The sawdustzone was hacked.

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • twistsol
    SawdustZone Patron
    • Dec 2002
    • 2957
    • Cottage Grove, MN, USA.
    • Ridgid R4512, 2x ShopSmith Mark V 520, 1951 Shopsmith 10ER

    The sawdustzone was hacked.

    The site was hacked due to an exploit in our software for which there was no patch. The exploit was recently published on the web and very easy to implement. The site has been restored from the Tuesday morning backup and the exploit has now been patched. Anything posted after 2019-Sep-24 at 4:45 AM Eastern time will have been lost.

    The backup from this morning occurred after the hack but before the majority of the damage had been done so that backup was unusable.
    Last edited by twistsol; 09-26-2019, 11:10 AM.
    Chr's
    __________
    An ethical man knows the right thing to do.
    A moral man does it.
  • leehljp
    The Full Monte
    • Dec 2002
    • 8521
    • Tunica, MS
    • BT3000/3100

    #2
    So what can we do? What is the best course of action from here?
    Hank Lee

    Experience is what you get when you don't get what you wanted!

    Comment

    • twistsol
      SawdustZone Patron
      • Dec 2002
      • 2957
      • Cottage Grove, MN, USA.
      • Ridgid R4512, 2x ShopSmith Mark V 520, 1951 Shopsmith 10ER

      #3
      From a site standpoint we have been secured since vBulletin released a patch yesterday afternoon.

      For users
      • The site doesn't store or used any financial data so there is nos risk there.
      • Passwords in the database are encrypted so those shouldn't be at risk.
      • Email addresses are stored in the user profile and are usually hidden. If the attacker downloaded the database before wiping it, those could be exposed.
      Chr's
      __________
      An ethical man knows the right thing to do.
      A moral man does it.

      Comment

      • dbhost
        Slow and steady
        • Apr 2008
        • 9333
        • League City, Texas
        • Ryobi BT3100

        #4
        Folks, this is simply from my perspective.

        Even with the encrypted passwords, the attacker now has your username and encrypted password. WIth enough computing power, and time, decryption of the hash is certainly a possibility.

        I recommend the following actions.
        #1. Change your password on this site.
        #2. If you use the same username / password on other sites, update those as well.
        #3. Be on the lookout for suspicious emails.

        As I understand it, the exploit was released, we were compromised, and THEN the vendor released a patch to prevent this issue.

        We didn't stand a chance.

        Considering some of the background on this issue, I am starting discussion within the administration / moderation team to determine what steps we should take next to prevent future incursions, what options there are, and what we could have done, or used differently that would have resulted in a better outcome for us.

        Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.

        Comment


        • twistsol
          twistsol commented
          Editing a comment
          All good advice.
      • Jim Frye
        Veteran Member
        • Dec 2002
        • 1056
        • Maumee, OH, USA.
        • Ryobi BT3000 & BT3100

        #5
        Do you know if other vBulletin driven web sites were hacked also. I recall this happened several years ago and all vBulletin sourced sites were affected necessitating new passwords all around.
        Jim Frye
        The Nut in the Cellar.
        ”Sawdust Is Man Glitter”

        Comment

        • cwsmith
          Veteran Member
          • Dec 2005
          • 2758
          • NY Southern Tier, USA.
          • BT3100-1

          #6
          After experiencing a hack several years ago, it is essential that we change our passwords of course. I learned my own lesson back then when I found that I had used the same password on at least four different web sites. All of those soon were disturbed by an intruder, using my sign-in. So, lesson to the wise... DON'T use the same password EVER on another site.

          I keep a written log book of every password and site that I use and that is securely locked away.

          CWS
          Think it Through Before You Do!

          Comment

          • Black walnut
            Administrator
            • Aug 2015
            • 5476
            • BT3K

            #7
            Thanks for being on top of this Chr's!
            just another brick in the wall...

            Boycott McAfee. They placed an unresponsive popup on my pc.

            Comment

            • twistsol
              SawdustZone Patron
              • Dec 2002
              • 2957
              • Cottage Grove, MN, USA.
              • Ridgid R4512, 2x ShopSmith Mark V 520, 1951 Shopsmith 10ER

              #8
              Originally posted by Jim Frye
              Do you know if other vBulletin driven web sites were hacked also. I recall this happened several years ago and all vBulletin sourced sites were affected necessitating new passwords all around.
              Many others were. Not only was the exploit published, but a search script that located vBulletin sites that were running the affected versions. Apparently vBulletin had known about the security issue for years and didn't bother with fixing it until there had been a large scale attack on their customers.
              Chr's
              __________
              An ethical man knows the right thing to do.
              A moral man does it.

              Comment

              • Carlos
                Veteran Member
                • Jan 2004
                • 1893
                • Phoenix, AZ, USA.

                #9
                This is why I run ModSecurity on the servers where I host forums, because it looks at the requests at another level. It is basically a firewall for file and database calls from the software running on the system. Just yesterday I was having to tweak it because it was interfering with legit forum calls (user trying to upload a file that matched a blocked filename), but that's better than the thing being compromised. It's not terribly difficult to add on a cPanel server (and probably other hosting platforms).

                Comment

                • dbhost
                  Slow and steady
                  • Apr 2008
                  • 9333
                  • League City, Texas
                  • Ryobi BT3100

                  #10
                  Originally posted by Jim Frye
                  Do you know if other vBulletin driven web sites were hacked also. I recall this happened several years ago and all vBulletin sourced sites were affected necessitating new passwords all around.
                  Reportedly many other vBulletin sites were hacked. There was a botnet at work just slamming these sites with the exploit. This wasn't just someone sitting at a keyboard chiseling away...
                  Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.

                  Comment

                  • dbhost
                    Slow and steady
                    • Apr 2008
                    • 9333
                    • League City, Texas
                    • Ryobi BT3100

                    #11
                    Originally posted by Carlos
                    This is why I run ModSecurity on the servers where I host forums, because it looks at the requests at another level. It is basically a firewall for file and database calls from the software running on the system. Just yesterday I was having to tweak it because it was interfering with legit forum calls (user trying to upload a file that matched a blocked filename), but that's better than the thing being compromised. It's not terribly difficult to add on a cPanel server (and probably other hosting platforms).
                    I have not run accross this. I am going to do some research into this. Not sure if additional firewalling would have helped, but it is worth looking into.
                    Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.

                    Comment

                    • Carlos
                      Veteran Member
                      • Jan 2004
                      • 1893
                      • Phoenix, AZ, USA.

                      #12
                      It's really not a firewall, I was using an analogy. It basically intercepts the calls between the forum software (or anything running on the machine) and the actual functions. So a compromised product can't make dangerous calls, such as SQL UDF injections. That's what I was tweaking yesterday.

                      2019-09-24 11:23:29 www.cbr1100xx.org 70.190.190.174 403 211820: COMODO WAF: Detects MySQL UDFinjection and other data/structuremanipulation attempts||www.cbr1100xx.org|F|2
                      Hide
                      Request:
                      POST /forums/index.php?/topic/96239-hey-zero-how%E2%80%99s-europe/page/2/
                      Action Description:
                      Access denied with code 403 (phase 2).
                      Justification:
                      Pattern match "(?i?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|renam e|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at ARGS:topic_comment_96239.

                      Comment

                      Working...