SDS server compromised???

PostPosted: Thu 02 Jun 2016 18:12
by Tesuji
Hi guys!

I am a bit puzzled right now. It seems the server hosting the SDS webpage (=>http://www.starfiredesign.com/starfire)
has been compromised... Or isn't it?

I see some vandalism on the newsblog in the Turkish language. And strangely my cursor became blue, which I would assume indicates my machine became hacked too...

Is it just me, or has anyone else seen this???

Worried greetings :-/

Harri

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 08:52
by Cralis
The server is not compromised, it looks like someone hacked the news database that we used for the front page. Fortunately, it is separate from the database for the forum and I've taken that part of the page offline until I figure out what happened.

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 15:11
by Cralis
Looks like this topic is getting a lot of attention.

It looks like the group that defaced our page did a brute force password hack on the front page news and downloads admin account. I have talked to Krenshala and we are going to rewrite the code to lock out the account if the password fails three times. Then we'll clean up the database and move on.

This does NOT affect the forum. They are entirely different databases (for this reason). It does look like they attempted to brute force the forum's admin account, but phpBB already has a lockout coded. In any case, I've changed all the passwords and made them more than 30 characters long.

Bear with us. We're working on it.
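One way to implement the three-strikes lockout described in the post above, as an added example that is not the SDS site's or phpBB's own code; the names, the PBKDF2 hashing and the 15-minute lockout window are assumptions:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3            # "lock out the account if the password fails three times"
LOCKOUT_SECONDS = 15 * 60   # assumed window; a permanent lock would let anyone lock the admins out

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; every byte of the password is used (no truncation).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))

def attempt_login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'. All three results should be logged."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        # Refuse without even checking the password, so guessing cannot continue during the lock.
        return "locked"
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return "bad_password"
```

A temporary lockout is deliberately chosen over a permanent one: with a permanent lock, three deliberate failures by anyone would deny the admins their own account.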

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 18:42
by Tesuji
Thanks for the information on this matter!

I did not mean to stir panic or something with the chosen subject line... :oops:
After having seen lots of security breaches in internet projects in the last years, I may have become rather thin-skinned. :?
Good to hear you're into it!

Running a check on the files in the download section may also be a good precaution, in case they were manipulated.

Crossing fingers 8-)

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 18:56
by Cralis
Tesuji wrote: Thanks for the information on this matter!

I did not mean to stir panic or something with the chosen subject line... :oops:
After having seen lots of security breaches in internet projects in the last years, I may have become rather thin-skinned. :?
Good to hear you're into it!


I appreciate that you pointed it out. Admittedly, since I intend to rewrite that part of the site soon, I've been ignoring it.

Running a check on the files in the download section may also be a good precaution, in case they were manipulated.


They can change the URL but without FTP access they cannot change the files. Either way, I have a backup and I'll reload the entire directory. But first, we need to fix the login so they cannot change stuff while we are fixing it.

It's interesting, they run mirrors on sites they deface. It's like bragging rights or something. I didn't think we'd be worth the trouble...

One thing I'm considering is removing the news from the front page and either directing to our announcements or our Facebook page. Analytics says that few people visit the front page anymore. What do y'all think?

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 19:42
by Xveers
Cralis wrote:
One thing I'm considering is removing the news from the front page and either directing to our announcements or our Facebook page. Analytics says that few people visit the front page anymore. What do y'all think?


To be honest I usually link straight in to the forums >.>

Re: SDS server compromised???

PostPosted: Fri 03 Jun 2016 22:02
by Cralis
Just so everyone is aware, we are changing stuff on the website. You will see that the news is missing and the downloads page is completely gone.

If you find any page that is giving mysql errors, please post here or email me and let me know. We quarantined the database and those pages cannot connect, but we don't want to give out any information.

If you see anything else suspicious, please ask!

We are going to take the opportunity to recreate everything using the stuff we've learned over the last six years, update the site, etc.

Thank you for your patience :)

Re: SDS server compromised???

PostPosted: Sat 04 Jun 2016 00:55
by aramis
Cralis wrote: In any case, I've changed all the passwords and made them more than 30 characters long.

Bear with us. We're working on it.


You might want to check and see what the actual supported password length is. I know (from the online docs) that the standard encryption length is 128 bits; if it's also truncating the hash to 1 encryption word long, anything past the 16th is meaningless. I can't tell from a quick google for the API whether it's truncating or not.

I'm reminded of the days of my college era, when I found out that the VMS password system allowed you to use any length password, but only checked the first 8 characters for accessing your account. (As in, if your password was XYZZY123abc, you could get in with XYZZY123FU or XYZZY123.)
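A black-box way to answer the question raised in the post above (does the hashing scheme silently truncate the password?), as an added example that is not part of the thread or of the SDS site's code. It hashes a long reference password, then flips one character at a time: the first position whose change no longer alters the hash is where the scheme stops looking. The two hash functions are constructed for the demonstration, the 8-character cutoff mirrors the VMS behaviour recalled above, and the probe assumes prefix truncation:

```python
import hashlib
import hmac
from typing import Callable, Optional

HashFn = Callable[[str, bytes], bytes]

def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    # Modern scheme: every byte of the password feeds the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

def truncating_hash(password: str, salt: bytes, limit: int = 8) -> bytes:
    # Constructed stand-in for a scheme that, like the VMS one above,
    # only looks at the first `limit` characters of the password.
    return hashlib.sha256(salt + password[:limit].encode("utf-8")).digest()

def effective_password_length(hash_fn: HashFn, max_len: int = 64) -> Optional[int]:
    """Return how many leading characters hash_fn actually uses.

    None means every position up to max_len changed the hash, i.e. no
    truncation was detected within that length. Only catches prefix
    truncation; a scheme that dropped other characters would need a
    different probe.
    """
    salt = b"fixed-probe-salt"        # constant so only the password varies
    base = "a" * max_len
    reference = hash_fn(base, salt)
    for pos in range(max_len):
        probe = base[:pos] + "b" + base[pos + 1:]
        if hmac.compare_digest(hash_fn(probe, salt), reference):
            return pos                # character `pos` and beyond are ignored
    return None

def passwords_beyond_limit_collide(hash_fn: HashFn, a: str, b: str) -> bool:
    """Do two different passwords verify as the same one under hash_fn?"""
    salt = b"fixed-probe-salt"
    return a != b and hmac.compare_digest(hash_fn(a, salt), hash_fn(b, salt))
```

Run the probe against the site's real password routine (with the same arguments it uses in production); a result other than None means characters past that position add no security, however long the password is.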

Re: SDS server compromised???

PostPosted: Sat 04 Jun 2016 01:01
by Cralis
Ah good point, will check on that.

Re: SDS server compromised???

PostPosted: Fri 17 Jun 2016 23:42
by SCC
Tesuji wrote: And strangely my cursor became blue, which I would assume indicates my machine became hacked too...

Sorry for the late reply, but this doesn't mean your computer is being hacked. A VERY rarely used property is to set the cursor while it's over a section, sort of like how it changes to the normal text-selection tool when over text.