Forum hack - what happened?

This is literally what happened.
SirDice and myself both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.
Well done for fixing it quickly. Do you know if they were able to get hold of any of our user account details? Names, emails, etc..?
 
Common misconception. Even the "limited" www user most webservers run on can be abused to attack/proxy other systems. It's not as "limited" as a lot of people think it is. As a matter of fact, it's not limited at all, it can do the same things as any other user account can do.
I have to admit, I had no idea about that. I thought that all those daemon accounts had some sort of finely tuned template/config according to which they are created. But I guess at some point, it ends up being 'security by obscurity'.
 
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Same, also I clicked on it and it played some music.
 
Screenshot from Firefox 12:15PM EST

On a different screenshot bottom-left I saw a clock icon; is that YouTube watch later? Is it affected by cross-site cookies? Was the hijack code changed since it was deployed? (somewhere between 12:10 and 12:12PM)

I left that tab open for a minute and Firefox got laggy, and kind-of wonder if there was code doing something else in the background.
 
Us open source heads always brag about how both linux and freebsd are super secure, ...
We do? I definitely don't. Anyone who brags that "Linux and FreeBSD are super secure" is uninformed, and hasn't thought through the issues. As others have said: The security of a (very good) piece of software such as XenForo is not correlated with the security of the thing that is being discussed on the forum that uses XenForo. If this had been a forum devoted to raising pot-bellied pigs or to repairing chainsaw motors, would you have complained that pigs or chainsaws are less secure?

There might be a grain of truth in the observation that the Linux and FreeBSD kernels, or base OS distributions, are more secure than some other operating systems. Clearly, the security of traditional Windows has a bad reputation. Whether that's deserved or not is a complex question, to which the answer is not at all clear. For example, CP/M at first seems completely insecure: anyone who can walk up to the keyboard of a powered-up and functioning (!) CP/M machine can take complete control of it. Which doesn't mean that it is insecure, only that protecting it uses different tools than for more modern machines.

Also, OpenBSD would like to have a word.

It's because you are taking what I'm saying literally.
That's easily fixable.
 
While browsing the forums after the defacement, I used Firefox with NoScript enabled. With JavaScript disabled, there was no redirect to the defacement page. Instead, the “Forums” and “New posts” pages appeared, at the time, as shown in the screenshots below. At first, I didn’t realize what was happening until I accessed the forums using a Firefox profile without NoScript.

 
I'm gonna hang around the HardenedBSD peeps for a bit. Something so basic and surface level for mild inconvenience on a GUI to the community generated by a Bash script
 
I'm gonna hang around the HardenedBSD peeps for a bit. Something so basic and surface level for mild inconvenience on a GUI to the community generated by a Bash script
You are confused and having hardened FreeBSD even more would not have solved the problem. The problem was with XenForo's software taking XenForo's generated forum offline. FreeBSD was not involved in that process directly as evidenced by the fact that Linux XenForo forums were also taken over which is why that fact was brought up.
 
You are confused and having hardened FreeBSD even more would not have solved the problem. The problem was with XenForo's software taking XenForo's generated forum offline. FreeBSD was not involved in that process directly as evidenced by the fact that Linux XenForo forums were also taken over which is why that fact was brought up.
It was some kind of user content injection, from what I understood. Wouldn't it be preventable by quickly analyzing posted user content in a RAM sandbox to catch suspicious results? There must be arbitrary differences between actual substantial content of a user and a hostile server takedown attempt with nested content that's interpreted by a server component...
 
a hostile server takedown attempt
There was no server takedown attempt. It was forum software only and the problem was isolated to that and that alone. The server was fine. The mods had complete control over the server and were able to fix the XenForo software by remote access through the server. The server itself was not compromised. So many people don't understand that.
 
I took a look at what people were saying about it on the linux.org forums... And found that the tone of the conversation was a bit more lighthearted than in this thread. In here, it's like, "Sigh. A mess to clean up.", while on linux.org, it's more like "Oh, well, took a stumble, got a scrape, let's get up and move on.".

One concrete difference is that on linux.org, one of the admins there posted a code snippet to actually explain in technical detail what happened, so that people could connect the dots between the problems with XenForo and the code that caused things to go haywire. Normally, that kind of info is a bit of an Easter egg hunt (pardon the pun, since the actual Easter Sunday is right around the corner), and you have to really know your way around the browser if you wanna extract the problematic code and connect the dots needed to realize what actually happened, and what course of action to take based on that knowledge.
 
Some people may find that interesting but it has nothing to do with FreeBSD. Or Linux for that matter.
Well, duh, I continued to use FreeBSD on my machines, because nothing happened there. Ohhh, I did use my FreeBSD machines to view the defaced site, take screenshots, etc. - but come on, it was a XenForo software issue, not a FreeBSD issue. Yeah, it was disheartening to be locked out of the FreeBSD Forums for a bit, I enjoy the conversations there.
 