General fluff => Announcements => Topic started by: Josh @ Dreamland on October 02, 2012, 11:07:10 AM

Title: Break In
Post by: Josh @ Dreamland on October 02, 2012, 11:07:10 AM
I believe it is my legal obligation to inform everyone we've had a break-in. Presumably by a bot.

At 2PM yesterday I received a report that malware was being hosted on our server and that it was likely we had been compromised. In fact, it appears that some entity had gained root access to our server and loaded a phishing page up on it. The files all belonged to the root account, which means that the entity had full access to our system; this includes databases.

I don't think anyone should be overly concerned, as all passwords are handled by SMF and are therefore salted and hashed.

We are unsure how the break-in occurred, but we believe it may have been related to an old wordpress install hosted elsewhere on this server. From this point forward, no one say "Wordpress" to me.

So, in an effort to uphold due diligence, etc, this is your warning that it is possible (but unlikely) that someone has a copy of all salted password hashes. It is also possible they have a large list of email addresses. It is also possible (if extremely unlikely) that they can retrieve your password by allocating their presumably large network of bots to brute forcing the hashes. I wouldn't worry about that happening.

Most people don't use very powerful passwords over http, anyway.

So, this is your heads up. Sorry about the shitty news. We're wiping old shit we don't maintain and putting more security in place to prevent this from happening again.
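The post above leans on "salted and hashed" as the reason not to worry about a leaked password table. The added example below (not code from the thread, the forum, or SMF) shows what a per-user salt actually buys an attacker who holds the dump: it stops one hash computation from testing every user at once, but it does nothing for weak passwords, which still fall to a per-user dictionary run; only a slow, iterated KDF multiplies the cost of each guess. The `salt || password` SHA-1 construction, the PBKDF2 alternative, the wordlist and the three sample accounts are all constructed for the demo and are not a claim about how SMF stores passwords.

```python
import hashlib

# Constructed wordlist and "leaked" credentials for illustration only; not real data.
WORDLIST = ["password", "letmein", "123456", "dragon", "qwerty", "monkey"]
SAMPLE_USERS = [
    ("alice", "k3z9", "dragon"),                           # weak, in wordlist
    ("bob",   "q7pa", "letmein"),                          # weak, in wordlist
    ("carol", "x1m0", "correct horse battery staple 7!"),  # not in wordlist
]


def unsalted_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(salt, password):
    # Assumed salt||password construction for the demo; says nothing about SMF's real scheme.
    return hashlib.sha1((salt + password).encode()).hexdigest()


def slow_kdf(salt, password, iterations):
    # PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC calls instead of one SHA-1.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def build_dump(scheme, iterations=None):
    """Return [(user, salt, hash)] as an attacker with root would read it from the database."""
    rows = []
    for user, salt, pw in SAMPLE_USERS:
        if scheme == "unsalted":
            h = unsalted_sha1(pw)
        elif scheme == "salted":
            h = salted_sha1(salt, pw)
        else:
            h = slow_kdf(salt, pw, iterations)
        rows.append((user, salt, h))
    return rows


def crack_unsalted(dump, wordlist):
    """No salt: one hash per guess checks every user at once (a lookup table suffices)."""
    table = {unsalted_sha1(g): g for g in wordlist}
    cracked = {user: table[h] for user, _, h in dump if h in table}
    return cracked, len(wordlist)  # work = primitive hash calls


def crack_salted(dump, wordlist, hash_fn, cost_per_guess=1):
    """Per-user salt: every guess must be rehashed for every user; stop at first hit."""
    cracked, work = {}, 0
    for user, salt, h in dump:
        for guess in wordlist:
            work += cost_per_guess
            if hash_fn(salt, guess) == h:
                cracked[user] = guess
                break
    return cracked, work


def compare(iterations=20000):
    """Run the same dictionary against the three storage schemes; return {scheme: (cracked, work)}."""
    return {
        "unsalted": crack_unsalted(build_dump("unsalted"), WORDLIST),
        "salted": crack_salted(build_dump("salted"), WORDLIST, salted_sha1),
        "kdf": crack_salted(build_dump("kdf", iterations), WORDLIST,
                            lambda s, g: slow_kdf(s, g, iterations), iterations),
    }


if __name__ == "__main__":
    for scheme, (cracked, work) in compare().items():
        print(f"{scheme:9s} cracked={cracked} work={work}")
```

Both weak accounts are recovered under every scheme; the salt only raises the work from 6 hash calls to 12, while the iterated KDF raises it to 12 × 20000. That is the practical reading of "salted and hashed": it protects the strong password in the dump, not the weak ones, so changing a weak password after a root-level compromise is the right call regardless of the hash format.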
Title: Re: Break In
Post by: IsmAvatar on October 06, 2012, 08:21:20 PM
Do we know which pages were phishing? Anybody who logged in with those pages during that time would also have their account compromised.

Also, for those of you concerned, please feel free to change your password.
Title: Re: Break In
Post by: Josh @ Dreamland on October 07, 2012, 07:34:10 PM
The pages were removed by the host. They all belonged to the root user; none of them really had a nonprivileged ID attached.

By all means, feel free to change your passwords; I'm not going to because I seriously doubt it will be compromised (especially by anyone that would actually care to do so).