Forums appear to have been hacked

KB
Site Admin
Posts: 20112
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Thu Feb 23, 2012 6:49 pm Post

Hello all,

I'm afraid that it looks as though the forums have been hacked. Over the past few days, I've noticed that it sometimes gets very slow when trying to load random pages, and in the last few minutes I have, upon refreshing certain pages, been redirected to the following URL:

http://ustreambesttv.rr.nu/7f/


Obviously, this is not something we are doing ourselves. It seems that at least one other phpBB forum has been likewise compromised: http://mormondiscussions.com/phpBB3/vie ... 0&p=559635

We're not phpBB experts - we use the phpBB forums because they are easy to set up and maintain and we don't have any experience in this area. Therefore, please bear with us while we investigate and try to nip this in the bud. In the meantime, be very careful to cancel any odd pages that suddenly start loading, and ensure that you don't allow anything to download (if you're on Windows, ensure your virus protection is turned on).

We apologise for this - we've had spammers attack the forums before and bombard it with porn (hence the extra questions when you register), but never anything like this.

If you see any other pages turning up or odd behaviour, please reply below and let us know. And if anyone knows anything about this because they've seen it done elsewhere, likewise, please let us know as it may help us find the cause.

All the best,
Keith
"You can't waltz in here, use my toaster, and start spouting universal truths without qualification."

Sin
Posts: 801
Joined: Wed Mar 02, 2011 4:05 am
Platform: Mac
Location: Georgia

Thu Feb 23, 2012 7:19 pm Post

I was just redirected to the same site when I went to the homepage.

KB
Site Admin
Posts: 20112
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Thu Feb 23, 2012 7:27 pm Post

We are taking the forums down in a moment, as the hack is pretty severe. We may be down for a couple of days looking at it. Sorry everyone!

KB
Site Admin
Posts: 20112
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Fri Feb 24, 2012 11:18 am Post

Right, we're back up! For now, at least. We believe we've located the source of the attack and nixed it, and Ioa has spent the past day furiously patching up all files. The main website should be fine now (although parts of it may be out of date as we had to revert to an earlier version and patch it up with changes, so we may have missed some things). Ioa also believes he has cleared out all the malicious code from the forums, so we've put them back up, albeit somewhat tentatively. If you see any redirects, please let us know immediately.

Crucially, I'd like to reassure everybody that no sensitive data was affected by this attack. We outsource all of our sales and serial number generation to reputable companies with many years of experience in these fields - namely, eSellerate and Apple. The hacks were to our site only and had no way at all of affecting eSellerate's servers any more than they had any way of affecting Apple's, all of which are entirely separate.

Moreover, there is no indication that the hack tried to retrieve email addresses from users' forum accounts - it seems to have just inserted some code to redirect pages at random. So, there should be no cause for concern on the part of our customers; this was just a very annoying attack that caused our site to do strange things.

Thanks for your patience and understanding.

All the best,
Keith

naquada
Posts: 78
Joined: Wed Jan 27, 2010 9:41 pm
Platform: Mac

Fri Feb 24, 2012 12:30 pm Post

Getting hacked is a nightmare... I've had a few sites attacked... the sad thing is, once you're hacked and you clean up... they seem to find another way in...

The majority of attacks lay 'reinstall code' down somewhere in the site, which also tends to provide them with a backdoor shell to get in again and reinstall...

Hopefully you've nipped it in the bud and got rid... I missed the forum in the time it was down ;)

mbbntu
Posts: 929
Joined: Wed Aug 01, 2007 9:44 am
Platform: Mac + iOS
Location: Cambridge, UK.

Fri Feb 24, 2012 1:05 pm Post

All very worrying -- in the sense that anyone "breaking and entering", wherever it is, creates worry, even if they don't actually succeed in stealing anything tangible. What they actually steal is a sense of security.

I'd noticed the slowdowns, and thought it was just Dreamhost having trouble again. Oh well, I hope everything is OK, and that everyone chez Scrivener is not too stressed as a result.

Best, Martin.

Hugh
Posts: 2425
Joined: Thu Mar 08, 2007 12:05 pm
Platform: Mac
Location: UK

Fri Feb 24, 2012 2:13 pm Post

Thanks Keith, and well done and thanks to Ioa.
I was beginning to go L&L cold-turkey.
H

vic-k
Posts: 7073
Joined: Fri Apr 27, 2007 8:23 am
Platform: Mac + Windows
Location: Protesting in the nude, outside ex Red Lion TESCO Store

Fri Feb 24, 2012 2:55 pm Post

OHH! HAPPY DAYS ARE HERE AGAIN!
TRA LALA LA LA LAA LALA TRA LA LALA
TRA LALA LA LA LAA LALA TRA LA LALA
HAPPY DAYS ARE HERE AGAAAAIN!...oops sorry

Sin
Posts: 801
Joined: Wed Mar 02, 2011 4:05 am
Platform: Mac
Location: Georgia

Fri Feb 24, 2012 3:14 pm Post

You folks are good with your know-hows and doo-dads.

garpu
Posts: 1899
Joined: Mon Oct 25, 2010 9:38 pm
Platform: Linux

Fri Feb 24, 2012 3:33 pm Post

Ugh. Glad everything's back to (mostly) normal.

Csound and L&L's sites hacked in the same day? I'm thinking it's a conspiracy from Steam to keep me from getting anything actually done.

KB
Site Admin
Posts: 20112
Joined: Tue Jun 13, 2006 11:23 pm
Platform: Mac
Location: Truro, Cornwall

Fri Feb 24, 2012 4:20 pm Post

I should add that the site and forum being back up so quickly is entirely down to Ioa, who is now getting some well-earned rest after I-don't-know-how-many-hours of trawling through site code.

Thanks Ioa!

vic-k
Posts: 7073
Joined: Fri Apr 27, 2007 8:23 am
Platform: Mac + Windows
Location: Protesting in the nude, outside ex Red Lion TESCO Store

Fri Feb 24, 2012 5:20 pm Post

Kevin wrote:
"after I-don't-know-how-many-hours of trawling through site code."



serves him right for being a brain on legs