Author Topic: Guess what happened  (Read 41268 times)
Nifelhein
Administrator
*****

Spell Energy / Taint +22/-0
Offline Offline

Gender: Male
Posts: 2,115


Whisper's Will


« on: April 28, 2011, 10:12:33 PM »

ooooook.

Seems the latest version of the software still suffers from the very same vulnerability the other version had, as a result the very same hacker visited us yesterday and left a message: "in one week if the vulnerability stands I will remove all files".

He only changed the index files to show he could do it, which is kinda nice considering everything, but just to be safe I deleted the entire folder structure and flashed back a clean backup copy I had from before reinstalling tinyportal (the articles / downloads / frontpage software).

I have installed and started configuring an alternative to what we had, but since I am not happy with the configuration yet I have not enabled it for everyone to see, meanwhile we are back to safe and stable forums.

I won't give up, I refuse to give up.

May the Shadow never hack us down,

Nif.
Logged

"We cannot live only for ourselves. A thousand fibers connect us with our fellow men; and among those fibers, as sympathetic threads, our actions run as causes, and they come back to us as effects."
 - Attributed to Herman Melville.
Pheros
Avatar of the Witch Queen
*****

Spell Energy / Taint +6/-2
Offline Offline

Gender: Male
Posts: 1,465



WWW
« Reply #1 on: April 28, 2011, 11:28:23 PM »

Huh...an ultimatum?  Interesting.

I suppose if you have to have a hacker, having a chaotic neutral one is preferable to a neutral evil one...

Thanks for working this out Nif...good luck, and give a shout if you need help...
Logged

1.6180339887...
Dunkin stats
JustinInOz
Heepa-Heepa


Spell Energy / Taint +1/-0
Offline Offline

Posts: 35


« Reply #2 on: April 28, 2011, 11:53:38 PM »

What a pain.

This deleting thing is just bluff and bs, right?
Logged
Nifelhein
« Reply #3 on: April 29, 2011, 04:31:57 AM »

I don't know, but what stands is that it is there and at any time he may come back and take AtS offline, something I don't want to happen. In any case the fact that he did it so soon after I installed tinyportal is enough proof that the problem was in it and still is, especially when we stood months without his visit while without that software.

The downloads mod imports data from the old one, so that part would be a perfect migration, but let's see how things behave.
Logged
Bleak Knight
Global Moderator
*****

Spell Energy / Taint +13/-7
Offline Offline

Gender: Male
Posts: 571


AKA Draug


« Reply #4 on: April 29, 2011, 05:52:28 AM »

We have backup somewhere, right?

I don't quite see why he would target AtS with anything. We're a small, harmless site with no political, religious or other views. Seems such a waste of time and effort. Anonymous at least targets things for a reason.
Logged
Nifelhein
« Reply #5 on: April 29, 2011, 06:40:09 AM »

I have backups on my own computer before making any big change on the site, as well as after cleaning up problems. I usually do backups once every 3 months as well.

And there are the host backups as well, datawise we would probably lose very little, but the time and effort involved in fixing this is usually not so small, and there is also the risk that a breach like this is used to reach other sites in the same server.

All in all tinyportal, while powerful and very pretty, isn't worth the risk we open ourselves to by using it.

Some hackers just target sites to show they can, this one in particular seems to have increased boldness and pride since he first attacked us, things are looking more professional on his side now, and I don't want to see what the next step might be.
Logged
IchBin
Heepa-Heepa


Spell Energy / Taint +0/-0
Offline Offline

Posts: 5


« Reply #6 on: April 29, 2011, 11:43:54 AM »

Hi guys. I'm the current developer of the TinyPortal software. Sorry this happened to you. But I'm posting here to hopefully get some more information so that I can fix this if indeed the problem lies within TinyPortal. Can I ask what version of the TP software you were using? Also, did you upgrade from an older version? And what is the oldest version you have previously had installed?

The reason I ask is that there was a known vulnerability in the FCKEditor software that was used in TP 0.9.8 all the way through TP 1.0 beta 3. This folder would have had to be manually removed in order to fix the exploit. Sorry you guys went through the down time. I hope I can get some information from you to fix this.

If possible, could you provide me with your server logs on the day that your site went down? The access_log and error_log would be great to have.

Thank you very much.

-IchBin
Logged
Nifelhein
« Reply #7 on: April 29, 2011, 04:47:29 PM »

Hello IchBin!

I was thinking about making a post about the issue on Tinyportal.net but since I don't have much info I was afraid of being considered offensive or bashing tp, thus being dismissed when reporting my story. I know how tight the development team is and was a frequent reader on the site before bloc closed it and now I drop by every now and then on tp.net

I previously had 0.9.8 but had already removed the fckeditor manually after a previous hack. The last version we were using was the latest, labeled RC1 but numbered 1.0.3 in the package manager, I don't mind setting you an admin account and an ftp account if you want, I will see if I can pull the error and access logs from the server for you guys, if I end up being able to keep TP I would be more than happy, I have a very soft spot for it.

Let me know whether you prefer to keep the conversation here, on tp.net to involve the rest of the team or by mail.

- Nif.
Logged
IchBin
« Reply #8 on: April 29, 2011, 05:02:30 PM »

Doesn't matter where we talk about this really. I think there is an exploit in the downloads manager. One of the other TP Team members just reported that he had his site hacked too. So, I've got some work to figure things out and hopefully quickly. From what I'm hearing, they are uploading a PHP file into the downloads manager masked as an image file. I would have thought that the .htaccess file would have kept anyone from directly hitting a file in the downloads to hack a site like this, but I'll have to investigate. Thanks for your patience, and for being a TP fan. I can only hope I do TP justice in future development. Any logs you can get would be great. I'll keep this topic subscribed so I know if you reply. Thanks!
Logged
mit_2k
Heepa-Heepa


Spell Energy / Taint +0/-0
Offline Offline

Posts: 30


« Reply #9 on: May 03, 2011, 06:05:55 AM »

Blagh, that sucks!
Thanks for keeping up the fight Nif!
Logged

---
But would I run today just to die another day,
Give up now and every fight has been in vain.

Turisas - Stand up and Fight
Nifelhein
« Reply #10 on: May 03, 2011, 07:25:18 AM »

IchBin, by the time we talked I couldn't get the log files of the day of the attack, I even contacted my host but they don't keep any more than one day of log stored and the configuration was not set to allow me to get more than the current day (though it now is).

As far as I can tell you they upload an "image" file through the downloads manager that can then be run to extract the rootkit to the website, it places its files inside the tpimages folder. I believe I might even have the rootkit files in an infected backup I kept from a previous attack on the website, I will have to check the backup files.
Logged
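
A defender-side check for the pattern described in Replies #8 and #10 (a PHP file uploaded through the downloads manager while posing as an image), added here as an example; it is not TinyPortal's fix or code from this thread. The folder passed to `scan_tree` is an assumption (point it at wherever uploads land, such as the tpimages folder mentioned above), and the sample files are constructed. A valid image header does not clear a file, because script code can follow it.

```python
import os
import re
import tempfile

# Leading bytes of the image types an upload folder is expected to hold.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)          # "<?php" or short echo tag
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)  # also x.php.jpg

def check_file(path):
    """Return the reasons a file looks like a script posing as an image."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if EXEC_EXT.search(os.path.basename(path)):
        reasons.append("script extension in name")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("bytes do not match image extension")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in content")
    return reasons

def scan_tree(root):
    """Walk a directory and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = check_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    samples = {  # constructed inputs, not files from the incident
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "banner.gif": b"GIF89a" + b"<?php echo 'marker'; ?>",
        "photo.jpg": b"<?php echo 'marker'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Hits are triage leads rather than verdicts: the three-byte `<?=` pattern can occur by chance in compressed image data, so confirm each flagged file by hand.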
IchBin
« Reply #11 on: May 03, 2011, 08:52:19 AM »

No problems Nifelhein. I have figured out the cause and am working on a fix as we speak. Should have it ready in the next day or two I hope. Will post back here when it's out.
Logged
Nifelhein
« Reply #12 on: May 03, 2011, 09:35:29 AM »

Awesome, hopefully it will fix it for good, when I was hacked last year my host said that vulnerability was in tinyportal for a looong time.
Logged
Blackstorm
Lightbearer
*

Spell Energy / Taint +0/-0
Offline Offline

Posts: 74



« Reply #13 on: May 09, 2011, 06:20:06 AM »

God. I really hate those useless hackers. If someone finds a vulnerability in a site, he should report to the admin and to the developers of the targeted software. This "I'm smarter than your updates" thing is really childish. I just wish to have the knowledge to help you, nif... Sorry I can't...
Logged

---
It was the sort of thing you expected in the Street of Alchemists. The neighbours *preferred* explosions, which were at least identifiable and soon over. They were better than the smells, which crept up on you.

(Terry Pratchett, Moving Pictures)
Nifelhein
« Reply #14 on: May 09, 2011, 07:20:12 AM »

I totally agree with you, thankfully IchBin, who is a member of the support team behind TP is now aware of the issue and working on getting rid of it, maybe we will not have to change our site's software after all!
Logged
Blackstorm
« Reply #15 on: May 09, 2011, 08:05:13 AM »

I hope that. Screw the hacker :)
Logged
IchBin
« Reply #16 on: May 09, 2011, 11:07:43 AM »

I have released the fix today. Feel free to download it from the SMF site or the TinyPortal site.
Logged
Nifelhein
« Reply #17 on: May 09, 2011, 04:49:25 PM »

IchBin,

I would like to thank you for your attention and concern on the issue, I will be applying the fix as soon as I get time to do a full backup of the files and database. I will let you know if anything else pops up.

Cheers!

- Nif.
Logged
IchBin
« Reply #18 on: May 09, 2011, 05:20:13 PM »

No problem Nif. I'm just sorry you guys had to go through the process of building and fixing your site again.

I know there's still bugs in some of the features and stuff, so feel free to report anything that you find if you can. Cheers.

Logged
Nifelhein
« Reply #19 on: May 09, 2011, 07:05:46 PM »

Well, for one thing I will really be able to tell you if the vulnerability is gone, because the hacker visited us like 4 times already in a period of 1 year. But don't be sorry, I know how hard it is to spot something like that in the code and am more than happy to help if and when I can.

Thanks again, for this issue and for all your hard work with TP, and extend my thanks to bloc, lesmond, crip, g6 and all the others who worked and work on tp, the software is good and deserves to be praised.
Logged
Nifelhein
« Reply #20 on: May 10, 2011, 08:21:00 AM »

I have installed the version of Tp with the fix, hopefully that means no more hacks, but if it happens again I will try to get on it fast and grab logs to help the tp team fix the issue for good.
Logged
TwiceBorn
Editor
*****

Spell Energy / Taint +4/-0
Offline Offline

Gender: Male
Posts: 663



« Reply #21 on: May 11, 2011, 12:31:21 AM »

Thanks again to you both, Nif and IchBin -- your time and effort are greatly appreciated. Thanks for helping us keep this community alive!
Logged

samwise7
Insurgent Spy
**

Spell Energy / Taint +0/-1
Offline Offline

Gender: Male
Posts: 223


Just when you thought it was safe to smile...


WWW
« Reply #22 on: May 11, 2011, 06:58:35 AM »

Yeah, I really don't understand why a hacker would go to so much trouble to mess with this site... 
Logged

"Everything important in RPGs happens the moment you stop holding onto the rulebook with both hands." -Jeff Rients
http://samwise7.yolasite.com  (Art, Blog, RPG Settings, YouTube, etc.)
Nifelhein
« Reply #23 on: May 11, 2011, 07:40:27 AM »

The Shadow fears us ;)
Logged
samwise7
« Reply #24 on: May 11, 2011, 09:07:48 AM »

...and rightly so. :)
Logged