Site hacked


Postby gstark on Tue Dec 21, 2004 9:01 am

My server was hacked overnight.

Most things are already back to normal, but my email access isn't yet fully restored. Use gary.stark@gmail.com if you need to contact me today.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby Glen on Tue Dec 21, 2004 9:03 am

Well done in fixing it Gary, I noticed it was unusual at about 6.50 am this morning when only you and I were on. Thanks
Glen
Moderator
 
Posts: 11819
Joined: Sat Aug 07, 2004 3:14 pm
Location: Sydney - Neutral Bay - Nikon

Postby Matt. K on Tue Dec 21, 2004 9:08 am

Gary
Canon executives.
Regards

Matt. K
Matt. K
Former Outstanding Member Of The Year and KM
 
Posts: 9981
Joined: Mon Sep 06, 2004 7:12 pm
Location: North Nowra

Postby Onyx on Tue Dec 21, 2004 9:12 am

Any idea who, why, how, when?

Shall I ready the toughies to send round to ruffle up some geeky heads?
Onyx
Senior Member
 
Posts: 3631
Joined: Sat Aug 07, 2004 6:51 pm
Location: westsyd.nsw.au

Postby Glen on Tue Dec 21, 2004 9:14 am

Matt, the enemy within. Maxwell executives.

(they have seen our prices from Poon)
Glen
Moderator
 
Posts: 11819
Joined: Sat Aug 07, 2004 3:14 pm
Location: Sydney - Neutral Bay - Nikon

Postby bago100 on Tue Dec 21, 2004 9:27 am

Gary
You have done well to get the site back up again.
Thank you.
Do you have a lead on the hackers location / identity?
Will organise Dargan, Cricketfan, Xerubus and Matt and the rest of the Brisbane Chapter to pay them a visit if they are from around here :D
Cheers
Graham
bago100
Senior Member
 
Posts: 862
Joined: Mon Sep 06, 2004 6:42 pm
Location: Shanghai China until Feb 2010

Postby Onyx on Tue Dec 21, 2004 10:03 am

I saw a screen cap of the site defaced.
A big far queue to those turd for brains responsible. Your brand certainly 'owns us' don't they? Once you bite off the hand that feeds you, whose technology are they going to copy from then?
Onyx
Senior Member
 
Posts: 3631
Joined: Sat Aug 07, 2004 6:51 pm
Location: westsyd.nsw.au

Postby Mj on Tue Dec 21, 2004 12:07 pm

Matt. K wrote:Gary
Canon executives.


Nope... I can confirm that they are all busy on other worries at the minute... :lol:
Mj
Senior Member
 
Posts: 1048
Joined: Fri Aug 20, 2004 3:37 pm
Location: Breakfast Point, Sydney {Australia}

Postby gstark on Tue Dec 21, 2004 12:10 pm

Graham,

bago100 wrote:Gary
You have done well to get the site back up again.
Thank you.
Do you have a lead on the hackers location / identity?


No idea; best guess is script kiddies exploiting a hole in Apache.

It's a worm of some sort, and it's hit us twice so far today. I'm not sure of how or why yet, and I'm not yet convinced that we're secure against it either.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby Maximus on Tue Dec 21, 2004 12:15 pm

and I'm not yet convinced that we're secure against it either


Uh oh... :(
Maximus
Newbie
 
Posts: 37
Joined: Wed Nov 24, 2004 2:27 pm

Postby gstark on Tue Dec 21, 2004 12:35 pm

Maximus wrote:
and I'm not yet convinced that we're secure against it either


Uh oh... :(


The problem here is that I don't know which exploit has been used. Not having that knowledge makes me very nervous about the remedy that we've applied.

While I'm here, a big thank you to Leigh who upgraded the server and reinstalled the files from the backup locations when this happened the second time.

He's done well.

As he always does.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby Glen on Tue Dec 21, 2004 12:40 pm

Well done Leigh, most appreciated by all :D :D :D
Glen
Moderator
 
Posts: 11819
Joined: Sat Aug 07, 2004 3:14 pm
Location: Sydney - Neutral Bay - Nikon

Postby Onyx on Tue Dec 21, 2004 12:49 pm

I feel like we're still sitting ducks waiting for the next strike.

Thanks Gary and Leigh for restoring the site. This place means so much to so many of us. :)
Onyx
Senior Member
 
Posts: 3631
Joined: Sat Aug 07, 2004 6:51 pm
Location: westsyd.nsw.au

Postby MCWB on Tue Dec 21, 2004 1:06 pm

Onyx wrote:I feel like we're still sitting ducks waiting for the next strike

What does not kill us can only make us stronger. :twisted: Thanks Gary and Leigh for getting it back underway so quickly. :)
MCWB
Senior Member
 
Posts: 2121
Joined: Mon Oct 11, 2004 10:55 pm
Location: Epping/CBD, Sydney-D200, D70

Postby petal666 on Tue Dec 21, 2004 1:41 pm

Mj wrote:
Matt. K wrote:Gary
Canon executives.


Nope... I can confirm that they are all busy on other worries at the minute... :lol:


Yes, their bank account is so full they have to start a new one :D
Canon 1D III
petal666
Senior Member
 
Posts: 737
Joined: Thu Sep 16, 2004 7:17 am
Location: Toowng QLD - 1D III

Postby gstark on Tue Dec 21, 2004 1:44 pm

One other point - some avatars may be missing at the moment.

Please don't panic yet. I'll try to restore them this evening; if they're not back to normal tomorrow, please go ahead and reinstall what you need.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby Nnnnsic on Tue Dec 21, 2004 2:55 pm

This exploit can kiss my ass. This is really pissing me off. Let's try this again...
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Nnnnsic
I'm a jazz singer... so I know what I'm doing
 
Posts: 7770
Joined: Sun Aug 08, 2004 12:29 am
Location: Cubicle No. 42... somewhere in Bondi, NSW

Postby PlatinumWeaver on Tue Dec 21, 2004 2:56 pm

Are we back now?
PlatinumWeaver / Dean
Asking the Stupid Questions
http://www.platinumweaver.net/
PlatinumWeaver
Member
 
Posts: 498
Joined: Thu Nov 04, 2004 3:43 pm
Location: Melbourne, VIC

Postby gstark on Tue Dec 21, 2004 3:01 pm

PlatinumWeaver wrote:Are we back now?


yes, but don't ask us for how long.

This exploit is really pissing me off. All the more because I don't yet know what's behind it, and there's no information out on the net about it.

It's like being drunk, and trying to fight someone who's invisible.

What a bunch of cowardly little wimps though ... too damn scared to tell you who the hell they are and why they're doing this.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby PlatinumWeaver on Tue Dec 21, 2004 3:05 pm

Are you hosting the site locally?
PlatinumWeaver / Dean
Asking the Stupid Questions
http://www.platinumweaver.net/
PlatinumWeaver
Member
 
Posts: 498
Joined: Thu Nov 04, 2004 3:43 pm
Location: Melbourne, VIC

Postby Nnnnsic on Tue Dec 21, 2004 3:06 pm

I'd say that the "hacker" is a script kiddie who doesn't know how to use the app and hasn't figured out where to put his signature in it.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Nnnnsic
I'm a jazz singer... so I know what I'm doing
 
Posts: 7770
Joined: Sun Aug 08, 2004 12:29 am
Location: Cubicle No. 42... somewhere in Bondi, NSW

Postby gstark on Tue Dec 21, 2004 3:13 pm

Dean

PlatinumWeaver wrote:Are you hosting the site locally?


yes.

The server is in my living room; this exploit is affecting every one of the domains that we host. It's totally mindless, in that all it does is overwrite the htm/l and php files with its garbage.

The problem is that I can't find any information that tells me precisely where the vulnerability is; without that knowledge, what patch/es do you apply, and to what modules?

The best info that I've seen is a couple of things on phpbb, but they're very scant on the actual detail. And I can't put those fixes into place from where I am right now because the firewall here prevents me from accessing the server at a control level.

I'll be home in an hour or so ...
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby mic on Tue Dec 21, 2004 3:13 pm

I just restored my avatar before, so I'm just checking if it is back when I post this.

Then my computer came up with : This site has just been defaced with worm virus 9. x ?
Couldn't get on for about 15 min

Back on now.

Mic. :oops:
mic
Retired Egg Flipper
 
Posts: 2167
Joined: Thu Oct 28, 2004 2:33 pm
Location: Glen Waverly VIC

Postby sirhc55 on Tue Dec 21, 2004 3:17 pm

I personally would like to send 50,000V down the line and burn the b@stards

Chris
Chris
--------------------------------
I started my life with nothing and I’ve still got most of it left
sirhc55
Key Member
 
Posts: 12930
Joined: Fri Sep 17, 2004 6:57 pm
Location: Port Macquarie - Olympus EM-10

Postby Capturedview on Tue Dec 21, 2004 3:19 pm

petal666 wrote:
Mj wrote:
Matt. K wrote:Gary
Canon executives.


Nope... I can confirm that they are all busy on other worries at the minute... :lol:


Yes, their bank account is so full they have to start a new one :D


Why are you even here petal666?
Capturedview
Newbie
 
Posts: 20
Joined: Tue Oct 19, 2004 5:52 pm
Location: Sydney

Postby Nnnnsic on Tue Dec 21, 2004 3:23 pm

Capturedview wrote:
Why are you even here petal666?


Because he is.

I'm not sure I see a problem with that.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Nnnnsic
I'm a jazz singer... so I know what I'm doing
 
Posts: 7770
Joined: Sun Aug 08, 2004 12:29 am
Location: Cubicle No. 42... somewhere in Bondi, NSW

Postby gstark on Tue Dec 21, 2004 3:38 pm

We're putting in place a procedure where we can be back on line within minutes of an attack. I could probably automate it too, if I wanted to. :)

These so-called hackers are just pains in the butt. We shall deal with them in due course.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby stubbsy on Tue Dec 21, 2004 3:45 pm

Gary

Monumental pain in the ***

Thanks for keeping on top of things as best you can. Don't get too depressed about it. The script kiddies will get bored and move on to playing with themselves again sooner or later.

Cheers

Stubbsy
stubbsy
Moderator
 
Posts: 10748
Joined: Wed Dec 08, 2004 7:44 pm
Location: Newcastle NSW - D700

Postby Nnnnsic on Tue Dec 21, 2004 3:47 pm

The automated process probably involves an alarm sitting next to my bed to wake me up to fix it. :)
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Nnnnsic
I'm a jazz singer... so I know what I'm doing
 
Posts: 7770
Joined: Sun Aug 08, 2004 12:29 am
Location: Cubicle No. 42... somewhere in Bondi, NSW

Postby Greg B on Tue Dec 21, 2004 3:52 pm

Capturedview wrote:Why are you even here petal666?


Possible answers....

1. Maybe to hang out with folks with real cameras. :lol:

2. Would you want to hang out with other Canon owners? :lol:

3. Because this forum is better than any other forum, regardless of brand issues.

4. Because this forum accepts and welcomes all comers who maintain the standards of good spirit that have been established.
Greg - - - - D200 etc

Talent hits a target no one else can hit; Genius hits a target no one else can see.
- Arthur Schopenhauer
Greg B
Moderator
 
Posts: 5938
Joined: Fri Sep 03, 2004 7:14 pm
Location: Surrey Hills, Melbourne

Postby Glen on Tue Dec 21, 2004 4:00 pm

Gary and Leigh, thanks for persevering with this, appreciated by all :) :) :)
Glen
Moderator
 
Posts: 11819
Joined: Sat Aug 07, 2004 3:14 pm
Location: Sydney - Neutral Bay - Nikon

Postby BBJ on Tue Dec 21, 2004 4:04 pm

Bit of a bugger, wondered why the site was down earlier. Hope you sort it out Gary. I also run a server 24/7 and yeh I get hit all the time, firewall gets most but yeh if you can get an IP number would be handy, and keep logs.
D3,D2x,D70,18-70 kit lens,Sigma 70-200mm F2.8EX HSM,Nikon AF-I 300m F2.8, TC20E 2X
80-400VR,SB800,Vosonic X Drive,VP6210 40
http://www.oz-images.com
BBJ
Senior Member
 
Posts: 3651
Joined: Mon Nov 15, 2004 8:49 pm
Location: Mt Gambier South Australia-D70-D2X

Postby birddog114 on Tue Dec 21, 2004 4:09 pm

BBJ wrote: Bit of a bugger, wondered why the site was down earlier. Hope you sort it out Gary. I also run a server 24/7 and yeh I get hit all the time, firewall gets most but yeh if you can get an IP number would be handy, and keep logs.


BBJ,
If we get one of these morons, can I send to you to feed the shark down there? :shock:
Last edited by birddog114 on Tue Dec 21, 2004 4:18 pm, edited 1 time in total.
Birddog114
VNAF, My Beloved Country and Airspace
birddog114
Senior Member
 
Posts: 15881
Joined: Sat Aug 07, 2004 8:18 pm
Location: Belmore,Sydney

Postby Nnnnsic on Tue Dec 21, 2004 4:10 pm

If it's coming in the way Dad and I think it's coming in, I doubt we'll be able to find an IP for it.

Mind you, I've contacted one of the other sites this also affected to see if he's got any permanent solutions and / or IP addresses for us to... ahem... talk to.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Nnnnsic
I'm a jazz singer... so I know what I'm doing
 
Posts: 7770
Joined: Sun Aug 08, 2004 12:29 am
Location: Cubicle No. 42... somewhere in Bondi, NSW

Postby Onyx on Tue Dec 21, 2004 4:15 pm

Hey Nnnnsic, you were asking on OCAU which other sites I had seen affected. Looks like you've found one, but anyway:

NissanSilvia, SkylinesAustralia, MackayCruising were the other ones mentioned in the OCAU Pub, same red front on plain black background job. Maybe you could band together with their webmasters and figure out where the unwanted intrusion was, and prevent it from happening again.
Onyx
Senior Member
 
Posts: 3631
Joined: Sat Aug 07, 2004 6:51 pm
Location: westsyd.nsw.au

Postby PlatinumWeaver on Tue Dec 21, 2004 4:27 pm

PlatinumWeaver / Dean
Asking the Stupid Questions
http://www.platinumweaver.net/
PlatinumWeaver
Member
 
Posts: 498
Joined: Thu Nov 04, 2004 3:43 pm
Location: Melbourne, VIC

Postby Mj on Tue Dec 21, 2004 4:58 pm

Nnnnsic wrote:The automated process probably involves an alarm sitting next to my bed to wake me up to fix it. :)


Sometimes it's the simple ideas that work the best :lol: :lol: :lol:
Mj
Senior Member
 
Posts: 1048
Joined: Fri Aug 20, 2004 3:37 pm
Location: Breakfast Point, Sydney {Australia}

Postby BBJ on Tue Dec 21, 2004 4:58 pm

Hey Birdy, I would gladly feed them to our sharks down here, for sure and well I guess even if I went to sort them out would be enough fright for the lil mongrels.
For Gary, if u have some details I am sure u will find this interesting if u don't already have it but I use it a lot as running servers on IRC for the last 10 years or so I always get young hackers doing their crap just to disrupt things.
Anyhow have a look, could come in handy for some: http://www.dnsstuff.com/
D3,D2x,D70,18-70 kit lens,Sigma 70-200mm F2.8EX HSM,Nikon AF-I 300m F2.8, TC20E 2X
80-400VR,SB800,Vosonic X Drive,VP6210 40
http://www.oz-images.com
BBJ
Senior Member
 
Posts: 3651
Joined: Mon Nov 15, 2004 8:49 pm
Location: Mt Gambier South Australia-D70-D2X

Postby gstark on Tue Dec 21, 2004 5:01 pm

John,

Been using dnsstuff for quite a while; it's great to test one's setup too.

Thanx.

Dean,

Everything's pointing to the hole in phpbb. What's still not yet known is how much underlying damage was done.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Postby Raydar on Tue Dec 21, 2004 5:59 pm

Thanks Gary and Leigh :wink:

For getting it all up & going again.

I thought it was a little strange this morning at 5:15 when I tried to access the site.
When I saw the page I knew some prick had done the dirty!!!!!!

Cheers
Ray :P
>> All of us could take a lesson from the weather. It pays no attention to criticism<<
Raydar
Senior Member
 
Posts: 1366
Joined: Sun Aug 08, 2004 7:57 am
Location: Lismore, Northern - NSW

Postby PlatinumWeaver on Tue Dec 21, 2004 7:15 pm

I'd change the database username & password at the very least and upgrade to 2.0.1.1 asap..
PlatinumWeaver / Dean
Asking the Stupid Questions
http://www.platinumweaver.net/
PlatinumWeaver
Member
 
Posts: 498
Joined: Thu Nov 04, 2004 3:43 pm
Location: Melbourne, VIC

Postby Kristine on Tue Dec 21, 2004 8:19 pm

Gary

Sorry to hear of your problems. If you want any assistance with your box, PM me - I am more than happy to have one of our guys help you out.

Cheers
Kristine
Kristine
Member
 
Posts: 211
Joined: Fri Oct 29, 2004 7:02 pm
Location: Western Australia

Postby gstark on Wed Dec 22, 2004 7:20 am

Kristine wrote:Gary

Sorry to hear of your problems. If you want any assistance with your box, PM me - I am more than happy to have one of our guys help you out.

Cheers
Kristine


Thanx Kristine; I think I'm there now. Curiously, I suspect that this exploit could also have happened had we been hosting on your system too; the issue was an exploit in the phpbb code.

If you have any clients running phpbb systems, you might want to get them to make sure that they're running the very latest version to avoid this hassle.

Given that it scans the whole site and rewrites all php and htm/l files that can be seen from within the virtual server - as the virtual server user - what sort of risk does that impose for you?

And would you like to have a copy of the exploit itself?
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW
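
The behaviour described in the post above (every php and htm/l file visible to the web server user gets overwritten) and the quick-restore procedure mentioned earlier in the thread can be checked and undone against a known-good backup. The script below is an added example, not part of any post and not the procedure the site actually used; the directory layout, function names and sample files are assumptions constructed for illustration.

```sh
# Added example, not from the thread; paths and function names are assumptions.
# Limitation: file names containing newlines are not handled.

# find_web_files DIR: relative, sorted list of .php/.htm/.html files in DIR.
find_web_files() (
    cd "$1" || exit 1
    find . -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) |
        sed 's|^\./||' | sort
)

# list_changed WEBROOT BACKUP: print one finding per line.
#   MODIFIED rel = bytes differ from the known-good copy
#   MISSING rel  = in the backup but gone from the web root
#   UNKNOWN rel  = in the web root with no backup copy (possible dropped file)
list_changed() (
    webroot=$1 backup=$2
    find_web_files "$backup" | while IFS= read -r rel; do
        if [ ! -f "$webroot/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$backup/$rel" "$webroot/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    find_web_files "$webroot" | while IFS= read -r rel; do
        [ -f "$backup/$rel" ] || echo "UNKNOWN $rel"
    done
)

# restore_changed WEBROOT BACKUP QUARANTINE: move each altered file into
# QUARANTINE (kept for analysis), copy the clean version back, and print the
# number of files restored. UNKNOWN files are left in place for manual review.
restore_changed() (
    webroot=$1 backup=$2 quarantine=$3 count=0
    findings=$(mktemp) || exit 1
    list_changed "$webroot" "$backup" > "$findings"
    while read -r state rel; do
        case $state in
            MODIFIED) mkdir -p "$(dirname "$quarantine/$rel")"
                      mv "$webroot/$rel" "$quarantine/$rel" ;;
            MISSING)  ;;
            *)        continue ;;
        esac
        mkdir -p "$(dirname "$webroot/$rel")"
        cp -p "$backup/$rel" "$webroot/$rel"
        count=$((count + 1))
    done < "$findings"
    rm -f "$findings"
    echo "$count"
)

# make_demo_site DIR: constructed sample: a clean backup plus a web root in
# which two pages were overwritten and one extra file was dropped.
make_demo_site() (
    mkdir -p "$1/backup/forum" "$1/www"
    echo '<html>home</html>'      > "$1/backup/index.html"
    echo '<html>gallery</html>'   > "$1/backup/gallery.htm"
    echo '<?php echo "forum"; ?>' > "$1/backup/forum/index.php"
    cp -R "$1/backup/." "$1/www/"
    echo 'defaced' > "$1/www/index.html"
    echo 'defaced' > "$1/www/forum/index.php"
    echo 'dropped' > "$1/www/forum/extra.php"
)

demo=$(mktemp -d)
make_demo_site "$demo"
list_changed "$demo/www" "$demo/backup"
rm -rf "$demo"
```

Restoring files only undoes the overwrite; the entry point still has to be patched, and the backup must live where the web server user cannot write to it.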

Postby Kristine on Thu Dec 23, 2004 11:31 am

Hi Gary

Sorry for not getting back to you sooner, but I have really limited Internet access while I am in Sydney.

We have not had any problems with any sites that are running PHPBB – all sites are using the latest version (we have software for all sites updated on a regular basis).

I hope that all your problems are now sorted out with your box. As I offered previously, I can have someone look at your security (check for vulnerabilities in your server etc.). One of the guys that we contract server and security work to (he runs his own company) also does contract work for the Australian Federal Police (testing security etc.). He can test your box and email you with any vulnerability with your server and tell you what needs to be done to fix it (he can also fix it for you if you like). Just PM me or send me across an email if you want to go ahead and test the security on your box.


Cheers
Kristine
Kristine
Member
 
Posts: 211
Joined: Fri Oct 29, 2004 7:02 pm
Location: Western Australia

