The sawdustzone was hacked.

  • The sawdustzone was hacked.

    The site was hacked due to an exploit in our software for which there was no patch. The exploit was recently published on the web and very easy to implement. The site has been restored from the Tuesday morning backup and the exploit has now been patched. Anything posted after 2019-Sep-24 at 4:45 AM Eastern time will have been lost.

    The backup from this morning occurred after the hack but before the majority of the damage had been done so that backup was unusable.
    Last edited by twistsol; 09-26-2019, 11:10 AM.
    Chr's
    __________
    An ethical man knows the right thing to do.
    A moral man does it.

  • #2
    So what can we do? What is the best course of action from here?
    Hank Lee

    Experience is what you get when you don't get what you wanted!



    • #3
      From a site standpoint we have been secured since vBulletin released a patch yesterday afternoon.

      For users
      • The site doesn't store or use any financial data, so there is no risk there.
      • Passwords in the database are encrypted so those shouldn't be at risk.
      • Email addresses are stored in the user profile and are usually hidden. If the attacker downloaded the database before wiping it, those could be exposed.
      Chr's
      __________
      An ethical man knows the right thing to do.
      A moral man does it.



      • #4
        Folks, this is simply from my perspective.

        Even with the encrypted passwords, the attacker now has your username and encrypted password. With enough computing power and time, decryption of the hash is certainly a possibility.

        I recommend the following actions.
        #1. Change your password on this site.
        #2. If you use the same username / password on other sites, update those as well.
        #3. Be on the lookout for suspicious emails.

        As I understand it, the exploit was released, we were compromised, and THEN the vendor released a patch to prevent this issue.

        We didn't stand a chance.

        Considering some of the background on this issue, I am starting discussion within the administration / moderation team to determine what steps we should take next to prevent future incursions, what options there are, and what we could have done, or used differently that would have resulted in a better outcome for us.

        Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.



        • twistsol
          twistsol commented
          All good advice.
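          Added example, not from this thread or any of its posters: the difference between a leaked password table that stores a fast, unsalted hash and one that stores a salted, slow key-derivation record, which is what decides how much "computing power and time" the cracking the post describes actually takes. It uses only the Python standard library; the usernames, the shared password "woodworker1" and the iteration count are constructed sample values, and the record format is this example's own.

```python
"""Store and verify passwords with a salted, slow KDF, and contrast that with a
fast unsalted hash so the effect of each choice on a leaked table is visible."""
import base64
import hashlib
import hmac
import os


def unsalted_sha256(password: str) -> str:
    # Fast, unsalted hash: the same password always yields the same digest, so
    # one cracked entry reveals every user with that password, and each guess
    # costs a single SHA-256 call.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 600_000, salt: bytes = b"") -> str:
    # Salted PBKDF2-HMAC-SHA256 (example record format "algo$iterations$salt$dk").
    # A fresh 16-byte random salt per user means two users with the same
    # password get different records, and every guess has to be recomputed per
    # record with `iterations` rounds of work.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify(record: str, password: str) -> bool:
    # Recompute the derivation with the stored salt and iteration count and
    # compare in constant time so the check leaks nothing through timing.
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed sample: two forum members who happen to share a password.
SAMPLE_USERS = {"alice": "woodworker1", "bob": "woodworker1"}


def compare_storage(users: dict[str, str]) -> dict[str, bool]:
    """Return whether shared passwords are visible in each storage scheme."""
    fast = [unsalted_sha256(pw) for pw in users.values()]
    slow = [make_record(pw) for pw in users.values()]
    return {
        "unsalted_hashes_collide": len(set(fast)) < len(fast),
        "salted_records_collide": len(set(slow)) < len(slow),
    }


if __name__ == "__main__":
    for name, pw in SAMPLE_USERS.items():
        print(name, "unsalted:", unsalted_sha256(pw)[:16] + "...")
        rec = make_record(pw)
        print(name, "salted:  ", rec[:40] + "...", "verify ok:", verify(rec, pw),
              "wrong pw:", verify(rec, pw + "x"))
    print(compare_storage(SAMPLE_USERS))
```

          The point of the comparison: in the unsalted table the two members' entries are identical, so a single cracked hash exposes both, and a hash from another site's dump matches directly; in the salted table they differ and each guess has to be recomputed per user, which is the "time" part of the calculation the post refers to. Changing a password on a breached site removes the value of the leaked record entirely, whatever the scheme.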

      • #5
        Do you know if other vBulletin-driven web sites were hacked also? I recall this happened several years ago and all vBulletin-sourced sites were affected, necessitating new passwords all around.
        Jim Frye
        The Nut in the Cellar.



        • #6
          After experiencing a hack several years ago, it is essential that we change our passwords of course. I learned my own lesson back then when I found that I had used the same password on at least four different web sites. All of those soon were disturbed by an intruder, using my sign-in. So, lesson to the wise... DON'T use the same password EVER on another site.

          I keep a written log book of every password and site that I use and that is securely locked away.

          CWS
          Think it Through Before You Do!



          • #7
            Thanks for being on top of this Chr's!
            just another brick in the wall...



            • #8
              Originally posted by Jim Frye:
              Do you know if other vBulletin-driven web sites were hacked also? I recall this happened several years ago and all vBulletin-sourced sites were affected, necessitating new passwords all around.
              Many others were. Not only was the exploit published, but so was a search script that located vBulletin sites running the affected versions. Apparently vBulletin had known about the security issue for years and didn't bother with fixing it until there had been a large-scale attack on their customers.
              Chr's
              __________
              An ethical man knows the right thing to do.
              A moral man does it.



              • #9
                This is why I run ModSecurity on the servers where I host forums, because it looks at the requests at another level. It is basically a firewall for file and database calls from the software running on the system. Just yesterday I was having to tweak it because it was interfering with legit forum calls (user trying to upload a file that matched a blocked filename), but that's better than the thing being compromised. It's not terribly difficult to add on a cPanel server (and probably other hosting platforms).



                • #10
                  Originally posted by Jim Frye:
                  Do you know if other vBulletin-driven web sites were hacked also? I recall this happened several years ago and all vBulletin-sourced sites were affected, necessitating new passwords all around.
                  Reportedly many other vBulletin sites were hacked. There was a botnet at work just slamming these sites with the exploit. This wasn't just someone sitting at a keyboard chiseling away...
                  Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.



                  • #11
                    Originally posted by Carlos:
                    This is why I run ModSecurity on the servers where I host forums, because it looks at the requests at another level. It is basically a firewall for file and database calls from the software running on the system. Just yesterday I was having to tweak it because it was interfering with legit forum calls (user trying to upload a file that matched a blocked filename), but that's better than the thing being compromised. It's not terribly difficult to add on a cPanel server (and probably other hosting platforms).
                    I have not run across this. I am going to do some research into this. Not sure if additional firewalling would have helped, but it is worth looking into.
                    Please like and subscribe to my YouTube channel. Please check out and subscribe to my Workshop Blog.



                    • #12
                      It's really not a firewall, I was using an analogy. It basically intercepts the calls between the forum software (or anything running on the machine) and the actual functions. So a compromised product can't make dangerous calls, such as SQL UDF injections. That's what I was tweaking yesterday.

                      2019-09-24 11:23:29 www.cbr1100xx.org 70.190.190.174 403 211820: COMODO WAF: Detects MySQL UDF injection and other data/structure manipulation attempts||www.cbr1100xx.org|F|2
                      Request:
                      POST /forums/index.php?/topic/96239-hey-zero-how%E2%80%99s-europe/page/2/
                      Action Description:
                      Access denied with code 403 (phase 2).
                      Justification:
                      Pattern match "(?i?:create[\\t\\n\\r ]{1,}function[\\t\\n\\r ]{1,}[a-zA-Z0-9_]{1,}[\\t\\n\\r ]{1,}returns)|(?:;[\\t\\n\\r ]{0,}?(?:alter|create|delete|desc|insert|load|rename|select|truncate|update)[\\t\\n\\r ]{0,}?[(\\[]{0,1}[a-zA-Z0-9_]{2,}))" at ARGS:topic_comment_96239.

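                      Added example, not part of this thread or of the ModSecurity/Comodo rule set itself: a small Python script that parses a WAF summary line in the shape of the one quoted above, replays the quoted "Justification" pattern over sample POST arguments, and shows the kind of per-rule exclusion that the "tweaking" for a legitimate forum call amounts to. The pattern is transcribed into Python regex syntax from the post; the summary-line layout and the reading of the number before the colon as a rule id are assumptions drawn from that one line; the sample line, hostname, IP and request bodies are constructed here.

```python
"""Parse a WAF summary line and replay the quoted rule pattern over request arguments."""
import re
from dataclasses import dataclass

# Pattern quoted under "Justification" in the post, in Python regex syntax.
# {1,} -> +, {0,}? -> *?, {0,1} -> ? are the same quantifiers in different
# notation; case-insensitivity is applied with a flag.
UDF_RULE = re.compile(
    r"(?:create[\t\n\r ]+function[\t\n\r ]+[a-zA-Z0-9_]+[\t\n\r ]+returns)"
    r"|(?:;[\t\n\r ]*?(?:alter|create|delete|desc|insert|load|rename|select"
    r"|truncate|update)[\t\n\r ]*?[(\[]?[a-zA-Z0-9_]{2,})",
    re.IGNORECASE,
)

# Assumed layout of the summary line, read off the one quoted in the post:
#   <date> <time> <vhost> <client ip> <status> <rule id>: <message>||<vhost>|<tail>
# The trailing fields after "||" are kept verbatim; the post does not explain them.
SUMMARY_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<vhost>\S+) "
    r"(?P<client>\S+) (?P<status>\d{3}) (?P<rule_id>\d+): (?P<message>.*?)"
    r"\|\|(?P<site>[^|]*)\|(?P<tail>.*)$"
)


@dataclass
class WafEvent:
    timestamp: str
    vhost: str
    client: str
    status: int
    rule_id: str
    message: str
    tail: str


def parse_summary(line: str) -> WafEvent:
    """Split one summary line into fields; raise on anything else."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised WAF summary line: {line!r}")
    return WafEvent(m["timestamp"], m["vhost"], m["client"], int(m["status"]),
                    m["rule_id"], m["message"], m["tail"])


def matching_args(args: dict[str, str], excluded: frozenset[str] = frozenset()) -> list[str]:
    """Return the names of request arguments the rule pattern would flag.

    `excluded` stands in for a per-rule target exclusion: the argument that
    carries a forum post body can be taken out of this one rule's scope
    without switching the rule off for the rest of the request.
    """
    return sorted(name for name, value in args.items()
                  if name not in excluded and UDF_RULE.search(value))


# Constructed sample line in the shape of the one in the post (documentation-range IP).
SAMPLE_LINE = ("2019-09-24 11:23:29 forum.example.org 203.0.113.7 403 211820: "
               "COMODO WAF: Detects MySQL UDF injection and other data/structure "
               "manipulation attempts||forum.example.org|F|2")

# Constructed POST bodies for a forum reply, keyed by argument name.
BENIGN_REPLY = {"topic_comment_1": "Glued up the panel last night, looks great."}
FALSE_POSITIVE_REPLY = {"topic_comment_1": "Cut the tenons first; select two boards with matching grain."}
SUSPICIOUS_REPLY = {"topic_comment_1": "x; select name", "csrfKey": "abc123"}

if __name__ == "__main__":
    ev = parse_summary(SAMPLE_LINE)
    print(f"rule {ev.rule_id} returned {ev.status} for {ev.client} on {ev.vhost}: {ev.message}")
    for label, body in [("benign", BENIGN_REPLY), ("false positive", FALSE_POSITIVE_REPLY),
                        ("suspicious", SUSPICIOUS_REPLY)]:
        print(f"{label:14} -> flagged args: {matching_args(body)}")
    print("with exclusion -> flagged args:",
          matching_args(FALSE_POSITIVE_REPLY, frozenset({"topic_comment_1"})))
```

                      The "false positive" body is an ordinary woodworking sentence; a semicolon followed by "select two" is enough to satisfy the second alternative of the pattern, which is why free-text post bodies are the usual source of the tuning work described above. Excluding that argument from this one rule keeps the rule active on every other parameter of the request, which is the narrower fix compared with disabling the rule.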
