  #1 Administrator david

    Update: Website Hacked

    Hi all,

    As you probably know, the website was hacked earlier this month. I've been working on fixing this up over the past couple of weeks, and can now report back with an update.

    What Happened

    A zero-day exploit for vBulletin was recently discovered. This affected any forums where the /install/upgrade.php file was left in place after an installation or upgrade. The exploit enables a remote attacker to silently create a new administrator account, with full access to the forums control panel. Pretty nasty stuff.

    When last upgrading this website, I made the mistake of deleting /install/install.php, but not doing a full clean-up of the directory. This opened up a vulnerability which was exploited to create three new admin accounts over the course of a few days. One of these accounts then installed a PHP backdoor, and used this remote shell to manipulate files on the server, and deface the website.

    How It Was Fixed

    As soon as I discovered the site had been compromised, I took it offline and changed the passwords for important logins. Then I restored the site from backups to a new server (this is where daily backups really come in handy).

    It took quite a while to get rid of the infected files, clean up the malicious administrator accounts, and check for any further vulnerabilities. The same attack was actually repeated while I was in the process of applying security patches! But I finally got it all cleaned up, and the site went live again roughly 24 hours after the homepage was defaced.

    Since then I have been working with the security team at CodeGuard and analysing the logs to confirm further details of the incident, and find what can be done to prevent similar attacks in the future.

    How It Affects You
    There's no way to know for sure what the attacker(s) did while the site was compromised. The particular vulnerability which was exploited has affected many other vBulletin forums recently. So far I have not found any indication that this was a targeted attack against MMWA in particular.

    The safest way to approach this is to assume a worst-case scenario. The attacker had direct access to the filesystem, and full admin privileges on the forums. This means they could potentially access everything on the site, including:
    • Private messages
    • Order history on the Gigs site
    • Email addresses
    • Hashed passwords
    All passwords were salted and hashed, so there is a low risk of plaintext passwords being recovered. But this is still possible, especially if you used a weak password which might be vulnerable to a dictionary attack.
    If you used this password on any other websites besides MMWA Forums, I recommend you change it immediately!

    What Happens Next
    Later today I will be resetting the password on all accounts as a routine precaution. You should receive an email with your username, and a link to set a new password.

    I've implemented much more rigorous logging and backup procedures since this attack. Notifications have been set up so that any suspicious activity will be noticed immediately. While I already had regular backups in place, the recovery process took longer than expected. This is something I'll be much more prepared for after the experience of last week.

    I'm also looking into more secure hosting solutions. Up until recently I was using shared hosting, with a number of domains on the same filesystem. As the site continues to grow and gains a higher profile, I think it's worth investing in infrastructure which will be both secure and scalable moving forward in the medium term. Most likely I will be moving the blog and forums to separate hosting providers, with a specialty in WordPress and vBulletin respectively.

    Conclusion
    The purpose of this post is to be transparent about what's happened, and exactly what information may have been compromised. While websites are hacked all the time, I realise you've trusted me with certain information by participating in this community, and I do feel a personal obligation to protect that information. I'm sorry that your trust has been let down on this occasion. It's the first major security breach I've had to handle in my time as a webmaster, so it's been very much an education for me in best practices, backups, and security in general. I can assure you I'm doing my best to prevent anything like this happening again.

    Please let me know if you have any questions or comments about what's happened. And thank you for your continued support of this community!

    Cheers,
    David
    This post represents my own views, and does not necessarily reflect the views or beliefs of my employer.

    My Websites:

    Making Money With Android Blog
    | Forums | Wiki | Live IRC Chat | My Apps on Google Play

    Ad Networks I Use: (use these referral links to get a bonus!)
    Supersonic ($120 bonus) | MobileCore ($100 bonus) | StartApp ($25 bonus) | AppNext | AppBrain | AppFlood

  #2 Member
    May I ask, how did you find out they hacked the site?

  #3 Senior Member
    @Martin - from what I remember they've changed the front page and everything.

  #4 Administrator david
    Quote Originally Posted by Martin:
    May I ask, how did you find out they hacked the site?
    One morning I woke up and checked the site, only to find the homepage had been replaced with a "Hacked" message. That's when I first realised that something was wrong.

    Unfortunately two admin accounts had already been created a couple of days earlier. Due to the nature of the exploit used, I never got any notification of this activity (whereas I normally get notifications about new registrations, possible spam, etc.) If I had been manually checking for new admin accounts on a regular basis, it's possible that some of this could have been avoided. Which is why I've now ramped up the logging and notifications, and will be doing manual reviews to make sure anything like this is caught much earlier in the future.

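David's point above is that the malicious admin accounts were created without any notification. The following is an added example (not the thread's or vBulletin's own code) of the kind of periodic check that would have caught them: it lists every account holding the admin usergroup, including accounts that only hold it through a secondary group, and alerts on any not on an expected list. It assumes vBulletin's default Administrators usergroup id of 6 and the `user` table columns `usergroupid`, `membergroupids` and `joindate`; the in-memory SQLite table and its rows are constructed stand-ins for the real MySQL database.

```python
import sqlite3
import time

# vBulletin's default "Administrators" usergroup id (assumption: the board keeps the default)
ADMIN_GROUP_ID = 6

def load_sample_db():
    """Constructed stand-in for vBulletin's `user` table; a real board uses MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER, "
                 "membergroupids TEXT, joindate INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "david",    6, "",  1320000000),  # the known administrator
        (2, "Martin",   2, "",  1322000000),  # ordinary member
        (3, "Magnesus", 2, "5", 1333000000),  # member with a secondary (moderator) group
        (4, "sysadm1n", 2, "6", 1379500000),  # constructed: admin only via membergroupids
        (5, "updater",  6, "",  1379600000),  # constructed: admin as primary group
    ])
    return conn

def current_admins(conn):
    """Map username -> joindate for every account holding the admin group, whether as
    its primary usergroupid or through the comma-separated membergroupids column."""
    admins = {}
    query = "SELECT username, usergroupid, membergroupids, joindate FROM user"
    for username, primary, extra, joined in conn.execute(query):
        extra_ids = {int(x) for x in extra.split(",") if x.strip()}
        if primary == ADMIN_GROUP_ID or ADMIN_GROUP_ID in extra_ids:
            admins[username] = joined
    return admins

def unexpected_admins(conn, expected):
    """Admin accounts not on the expected list: the alert condition for this check."""
    return sorted(name for name in current_admins(conn) if name not in expected)

if __name__ == "__main__":
    db = load_sample_db()
    for name in unexpected_admins(db, expected={"david"}):
        joined = time.strftime("%Y-%m-%d", time.gmtime(current_admins(db)[name]))
        print(f"ALERT: unexpected administrator {name!r} (joined {joined})")
```

Run from cron against the real database and route the alert line to email; the expected list should live outside the web root so a control-panel compromise cannot edit it.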
  #5 Senior Member
    That means people who registered or even logged in AFTER the day of the hack might have their passwords recorded - not only hashes! Have you checked if they modified the forum scripts for that? Unless they've only got access to the forum admin panel and not the filesystem?

  #6 Senior Member
    Quote Originally Posted by david:
    One morning I woke up and checked the site, only to find the homepage had been replaced with a "Hacked" message. That's when I first realised that something was wrong.
    Would love to see a screenshot of that message. I did see the unavailable message that you had put up. Cloudflare was still serving the older cached version of the forum.

  #7 Administrator david
    Quote Originally Posted by Magnesus:
    That means people who registered or even logged in AFTER the day of the hack might have their passwords recorded - not only hashes! Have you checked if they modified the forum scripts for that? Unless they've only got access to the forum admin panel and not the filesystem?
    Good point. They did install a modification to the forum scripts, which provided a PHP-based backdoor with filesystem & shell access. A similar backdoor was also copied to a few different locations on the filesystem.

    Apart from this, I've found no indication of anything else being modified in the forum software. vBulletin does log admin actions, which provides an extra level of checking. And I've compared the active plugins to a clean vBulletin install to remove the compromised component there.

    However the web host does not log shell commands or database queries directly. So there is no way to tell exactly what information (if any) was accessed using these methods. The Apache logs aren't really much to go off.

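David mentions comparing the active plugins to a clean vBulletin install, and the first post traces the breach to an install/ directory that was never fully removed. As an added example (not the thread's or vBulletin's own code), the script below hashes a live tree against a clean-install manifest and reports added, modified and missing files, plus anything still under install/. The two directory trees are constructed fixtures and the file names are illustrative, not vBulletin's real layout.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(clean, live):
    """Classify the live tree against the clean-install manifest. Files under install/
    are reported separately because they should not exist on a deployed board at all."""
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in clean if p in live and live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
        "leftover_install": sorted(p for p in live if p.split(os.sep)[0] == "install"),
    }

def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def build_sample_trees():
    """Constructed fixtures: a clean layout and a live copy carrying the kinds of change
    the thread describes (a modified plugin file, a planted PHP file, an undeleted
    install/ directory). Names are illustrative, not vBulletin's real ones."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, live):
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "includes/plugin_example.php", "<?php // plugin hook\n")
    _write(live, "includes/plugin_example.php", "<?php // plugin hook\n// line not in clean copy\n")
    _write(live, "images/misc/cache.php", "<?php // planted file\n")
    _write(live, "install/upgrade.php", "<?php // never deleted after the upgrade\n")
    return clean, live

if __name__ == "__main__":
    clean_dir, live_dir = build_sample_trees()
    for kind, paths in compare(manifest(clean_dir), manifest(live_dir)).items():
        print(f"{kind}: {paths}")
```

Against a real board, generate the clean manifest from the vendor package of the exact version in use and keep it off the web server, since the attacker could otherwise edit it along with the files.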
  #8 Administrator david
    Quote Originally Posted by javaexp:
    Would love to see a screen shot of that message. I did see the unavailable message that you had put up. Cloudflare was still serving the older cached version of the forum.
    Ah, good old Cloudflare. They're great for keeping the site running - but actually made it harder to sift through the logs on this occasion, thanks to the lack of mod_cloudflare on my host's Apache installation.

    Here's a screenshot of what the site looked like before it was taken down:
    [Attachment: Hacked By The Waledac.jpg]

    And it seems this site wasn't the only target, according to HACK DB | Hacker.

  #9 Member
    I had one of my sites hacked a few years back. Also a deface; I don't think they ever really got on the server, it just turned out I had an SQL injection leak in one of my pages. It does not necessarily mean they have downloaded the data, but it could.

  #10 Newbie
    Just registered to say it takes decency to be upfront with your users. Respect.
