Forum hack- what happened?

DutchDaemon said:
This is literally what happened.
SirDice and myself both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.
Click to expand...
Well done for fixing it quickly. Do you know if they were able to get hold of any of our user account details? Names, emails, etc..?
 
SirDice said:
Common misconception. Even the "limited" www user most webservers run on can be abused to attack/proxy other systems. It's not as "limited" as a lot of people think it is. As a matter of fact, it's not limited at all, it can do the same things as any other user account can do.
Click to expand...
I have to admit, I had no idea about that. I thought that all those daemon accounts had some sort of finely tuned template/config according to which they are created. But I guess at some point, it ends up being 'security by obscurity'.
 
astyle said:
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Click to expand...
Same, also i clicked on it it played some music.
bsd hack.png
 
Screenshot from Firefox 12:15PM EST

On a different screenshot bottom-left I saw a clock icon; is that YouTube watch later? Is it affected by cross-site cookies? Was the hijack code changed since it was deployed? (somewhere between 12:10 and 12:12PM)

I left that tab open for a minute and Firefox got laggy, and kind-of wonder if there was code doing something else in the background.
 
MrBSD said:
Us open source heads always brag about how both linux and freebsd are super secure, ...
Click to expand...
We do? I definitely don't. Anyone who brags that "Linux and FreeBSD are super secure" is uninformed, and hasn't thought through the issues. As others have said: The security of a (very good) piece of software such as XenForo is not correlated with the security of the thing that is being discussed on the forum that uses XenForo. If this had been a forum devoted to raising pot-bellied pigs or to repairing chainsaw motors, would you have complained that pigs or chainsaws are less secure?

There might be a grain of truth in the observation that the Linux and FreeBSD kernels, or base OS distributions are more secure than some other operating systems. Clearly, the security of traditional Windows has a bad reputation . Whether that's deserved or not in a complex question, to which the answer is not at all clear. For example, cp/m at first seems completely insecure: anyone who can walk up to the keyboard of a powered-up and functioning (!) cp/m machine can take complete control of it. Which doesn't mean that it is insecure, only that protecting it uses different tools as for more modern machines.

Also, OpenBSD would like to have a word.

MrBSD said:
Its because you are taking what im saying literally.
Click to expand...
That's easily fixable.
 
While browsing the forums after the defacement, I used Firefox with NoScript enabled. With JavaScript disabled, there was no redirect to the defacement page. Instead, the “Forums” and “New posts” pages appeared, at the time, as shown in the screenshots below. At first, I didn’t realize what was happening until I accessed the forums using a Firefox profile without NoScript.

Defam-The FreeBSD Forums.png Defam-New posts The FreeBSD Forums.png
 
You must log in or register to reply here.
Back
Top