IRIX Network Forums
Site Sabotaged. Post Mortem in progress - Printable Version



Site Sabotaged. Post Mortem in progress - Raion - 12-18-2021

It appears that somebody decided to try to sabotage the site. Thankfully I was able to restore it relatively quickly from a backup but I have no idea how long it was down. 

Due to the nature of this I'm going to require some time to figure this out and I have no idea whether or not they're going to attack again. 

I already have a good idea of who the culprit was. I'm not going to say their name but seriously: Fuck you.


RE: Site Sabotaged. Post Mortem in progress - Raion - 12-18-2021

So the way in which they tried to take down the site was not particularly clever. They used a vulnerability in a plug-in that I had left inadvertently enabled even though we no longer use it, which allowed for HTML tags.

Without going into too much detail, they used this to insert an arbitrarily long string which crashed the database. They also attempted to use it to install an IP logger on the index page. This failed miserably, as the parser validation caught it.

Because of this, I have cleaned up the plugins no longer in use and rolled back the database to this afternoon, two hours or so ago. I didn't see any real posts during that time, so if there is anything missing let me know, but I don't think there should be.

I've also cleaned up and validated most of the system files to make sure that nothing else was touched.

I'm not going to give the culprit the time of day or even name him but his attempt at leaving a breadcrumb to try to turn me against one of the competitors that we have was pretty insidious of him and I'm not amused at it. It's a good thing that I didn't jump to conclusions and actually checked my logging.

With that said, if anybody has any questions or concerns regarding the recent downtime, or has any information that could lead to future problems, by all means let us know or pass it anonymously to staff@irixnet.org if you're afraid of reprisal.


RE: Site Sabotaged. Post Mortem in progress - commodorejohn - 12-18-2021

Two questions:

A. This was unrelated to the issue the other day where the cert for the forums was coming up as invalid?
B. Any danger of passwords getting compromised, or was this just a crash-for-the-lulz incident?


RE: Site Sabotaged. Post Mortem in progress - Raion - 12-18-2021

A. That was caused by a Python failure -- see the thread on that.

B. No. I have his logs here and he didn't even try to read the (hashed) password data. Salted and such makes it difficult to attack.


RE: Site Sabotaged. Post Mortem in progress - crimsonVGX - 12-18-2021

Thank you VERY MUCH for your thorough (& swift) actions - many kudos and plaudits should go your direction, sir....


RE: Site Sabotaged. Post Mortem in progress - Mark_G - 12-19-2021

Very nice work. And thanks for keeping this site up.


RE: Site Sabotaged. Post Mortem in progress - Raion - 12-19-2021

I'm disappointed someone actually thinks taking us (or anyone else, for that matter) offline would make things better. No. Not at all.


RE: Site Sabotaged. Post Mortem in progress - commodorejohn - 12-19-2021

(12-18-2021, 10:33 PM)Raion Wrote:  B. No. I have his logs here and he didn't even try to read the (hashed) password data. Salted and such makes it difficult to attack.
Figured as much, but thanks for the confirmation.


RE: Site Sabotaged. Post Mortem in progress - kaigan - 12-20-2021

Raion: It sounds like you have things well under control, but let me know if you need any assistance on this. I wish I could have responded to this sooner, but I was off on a security engagement for my job.


RE: Site Sabotaged. Post Mortem in progress - defaultrouteuk - 12-20-2021

Good lad. It's hard to express how much your time means or costs without sounding like a total narcissist so we won't go there. However, the time and cost you lost putting whatever was f00k3d back into service was more than nothing and that's appreciated!

Hopefully Santa will bring you something nice...or naughty if you wish hard enough.