Site hacked! Check for infection! Change your Style!
Moderators: dorpond, trevor, Azhrei, Craig
Our site was just hacked. The error log shows it started at about 8:18PM ET tonight.
I've found the kit and two or three places where the hack was inserted, but I need to keep looking. In the meantime, please run infection scans on your system.
I'll be updating to the latest phpBB later tonight (we're only one patchlevel behind, but perhaps that was enough?).
I'll post here again when I have more information.
Last edited by Azhrei on Tue Apr 13, 2010 1:53 pm, edited 1 time in total.
Reason: Removed "Global" status from this thread
Re: Site hacked -- check your computer for infection!
I hope I have everything corrected.
I've been asked for a name of what to scan for. I don't have a name. I only know that the hack was putting JavaScript code into every HTML and PHP page. That code started with the comment:
<!--Injection_head[SessionID=...]-->
and then ended with
<!--Injection_tail[SessionID=...]-->
Googling for information on that didn't give me any names. But this would be a browser-based attack, if that helps. I think most pages were failing to display properly due to the hack (4-5 messages at the top of each page) so maybe the infection wasn't working at all. It didn't affect my Firefox 3.6 on OSX at all.
As part of this process, I've updated the board to the latest patchlevel of code (3.0.7-PL1) and the bo2Soft style has not been updated by its author to work with this level of code. You may need to use the User Control Panel and select a different style.
You may have noticed that you had to login again. I flushed the session cache as well as corrected a couple of nuisances with the cookie settings. Hopefully I can make other changes in the future without affecting persistent logins again.
I took this opportunity to also install some additional mods. The ones visible to users will be the list of filename extensions that can be used as attachments (only works in the prosilver and subsilver2 styles currently; I may not update the other styles if it turns out to be time consuming) and the extended list of styles available. I chose a bunch of styles (light/dark backgrounds, large/small font, high/low contrast) so pick one that looks good on the machine you're using.
There were a couple of other mods but they're for admin/mod use.
Please check the gallery. The new forum uses different database table names and I'd be willing to bet that the gallery was somehow hooked into the user database for the forum so that the same username/password worked for both. The gallery may still work because I've left the old database tables in place for now, but if it fails then I purge those tables in about 4-5 days then we know where the problem is. But at least that gives me time to figure it out in advance.
When I saw the hacked site I was really hoping that 30-40 minutes would be it to install a brand new setup of phpBB3 and get everything configured. But weird problems while backing up the old forum package slowed me down. That, and I wanted to be absolutely sure I got everything copied over. I'm really hoping that post attachments are still there (they should be) and things like spoilers and wiki BBcode still work (they should).
Let me know if you find anything amiss and I'll look into it asap.
(Sigh. I hate people who do nothing but cause the rest of us a lot of hassle.)
Oops, I just noticed that the smilies don't all appear... I'll look at that during the day today. Right now it's 3 AM and I gotta get some sleep as I have a conference call in a few hours.
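A scanner for the marker comments quoted in the post above, as an added example (not code from the original post or from phpBB): it walks a web root, reports every HTML/PHP file containing a head..tail block, and flags head markers that have no matching tail. The `SessionID` pattern, the extension list and the sample tree are assumptions constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Marker comments as quoted in the post. The SessionID value is elided there,
# so anything up to the closing bracket is accepted (assumption).
HEAD = re.compile(rb"<!--Injection_head\[SessionID=[^\]]*\]-->")
TAIL = re.compile(rb"<!--Injection_tail\[SessionID=[^\]]*\]-->")
EXTENSIONS = {".html", ".htm", ".php"}  # the post names HTML and PHP pages


def find_blocks(data):
    """Return (spans, orphans): byte spans of complete head..tail blocks, and
    offsets of head markers that never get a tail (partial or failed write)."""
    spans, orphans, pos = [], [], 0
    for head in HEAD.finditer(data):
        if head.start() < pos:
            continue  # repeated head inside a block that is already recorded
        tail = TAIL.search(data, head.end())
        if tail is None:
            orphans.append(head.start())
            continue
        spans.append((head.start(), tail.end()))
        pos = tail.end()
    return spans, orphans


def strip_blocks(data, spans):
    """Return data with the given spans cut out; the file itself is untouched."""
    out, pos = [], 0
    for start, end in spans:
        out.append(data[pos:start])
        pos = end
    out.append(data[pos:])
    return b"".join(out)


def scan_tree(root):
    """Map each affected file (path relative to root) to (spans, orphans)."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = find_blocks(path.read_bytes())
            if found[0] or found[1]:
                report[path.relative_to(root).as_posix()] = found
    return report


def build_sample(root):
    """Write a constructed sample tree (not data from the incident)."""
    root = Path(root)
    head = b"<!--Injection_head[SessionID=EXAMPLE]-->"
    inj = (head + b"<script>/* placeholder */</script>"
           + b"<!--Injection_tail[SessionID=EXAMPLE]-->")
    (root / "index.php").write_bytes(b"<?php echo 'hi'; ?>\n" + inj + b"\n</html>\n")
    (root / "faq.html").write_bytes(b"<html>" + inj + b"<body>" + inj + b"</body>")
    (root / "cut.html").write_bytes(b"<html>" + head + b"<script>")
    (root / "clean.html").write_bytes(b"<html><body>ok</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample(tmp)
        for name, (spans, orphans) in scan_tree(root).items():
            print(f"{name}: {len(spans)} block(s), {len(orphans)} unpaired head(s)")
```

Pass a directory as the first argument to scan a real tree instead of the sample. Files reported with unpaired heads are better reviewed by hand or restored from a known-good copy than stripped automatically.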
Re: Site hacked -- check your computer for infection!
Ah, now we can post replies. I sent you the PM cause I couldn't find the PM.
Some remarks/questions:
- First off if anyone has experience in determining the type of hack and its name, that would be grand.
- Second, the spoilers aren't working (buttons are there but they don't hide the content)
- also the site interface has changed quite a bit and I've tried to change it in prefs but nothing happened, moreover I wouldn't know what the last type of interface was. Edit: my apos, it seems that I tested UI that looked very similar, they do work.
- I also noticed that the site tends to give a 'page not found' error occasionally, but restarting the site helps (might be that you're working on it?)
- attachments still work!
- I seem to log out in mid sessions
- the user avatars are gone (I just put mine back in case you're wondering)
GETTING STARTED WITH MAPTOOLS - TUTORIALS, DOCS, VIDEOS, TOOLS, ETC
DISCORD (the new MT forum!)
My stuff
Excel Tools: Table and Light editors
MT Tools: Bag of Tricks: Tools for Maptool, Dungeon Builder I, Dungeon Builder II,onMouseOverEvent.
Frameworks: Dark Heresy, Rogue Trader, Deathwatch, Black Crusade, Only War, SET Card Game, RoboRally
Wiki: Debugging Tutorial, Speed Up Your Macros, Working With Two CODE Levels, Shortcut Keys, Avoiding Stack Overflow, READ THIS
Re: Site hacked -- check your computer for infection!
wolph42 wrote:
> Ah, now we can post replies. I sent you the PM cause I couldn't find the PM.
> Some points
> - First off if anyone has experience in determining the type of hack and its name, that would be grand.
> - Second, the spoilers aren't working also the site interface has changed quite a bit and I've tried to change it in prefs but nothing happened, moreover I wouldn't know what the last type of interface was.
As I said, the theme that most users had defaulted to was bo2Soft, but that's not available any more.
Spoiler
Testing...
With a title
Another test.
> - I also noticed that the site tends to give a 'page not found' error occasionally, but restarting the site helps (might be that you're working on it?)
> - attachments still work!
I'm still having problems getting to the admin panel. I think the cookies are somehow messed up. The 3.0.7 software has an additional security check that I think was screwing up the old cookie values. Hopefully I have it fixed now so that the other admins and mods can get in and do their stuff.
Re: Site hacked -- check your computer for infection!
For some reason avatars are still not showing if they were uploaded. But I've copied them all over from the old location... I'll look into that some more, but it must be something to do with the encoded name used by the forum software...
Re: Site hacked -- check your computer for infection!
Hmm, turned the browser cache off and back on and my avatar showed up. So I'm done for the night/morning.
Re: Site hacked -- check your computer for infection!
Nice improvement of the interface
Code:
Better yet
When posting code you now get a very nice boundary box so stuff doesn't get outta hand when somebody posts very long lines of codes...both Horizontally...
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
as vertically
Nice!!
don't know for other configs.
Re: Site hacked -- check your computer for infection!
Yeah, I tried to check the forums earlier and saw the site hacked banner ya had up while you were working on it. Oi... I hate people sometimes... really really do...
Will run a full sweep tonight to make sure nothing got through on to my system, sorry you had to deal with this kinda feces Azhrei. :(
Loyalty is not blind, and it cannot be forced. It is a sincere bond formed out of respect and gratitude.
Re: Site hacked -- check your computer for infection!
(I had to get out of bed for a conference call, but now that's over. So a quick read through here and then I'm going back to bed for another couple of hours. )
Yeah, it's a pain when this kind of thing happens. But the worst part is not knowing how they got in. Without knowing I can't find a way to prevent it in the future. I'm going to be searching through the forums @ phpbb.com and see if anyone else has had this problem and their outcome.
But yes, I wish people would just keep their fingers off of things that don't belong to them, both in the physical world and the virtual one...
I also know that the spoiler BBcode hasn't been added back into the FAQ page yet, but I'll get to that later today. And I'll need to create/save a patch in case I need to do this again. In fact, I'm thinking of using my shell history to create a script out of all this. That's what I love about command line vs. a GUI: I can use a shell history to help automate things.
@Wolf42: Didn't the code blocks always scroll both ways? I'm pretty sure they did on my Mac, anyway. But I've noticed that the spoiler CSS isn't working as the div's used to hide the text block should display with a border line across the top and bottom and they don't show anymore, yet Firebug tells me that the CSS is being loaded. So that'll take some sleuthing to figure out what's wrong.
- jfrazierjr
- Deity
- Posts: 5176
- Joined: Tue Sep 11, 2007 7:31 pm
Re: Site hacked -- check your computer for infection!
Azhrei wrote:
> Yeah, it's a pain when this kind of thing happens. But the worst part is not knowing how they got in. Without knowing I can't find a way to prevent it in the future. I'm going to be searching through the forums @ phpbb.com and see if anyone else has had this problem and their outcome.
Bummer... like you, I just don't see what joy people get from stupid stuff like this.
Azhrei wrote:
> I also know that the spoiler BBcode hasn't been added back into the FAQ page yet, but I'll get to that later today. And I'll need to create/save a patch in case I need to do this again. In fact, I'm thinking of using my shell history to create a script out of all this. That's what I love about command line vs. a GUI: I can use a shell history to help automate things.
I just noticed that the post/post reply does not have a spoiler button. I know that's probably a theme by theme thing, but if possible, could you start putting that in as I know people have asked "how to" before. Of course, I understand it may take a while to get into all of the themes.
I save all my Campaign Files to DropBox. Not only can I access a campaign file from pretty much any OS that will run Maptool(Win,OSX, linux), but each file is versioned, so if something goes crazy wild, I can always roll back to a previous version of the same file.
Get your Dropbox 2GB via my referral link, and as a bonus, I get an extra 250 MB of space. Even if you don't use my link, I still enthusiastically recommend Dropbox.
Re: Site hacked -- check your computer for infection!
What do these do?
[wfunc]what exactly is a wfunc?[/wfunc]
what is a wiki tag?
[wroll]what is a wroll tag?[/wroll]
[wsearch]What is a wsearch tag?[/wsearch]
They don't seem to do anything, but are buttons on the normal post window.
Re: Site hacked -- check your computer for infection!
For anyone coming here to see why they can't post/reply etc., make sure you change your theme via the User Control Panel => Board Preferences => My Board Style
Az, bo2Soft still shows up in my theme list, btw.
---
Doc Hogan
Re: Site hacked -- check your computer for infection!
I change my style to Pro Silver to get the post button. Is there a recommended style? ie the old style?
Downloads:
- Notepad++ MapTool addon
- RPEdit details (v1.3)
- Coding Tips: Modularity and Design
- Videos: Macro Writing Tools
Re: Site hacked -- check your computer for infection!
dochogan wrote:
> For anyone coming here to see why they can't post/reply etc., make sure you change your theme via the User Control Panel => Board Preferences => My Board Style
> Az, bo2Soft still shows up in my theme list, btw.
Can that get stickied someplace more obvious than buried in this thread? I only skimmed the thread, and didn't actually catch that - I had to figure it out on my own.
Re: Site hacked -- check your computer for infection!
As I said, those using the bo2Soft style will get some kind of failure (apparently it was the default in previous versions?). I think the missing resources (like a post button) are because the pages were in the server cache but the images weren't. (phpBB3 uses a preparsing cache to speed up page generation.)
Azhrei wrote:
> As part of this process, I've updated the board to the latest patchlevel of code (3.0.7-PL1) and the bo2Soft style has not been updated by its author to work with this level of code. You may need to use the User Control Panel and select a different style.
The styles that are "standard" and likely to have the most features are the ones I mentioned in my above post: prosilver, prosilver Special Edition, and subsilver2. I just deactivated the bo2Soft style and it looks like all those using it were automatically moved to the subAndreas08 style. I hadn't done that previously because I wasn't sure what would happen to those accounts and I wanted people to be able to login!
It appears that the SkyLineBlue is similar to the old style, so if you liked the old one you might try it. (That's the one I'm using at the moment. But I also like the Hestia and the Digital.)
> Can that get stickied someplace more obvious than buried in this thread? I only skimmed the thread, and didn't actually catch that - I had to figure it out on my own.
Well, this thread is already an announcement so everyone should see it. I'll see about putting it at the top of every page, too. I can't help it if people see a subject like this one and don't read the entire thread! But I changed the subject line so that people will know to change their style.