Forum hack - what happened?

This is literally what happened.
SirDice and I both caught the defacement live (and in some way, caused it by being online -- see point 3 in quote).
SirDice analyzed the code (which was put in a simple post), nuked the user and their post, found in the admin log what was changed (by "us"), reverted everything.
I was on the server itself, checking possible intrusions in file systems, databases, checking known good file hashes.
Meanwhile, I nudged DanGer to expedite the XF update.
All of this was basically done in under 30 minutes, but the FreeBSD Org wanted a little more detail and reassurance.
And that was it.
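The "checking known good file hashes" step from the post above, written out as an added example; it is not part of the original thread and not the forum's own tooling. On FreeBSD the native tool for this is mtree(8) (`mtree -c` to record a specification, `mtree` against it to verify), but a small portable version makes the logic visible: snapshot content hashes and permission bits for every regular file under the web root, then diff a fresh snapshot against the saved baseline. The web root layout, file contents and the tampering in `run_demo()` are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads don't blow memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, mode) for every regular file under root.

    Mode bits are recorded too: a file that quietly became executable in an
    upload directory is as interesting as one whose content changed.
    Symlinks are skipped so a planted link cannot pull in files outside root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (hash_file(p), oct(p.stat().st_mode & 0o7777))
    return manifest


def save_manifest(manifest, path):
    """One line per file: '<sha256> <mode> <relative path>' (path last, may contain spaces)."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            digest, mode = manifest[rel]
            f.write(f"{digest} {mode} {rel}\n")


def load_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, mode, rel = line.rstrip("\n").split(" ", 2)
            manifest[rel] = (digest, mode)
    return manifest


def compare(baseline, current):
    """Return added, removed and modified relative paths (sorted lists)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Constructed scenario (not a real install): snapshot a fake web root,
    tamper with it, and report the drift against the saved baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        for rel, body in {
            "index.php": "<?php echo 'forum'; ?>\n",
            "src/config.php": "<?php $db = 'forum'; ?>\n",
            "src/old.php": "<?php // legacy ?>\n",
            "data/uploads/avatar.png": "PNG\n",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        spec = Path(tmp) / "baseline.txt"
        save_manifest(build_manifest(root), spec)

        # Tampering, all made up: content change, permission flip, deletion, new file.
        (root / "index.php").write_text("<?php echo 'forum'; ?>\n<?php /* injected */ ?>\n")
        (root / "src/config.php").chmod(0o755)          # same bytes, new mode bits
        (root / "src/old.php").unlink()
        (root / "data/uploads/shell.php").write_text("<?php /* unexpected file */ ?>\n")

        return compare(load_manifest(spec), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it once against a clean install (or straight after an upgrade) to produce the baseline, keep that file somewhere the web server's user cannot write, and rerun the comparison after an incident or on a schedule. Anything in `added` under an upload directory, or in `modified` under the application code, is what you read first.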
Well done for fixing it quickly. Do you know if they were able to get hold of any of our user account details? Names, emails, etc.?
 
Common misconception. Even the "limited" www user most web servers run as can be abused to attack/proxy other systems. It's not as "limited" as a lot of people think it is. As a matter of fact, it's not limited at all; it can do the same things as any other user account can do.
I have to admit, I had no idea about that. I thought that all those daemon accounts had some sort of finely tuned template/config according to which they are created. But I guess at some point, it ends up being 'security by obscurity'.
 
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Same; also, when I clicked on it, it played some music.
 
Screenshot from Firefox 12:15PM EST

On a different screenshot, bottom-left, I saw a clock icon; is that YouTube's Watch Later? Is it affected by cross-site cookies? Was the hijack code changed since it was deployed? (somewhere between 12:10 and 12:12PM)

I left that tab open for a minute and Firefox got laggy, and I kind of wonder if there was code doing something else in the background.
 
We open source heads always brag about how both Linux and FreeBSD are super secure, ...
We do? I definitely don't. Anyone who brags that "Linux and FreeBSD are super secure" is uninformed, and hasn't thought through the issues. As others have said: The security of a (very good) piece of software such as XenForo is not correlated with the security of the thing that is being discussed on the forum that uses XenForo. If this had been a forum devoted to raising pot-bellied pigs or to repairing chainsaw motors, would you have complained that pigs or chainsaws are less secure?

There might be a grain of truth in the observation that the Linux and FreeBSD kernels, or base OS distributions, are more secure than some other operating systems. Clearly, the security of traditional Windows has a bad reputation. Whether that's deserved or not is a complex question, to which the answer is not at all clear. For example, CP/M at first seems completely insecure: anyone who can walk up to the keyboard of a powered-up and functioning (!) CP/M machine can take complete control of it. Which doesn't mean that it is insecure, only that protecting it uses different tools than for more modern machines.

Also, OpenBSD would like to have a word.

It's because you are taking what I'm saying literally.
That's easily fixable.
 
While browsing the forums after the defacement, I used Firefox with NoScript enabled. With JavaScript disabled, there was no redirect to the defacement page. Instead, the “Forums” and “New posts” pages appeared, at the time, as shown in the screenshots below. At first, I didn’t realize what was happening until I accessed the forums using a Firefox profile without NoScript.

 
I'm gonna hang around the HardenedBSD peeps for a bit. Something so basic and surface level for mild inconvenience on a GUI to the community generated by a Bash script
 
A long time ago the forums ran on phpBB for a while. It too had its fair share of security issues. Software is rarely completely free of bugs; open or closed source doesn't really matter. Closed source may be a bit better at hiding them.
I'm not sure that hiding bugs is more secure than letting them be known publicly.
 
I'm gonna hang around the HardenedBSD peeps for a bit. Something so basic and surface level for mild inconvenience on a GUI to the community generated by a Bash script
You are confused, and having hardened FreeBSD even more would not have solved the problem. The problem was with XenForo's software taking XenForo's generated forum offline. FreeBSD was not involved in that process directly, as evidenced by the fact that Linux XenForo forums were also taken over, which is why that fact was brought up.
 