Forums hacked - Please re-register


68 replies to this topic

#1 Jamie Huskisson

Jamie Huskisson

    Retired P2L Staff

  • Members
  • 3,648 posts
  • Gender:Male
  • Location:Nottingham, UK

Posted 25 September 2004 - 02:57 PM

So I woke up this morning, jigged out the shower, sat down on my computer, put the P2L forums up on my browser... what did I see?? The general discussions wiped, all members gone, and Faken with 8.3 million posts

Turns out someone used a flaw in the 1.3 coding of Invision Board to execute SQL commands on the forum database.

Unfortunately after around 4-5 of trying to find ways to recover the data, we found no way of getting it back

Now:
- All members will have to re-register, and re-validate accounts
- Please DO NOT register in other people's nicknames or I'll personally slap you with a fish
- Also if you're having problems logging back in, CLEAR YOUR COOKIES AND IT WILL WORK

I'm very very sorry for the inconvenience.. but tried all we could

I'd also like to add I just spent about 2 hours sorting out this forum and upgrading it to 1.3.1 so this won't happen again

#2 _*TySoft_*

_*TySoft_*
  • Guests

Posted 25 September 2004 - 04:31 PM

An IP from Vietnam exploited an SQL injection vulnerability in the old version of IPB the forum was using.

Both sets of backups (a weekly full backup, ran this morning and a nightly SQL backup) were too *new* to be of use. Only other thing we have is an old backup from Jan.

Some real lessons learned, no doubt.
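The backup failure described in this post, as an added example that is not part of the original thread: when each job keeps only its newest copy, a run after the compromise leaves nothing clean to restore. The clock times, job names and rotation depths below are constructed assumptions.

```python
from datetime import datetime, timedelta

def retained(policy, last_run):
    """Backups still on disk: each job keeps only its newest `copies` runs."""
    kept = []
    for job, (interval, copies) in policy.items():
        kept += [(last_run - i * interval, job) for i in range(copies)]
    return sorted(kept)

def restore_point(backups, compromised_at):
    """Newest backup taken strictly before the compromise, or None."""
    clean = [b for b in backups if b[0] < compromised_at]
    return max(clean) if clean else None

def detection_budget(policy):
    """How far before the latest backup run a compromise may lie while
    at least one retained copy still predates it."""
    return max(interval * (copies - 1) for interval, copies in policy.values())

DAY = timedelta(days=1)
# Constructed values: the thread gives no clock times for the attack or the jobs.
LAST_RUN = datetime(2004, 9, 25, 6, 0)        # assumed: both jobs have just run
COMPROMISED_AT = datetime(2004, 9, 25, 2, 0)  # assumed: data wiped overnight

# Hypothetical policies: one overwriting copy per job vs. a rotated set.
SINGLE_COPY = {"nightly-sql": (DAY, 1), "weekly-full": (7 * DAY, 1)}
ROTATED = {"nightly-sql": (DAY, 7), "weekly-full": (7 * DAY, 4)}

if __name__ == "__main__":
    for name, policy in (("single copy", SINGLE_COPY), ("rotated", ROTATED)):
        point = restore_point(retained(policy, LAST_RUN), COMPROMISED_AT)
        print(name, "| restore point:", point,
              "| detection budget:", detection_budget(policy))
```

With a detection budget of zero, any damage that lands before the next scheduled run is captured in every copy on disk.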

#3 Blitz

Blitz

    Jedi In Training

  • Twodded Staff
  • 307 posts
  • Location:California
  • Interests:Php, html, css, etc, band, trumpet, anime, my dog, TV, computers, video games, sleeping, marching band, sleeping, jazz, sleeping, metal, sleeping, classic rock, sleeping, music, jazz band, did I mention sleeping?, kicking the hell out of kids that won't take the time to spell or use proper grammar, my website, etc.

Posted 25 September 2004 - 04:35 PM

Just wondering, but IPB had an ssi.php vulnerability they released a patch for. The same thing happened on another forum I was working on as a modifier, so I was wondering if you updated the ssi.php when they released it or not. It could be why.

#4 _*TySoft_*

_*TySoft_*
  • Guests

Posted 25 September 2004 - 04:36 PM

> Just wondering, but IPB had an ssi.php vulnerability they released a patch for. The same thing happened on another forum I was working on as a modifier, so I was wondering if you updated the ssi.php when they released it or not. It could be why.

No, it was not updated. In addition to ssi.php, there were other vulnerabilities (with calendar, etc) under the old 1.3.0.

ssi.php is now deleted, not used here anyway.

#5 Jamie Huskisson

Jamie Huskisson

    Retired P2L Staff

  • Members
  • 3,648 posts
  • Gender:Male
  • Location:Nottingham, UK

Posted 25 September 2004 - 04:37 PM

That file has been removed as it's useless to us

We were using version 1.3 of the IPB and it had 4 different ways of executing SQL through the URL

And now we are on 1.3.1 with no ways of getting in :D

#6 Faken

Faken

    Pimpmaster G

  • Admin
  • 5,966 posts
  • Gender:Male
  • Location:Montreal, Canada

Posted 25 September 2004 - 04:55 PM

I apologize to everyone that had an account that was killed... Some asshole for the shits and giggles decided to kill the forum database, and only additional security measures installed by Server Seed saved the database from being completely wiped. We have patched the exploits so this does not happen again. Everyone will have to re-register their accounts. I am very sorry, and this entire episode has just been pure hell for all of us.

Special thanks to Jay and Tysoft who have worked for 6+ hours straight on fixing this mess. <3

Faken

#7 shao

shao

    Original P2L Programmer

  • Members
  • 49 posts
  • Gender:Male
  • Location:Canada

Posted 25 September 2004 - 05:12 PM

Luckily only a few tables were affected.

#8 Gio

Gio

    Jedi In Training

  • Members
  • 317 posts

Posted 25 September 2004 - 06:55 PM

> Luckily only a few tables were affected.

VERY LUCKY, had the user had a little more smarts he probably could have wiped the forum clean. Pretty ghey that someone would do that to P2L though.

#9 ronson

ronson

    Banned For Being Purple

  • Twodded Staff
  • 480 posts
  • Gender:Male
  • Location:North Yorkshire, UK
  • Interests:Rugby, Programming, Building Computers, Networking, Web Design and...........BINGE DRINKING!!!!!!.

Posted 25 September 2004 - 08:18 PM

Well I've got a conspiracy theory here

Maybeeeeee cannarism did it because we all gave him a hard time about signatures or was just a random attack, you could most likely make a program to search for that vulnerability

#10 JamesPickens

JamesPickens

    Retired P2L Staff

  • Members
  • 512 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 25 September 2004 - 08:32 PM

thanks jay for taking time from ur site to get forum back up bro =)

#11 Jaymz

Jaymz

    Retired P2L Staff

  • Members
  • 4,104 posts

Posted 25 September 2004 - 08:40 PM

> Well I've got a conspiracy theory here
>
> Maybeeeeee cannarism did it because we all gave him a hard time about signatures or was just a random attack, you could most likely make a program to search for that vulnerability

Let's not lay blame... Cannarism might feel bad (unless you're kidding, I can never tell)...

#12 JamesPickens

JamesPickens

    Retired P2L Staff

  • Members
  • 512 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 25 September 2004 - 09:05 PM

erm who was cannarism =\ but I don't believe the random attack thing.

#13 Gio

Gio

    Jedi In Training

  • Members
  • 317 posts

Posted 25 September 2004 - 09:06 PM

> Well I've got a conspiracy theory here
>
> Maybeeeeee cannarism did it because we all gave him a hard time about signatures or was just a random attack, you could most likely make a program to search for that vulnerability

If you haven't been reading any of TySoft's or Jay's posts. The user used SQL injection flaws through URLs. Yes this is possible.

#14 Faken

Faken

    Pimpmaster G

  • Admin
  • 5,966 posts
  • Gender:Male
  • Location:Montreal, Canada

Posted 25 September 2004 - 09:18 PM

This was a random attack... someone probably just googled for forums with the 1.3 version number and popped in the URL into their script. Either way, it's patched and won't happen again.

Faken

#15 Jaymz

Jaymz

    Retired P2L Staff

  • Members
  • 4,104 posts

Posted 25 September 2004 - 09:44 PM

That's good news :)

#16 Gio

Gio

    Jedi In Training

  • Members
  • 317 posts

Posted 25 September 2004 - 10:03 PM

I should certainly hope not!

#17 Plumpen

Plumpen

    Young Padawan

  • Members
  • 219 posts
  • Location:Melbourne

Posted 25 September 2004 - 10:54 PM

Very unfortunate. Well, at least I have a lower member number now at the expense of 25 ish posts which is fortunately nothing.

Thanks for getting the forums back up though. Greatly appreciated.

#18 becksman2

becksman2

    Young Padawan

  • Members
  • 2 posts
  • Location:Cyberjaya, Malaysia
  • Interests:webdesign, programming, basketball, business

Posted 26 September 2004 - 12:54 AM

waaaa :)( why... why?!!! damn those lame Vietnamese losers who hacked our beloved forum... another September tragedy.... :lol:

#19 Unreal

Unreal

    like.. TOTally cool!

  • Members
  • 241 posts

Posted 26 September 2004 - 03:48 AM

Phew me was getting scared there :lol: I noticed it at like 5am in the morning yesterday.. and then like 7 hours later I registered but couldn't log in.. anyway it's all fine now.. Ty for fixing guys :)

#20 Jamie Huskisson

Jamie Huskisson

    Retired P2L Staff

  • Members
  • 3,648 posts
  • Gender:Male
  • Location:Nottingham, UK

Posted 26 September 2004 - 05:44 AM

> VERY LUCKY, had the user had a little more smarts he probably could have wiped the forum clean. Pretty ghey that someone would do that to P2L though.

He tried to wipe the forum clean, but as TySoft said the mod_security he's installed detected the constant SQL injections and blocked them before he could go any further
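The kind of check this post credits with stopping the attack, as an added example that is not part of the original thread and is not mod_security's own rule set: a log scanner that decodes URL parameters, flags SQL fragments, and counts repeat sources. The log lines, paths, parameter names and rule names are constructed.

```python
import re
from collections import Counter, namedtuple
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (documentation IP ranges, hypothetical parameters).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2004:03:10:01 +0000] "GET /index.php?act=idx HTTP/1.1" 200 5120
203.0.113.9 - - [25/Sep/2004:03:11:14 +0000] "GET /index.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 4711
203.0.113.9 - - [25/Sep/2004:03:11:20 +0000] "GET /index.php?id=1+UNION+SELECT+name,pass+FROM+members HTTP/1.1" 200 4890
203.0.113.9 - - [25/Sep/2004:03:11:31 +0000] "GET /index.php?id=1%3B+DELETE+FROM+posts HTTP/1.1" 403 210
198.51.100.7 - - [25/Sep/2004:03:12:40 +0000] "GET /index.php?q=union+rules+select+committee HTTP/1.1" 200 3300
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Illustrative patterns only; a production rule set is far broader.
RULES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "stacked-statement": re.compile(r";\s*(?:drop|delete|update|insert)\b", re.I),
    "quote-boolean": re.compile(r"'\s*(?:or|and)\b", re.I),
}
Hit = namedtuple("Hit", "ip status param rule")

def scan(log_text):
    """Return one Hit per request whose decoded query string matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl percent-decodes values, so encoded payloads are seen in clear.
        for param, value in parse_qsl(urlsplit(target).query):
            rule = next((n for n, rx in RULES.items() if rx.search(value)), None)
            if rule:
                hits.append(Hit(ip, status, param, rule))
                break
    return hits

def repeat_offenders(hits, threshold=3):
    """Sources with at least `threshold` flagged requests."""
    counts = Counter(h.ip for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def reached_app(hits):
    """Flagged requests that were not rejected with 403 and need follow-up."""
    return [h for h in hits if h.status != 403]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(repeat_offenders(found), len(reached_app(found)))
```

Flagged requests that returned 200 are the ones to review against the database, since the filter did not stop them.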



