Site hacked! Check for infection! Change your Style!

Post by Azhrei »

Our site was just hacked. The error log shows it started at about 8:18PM ET tonight.

I've found the kit and two or three places where the hack was inserted, but I need to keep looking. In the meantime, please run infection scans on your system.

I'll be updating to the latest phpBB later tonight (we're only one patchlevel behind, but perhaps that was enough?).

I'll post here again when I have more information.
Last edited by Azhrei on Tue Apr 13, 2010 1:53 pm, edited 1 time in total.
Reason: Removed "Global" status from this thread


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

I hope I have everything corrected.

I've been asked for a name of what to scan for. I don't have a name. I only know that the hack was putting JavaScript code into every HTML and PHP page. That code started with the comment:

<!--Injection_head[SessionID=...]-->
and then ended with
<!--Injection_tail[SessionID=...]-->

Googling for information on that didn't give me any names. But this would be a browser-based attack, if that helps. I think most pages were failing to display properly due to the hack (4-5 messages at the top of each page) so maybe the infection wasn't working at all. It didn't affect my Firefox 3.6 on OSX at all.

As part of this process, I've updated the board to the latest patchlevel of code (3.0.7-PL1) and the bo2Soft style has not been updated by its author to work with this level of code. You may need to use the User Control Panel and select a different style.

You may have noticed that you had to login again. I flushed the session cache as well as corrected a couple of nuisances with the cookie settings. Hopefully I can make other changes in the future without affecting persistent logins again.

I took this opportunity to also install some additional mods. The ones visible to users will be the list of filename extensions that can be used as attachments (only works in the prosilver and subsilver2 styles currently; I may not update the other styles if it turns out to be time consuming) and the extended list of styles available. I chose a bunch of styles (light/dark backgrounds, large/small font, high/low contrast) so pick one that looks good on the machine you're using.

There were a couple of other mods but they're for admin/mod use.

Please check the gallery. The new forum uses different database table names and I'd be willing to bet that the gallery was somehow hooked into the user database for the forum so that the same username/password worked for both. The gallery may still work because I've left the old database tables in place for now, but if it fails when I purge those tables in about 4-5 days then we know where the problem is. :) But at least that gives me time to figure it out in advance.

When I saw the hacked site I was really hoping that 30-40 minutes would be it to install a brand new setup of phpBB3 and get everything configured. But weird problems while backing up the old forum package slowed me down. That, and I wanted to be absolutely sure I got everything copied over. I'm really hoping that post attachments are still there (they should be) and things like spoilers and wiki BBcode still work (they should).

Let me know if you find anything amiss and I'll look into it asap.

(Sigh. I hate people who do nothing but cause the rest of us a lot of hassle.)

Oops, I just noticed that the smilies don't all appear... I'll look at that during the day today. Right now it's 3AM and I gotta get some sleep as I have a conference call in a few hours. :)
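
Added example, not part of Azhrei's post or the site's own tooling: a small Python scanner for the marker pair quoted above. It walks a web root, counts complete head-to-tail blocks in HTML and PHP files, and flags files where a marker is left unpaired. The sample page, its SessionID value and the function names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Marker shape as quoted in the post. The SessionID value is elided there,
# so any value up to the closing bracket is accepted.
MARK = rb"<!--Injection_%s\[SessionID=[^\]]*\]-->"
BLOCK = re.compile(MARK % b"head" + rb".*?" + MARK % b"tail", re.DOTALL)
STRAY = re.compile(MARK % b"(?:head|tail)")
WEB_EXTS = {".html", ".htm", ".php"}  # the post names HTML and PHP pages

# Constructed sample page; the script body is a harmless placeholder.
SAMPLE = (
    b"<html><body>ok"
    b"<!--Injection_head[SessionID=constructed-1]-->"
    b"<script>/* constructed placeholder */</script>"
    b"<!--Injection_tail[SessionID=constructed-1]-->"
    b"</body></html>"
)


def analyse(data: bytes):
    """Return (cleaned, blocks, stray): the data with every complete
    head..tail block removed, how many blocks were removed, and whether
    an unpaired marker is still present afterwards."""
    cleaned, blocks = BLOCK.subn(b"", data)
    return cleaned, blocks, bool(STRAY.search(cleaned))


def scan_tree(root):
    """Map each affected web file under root to (blocks, stray)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            _, blocks, stray = analyse(path.read_bytes())
            if blocks or stray:
                report[str(path.relative_to(root))] = (blocks, stray)
    return report


if __name__ == "__main__":
    for name, (blocks, stray) in scan_tree(sys.argv[1]).items():
        note = " (unpaired marker, review by hand)" if stray else ""
        print(f"{name}: {blocks} injected block(s){note}")
```

The scan only locates and sizes the insertions; it does not show how the files came to be modified, so it complements a reinstall from known-good files rather than replacing one.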


Re: Site hacked -- check your computer for infection!

Post by wolph42 »

Ah, now we can post replies. I sent you the PM 'cause I couldn't find the PM.

Some remarks/questions:
- First off if anyone has experience in determining the type of hack and its name, that would be grand.
- Second, the spoilers aren't working (buttons are there but they don't hide the content) :(
- also the site interface has changed quite a bit and I've tried to change it in prefs but nothing happened, moreover I wouldn't know what the last type of interface was. Edit: my apologies, it seems that I tested UI that looked very similar, they do work.
- I also noticed that the site tends to give a 'page not found' error occasionally, but restarting the site helps (might be that you're working on it?)
- attachments still work! :)
- I seem to log out in mid sessions
- the user avatars are gone (I just put mine back in case you're wondering)


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

wolph42 wrote: Ah, now we can post replies. I sent you the PM 'cause I couldn't find the PM.

Some points
- First off if anyone has experience in determining the type of hack and its name, that would be grand.
- Second, the spoilers aren't working :( also the site interface has changed quite a bit and I've tried to change it in prefs but nothing happened, moreover I wouldn't know what the last type of interface was.
As I said, the theme that most users had defaulted to was bo2Soft, but that's not available any more. :(
Spoiler
Testing...
With a title
Another test.
Okay, looks like they're back. At least for the prosilver style which is what I'm now using. People will have to report if they don't work for other styles.
- I also noticed that the site tends to give a 'page not found' error occasionally, but restarting the site helps (might be that you're working on it?)
- attachments still work! :)
I'm still having problems getting to the admin panel. I think the cookies are somehow messed up. The 3.0.7 software has an additional security check that I think was screwing up the old cookie values. Hopefully I have it fixed now so that the other admins and mods can get in and do their stuff. :)


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

For some reason avatars are still not showing if they were uploaded. But I've copied them all over from the old location... I'll look into that some more, but it must be something to do with the encoded name used by the forum software...


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

Hmm, turned the browser cache off and back on and my avatar showed up. So I'm done for the night/morning. 8)


Re: Site hacked -- check your computer for infection!

Post by wolph42 »

Nice improvement of the interface

Better yet
When posting code you now get a very nice boundary box so stuff doesn't get outta hand when somebody posts very long lines of code... both horizontally...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
as vertically 
Nice!!  
In case Windows-Firefox people are wondering flushing cache: ctrl+R
don't know for other configs.


Re: Site hacked -- check your computer for infection!

Post by Darinth »

Yeah, I tried to check the forums earlier and saw the site hacked banner ya had up while you were working on it. Oi... I hate people sometimes... really really do...

Will run a full sweep tonight to make sure nothing got through on to my system, sorry you had to deal with this kinda feces Azhrei. :(
Loyalty is not blind, and it cannot be forced. It is a sincere bond formed out of respect and gratitude.


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

(I had to get out of bed for a conference call, but now that's over. So a quick read through here and then I'm going back to bed for another couple of hours. :))

Yeah, it's a pain when this kind of thing happens. But the worst part is not knowing how they got in. :( Without knowing I can't find a way to prevent it in the future. I'm going to be searching through the forums @ phpbb.com and see if anyone else has had this problem and their outcome.

But yes, I wish people would just keep their fingers off of things that don't belong to them, both in the physical world and the virtual one... :roll:

I also know that the spoiler BBcode hasn't been added back into the FAQ page yet, but I'll get to that later today. And I'll need to create/save a patch in case I need to do this again. In fact, I'm thinking of using my shell history to create a script out of all this. That's what I love about command line vs. a GUI: I can use a shell history to help automate things.

@wolph42: Didn't the code blocks always scroll both ways? I'm pretty sure they did on my Mac, anyway. But I've noticed that the spoiler CSS isn't working as the div's used to hide the text block should display with a border line across the top and bottom and they don't show anymore, yet Firebug tells me that the CSS is being loaded. So that'll take some sleuthing to figure out what's wrong.


Re: Site hacked -- check your computer for infection!

Post by jfrazierjr »

Azhrei wrote:Yeah, it's a pain when this kind of thing happens. But the worst part is not knowing how they got in. :( Without knowing I can't find a way to prevent it in the future. I'm going to be searching through the forums @ phpbb.com and see if anyone else has had this problem and their outcome.
Bummer... like you, I just don't see what joy people get from stupid stuff like this.
Azhrei wrote:I also know that the spoiler BBcode hasn't been added back into the FAQ page yet, but I'll get to that later today. And I'll need to create/save a patch in case I need to do this again. In fact, I'm thinking of using my shell history to create a script out of all this. That's what I love about command line vs. a GUI: I can use a shell history to help automate things.
I just noticed that the post/post reply does not have a spoiler button. I know that's probably a theme by theme thing, but if possible, could you start putting that in as I know people have asked "how to" before. Of course, I understand it may take a while to get into all of the themes.
I save all my Campaign Files to DropBox. Not only can I access a campaign file from pretty much any OS that will run Maptool (Win, OSX, Linux), but each file is versioned, so if something goes crazy wild, I can always roll back to a previous version of the same file.

Get your Dropbox 2GB via my referral link, and as a bonus, I get an extra 250 MB of space. Even if you don't use my link, I still enthusiastically recommend Dropbox.


Re: Site hacked -- check your computer for infection!

Post by jfrazierjr »

What do these do?
[wfunc]what exactly is a wfunc?[/wfunc]

what is a wiki tag?

[wroll]what is a wroll tag?[/wroll]

[wsearch]What is a wsearch tag?[/wsearch]

They don't seem to do anything, but are buttons on the normal post window.


Re: Site hacked -- check your computer for infection!

Post by dochogan »

For anyone coming here to see why they can't post/reply etc., make sure you change your theme via the User Control Panel => Board Preferences => My Board Style

Az, bo2Soft still shows up in my theme list, btw.
---

Doc Hogan


Re: Site hacked -- check your computer for infection!

Post by aliasmask »

I change my style to Pro Silver to get the post button. Is there a recommended style? i.e. the old style?


Re: Site hacked -- check your computer for infection!

Post by kristof65 »

dochogan wrote:For anyone coming here to see why they can't post/reply etc., make sure you change your theme via the User Control Panel => Board Preferences => My Board Style

Az, bo2Soft still shows up in my theme list, btw.
Can that get stickied someplace more obvious than buried in this thread? I only skimmed the thread, and didn't actually catch that - I had to figure it out on my own.


Re: Site hacked -- check your computer for infection!

Post by Azhrei »

As I said, those using the bo2Soft style will get some kind of failure (apparently it was the default in previous versions?). I think the missing resources (like a post button) are because the pages were in the server cache but the images weren't. (phpBB3 uses a preparsing cache to speed up page generation.)
Azhrei wrote:As part of this process, I've updated the board to the latest patchlevel of code (3.0.7-PL1) and the bo2Soft style has not been updated by its author to work with this level of code. You may need to use the User Control Panel and select a different style.
The styles that are "standard" and likely to have the most features are the ones I mentioned in my above post: prosilver, prosilver Special Edition, and subsilver2. I just deactivated the bo2Soft style and it looks like all those using it were automatically moved to the subAndreas08 style. I hadn't done that previously because I wasn't sure what would happen to those accounts and I wanted people to be able to login!

It appears that the SkyLineBlue is similar to the old style, so if you liked the old one you might try it. (That's the one I'm using at the moment. But I also like the Hestia and the Digital.)
Can that get stickied someplace more obvious than buried in this thread? I only skimmed the thread, and didn't actually catch that - I had to figure it out on my own.
Well, this thread is already an announcement so everyone should see it. I'll see about putting it at the top of every page, too. I can't help it if people see a subject like this one and don't read the entire thread! But I changed the subject line so that people will know to change their style.
