s0
« on: September 24, 2016, 07:45:26 AM »
« Last Edit: August 16, 2017, 03:06:50 PM by ProgramGamer »
Landshark RAWR
« Reply #1 on: September 24, 2016, 11:13:29 AM »
Landshark RAWR
« Reply #2 on: September 24, 2016, 11:15:07 AM »
Capntastic
« Reply #3 on: September 24, 2016, 11:17:58 AM »
:(
s0
« Reply #4 on: September 24, 2016, 11:25:42 AM »
so, what has been done about this? what info did the hacker have access to? would like some info from an ADMIN
b∀ kkusa
« Reply #5 on: September 24, 2016, 11:29:00 AM »
all your drome shitposts are now public
s0
« Reply #6 on: September 24, 2016, 11:31:34 AM »
oh no!!!
Manuel Magalhães
« Reply #7 on: September 24, 2016, 11:41:40 AM »
> all your drome shitposts are now public
"how to tell a horror story in seven words"
s0
« Reply #8 on: September 24, 2016, 11:42:21 AM »
no but seriously, i would like an official word from an admin on this.
alvarop
« Reply #10 on: September 24, 2016, 11:48:30 AM »
like yo is my password out there and shit?
s0
« Reply #11 on: September 24, 2016, 11:49:05 AM »
that's exactly what i'm trying to get confirmation on. i changed mine fwiw.
s0
« Reply #13 on: September 24, 2016, 11:59:58 AM »
i'm not so sure about that. we don't have 190k users lol. not even close.
Landshark RAWR
« Reply #14 on: September 24, 2016, 12:03:45 PM »
I'm thinking those big random strings could be password hashes. your password is safe-ish but still crackable
Matthew
« Reply #15 on: September 24, 2016, 12:04:08 PM »
Just wrapping up work on this! Here's some details:
What Happened?
Someone was able to access the SMF forum administration section via the progrium account. Very likely this was via an SMF vulnerability, but it also may have been a shared password problem.
Using the admin tools, they appear to have been able to download a database export. They then edited templates to deface the site. (The overnight downtime was because they mangled the settings file, which also confirms their only access to the box was via the admin tools--they never gained shell access).
What Do They Have?
If they have a full database export, they have your email and a salted password hash.
They very likely don't have the full backup (the admin/web tools are pretty bad with timing out). The backup_members table they quoted on Twitter only has 1,793 entries.
Is My Password Leaked?
The real answer here is "maybe". It took my 980Ti ten minutes to perform a "rockyou" dictionary attack against the TIGSource password hashes. (Rockyou.txt is a dictionary file with 14 million passwords from real leaks--if your password is in there, then yes, you're at risk).
If your password was something basic, and you also use that same password on the email associated with your TIGSource account, change both immediately.
What Should I Do?
- Change your password, and to something secure
- (And use a password manager to never re-use passwords between sites)
- Ignore any social engineering/spam efforts that might come into your email
What Steps Have Been Taken?
This is already a fully-patched SMF 1.x install, but SMF 1.x is also crazy old.
In the meantime, I put in some tripwire logging on file changes, and also disabled many of the PHP file-related functions, in case it was an SMF exploit and not some other entry point. This might have broken attachment uploads, and maybe some other things.
I disabled all administrative access, and will disable admin access on my own account unless I'm using it for admin purposes.
I restored the files to the last backup. (I do nightly database backups and weekly file backups).
The offending IP was from a VPS service; I reported it to their abuse contact.
« Last Edit: September 24, 2016, 12:25:37 PM by Matthew »
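An added example, not Matthew's or SMF's code: a minimal version of the file-change tripwire mentioned in the post above. It hashes every file under a web root into a baseline manifest and later reports what was added, modified or deleted, which is how an edited theme template or a mangled settings file surfaces. The directory tree and file names are constructed for the demo and are not a real SMF install.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report which files were added, deleted or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def run_demo() -> dict:
    """Constructed scenario (hypothetical tree, not a real forum): baseline a
    tiny web root, then reproduce the kinds of change the post describes
    (edited theme template, mangled Settings.php, a file that was never
    deployed, a file that disappeared) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        theme = web / "Themes" / "default"
        theme.mkdir(parents=True)
        (theme / "index.template.php").write_text("<?php // original template\n")
        (web / "Settings.php").write_text("<?php $boardurl = 'https://forum.example';\n")
        (web / "index.php").write_text("<?php // entry point\n")
        baseline = build_manifest(tmp)  # taken while the site is known-good

        (theme / "index.template.php").write_text("<?php // altered template\n")
        (web / "Settings.php").write_text("not valid php anymore\n")
        (theme / "extra.php").write_text("<?php // file that was never deployed\n")
        (web / "index.php").unlink()
        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline manifest is stored off the web host and the comparison runs from cron, so an intruder who can only edit files through the admin tools cannot also rewrite the baseline.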
Manuel Magalhães
« Reply #16 on: September 24, 2016, 12:08:38 PM »
Thanks for providing information on this, Matthew.
s0
« Reply #17 on: September 24, 2016, 12:10:25 PM »
thanks, matthew. i assumed as much but it's good to have official confirmation. i made a sticky in General linking to your post.
edit: i also made a sticky in Devlogs because that's where our traffic is lol
« Last Edit: September 24, 2016, 12:23:34 PM by Silbereisen »
Matthew
« Reply #19 on: September 24, 2016, 12:27:36 PM »
Another FYI--it looks like they were only able to grab 4% of the members table. The admin backup tools don't really work on a forum this size--they'll time out, and I've never used them so never fixed. The tweet here shows "backup_members", and that only has 1,793 entries.
(I disabled that whole side of the admin section now).