Site hacked
My server was hacked overnight.
Most things are already back to normal, but my email access isn't yet fully restored. Use gary.stark@gmail.com if you need to contact me today. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Gary
You have done well to get the site back up again. Thank you. Do you have a lead on the hackers' location / identity? Will organise Dargan, Cricketfan, Xerubus and Matt and the rest of the Brisbane Chapter to pay them a visit if they are from around here. Cheers, Graham
I saw a screen cap of the site defaced.
A big far queue to those turd for brains responsible. Your brand certainly 'owns us' don't they? Once you bite off the hand that feeds you, whose technology are they going to copy from then?
Graham,
No idea; best guess is script kiddies exploiting a hole in Apache. It's a worm of some sort, and it's hit us twice so far today. I'm not sure of how or why yet, and I'm not yet convinced that we're secure against it either. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
The problem here is that I don't know which exploit has been used. Not having that knowledge makes me very nervous about the remedy that we've applied. While I'm here, a big thank you to Leigh who upgraded the server and reinstalled the files from the backup locations when this happened the second time. He's done well. As he always does. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
One other point - some avatars may be missing at the moment.
Please don't panic yet. I'll try to restore them this evening; if they're not back to normal tomorrow, please go ahead and reinstall what you need. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
This exploit can kiss my ass. This is really pissing me off. Let's try this again...
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Are we back now?
PlatinumWeaver / Dean
Asking the Stupid Questions http://www.platinumweaver.net/
Yes, but don't ask us for how long. This exploit is really pissing me off. All the more because I don't yet know what's behind it, and there's no information out on the net about it. It's like being drunk, and trying to fight someone who's invisible. What a bunch of cowardly little wimps though ... too damn scared to tell you who the hell they are and why they're doing this. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Are you hosting the site locally?
PlatinumWeaver / Dean
Asking the Stupid Questions http://www.platinumweaver.net/
I'd say that the "hacker" is a script kiddie who doesn't know how to use the app and hasn't figured out where to put his signature in it.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Dean
Yes. The server is in my living room; this exploit is affecting every one of the domains that we host. It's totally mindless, in that all it does is overwrite the htm/l and php files with its garbage. The problem is that I can't find any information that tells me precisely where the vulnerability is; without that knowledge, what patch/es do you apply, and to what modules? The best info that I've seen is a couple of things on phpbb, but they're very scant on the actual detail. And I can't put those fixes into place from where I am right now because the firewall here prevents me from accessing the server at a control level. I'll be home in an hour or so ... g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
I just restored my avatar before, so I'm just checking if it is back when I post this.
Then my computer came up with: This site has just been defaced with worm virus 9. x ? Couldn't get on for about 15 min. Back on now. Mic.
Why are you even here petal666?
Because he is. I'm not sure I see a problem with that.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
We're putting in place a procedure where we can be back on line within minutes of an attack. I could probably automate it too, if I wanted to.
These so-called hackers are just pains in the butt. We shall deal with them in due course. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Gary
Monumental pain in the *** Thanks for keeping on top of things as best you can. Don't get too depressed about it. The script kiddies will get bored and move on to playing with themselves again sooner or later. Cheers Stubbsy
The automated process probably involves an alarm sitting next to my bed to wake me up to fix it.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Possible answers.... 1. Maybe to hang out with folks with real cameras. 2. Would you want to hang out with other Canon owners? 3. Because this forum is better than any other forum, regardless of brand issues. 4. Because this forum accepts and welcomes all comers who maintain the standards of good spirit that have been established. Greg - - - - D200 etc
Talent hits a target no one else can hit; Genius hits a target no one else can see. - Arthur Schopenhauer
Bit of a bugger, wondered why the site was down earlier. Hope you sort it out Gary. I also run a server 24/7 and yeh I get hit all the time, firewall gets most, but yeh if you can get an IP number that would be handy, and keep logs.
D3,D2x,D70,18-70 kit lens,Sigma 70-200mm F2.8EX HSM,Nikon AF-I 300m F2.8, TC20E 2X
80-400VR,SB800,Vosonic X Drive,VP6210 40 http://www.oz-images.com
BBJ, If we get one of these morons, can I send to you to feed the shark down there?
Last edited by birddog114 on Tue Dec 21, 2004 4:18 pm, edited 1 time in total.
Birddog114
VNAF, My Beloved Country and Airspace
If it's coming in the way Dad and I think it's coming in, I doubt we'll be able to find an ip for it.
Mind you, I've contacted one of the other sites this also affected to see if he's got any permanent solutions and / or ip addresses for us to... ahem... talk to.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
hey Nnnsic, you were asking on OCAU which other sites I had seen affected. Looks like you've found one, but anyway:
NissanSilvia, SkylinesAustralia, MackayCruising were the other ones mentioned in the OCAU Pub, same red front on plain black background job. Maybe you could band together with their webmasters and figure out where the unwanted intrusion was, and prevent it from happening again.
http://www.webmasterworld.com/forum103/246.htm
http://www.phpbb.com/phpBB/viewtopic.php?t=240513
http://www.addict3d.org/index.php?page= ... ty&ID=2622
PlatinumWeaver / Dean
Asking the Stupid Questions http://www.platinumweaver.net/
Hey Birdy, I would gladly feed them to our sharks down here, for sure, and well I guess even if I went to sort them out would be enough fright for the lil mongrels.
For Gary, if u have some details I am sure u will find this interesting if u don't already have it, but I use it a lot, as running servers on IRC for the last 10 years or so I always get young hackers doing their crap just to disrupt things. Anyhow have a look, could come in handy for some: http://www.dnsstuff.com/
D3,D2x,D70,18-70 kit lens,Sigma 70-200mm F2.8EX HSM,Nikon AF-I 300m F2.8, TC20E 2X
80-400VR,SB800,Vosonic X Drive,VP6210 40 http://www.oz-images.com
John,
Been using dnsstuff for quite a while; it's great to test one's setup too. Thanx. Dean, Everything's pointing to the hole in phpbb. What's still not yet known is how much underlying damage was done. g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Thanks Gary and Leigh
For getting it all up & going again. I thought it was a little strange this morning at 5:15 when I tried to access the site. When I saw the page I knew some prick had done the dirty!!!!!! Cheers Ray
>> All of us could take a lesson from the weather. It pays no attention to criticism<<
I'd change the database username & password at the very least and upgrade to 2.0.1.1 asap..
PlatinumWeaver / Dean
Asking the Stupid Questions http://www.platinumweaver.net/
Thanx Kristine; I think I'm there now. Curiously, I suspect that this exploit could also have happened had we been hosting on your system too; the issue was an exploit in the phpbb code. If you have any clients running phpbb systems, you might want to get them to make sure that they're running the very latest version to avoid this hassle. Given that it scans the whole site and rewrites all php and htm/l files that can be seen from within the virtual server - as the virtual server user - what sort of risk does that impose for you? And would you like to have a copy of the exploit itself? g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
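The thread describes the worm rewriting every php and htm/l file the web server user can reach, with no certainty about which files were touched. As an added example (not part of the original thread, and not code used by anyone in it), this sketch builds a SHA-256 baseline of those file types and reports what changed against it; the sample tree and "defaced" content are constructed, and treating many modified files that share one digest as a mass-overwrite signal is an assumption about how the defacement behaves.

```python
import hashlib
import os
import tempfile
from collections import Counter

WEB_EXTS = (".php", ".htm", ".html")  # file types the thread says were overwritten

def build_manifest(root):
    """Map each web file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                manifest[os.path.relpath(path, root)] = digest
    return manifest

def compare(baseline, current):
    """Return modified, added and missing paths, plus the size of the largest
    group of modified files sharing one digest (assumed mass-overwrite signal)."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    same = Counter(current[p] for p in modified)
    largest = same.most_common(1)[0][1] if same else 0
    return {"modified": modified, "added": added, "missing": missing,
            "largest_identical_group": largest}

def demo():
    """Constructed sample tree: three pages and an image, then a simulated overwrite."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "forum"))
        pages = {"index.html": b"<h1>home</h1>", "about.htm": b"<p>about</p>",
                 os.path.join("forum", "viewtopic.php"): b"<?php echo 'topic'; ?>",
                 "logo.jpg": b"\xff\xd8 not a web page"}
        for rel, body in pages.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)
        for rel in pages:  # constructed stand-in for the defacement content
            if rel.lower().endswith(WEB_EXTS):
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(b"<html>defaced</html>")
        return baseline, compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo()[1])
```

The baseline manifest is only useful if it is stored somewhere the web server user cannot write, since the thread notes the overwrite runs as that user.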
Hi Gary
Sorry for not getting back to you sooner, but I have really limited Internet access while I am in Sydney. We have not had any problems with any sites that are running PHPBB – all sites are using the latest version (we have software for all sites updated on a regular basis). I hope that all your problems are now sorted out with your box. As I offered previously, I can have someone look at your security (check for vulnerabilities in your server etc.). One of the guys that we contract server and security work to (he runs his own company) also does contract work for the Australian Federal Police (testing security etc.). He can test your box and email you with any vulnerability with your server and tell you what needs to be done to fix it (he can also fix it for you if you like). Just PM me or send me across an email if you want to go ahead and test the security on your box. Cheers Kristine