Troy Spiral (13) Posted March 28, 2007

Our recent "hacker" stuff should be all fixed now. According to IPS (company that hosts our site) this is an old problem that used to be common but doesn't happen much anymore and is a fairly simple fix. The "hackers" weren't even really people, just a web-bot that surfs and surfs and surfs until it finds whatever security hole problem we had. Doesn't even change anything unless they bother to manually come and mess things up (which they didn't, luckily).

So anyhow everything is restored, no password/security issues. All the security fixes and what-not for our version of IPB (the board software itself) are up to date. We'll continue to monitor things just in case but I'm told there shouldn't be anything to worry about at this point.

Hey, we went like 5 years without getting some crap like this. Guess we were due.

(There is a whole damn NEW version of IPB but that's like a solid 30 hours of work probably to get it set up, and the new features aren't too impressive I don't think, at least not yet.)

Brenda Starrr Posted March 28, 2007

Thank you, Troy! AND Mike!

Gaf The Horse With Tears Posted March 28, 2007

Yeah... it's cool when things work out in the end.

Head Wreck Posted March 28, 2007

Already seen some MySpace fallout, thanks for all involved with getting this back on its feet.

n0Mad Posted March 28, 2007

Our admin/moderator team rocks!

Onyx Posted March 28, 2007

Thanks Troy! It really is pretty good that we went 5 years without this. The same type thing has happened on several other message boards I'm on, several times.

xBrutalBeautyx Posted March 28, 2007

Hooray!!! Good Job.....and *whew* I'm glad nothing was compromised!!!

BrassFusion Posted March 28, 2007

Rah! Rah! Sis-boom-bah! So are you saying they probably didn't grab our passwords?

Msterbeau Posted March 28, 2007

> Yeah... it's cool when things work out in the end.

Yeah. Still... I (we) appreciate having your expertise around here. Better that you warn us about the worst case scenario than being complacent and ultimately screwed if someone got our info. I decided after an obvious scam comment on my MySpace account from a friend that something may well have been compromised here... so I'm changing all my passwords.

EDIT: Thanks Troy!!!

Edited March 28, 2007 by Msterbeau

Gaf The Horse With Tears Posted March 28, 2007

Thanks Marc. All I did is point at what should be looked at and warned against what "might" have happened.

It's odd.. no one is paying me to think anymore... but I can't seem to stop doing it.

Brenda Starrr Posted March 28, 2007

> It's odd.. no one is paying me to think anymore... but I can't seem to stop doing it.

Knock it off.

Scary Guy Posted March 29, 2007

> Our admin/moderator team rocks!

For getting things back up yes. For leaving such security holes open, no. It might be 30 bucks to upgrade but it's money well spent if it plugs the holes. Or you could try a free forum solution.

torn asunder Posted March 29, 2007

> For getting things back up yes. For leaving such security holes open, no.

I guess next time, we'll just leave the damn board down...

Onyx Posted March 29, 2007

> For getting things back up yes. For leaving such security holes open, no. It might be 30 bucks to upgrade but it's money well spent if it plugs the holes. Or you could try a free forum solution.

Sure it would be money well spent, but taking a look at the donations post, looks like monthly expenses are $75 and donations this month total $50 and the month is almost over. Considering Troy had been paying for the board out of his pocket when he could ill afford it, and I have a feeling still does cover what the donations fall short of, that's probably not been an option.

bean Posted March 29, 2007

Thanks for fixing it! yay!

DeadBurgerKing (10) Posted March 29, 2007

So, if you look at it with a positive light, we could thank the 'hacker' for doing what it did. Cause it found a hole in the security system that was overlooked. Does that make sense? I dunno, I'm tired.

Scary Guy Posted March 29, 2007

> So, if you look at it with a positive light, we could thank the 'hacker' for doing what it did. Cause it found a hole in the security system that was overlooked. Does that make sense? I dunno, I'm tired.

No, you're actually correct. If a robot (not even a real hacker, just a script hitting a list of sites looking for security holes to exploit to broadcast the message) can hack the site then I think there are probably some major issues to deal with.

Simple tips on how not to get hacked.

1. Upgrade your software to the latest revision and/or plug your security holes with patches where needed.
2. Use complicated alphanumeric passwords of AT LEAST 8 characters with non-dictionary words preferably.
3. Use different passwords for different things (like you don't want your DGN password to be the one for your bank account).
4. Read over your site code and configuration files to look for any holes that might be open and close them.
5. Check your server logs for recent activity. Even if something looks like nothing it could still be something important.

Again, don't get me wrong, I'm happy you got the site up in a speedy amount of time (probably from a recent backup, which is a good thing). However I don't see praising the administrative staff for letting it happen in the first place. Preventative measures can be and should have been taken. I'm happy we've gone 5 years without incident but that's pretty much because no hacker has decided to bother with us. I don't know if that's a good or a bad thing, we should be so popular people try to fuck with us daily IMO.

Onyx Posted March 29, 2007

> No, you're actually correct. If a robot (not even a real hacker, just a script hitting a list of sites looking for security holes to exploit to broadcast the message) can hack the site then I think there are probably some major issues to deal with.
>
> Simple tips on how not to get hacked.
>
> 1. Upgrade your software to the latest revision and/or plug your security holes with patches where needed.
> 2. Use complicated alphanumeric passwords of AT LEAST 8 characters with non-dictionary words preferably.
> 3. Use different passwords for different things (like you don't want your DGN password to be the one for your bank account).
> 4. Read over your site code and configuration files to look for any holes that might be open and close them.
> 5. Check your server logs for recent activity. Even if something looks like nothing it could still be something important.
>
> Again, don't get me wrong, I'm happy you got the site up in a speedy amount of time (probably from a recent backup, which is a good thing). However I don't see praising the administrative staff for letting it happen in the first place. Preventative measures can be and should have been taken. I'm happy we've gone 5 years without incident but that's pretty much because no hacker has decided to bother with us. I don't know if that's a good or a bad thing, we should be so popular people try to fuck with us daily IMO.

I believe Troy is handling all the code and configuration himself. I would help if I could but I don't have the knowledge. Thanks for taking the time to post this information.

Troy Spiral (13) Posted April 4, 2007

The admins have to take "responsibility" for a site getting hacked, but good luck on making any site "hack-proof", especially if you haven't hand-coded all pieces of the site yourself. There's no end to the possible ways particularly devious asshats could fuck with any given site. There's endless discussion / guidelines about how to minimize security risks on the various admin sites/forums. You can minimize the ease with which it happens, but you can't ever have total immunity. If they want to do it bad enough, and have the motivation and time, it's going to happen.

DarkVampire Posted April 4, 2007

It's something to be expected on the internet, no matter how "hack proof" it supposedly is. Where there is a will, there will be a way. People who do these things do it because they get off on it. Jerk offs like this need to make better use of their time.

Scary Guy Posted April 5, 2007

> Jerk offs like this need to make better use of their time.

Actually I think he used his time quite well considering he used a scripted bot to do it that just goes to as many sites as it can, probably runs through a list of exploits trying to hack the site, and then I'm guessing sends the results to a file for him to read as he pleases. So x lines of code gets him a hell of a lot of hacked sites. Minimize the number of "known" exploits and you can minimize the number of successful hacks on the site.

My site runs OpenBSD 4.0 (which is the latest version). It's completely free and a pain in the ass to use but is widely accepted as the most secure OS and has only had one patch update in its entire history of existence for an operating system flaw (note that this is the operating system and not third party applications I'm talking about). The Apache webserver runs in a jailed chroot environment so that the computer is secure (so if they hack the site the computer is not compromised). I'm relearning everything by hand because I want my server to be as secure as possible. I apply all security updates and patches as soon as I find out about them.

Now I accept that Troy and the other admins have real lives to tend to and can't baby the server all the time. But I'm willing to bet this exploit is nothing new and they could at least apply an update once in a while.