Forum hack- what happened?

[Alain De Vos]

.

 

[Alain De Vos]

& Crivens & SirDice.

Meanwhile where is Foundation ? Hey , did something happened ?
We are here to collect money . We are on the high level.
Not this basic stuff which keeps thing going.
Let's make a marketing plan, we need a vision , a mission , a strategy.

 

[eternal_noob]

did everyone else see that same defacing of the Forums, or did anyone see/get a different image?

I took a screenshot with my cell phone.



These idiots don't even know what responsiveness is.

 

[SirDice]

Meanwhile where is Foundation ? Hey , did something happened ?

No. We were in constant contact with various folks from core, foundation and clusteradmin. So, none of this nonsense please.

 

[SirDice]

I wonder if the XSS hack was combined with other methods to do more damage.

Not that I could find in our situation. I took apart their injected javascript. It didn't do much besides redirecting to a github repo that hosted the "defacement" page. That defacement page also contained some javascript, but that was nothing more than a basic http/tcp/udp connection flooder. Nothing fancy and most of it didn't even work properly.

 

[Alain De Vos]

No. We were in constant contact with various folks from core, foundation and clusteradmin. So, none of this nonsense please.

There was a Foundation post on Facebook. Showing they knew nothing. Excuse me if I sometimes over-exagerate. I only tell my feelings. And really have no idea, the good/bad they do. So for me it is something "black".
- Do we really need KDE ?
- Wifi drivers for exotic hardware ?
Are priorities wright ?
---> Me I think more about Netapp & Jupiner.

 

[kpedersen]

I took a screenshot with my cell phone.

View attachment 25824

These idiots don't even know what responsiveness is.

They managed to center the div vertically. That's impressive enough

 

[Alain De Vos]

They never were able to access , kernel repo , package repo, or gain root access. Probably only xenforo administator session/cookie/password. And insert there own "front-page".

 

[eternal_noob]

They managed to center the div vertically.

That was funny.

 

[johnjohn]

I took a screenshot with my cell phone.

View attachment 25824

These idiots don't even know what responsiveness is.

i guess that my proxy blocked the bg image. i simply saw a black bg.

a simple cascading stylesheet would solve alot of responsive problems:

@media (max-width: 300px) { 
  .haha { display: block;  } 
}

and image sets work wonders these days:

Using responsive images in HTML - HTML | MDN

In this article, we'll learn about the concept of responsive images — images that work well on devices with widely differing screen sizes, resolutions, and other such features — and look at what tools HTML provides to help implement them. This helps to improve performance across different devices.

developer.mozilla.org

 

[DutchDaemon]

This is about the corresponding hack on linux.org from this thread.

"Edit2: more info: https://github.com/methosiea/xenforo-2-xss
So, the attack chain is basically:

1. Attacker registers an account
2. New post w/ the xss payload - it goes to the queue
3. An admin views it, it fires off the xss payload stealing his session
4. Attacker creates the malicious widget"

I wonder if the XSS hack was combined with other methods to do more damage.

I also wonder why someone would hack a public forum.

/grandpa

This is literally what happened.
SirDice and myself both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.

 

[Alain De Vos]

This was quickly solved. When recently someone, updated package database with a bad package, inserting some bad sql into db, I think it took at least 18hours before fix. Nobody could download any package , not on quarterly ,not on "current".
For other architectures it took 3 days.
Here it is much about nothing.

& About this bad package sql. Not one word from foundation. Not one.

 

[MrBSD]

The hack also took down linux.org's forum so I guess it's not a good look for Linux forums, too, eh?

Exactly. Us open source heads always brag about how both linux and freebsd are super secure, and then we have our forums pwnd like this. Its pretty embarrassing.

 

[SirDice]

how both linux and freebsd are super secure

The security of the OS isn't going to stop a parsing bug in a web application. That's how most, if not all, hacks happen nowadays. It very rarely happens because of a bug in the OS itself.

 

[joneum@]

Many people complain, but only a few are truly willing to offer support.

 

[anguisette]

Exactly. Us open source heads always brag about how both linux and freebsd are super secure, and then we have our forums pwnd like this. Its pretty embarrassing.

XenForo is not open source. also, XenForo is not Linux or FreeBSD, it's a piece of third-party software.

and anyone claiming that any OS is "super secure" is... possibly misunderstanding how security works. perhaps you could say FreeBSD is "more secure" than, say, AIX, in the sense that it has fewer security advisories (i don't know of any statistics about this off hand, so let's just stipulate that it's true), but that doesn't mean FreeBSD "is super secure". if you don't apply security updates, it's not secure. if you run EOL releases, it's not secure. if you don't attend to physical security, it's not secure. if you run an Internet-accessible sshd with weak passwords, it's not secure.

security is far more about process than it is about choice of software.

 

[astyle]

This was quickly solved. When recently someone, updated package database with a bad package, inserting some bad sql into db, I think it took at least 18hours before fix. Nobody could download any package , not on quarterly ,not on "current".
For other architectures it took 3 days.
Here it is much about nothing.

& About this bad package sql. Not one word from foundation. Not one.
View attachment 25826

Yeah, having a good, workable plan on how to get back up and running reasonably quickly after an incident IS one important aspect of administering a public service. Another important aspect is being able to communicate solid info about the status of the said service. But sometimes, it's faster to fix the situation than to fully analyze what happened and write an announcement. Besides, when a situation is solved, analysis stops being that incredibly urgent. Basically, it takes some level-headed thinking to realize that the priority should be on technically rectifying the problematic situation, rather than analysis and announcements. Especially given the fact that the Forums are basically a communication platform with no real alternative method of reaching the users. Kind of like having roads washed out by a flash flood - nothing happens until the road is fixed, and fast, and full analysis of the economic and social impact of that flood can wait.