Author Topic: Break In  (Read 2955 times)
Offline (Male) Josh @ Dreamland
Posted on: October 02, 2012, 11:07:10 AM

Prince of all Goldfish
Developer
Location: Pittsburgh, PA, USA
Joined: Feb 2008
Posts: 2955

I believe it is my legal obligation to inform everyone we've had a break-in. Presumably by a bot.

At 2PM yesterday I received a report that malware was being hosted on our server and that it was likely we had been compromised. In fact, it appears that some entity had gained root access to our server and loaded a phishing page up on it. The files all belonged to the root account, which means that the entity had full access to our system; this includes databases.

I don't think anyone should be overly concerned, as all passwords are handled by SMF and are therefore salted and hashed.

We are unsure how the break-in occurred, but we believe it may have been related to an old WordPress install hosted elsewhere on this server. From this point forward, no one say "WordPress" to me.

So, in an effort to uphold due diligence, etc., this is your warning that it is possible (but unlikely) that someone has a copy of all salted password hashes. It is also possible they have a large list of email addresses. It is also possible (if extremely unlikely) that they can retrieve your password by allocating their presumably large network of bots to brute forcing the hashes. I wouldn't worry about that happening.

Most people don't use very powerful passwords over http, anyway.

So, this is your heads up. Sorry about the shitty news. We're wiping old shit we don't maintain and putting more security in place to prevent this from happening again.
"That is the single most cryptic piece of code I have ever seen." -Master PobbleWobble
"I disapprove of what you say, but I will defend to the death your right to say it." -Evelyn Beatrice Hall, Friends of Voltaire
Offline (Female) IsmAvatar
Reply #1 Posted on: October 06, 2012, 08:21:20 PM

LateralGM Developer
LGM Developer
Location: Pennsylvania/USA
Joined: Apr 2008
Posts: 886

Do we know which pages were phishing? Anybody who logged in with those pages during that time would also have their account compromised.

Also, for those of you concerned, please feel free to change your password.
Offline (Male) Josh @ Dreamland
Reply #2 Posted on: October 07, 2012, 07:34:10 PM

The pages were removed by the host. They all belonged to the root user; none of them really had a nonprivileged ID attached.

By all means, feel free to change your passwords; I'm not going to because I seriously doubt it will be compromised (especially by anyone that would actually care to do so).