Security Breach June 24, 2012
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Approximately 14 months ago, the Wiki suffered a security breach. This was evident and the Wiki was repaired. What was unknown was that either in conjunction or separately, the Forums were also breached. A back door allowing file access and execution privileges appears to have been installed shortly after the Wiki breach. This back door was accessed for a period of approximately one week, then left in place and ignored.
It is impossible to tell what was done during this period of access, only that there were no visible effects, which is why it remained undetected. The back door would have allowed raw database access, as well as access to the Forums software.
The back door remained in place, but was not accessed again, until earlier this month. At this point several additional back doors were installed. A few days ago, additional action was taken resulting in the advertisements discussed here. The config.php file was altered to call an external php file. This file checked source IPs and user-agents to determine whether or not the viewer was human. If that was determined to be the case, the script would perform two primary functions. The script would check a pre-defined url, and download its contents to a cache file. The cache file would then be read in and displayed - this would be the advertisements that were seen.
To the best of my knowledge, that is what happened.
At this point, all identified back doors have been removed, and the forums software has been reloaded clean. While I am reasonably certain that I have found everything, I cannot guarantee it due to the size of the forums database and the number of uploaded attachments. I strongly suggest that all members immediately change their passwords. If your forums password is used elsewhere, change it at those locations as well. I do not know for certain that the database was lifted and/or any passwords stolen, but it is technically possible that this has happened.
Apologies for any inconvenience.
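The cleanup described in the post above (reload the software clean, then look for leftover back doors and the altered config.php) can be partly automated. The sketch below is an added example, not part of the original post and not phpBB code: it compares a live forum tree against a clean copy of the same release and lists include/require lines in config.php. The directory layout, file names and the loader path in the demo are constructed, and it assumes a stock config.php holds only settings.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: a stock config.php only sets values, so any include/require is suspect.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*;", re.I)

def tree_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def audit(deployed: Path, clean: Path, site_files=("config.php",)) -> dict:
    """Compare a live forum tree against a clean copy of the same release."""
    live, ref = tree_hashes(deployed), tree_hashes(clean)
    report = {"modified": [], "unexpected": [], "config_includes": []}
    for rel, digest in sorted(live.items()):
        if rel in site_files:
            continue  # site-specific, so inspected by content below
        if rel not in ref:
            report["unexpected"].append(rel)  # e.g. a script among the uploads
        elif ref[rel] != digest:
            report["modified"].append(rel)
    for rel in site_files:
        path = deployed / rel
        if path.is_file():
            text = path.read_text(errors="replace")
            report["config_includes"] += [m.group(0) for m in INCLUDE_RE.finditer(text)]
    return report

def demo() -> dict:
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "files").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "common.php").write_text("<?php // stock common\n")
        (live / "common.php").write_text("<?php // stock common\n// changed\n")
        (live / "files" / "avatar_12.php").write_text("<?php // constructed\n")
        (live / "config.php").write_text(
            "<?php\n$dbhost = 'localhost';\ninclude('/tmp/example/loader.php');\n")
        return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Legitimate attachments and avatars also show up under "unexpected", so that list is a starting point for review; what it cannot cover is anything stored in the database itself.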
Re: IMPORTANT - Security Breach 120624 - Read Me Now
We all thank you very much for your work, and also for alerting us of the potential password issue.
I'd just like to say tyvm
-The King-
Owner of The Kingdom
Re: IMPORTANT - Security Breach 120624 - Read Me Now
I could only post here by copying the URL I got from clicking the reply button of a different topic and changing the relevant bits. The POST REPLY/QUOTE buttons aren't shown here. And the Board Index seems to be differently positioned (but it works).
edit: And now, after I posted, these buttons are there again.
edit2: and after going to the board-index and reopening the topic, they're gone. haha
Re: IMPORTANT - Security Breach 120624 - Read Me Now
/me is glad he uses different passwords for EVERYTHING.
Thanks for the alert.
--They say nobody is perfect, then they say practice makes perfect. I wish they would make up their minds.
--The less people speak of their greatness, the more we think of it.
--Dealing with backstabbers, there was one thing I learned. They're only powerful when you got your back turned.
--I don't have to attend every argument I'm invited to.
--The dumber people think you are, the more surprised they're going to be when you kill them.
--There are two types of people - those who come into a room and say, "Well, here I am!" and those who come in and say, "Ah, there you are."
--It doesn't matter what temperature a room is, it's always room temperature.
--You can't have everything in the world, where would you put it?
- Tank Program
- Forum & Project Admin, PhD
- Posts: 6711
- Joined: Thu Dec 18, 2003 7:03 pm
Re: IMPORTANT - Security Breach 120624 - Read Me Now
Word wrote: I could only post here by copying the URL I got from clicking the reply button of a different topic and changing the relevant bits.
Global Announcements appear to be handled funny. They take on the properties of whichever parent forum you click through from. Or from the first forum from View New Posts, which is the Welcome forum which is locked to regular users. Clicking from the top of one of the other forums works fine, that's effectively the same as changing the relevant bits. Just a bit of phpBB weirdness I think.
- Jonathan
- A Brave Victim
- Posts: 3391
- Joined: Thu Feb 03, 2005 12:50 am
- Location: Not really lurking anymore
Re: IMPORTANT - Security Breach 120624 - Read Me Now
It also thinks the entire thread is unread all the time. Global announcements don't work quite right.
ˌɑrməˈɡɛˌtrɑn
-
- Posts: 5
- Joined: Wed Feb 20, 2008 3:19 am
- Location: California
Re: IMPORTANT - Security Breach 120624 - Read Me Now
pretty sure my email got hacked because of this..
- Jonathan
- A Brave Victim
- Posts: 3391
- Joined: Thu Feb 03, 2005 12:50 am
- Location: Not really lurking anymore
Re: IMPORTANT - Security Breach 120624 - Read Me Now
Pretty unlikely, unless your password is worthless and you used the same one.
ˌɑrməˈɡɛˌtrɑn
-
- Posts: 8
- Joined: Sat Feb 20, 2010 5:14 am
Re: IMPORTANT - Security Breach 120624 - Read Me Now
Actually my facebook and email were hacked recently and I had no knowledge of how, but this makes sense and it was probably this.. Oh well I already changed those passwords and no harm was done so it's all good!
edit: LMAO posted this before I looked at the dates..I'm a noob >.<
Re: IMPORTANT - Security Breach 120624 - Read Me Now
I can see what happened to my old account now...