Forum hack - what happened?

This is literally what happened.
SirDice and myself both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.
Well done for fixing it quickly. Do you know if they were able to get hold of any of our user account details? Names, emails, etc.?
 
Common misconception. Even the "limited" www user most webservers run on can be abused to attack/proxy other systems. It's not as "limited" as a lot of people think it is. As a matter of fact, it's not limited at all, it can do the same things as any other user account can do.
I have to admit, I had no idea about that. I thought that all those daemon accounts had some sort of finely tuned template/config according to which they are created. But I guess at some point, it ends up being 'security by obscurity'.
 
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Same, also I clicked on it and it played some music.
 
Screenshot from Firefox 12:15PM EST

On a different screenshot bottom-left I saw a clock icon; is that YouTube watch later? Is it affected by cross-site cookies? Was the hijack code changed since it was deployed? (somewhere between 12:10 and 12:12PM)

I left that tab open for a minute and Firefox got laggy, and I kind of wonder if there was code doing something else in the background.
 