Q: zomg did the forums get pwned?

[FliesLikeABrick]

A: Yes. 

Q: Do you know how?
A: Not exactly

Q: Do you intend to find out
A: Yes

Q: Do you have ideas?
A: yes

Q: What is to keep them from doing it again, since you just put the forums back without making any changes?
A: Nothing.

Q: What can I do?
A: Be patient, don't bother me.  If you want information, watch this thread or come to #soldat.forums on quakenet.


Q: What backup did you restore from?
A: I was able to restore from a backup approximately 5 hours old.  Some posts and recent changes were lost, but overall this is a very good restore point, few forums that are compromised have such a recent restore point.

[blackdevil0742]

Q: Is like the last time where you adviced us to change password(s)?

[Spasm]

   We need Battle Eye for the forums now

[swebonny]

But the good this is that it´s back

[DePhille]

Thanks for restoring them.
Hope we find the cause soon.

[miketh2005]

HACKERS

[Iron Man]

yeah, i think it rolled back because i posted, someone else posted, and now both posts are gone..

[mar77a]

take them down until you find out where the vulnerability is

[andrelie]

im scared

[DePhille]

take them down until you find out where the vulnerability is

Chakra's password I think. It has been changed so don't worry.

[blackdevil0742]

Yeah he was the only one online except an other fella that had member color on users online.

[FliesLikeABrick]

I don't want to take it down until the problem is found, that gains very little.  Regardless of whether I take it down or leave it up and it gets screwed again, posts would be lost or never occur at all.  At least if I leave it up, it lets me more easily look into what happened.

I believe the problem was Chakra's password, I have yet to look into the logs at all because I'm at work and busy. 

Yes, everyone please change your passwords ASAP.  It is more than likely that whoever compromised the forums took a database snapshot (I'll be able to look up if he did), and therefore has all of the password hashes... but the way that SMF stores passwords is quite good.  It isn't critical that you change your password unless you're a mod/admin/beta tester.  I still recommend you do, as it is a good practice for when things like this happen.

I might not be able to look into this until later today/tonight, but I'll post any information about what I find here, unless I think it is a danger to the forums or will give the kiddie who did this any kind of advantage.

[Daimarus]

FLAB, I know some about hacking, but a little about hacking forums.

I think that they may OWN* forums in at least 2 simple ways:

1) Bruteforce'ing the password - Even old BrutusA2 can do that...
2) Cookie-Stealing - Admin may get on ANY site and he may "catch" the bad code, that will steal cookies from SoldatForums and e.g. send them on FTP server. I did that method once on test forums. It works as good as bruteforce'ing, but takes less time.

You cannot defend by any of those methods, except making a limit of logins per 1 minute (anti-bruteforce) and not-opening any links from people (impossible xD)


*- Owning a forum/site means taking control or wrecking the forum/site. In simple words xD

[andrelie]

what will happen to the people that did this?

[Flamiex]

Cookie-Stealing will not work on today's standard of forums, the cookie only contains your session id which is linked with your ip/browser/other information sent from your pc, so it wont let you use a session id on a different PC.

but anyway, I suggest you upgrade the forums to the latest version...

[Dark Jesus]

What had happened?

[DePhille]

What had happened?

Someone deleted all the SoldatForums topics, members, style, ...
We do not know exactly or forsure how this happened but most likely someone was able to get into Chakra's account. The forums have been down for approximately 50-60 minutes. FliesLikeABrick used a back-up to restore the forum's content and we only lost 5 hours worth of post. So any posts that were made between 6AM(EST) and 11AM(EST) today (15th of August 2007) are gone.
FliesLikeABrick is currently trying to find out who is responsible for this.

Grtz, DePhille

[FliesLikeABrick]

I found out how they did it, and I have the IP of the person who did it.  If you have access to a large amount of login/user data on your sites and would like to try to look this up for me, send me a PM and I'll give you the IP.

[LtKillroy]

I found out how they did it, and I have the IP of the person who did it. If you have access to a large amount of login/user data on your sites and would like to try to look this up for me, send me a PM and I'll give you the IP.

Are you at the liberty of giving up the name, there is an army surplus store down the street and well... In all seriousness, can you keep this from happening again, I mean, who would want to hack a random forum for a small game?

[..::HHH::..]

i think you should tell us who did it.. so we can all hate him togetah..