
Haxxored

Status
Not open for further replies.

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,096
Hey guys,

Last night was tough. About an hour before I had planned to go to bed, Shar Dundred messaged me about the site returning a 404 File not Found when visiting it. I was shocked and checked it out myself. Yep, the site was gone. I logged onto the server and confirmed that the site was removed. Speechless, I logged onto my home server and confirmed that I had a backup. It was only five hours old. But simply recovering the data would not protect us against what happened. It might as well happen again.
In the database I found a plug-in which would give an attacker a backdoor. On disk I found a script that did the same. I removed these and started recovering from backup. I also found that multiple admin accounts had new passwords so those were reset. But I still hadn't found the security hole. Ash showed me a website where you can find exploits. We found one for an addon we use and how to protect against it. The company that develops this add-on is not in business any more but there were instructions on how to patch it.
I'm glad I set up backup on the new server; it's only a few days old. I have updated my backup script to back up files every four hours instead of every 24. We lost five hours' worth of pastebin entries, resource images, custom avatars and custom profile pictures. This is almost nothing, whew. The rest of the site is stored in a different location and was not affected.
This is also part of the reason why I want to move to XenForo. It is maintained and generally more secure than our current setup. I know there are still many things I need to change for it to be in all aspects as good or better than this.
The site was down for maybe 20 minutes but it took a few hours to get all the pastebin entries back.
I have written a script that monitors the web server for code changes. If any file is changed, added or removed I will get an email immediately. This should help with monitoring if something happens.

Ralle
 
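The file-change monitor described in the post above, as an added example that is not Ralle's script: a baseline of SHA-256 digests is taken while the web root is known-good, a later snapshot is compared against it, and any added, removed or changed file is turned into an alert body. The web root, file names and the "dropped file / tampered file / deleted file" scenario in demo() are constructed for illustration; in practice the baseline is stored outside the web root (so someone with write access to the site cannot also rewrite it) and the comparison is run from cron with the alert text handed to whatever mailer is available.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state

def diff_snapshots(old, new):
    """Compare two snapshots; returns (added, removed, changed) as sorted lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def format_alert(added, removed, changed):
    """Body of the notification e-mail; an empty string means nothing to report."""
    lines = [f"ADDED   {p}" for p in added]
    lines += [f"REMOVED {p}" for p in removed]
    lines += [f"CHANGED {p}" for p in changed]
    return "\n".join(lines)

def demo():
    """Constructed scenario: baseline a small fake web root, then simulate an
    unexpected new file, a tampered file and a deleted file, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "old.php").write_text("<?php /* legacy page */ ?>\n")
        baseline = snapshot(root)  # taken while the site is known-good
        # Events the monitor should catch on its next run:
        (root / "index.php").write_text("<?php /* tampered */ ?>\n")
        (root / "old.php").unlink()
        (root / "uploads" / "backdoor.php").write_text("<?php /* unexpected */ ?>\n")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(format_alert(*demo()))
```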

Roland

I think this is the second time that this site was hacked..
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,096
Well, a security hole was patched, so right now I am not aware of any issues. The site is safe AFAIK. But this is indeed the second time (I am aware of) that we have been hacked. Both times it has been because of an add-on we're using called vBSEO. That is the one that gives us pretty URLs and other SEO stuff. Removing it would break all links, so I don't see that as much of an option. The source code for vBSEO is unreadable. So it's scary to have unmaintained code on the site that even I am unable to maintain.
But the site is safe for now. But in the long run it's better to be on something more recent and readable. But no matter what, the most important thing is backing up and we're good at that :).
I would feel more comfortable with moving to Hive 2 as it's in many ways simpler and more readable code.
 
Level 28
Joined
Mar 25, 2008
Messages
2,955
At least, only five hours were gone as opposed to a full day cycle.
I can't even think of a reason as to why anyone would hack a Warcraft 3 related forum unless he's mentally challenged, especially since it's purely done with an evil intent of deleting/modifying data for no logical reason.
While we're still on vB, may I suggest to delete the vbseo footer message stating the version number since only knowing that makes finding exploits way easier?
I'm well aware the source code states to not remove the text but vBSEO is dead anyways so there's no reason to not do it (or just remove the version number).
This at least keeps the lowest and most unskilled scriptkiddies away.
Yay for continuous backups and delocalized data storage I guess...
 

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
Who the heck wants to hack Hive?

And moreover, why *delete* things? And why try to lock admins out, if all the attacker wants is to destroy the site's resources?

Looks like mindless vandalism to me.

Great work on mitigating this issue, Ralle.
Hope we can all move to a safer (and easier to manage) place soon.
 
Level 9
Joined
Sep 15, 2012
Messages
311
I wish I could offer more than moral support.
I am happy to hear you managed to stabilize things.

As for why would someone hit HiveWorkshop is beyond me but as some previous poster said, looks like vandalism.
It's sad that some people don't seem to respect an interesting and helpful site like this.

My best wishes to everyone!
 

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
Just another reason to look forward to that import to xenforo.

Except imho the new site will not be bulletproof either. Because no site is. Admins will trade an old bunch of problems for another, mostly different bunch of problems. But those issues will hopefully be easier to manage.

Security is a comfortable illusion. Even Ralle's current fix looks like an unsupported (thus unofficial) patch/hack to me. This is why I say the issue with vBSEO was *mitigated*, not solved. But I trust it works "good enough" for the time being.

That being said, I understand the Hive had only two major problems in more than 10 years. And it recovered both times. We obviously have great admins here.
 

Ardenian

Shocking and so close before the moving..

Is our personal data secured/affected (mail, IP addresses and stuff)?
 

Chaosy

Tutorial Reviewer
Level 40
Joined
Jun 9, 2011
Messages
13,183
On another note, I was playing on a WoW private server back in the day.
Some rather famous guy (on the server) got perm banned for whatever and DDoSed the server demanding his ban to be lifted.

If this is somewhat similar, Roland is the main suspect. He wants his rep and infractions back.
 

Ralle

Owner
Level 77
Joined
Oct 6, 2004
Messages
10,096
Shocking and so close before the moving..

Is our personal data secured/affected (mail, IP addresses and stuff)?
To be completely and utterly honest? The attacker had access to the server and the database. He could have a complete copy if he wanted to. Does he? I really think not. Why would he remove the entire site while value data? That seems counterintuitive to me at least.
On another note, I was playing on a WoW private server back in the day.
Some rather famous guy (on the server) got perm banned for whatever and DDoSed the server demanding his ban to be lifted.

If this is somewhat similar, Roland is the main suspect. He wants his rep and infractions back.

You know. I have a suspect and it's not Roland. It's probably not even a person. The exploit requires an account. I believe the suspect was the account being used for the purpose.
 

Ardenian

If this is somewhat similar, Roland is the main suspect. He wants his rep and infractions back.
I don't think it is a good idea to start throwing accusations around.

To be completely and utterly honest? The attacker had access to the server and the database. He could have a complete copy if he wanted to. Does he? I really think not. Why would he remove the entire site while value data? That seems counterintuitive to me at least.

That's unpleasant, let's hope you are right.
 
What else was affected?

You sure your database wasn't dumped?

Shouldn't we all be changing our passwords now (especially if you share this password across sites, which I don't)?

EDIT: Based on the details it seems like some noob just found a public exploit and ran a public payload (not created by him) to access the site.

Still possible for a DB dump though.
 

Chaosy

Tutorial Reviewer
Level 40
Joined
Jun 9, 2011
Messages
13,183
Shouldn't we all be changing our passwords now (especially if you share this password across sites, which I don't)?
They need your username too though.
And even if they do find it you can restore pretty much anything/everything anyway.

Many sites got things like sms protect and authenticators and god knows what. In addition to the normal reset password by clicking a link in your email.
 
They need your username too though.
And even if they do find it you can restore pretty much anything/everything anyway.

And the database doesn't contain our usernames? lol

If there was a DB dump they would have all of our usernames and passwords.

Yes our passwords are hashed but vBulletin uses MD5 which might as well not be using a hash.
 
On other sites, I mean.

They can log into this account and do whatever, I don't care, it can be fixed and restored. So I won't be paranoid.

It's very common for people to share usernames / passwords across sites.

Even if they didn't know your username they could search passwords by your IP and find which sites you visit based on your IP address. No matter how you spin it, it's a security risk. I am fine (and likely so is the rest of THW) but you never know.

EDIT: I suggest people run their emails through https://haveibeenpwned.com/
 
Level 10
Joined
May 20, 2008
Messages
433
A common motive for hackers is simply to cause chaos; they see a possible opening and begin to exploit it. I wouldn't waste time theorizing why THW was on the receiving end as someone could have simply seen that the site uses an aged engine/plugin and knew of a related exploit (if Ralle could so easily find a fix, would it not be just as easy to determine the vulnerability?).
If you wish to be safe, change your passwords because this still boils down to a security breach. As far as I'm concerned, personal data is known to be compromised and I'm not going to assume the motives of a guy bored enough to hack websites in their spare time.

And thanks be to Ralle for being so on top of things. Sucks to hear you missed out on sleep to deal with the breach.
 

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
For those interested in daily attacks on websites, please see Malekal's Honeypot stats. Makes you feel dizzy.

Admins might want to set up such a Honeypot, in order to check whether it was an isolated successful hack caused by a rogue individual, or not. If he really wants to take us down, he will try to come back again and again.
 

pyf

Level 32
Joined
Mar 21, 2016
Messages
2,985
We need someone with a very particular set of skills, acquired over a very long career. Skills that would make him a nightmare for people like them script kiddies. Because the Hive was taken from us.
...
...
No, not Mr Neeson. :xxd:
 
Level 11
Joined
Mar 18, 2009
Messages
788
Only way I see one benefiting from hacking a site like Hive is to get access to all email addresses and passwords and then sell those out to phishers, spammers or identity related crime organisations.

Or changing the donation addresses to his own if he is a small fry.

Hopefully it's just a ruse with no major motive other than self accomplishment. Good thing no major damage has been done and Ralle is fixing things pretty quickly.
 