Site Hacked - again 2011-05-12



Kym
05-05-2011, 1:54pm
In summary... (deja vu)

1. We're back!!

2. I restored to the backup at 3.20am AEST today

3. Many sites have been hacked; it was due to a 3rd-party add-on that is very common. The add-on has been fixed.


Edit:
You need to re-vote and/or re-enter competitions, also re-post anything from this morning.

Technical: It was an SQL injection attack (bug in the add-on product) that created a new Admin user, and went downhill from there.

ameerat42
05-05-2011, 1:55pm
AP Team. Just wondering whether today's outage was as bad as the stupid video I got indicated???
Am.

ving
05-05-2011, 1:57pm
go team! :th3:

Mary Anne
05-05-2011, 1:58pm
Great and :wd:

mercho
05-05-2011, 2:01pm
Good to see it back up so quick! :th3:

BecM
05-05-2011, 2:05pm
I know some good Navy Seals that can sort the bas%$#ds out :)

JimD
05-05-2011, 2:07pm
I wondered what happened.

geoffsta
05-05-2011, 2:10pm
I hope they didn't hack the site to gain info about members, like email addresses and stuff.
Must have been the Hole family. Kayke Hole, Bung Hole, and Brother R. Sole.

Kym
05-05-2011, 2:21pm
I hope they didn't hack the site to gain info about members, like email addresses and stuff.
Must have been the Hole family. Kayke Hole, Bung Hole, and Brother R. Sole.

Yes, they may have, but we don't seem to have evidence that they did.

Emails are the only thing of value.
Passwords are one-way hashed so they can't get those.
We don't store anything other than what you see in your profile.
The shop does not store CC details.

arnica
05-05-2011, 2:57pm
I kept on refreshing ... wanting the site to be back up ....

agb
05-05-2011, 3:17pm
Is there any chance the users may have downloaded anything after viewing something on the site? I know I am possibly showing my ignorance of such matters, but I can cope with that. I hope.

Analog6
05-05-2011, 3:18pm
Oxygen thieves. Thanks to all concerned for your great and speedy work restoring us.

PH005
05-05-2011, 3:55pm
Well done Kym, and all concerned. By coincidence the Westpac online site was down at the same time.

Dylan & Marianne
05-05-2011, 4:09pm
phew, that swedish song was on par with being rick rolled!

Kym
05-05-2011, 5:01pm
AP Team. Just wondering whether today's outage was as bad as the stupid video I got indicated???
Am.


phew, that swedish song was on par with being rick rolled!

Yup the video was the goal of the exercise.

From what is reported by other sites it was not very damaging. I did a full recovery, as it was the safest option.
Some user accounts had password changes, account titles changed to "hacked by xxx", and the annoying video replacing several index files.
Also all Admins were banned and a new false Admin account created. Rick, Cheryl and I have a backdoor key so that is pointless.
I have changed key internal passwords.

Chilli
05-05-2011, 5:24pm
and I thought i'd been banned....

ricktas
05-05-2011, 5:57pm
NOTE : all posts, threads, competition entries and votes placed this morning before the hack will no longer exist. Everything posted to AP between about 3.20am and the hack time, is gone. We have restored the site from the backup that happens around 3.20am (AEST) each day.

Please feel free to re-post your threads and comments, re-enter your competition entries and vote again. This only affects those posts, threads, votes and entries since around 3.20am today. Anything done before that time has been restored.

Ian Brewster
06-05-2011, 8:12am
Hi Kym,

Your quick efforts much appreciated.

With the competitions that closed yesterday 5th May, the Qualifying Vote is showing in orange. If I go to re-vote, I am advised that my vote has been recorded - that's fine. I presume some later date will now apply before this vote can move to the Final Vote status. Could we be advised what is planned/happening on these comps?

Ian

ricktas
06-05-2011, 8:58am
Hi Kym,

Your quick efforts much appreciated.

With the competitions that closed yesterday 5th May, the Qualifying Vote is showing in orange. If I go to re-vote, I am advised that my vote has been recorded - that's fine. I presume some later date will now apply before this vote can move to the Final Vote status. Could we be advised what is planned/happening on these comps?

Ian

That is now fixed. With all that transpired yesterday, I wanted to make sure the site was stable and everything was fine before I moved the polls to final voting. By leaving them, it also allowed those that had voted and lost their votes to re-vote. Final Polls are now up and running.

Ms Monny
06-05-2011, 9:13am
Sorry Kym for inboxing you on this without actually reading what had happened. I thought I was going senile. Have to say sorry to someone else for accusing them of deleting their image and then re-posting the edited version. :o

Kym
06-05-2011, 9:14am
@Ian - the comp system was largely unaffected. Only comp entries and votes between 3.20am and about 10.30am yesterday were lost.


Technical notes (partly from the vBulletin support site). Note vBulletin is secure; it was a bug in a 3rd-party add-on that allowed the hack.
This has been a very wide spread attack, many forums have been hit, including other Australian photographic fora.

What was affected? (from vBulletin support staff)


I've seen template tables changed.
I've seen admin users inserted
I've seen existing Admins banned
I've seen shells uploaded (aka trojan)
I've seen user titles changed
I've seen plugins added
I've seen files uploaded (redirects to video)


How did the attack work?
It was an SQL injection that:

Injected code into a plugin
When that plugin ran for a normal user, it loaded the rest of the attack code and files, which then did more nasty things (see quote above)

Magic, more or less. The uploaded trojan allowed the database passwords and other sensitive information to be obtained. It also allowed further hacks to be inserted into the site. Nasty stuff :angry0:

Which all validates my decision (with approval from Rick) to restore to the backup rather than try to fix the running system (yes, we backup daily!).

We are conducting an additional security review of all of AP add-ons this weekend.

In the light of what happened at Sony over the last couple of weeks this is minor, but blinkin annoying. Now to task Seal Team 6 onto :violent10: TeamAnimus (the hackers).
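One way to check a restored forum database for the indicators listed in the post above (admin users inserted, existing admins banned, user titles changed, plugins added). This is an added example, not code from the forum or from vBulletin: the two tables are a cut-down model of vBulletin's `user` and `plugin` tables, the column names and usergroup ids are assumptions, the backup cut-off timestamp is taken from the 3.20am AEST backup mentioned in the thread, and the sample rows are constructed to reproduce the indicators.

```python
"""
Post-compromise triage of a vBulletin-style forum database (added example).
Schema, column names and usergroup ids are assumptions modelled on vBulletin's
`user` and `plugin` tables; the rows are constructed test data.
"""
import re
import sqlite3
from datetime import datetime, timezone

ADMIN_GROUP = 6    # assumption: default "Administrators" usergroupid
BANNED_GROUP = 8   # assumption: default "Banned Users" usergroupid
KNOWN_ADMINS = {"Kym", "ricktas"}

# The daily 3.20am AEST backup from the thread (2011-05-05), as Unix epoch seconds (UTC).
BACKUP_TS = int(datetime(2011, 5, 4, 17, 20, tzinfo=timezone.utc).timestamp())

# Constructs common to injected plugin code and uploaded PHP shells.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\("
    r"|file_get_contents\s*\(\s*['\"]https?://",
    re.IGNORECASE,
)
HACKED_TITLE = re.compile(r"hack(ed|ered)\s+by\b", re.IGNORECASE)


def build_sample_db():
    """Constructed data. joindate is epoch seconds; the fake admin was created
    after the backup, every other row predates it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER,
                           usertitle TEXT, joindate INTEGER);
        CREATE TABLE plugin (pluginid INTEGER, title TEXT, hookname TEXT,
                             phpcode TEXT, active INTEGER);
    """)
    old = BACKUP_TS - 90 * 86400
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "Kym", ADMIN_GROUP, "Administrator", old),
        (2, "ricktas", BANNED_GROUP, "Administrator", old),              # admin banned
        (3, "photofan", 2, "hacked by TeamAnimus", old),                 # title defaced
        (4, "admin1", ADMIN_GROUP, "Administrator", BACKUP_TS + 3 * 3600),  # admin inserted
    ])
    conn.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?, ?)", [
        (1, "Thread Thumbnails", "showthread_start", '$show["thumbs"] = true;', 1),
        (2, "cache", "global_start", 'eval(base64_decode("ZXZpbA=="));', 1),  # loader stub
    ])
    return conn


def find_indicators(conn, backup_ts, known_admins):
    """Return the rows matching each indicator, plus which unexpected admin
    accounts already existed at backup time. If that last list is not empty the
    backup itself carries the compromise and restoring it is not enough."""
    admins = conn.execute(
        "SELECT username, joindate FROM user WHERE usergroupid = ?", (ADMIN_GROUP,)
    ).fetchall()
    new_admins = [(u, j) for u, j in admins if u not in known_admins]

    placeholders = ",".join("?" * len(known_admins))   # placeholder list only, no values spliced in
    banned = conn.execute(
        f"SELECT username FROM user WHERE username IN ({placeholders}) AND usergroupid != ?",
        (*sorted(known_admins), ADMIN_GROUP),
    ).fetchall()

    defaced = [u for (u, t) in conn.execute("SELECT username, usertitle FROM user")
               if HACKED_TITLE.search(t or "")]
    plugins = [title for (title, code) in conn.execute("SELECT title, phpcode FROM plugin")
               if SUSPICIOUS_PHP.search(code or "")]

    return {
        "new_admins": [u for u, _ in new_admins],
        "banned_admins": [u for (u,) in banned],
        "defaced_titles": defaced,
        "suspicious_plugins": plugins,
        "predates_backup": [u for u, j in new_admins if j <= backup_ts],
    }


if __name__ == "__main__":
    for name, hits in find_indicators(build_sample_db(), BACKUP_TS, KNOWN_ADMINS).items():
        print(f"{name}: {hits}")
```

The same `SUSPICIOUS_PHP` pattern run over the .php files under the web root covers the uploaded shells in the list; a hit in the `predates_backup` list is the case where the nightly backup is already poisoned and needs an older one.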

Kym
06-05-2011, 9:15am
Monica - all is forgiven :cool:

gcflora
06-05-2011, 12:44pm
I'd have restored from backup as well rather than trying to "fix" the intrusion (just like I'd reinstall someone's OS if they got a virus or trojan, rather than trying to fix it and have the niggling feeling something may have been missed in the clean-up).

I must also thank Kym for providing detailed information which helped me ensure my site is safe (I think!) from the attack.

Kevin M
07-05-2011, 5:21pm
well done Kym and the team.... :)

Analog6
08-05-2011, 6:54am
I put a rude message on their blogsite - I think all Ap users should go and do that en masse and make their site, hopefully, unwieldy at the least!

piXelatedEmpire
10-05-2011, 12:19pm
I'd be hesitant to even visit a site of known hackers. You don't know what they've got running on their site.

kiwi
12-05-2011, 1:44pm
Missed you

and eternal damnation to site hackers....scum, scum and more scum the lot of you :(

Boo53
12-05-2011, 1:45pm
Obviously it's happened again

What a bunch of Ar@eholes.

Thanks to Kym, et al for all the hard work to get things up and running again

mercho
12-05-2011, 1:45pm
Hacked again?

mercho
12-05-2011, 1:48pm
100% agree darren.

Most of them are smart cookies, would be good to see their "expertise" put to better use!

ving
12-05-2011, 1:48pm
no, Kym didn't pay the electricity bill :p

ving
12-05-2011, 1:53pm
what they said!

ameerat42
12-05-2011, 1:53pm
Just for interest's sake, where is this crowd (dis-)located? (Sorry, thinking about enhancements to their limbs.)
If in Oz, are there any laws that can be thrown @ them?
Umm...

Kym
12-05-2011, 1:53pm
Yes, sadly. We are trying to fix it permanently

terry.langham
12-05-2011, 1:55pm
Missed you

and eternal damnation to site hackers....scum, scum and more scum the lot of you :(

Careful Kiwi, this one has done 4mths of MMA training. :eek:

Good work again Rick, Kym and crew.

colinbm
12-05-2011, 1:57pm
Maybe the SH*T-HEADS are trying to get the May Madness Award :eek:
Col

mercho
12-05-2011, 1:57pm
More than likely some remote European country.

I don't think there is too much that can be done legally.

Look at all the issues sony is going through at the moment.

Debom
12-05-2011, 2:00pm
good to see you are back again, i kept checking in to see if you were up and running again! I am not very knowledgeable about these things but I can imagine that it must be damned annoying and frustrating to see this happen to your site. Good on everyone for getting it back up again so quickly!

BecM
12-05-2011, 2:01pm
no, Kym didn't pay the electricity bill :p

:lol::lol::lol:

Kym
12-05-2011, 2:03pm
NOTE : all posts, threads, competition entries and votes placed this morning 2011-05-12 before the hack will no longer exist. Everything posted to AP between about 3.20am and the hack time, is gone. We have restored the site from the backup that happens around 3.20am (AEST) each day.

Please feel free to re-post your threads and comments, re-enter your competition entries and vote again. This only affects those posts, threads, votes and entries since around 3.20am today. Anything done before that time has been restored.

Boo53
12-05-2011, 2:05pm
It must be sad that their lives are so meaningless that something as pathetic as hacking harmless sites is seen as an achievement.

:(

WhoDo
12-05-2011, 2:15pm
Any chance the actual injection took place before the backup and the bomb is still ticking?

William
12-05-2011, 2:22pm
Just for interest's sake, where is this crowd (dis-)located? (Sorry, thinking about enhancements to their limbs.)
If in Oz, are there any laws that can be thrown @ them?
Umm...

Ahh, you didn't see the original message. Dunno what the image of the kid had to do with it!! The message "You've been Hackered" (that's the spelling) came up, saying we're all pussies and basically something about how he can't be stopped, and a whole lot of other weird stuff. Wish I'd written down the address that was on the page, some address in Devon, England. The voice on the message wasn't very English though, and the spelling was really bad also. Was hoping Kym got a screen grab or something :angry0:

Kym
12-05-2011, 2:27pm
I've got the hack code, but won't publish it.

Kym
12-05-2011, 2:39pm
100% agree darren.
Most of them are smart cookies, would be good to see their "expertise" put to better use!

Err, not often; they are usually 'script kiddies' who copy hacks from others, as they are not very creative.
The very few with true skills don't get out that much. :p

terry.langham
12-05-2011, 2:45pm
Was hoping Kym got a screen grab or something :angry0:

I took a screen grab but didn't paste to something so it may be lost. Unless someone can tell me how to retrieve it? I hit the prt sc button but didn't do anything after that.

William
12-05-2011, 2:50pm
Err, not often; they are usually 'script kiddies' who copy hacks from others, as they are not very creative.
The very few with true skills don't get out that much. :p

:eek: You mean that literally, Kym? Are they usually kids with nothing better to do? The face that was half hidden with the red scribble, trying to hide, was of a very young person. That would also account for the bad spelling, I guess.

Dylan & Marianne
12-05-2011, 2:55pm
thanks team for getting the site back up again - I didn't get rick rolled this time though !

mudman
12-05-2011, 2:58pm
not enough J.C red Kym. maybe Kiwi not so harmless.:D

Kym
12-05-2011, 3:45pm
:eek: You mean that literally, Kym? Are they usually kids with nothing better to do? The face that was half hidden with the red scribble, trying to hide, was of a very young person. That would also account for the bad spelling, I guess.

Yes! http://www.urbandictionary.com/define.php?term=script+kiddie Mindless juvenile scum.

We have located and fixed a secondary security hole.

Kym
12-05-2011, 4:08pm
Any chance the actual injection took place before the backup and the bomb is still ticking?

I double checked ;)

William
12-05-2011, 4:15pm
Yes! http://www.urbandictionary.com/define.php?term=script+kiddie Mindless juvenile scum.

We have located and fixed a secondary security hole.

Thanks Kym, that's an interesting read :th3: So they're young jerks with no brains who rely on others' expertise; even hackers and crackers don't like them :D You live and learn, I didn't even know there was a difference. Hackers are smart, cool guys, well I'll be. I was tempted to have a look at the sites they referred to, but wasn't game to!! Good one mate, I did notice it says they usually get caught, because they're dumb :lol:

peterb666
12-05-2011, 4:53pm
and I thought i'd been banned....

You are OK, Rick will never see that post now. :D

agb
12-05-2011, 5:17pm
Is it a case of having been hacked once, the word gets around and someone with not much behind the ears thinks "that's an easy target, I will have a go too"?

piXelatedEmpire
12-05-2011, 8:38pm
was the second attack related to the first one ie the same third party add-on?

ricktas
12-05-2011, 8:40pm
was the second attack related to the first one ie the same third party add-on?

We are not going to reveal their entry path, as by putting it out there, other sites that are still using the add-on and have not installed the fix will then be open to attack from others as they learn how to get in.

Kym
12-05-2011, 8:41pm
was the second attack related to the first one ie the same third party add-on?

Yes, it appears so. I've upgraded it (again). The payload was different, hence the script kiddie reference.

julie21
13-05-2011, 9:14am
As you said, "If only they used their abilities for good...not evil".
Good work Kym and AP to be able to restore the site for all. :) Well done and may the blighters move on...or better still, be caught.:th3:

Doninoz
13-05-2011, 10:53am
Kym, you did a valiant job of getting back so quick. I've spent a lifetime (job) heading up a company who do internet and intranet security and I can tell you some of the new malware/trojans are fast and almost initially impossible to detect.

My company servers got DOS attacked by a USA based large ISP a few years ago and my MS Enterprise Exchange got so clogged it kept crashing as thousands of emails kept hitting me every few seconds. So after requesting GEO#$% stop this attack to no avail, I wrote a simple little program to send 999,999 return messages back to the originating server for each email they sent me. GEO#$% crashed and thousands of users complained to their ISP. They were out of business for 3 weeks...even after I had stopped sending there were enough messages floating around the net that had to eventually be sent to their servers.

They got the FBI onto me and I got a visit from the Federal Police. After showing them what had been happening, they just laughed, told me not to send any more and left, laughing hilariously at my success in stopping the DOS attack! I'm not suggesting you do something like this but I know how you must feel. Punishment is not severe enough for these corporate criminals!

Patagonia
13-05-2011, 11:12am
Glad we are back, cheers to all the team that keeps this going and growing, is there anything we can do to help besides reporting all strange activity?

regards

thomasdaley
13-05-2011, 6:33pm
Seems a lot of vbulletin board were attacked. "http://www.keleko.com/2011/fixes-for-vbulletin-forums-hacked-by-team-animus/" So nothing personal.

Kym
13-05-2011, 7:09pm
Yes, but those clean up instructions are incomplete.

Charmed
14-05-2011, 7:13pm
If a hacker wants in , they will get in NO MATTER WHAT
You're deluding yourself if you think ramping up security will stop them.

I also had my sites hacked twice not so long ago.
Alerted hosting, changed passwords. Checked and scanned sites for any "odd looking files" & any nasties, all came up clean, and updated CMS and plug-ins.
As I said there's not a lot one can do, but hope they move on quickly.

I was lucky, back up on a regular basis & keep a copy on localhost.

Oh & my hacker according to isp was from France

Kym
15-05-2011, 12:21am
We have been continuing to work on security.
We have tracked our attacks to IP addresses in Norway and Sweden.
We have blocked a lot of IP address ranges.

We have also made some other changes that will help but I don't want to reveal.

Kym
15-05-2011, 5:04pm
Many web sites get 'hacked' from time to time, as we well know.
It begs the question: how do the cretins get in and do damage?
Here is the layman's version of a technical explanation.
I've written this post in terms of the technology we use to power AP, namely PHP (http://www.php.net/) and MySQL (http://www.mysql.com/downloads/mysql/).

For an attack to work the hacker must find a way to execute some malicious program code
on the target server.
FYI: This is different to a cross site scripting attack (http://en.wikipedia.org/wiki/Cross-site_scripting) where the hacker gets some malicious
program code to run in people's browsers.

There are three typical methods of attacking a server.

1. Send some block of text that overflows a buffer and causes binary code to run on the server.
   This method is traditionally used to attack Windows systems as the target hardware and
   operating system are well known.

2. Send some form text to an unprotected dynamic SQL database statement,
   or other dynamic execution (PHP eval statement).
   eg: Say we have this pseudo code in our program:

       SELECT userid, username, password
       FROM user
       WHERE username = '$Input_username' AND password = '$Input_password';

   If I sent the text ' OR 1; DELETE FROM user; -- as the $Input_username variable and it were not first
   sanitised, the line executed becomes:

       SELECT userid, username, password
       FROM user
       WHERE username = '' OR 1; DELETE FROM user; --' AND password = 'Password';

   The above attack would simply wipe out the user table in the database - crude but it demonstrates the problem.
   Note the -- means ignore the rest of the SQL statement ('--' is a comment marker).

3. Set a cookie so that a similar attack as item 2 occurs.
   This attack is a bit more subtle as it requires setting a cookie that you know will be used
   without being first sanitised.

Attacks 2 and 3 were what happened to AP in the last fortnight.
Both require knowledge of what is running on the forum, i.e. where a weakness exists.

Stopping these attacks requires that all input from the client browser is assumed malicious
and it is filtered to escape ' and other characters into a harmless quoted format when
using that input in a dynamic (run time) SQL statement or PHP eval statement.
There are standard library filter functions to do this, but sometimes they get missed.

So, to be successful, the hacker needs to look at code used by the forum (eg. a well-known plugin)
and then exploit any weakness found. The hacker's skills in this case need not be particularly
advanced; this information and how-to is well known.
Generally these sort of hackers are script kiddies (http://www.urbandictionary.com/define.php?term=script+kiddie).

So how do we stop this?
We just need to keep up to date with patches and check and double check any new 3rd party code.
I need to ensure (and I do) that my programming style uses the appropriate input filters by default.

Can a site be 100% safe?
Theoretically yes, but there are usually bugs in software that can be exploited.
So instead we just try to keep ahead of the game and also have a decent backup strategy, which AP does.
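The post's items 2 and 3 and the fix it describes, in running form, as an added example that is not code from the post or from the forum software. It uses Python's sqlite3 on a constructed `user` table with the same three columns as the pseudo code above; the cookie names are hypothetical, and the multi-statement driver is modelled rather than real (sqlite3's execute() refuses stacked statements, PHP's mysqli::multi_query does not).

```python
"""
SQL injection through a form field and through a cookie, next to the two
defences the post names: escaping the quote, and (better) parameterised
statements. Added example on constructed sqlite3 data.
"""
import sqlite3

# The payload quoted in the post, and a single-statement variant of it.
STACKED_PAYLOAD = "' OR 1; DELETE FROM user; --"
BYPASS_PAYLOAD = "' OR 1 --"


def make_db():
    """Constructed sample data: two accounts (plaintext passwords only so the
    SQL stays identical to the post's pseudo code)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "kym", "s3cret"), (2, "rick", "hunter2")])
    return conn


def build_login_sql(username, password):
    """The vulnerable pattern: untrusted text spliced into the statement."""
    return ("SELECT userid, username, password FROM user "
            f"WHERE username = '{username}' AND password = '{password}';")


def login_vulnerable(conn, username, password):
    """Driver that runs one statement per call (sqlite3.execute). The injected
    DELETE cannot run here, but OR 1 makes the WHERE clause true for every row
    and the trailing -- comments out the password check: a login bypass."""
    return conn.execute(build_login_sql(username, password)).fetchall()


def login_vulnerable_stacked(conn, username, password):
    """Model of a driver that accepts several statements per call (as PHP's
    mysqli::multi_query does): each ';'-separated piece is run in turn, so the
    injected DELETE runs too. Crude splitting, adequate for this input.
    Returns the number of rows left in `user`."""
    for stmt in build_login_sql(username, password).split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):
            conn.execute(stmt)
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def escape_quotes(value):
    """The filter the post describes: turn a quote into its harmless quoted
    form (SQL doubles it). Only correct inside a single-quoted literal; it does
    nothing for numeric contexts, which is why placeholders are preferred."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    sql = build_login_sql(escape_quotes(username), escape_quotes(password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised statement: values travel separately from the SQL text, so
    a quote in them is data, never syntax. Returns the matching row or None."""
    return conn.execute(
        "SELECT userid, username FROM user WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def parse_cookie_header(header):
    """Minimal Cookie header parser (cookie names are hypothetical). A cookie is
    client input exactly like a form field and needs the same handling."""
    pairs = (part.split("=", 1) for part in header.split("; ") if "=" in part)
    return {name.strip(): value for name, value in pairs}


def login_from_cookie(conn, cookie_header, login_fn):
    """Item 3 from the post: the same values arrive via the Cookie header."""
    jar = parse_cookie_header(cookie_header)
    return login_fn(conn, jar["forum_user"], jar["forum_pass"])


if __name__ == "__main__":
    db = make_db()
    cookie = "forum_user=' OR 1 --; forum_pass=wrong"
    print("form bypass:", login_vulnerable(db, BYPASS_PAYLOAD, "wrong"))
    print("cookie bypass:", login_from_cookie(db, cookie, login_vulnerable))
    print("escaped:", login_escaped(db, BYPASS_PAYLOAD, "wrong"))
    print("parameterised:", login_safe(db, BYPASS_PAYLOAD, "wrong"))
    print("rows left after stacked payload:", login_vulnerable_stacked(db, STACKED_PAYLOAD, "wrong"))
```

For MySQL the escape step would be mysql_real_escape_string() rather than plain quote doubling, and the parameterised form is a prepared statement (PDO or mysqli); the shape of the fix is the same.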