database export.  They then edited templates to deface the site.  (The overnight downtime was because they mangled the settings file, which also confirms their only access to the box was via the admin tools--they never gained shell access).

What Do They Have?

If they have a full database export, they have your email and a salted password hash.

They very likely don't have the full backup (the admin/web tools are pretty bad with timing out).  The backup_members table they quoted on Twitter only has 1,793 entries.

Is My Password Leaked?

The real answer here is "maybe".  It took my 980Ti ten minutes to perform a "rockyou" dictionary attack against the TIGSource password hashes.  (Rockyou.txt is a dictionary file with 14 million passwords from real leaks--if your password is in there, then yes, you're at risk).  

If your password was something basic, and you also use that same password on the email associated with your TIGSource account, change both immediately.

What Should I Do?

- Change your password, and to something secure
- (And use a password manager to never re-use passwords between sites)
- Ignore an social engineering/spam efforts that might come into your email

What Steps Have Been Taken?

This is already a fully-patched SMF 1.x install, but SMF 1.x is also crazy old.

In the the meantime, I put in some tripwire logging on file changes, and also disabled many of the PHP file-related functions, in case it was an SMF exploit and not some other entry point.  This might have broken attachment uploads, and maybe some other things.

I disabled all administrative access, and will disable admin access on my own account unless I'm using it for admin purposes.

I restored the files to the last backup.  (I do nightly database backups and weekly file backups).

The offending IP was from a VPS service; I reported it to their abuse contact.

[Manuel Magalhães]

Thanks for providing information on this, Matthew.

[s0]

thanks, matthew. i assumed as much but it's good to have official confirmation. i made a sticky in General linking to your post.

edit: i also made a sticky in Devlogs because that's where our traffic is lol

[s0]

this goes without saying, but using the same password everywhere or using a "common" password for important sites is a really bad idea.

here's a guide on how to create a secure password: https://nakedsecurity.sophos.com/2015/03/02/why-you-cant-trust-password-strength-meters/

[Matthew]

Another FYI--it looks like they were only able to grab 4% of the members table.  The admin backup tools don't really work on a forum this size--they'll time out, and I've never used them so never fixed.  The tweet here shows "backup_members", and that only has 1,793 entries.

(I disabled that whole side of the admin section now).