Lacrima Castle
> Guiz, we've been hacked
Raijinili
post Mar 9 2012, 06:57 PM
Post #1


Lieutenant
*************

Group: Gods
Posts: 2538
Joined: 25-December 05
Member No.: 16



GET OFF THE SITE IT'S NOT SAFE

go to irc.psigenix.net channel #lcn for now. mibbit link: http://chat.mibbit.com/#lcn@irc.psigenix.net

Edit: I think I fixed it. More details in topic.

This post has been edited by Raijinili: Mar 9 2012, 09:18 PM


Raijinili
post Mar 9 2012, 09:58 PM
Post #2





What happened?
- Random links to Russian sites have been popping up in certain browsers. This was traced to a mass March 6th edit of all PHP files.

What else happened?
- I dunno. Sysadmin was not part of my job description.
- Seriously, though. I don't know. Passwords may have been compromised. The security of that is dependent on our forum software, which is years out of date.
- I'm still trying to see if they added any backdoors so that this can happen again.
- Security may have been compromised long ago, and March 6 was just the date they decided to do something about it. We weren't the only Dreamhost customer that was hit on that date: http://danhilltech.tumblr.com/post/1808586...press-dreamhost

What we do?
- I've cleaned up the code that was doing it. There may have been more code added to specific files. I have no basis of comparison and would have to manually search through .php files for that.
- I'm emailing Dreamhost for more information.
- I'm going to have to change the passwords for the forum database.
- I must emphasize again that I'm basically just the cleverest chimp on a keyboard around here. I don't actually have any expertise about this.

What you do?
- You should change your password (http://strongpasswordgenerator.com/). You should NOT change your password to something you use elsewhere: we don't know how the breach happened or if it can happen again, or if it's still open.
- You should also change any password of anything you use with the same password.
- You should scan for viruses and other malware, especially if you were ever redirected to any other site while trying to go to LCN.
- Um, don't post private information on this site. And think about what private information you may have had here (e.g. private messages containing passwords or something). They may have downloaded anything and everything.

This was the code added to the top of every PHP file:
http://pastebin.com/gXfHRTbn

That was a base64-encoded PHP script, probably to prevent server searches from turning up the links. Here is the base64-decoded version:
http://pastebin.com/vXfaqbS4


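The manual search through .php files described in post #2, as an added example that is not part of the original thread: a Python scanner that flags an encoded eval near the top of each file, decodes the payload without executing it, and lists the links a plain-text search would miss. The eval(base64_decode(...)) wrapper shape, the sample payload and the links.example URL are assumptions; the thread's actual code is only linked on pastebin.

```python
import base64, os, re, tempfile
from datetime import date, datetime
from pathlib import Path

# Assumption: the injection is an eval(base64_decode('...')) wrapper, a common
# shape for this kind of infection; the thread's actual code is only on pastebin.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")
URL_RE = re.compile(rb"https?://[^\s'\"<>\\)]+")
HEAD_BYTES = 64 * 1024  # the thread says the code sat at the top of each file

def inspect_php(path):
    """Return a finding for an encoded eval near the top of the file, else None."""
    path = Path(path)
    m = INJECT_RE.search(path.read_bytes()[:HEAD_BYTES])
    if not m:
        return None
    try:  # decode only; the payload is never executed
        decoded = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        decoded = b""  # malformed base64 is still reported, with no URLs
    return {
        "path": str(path),
        "modified": date.fromtimestamp(path.stat().st_mtime).isoformat(),
        "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(decoded)],
    }

def scan_tree(root):
    """Inspect every .php file under root; return findings sorted by path."""
    hits = (inspect_php(p) for p in sorted(Path(root).rglob("*.php")))
    return [h for h in hits if h]

def demo():
    """Scan a constructed tree: one injected file, one clean file."""
    payload = b'echo "<a href=\'http://links.example/page\'>x</a>";'  # constructed
    blob = base64.b64encode(payload).decode()
    with tempfile.TemporaryDirectory() as root:
        bad, ok = Path(root, "index.php"), Path(root, "clean.php")
        bad.write_text(f'<?php eval(base64_decode("{blob}")); ?>\n<?php echo 1;')
        ok.write_text("<?php echo base64_decode('aGk='); ?>\n")
        stamp = datetime(2012, 3, 6, 12, 0).timestamp()  # date from the thread
        os.utime(bad, (stamp, stamp))
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The "modified" field makes a mass edit stand out as many findings sharing one date; a file that only calls base64_decode without eval is not flagged.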
Raijinili
post Mar 9 2012, 10:57 PM
Post #3





Just removed the ability for IPB to drop tables. Tell me if something goes wrong.


Raijinili
post Mar 10 2012, 12:28 AM
Post #4





Having to manually change the DB password in several places. Tell me if you find broken pages.


DustyHaru
post Mar 10 2012, 03:25 PM
Post #5


Check Length
*********

Group: Knights
Posts: 916
Joined: 7-August 07
From: Check Length
Member No.: 1632



When I check my profile page I see:
QUOTE
IPB WARNING [2] mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) (Line: 802 of /sources/action_public/profile.php)
at the top.


Using Revolution if that means anything.

This post has been edited by DustyHaru: Mar 10 2012, 03:26 PM
Raijinili
post Mar 10 2012, 09:15 PM
Post #6





fixed in a bad way

Edit: Just changed the way some variables work. Tell me if that broke anything.

This post has been edited by Raijinili: Mar 10 2012, 10:33 PM


Raijinili
post Mar 11 2012, 09:16 AM
Post #7





Oh yeah. I should email all members.

Edit: Oh yeah. Forgot to remember to sign the email.


DavidSchinkel
post Mar 11 2012, 06:16 PM
Post #8


Shy
*

Group: Arcs
Posts: 42
Joined: 10-June 10
From: Gig Harbor, Washington
Member No.: 2071



Hey, are you going to update PSP faces with the Special Edition ones?
loool
post Mar 12 2012, 03:49 AM
Post #9


Shy
*

Group: Arcs
Posts: 34
Joined: 14-October 08
Member No.: 1798



I just received an email saying we got hacked. !!! D:
SyphonVectorman
post Mar 12 2012, 05:28 AM
Post #10


Talkative
***

Group: Arcs
Posts: 106
Joined: 17-March 07
Member No.: 829



Well this sucks; checking my old e-mail and I see this. Thanks for the heads-up though.
Raijinili
post Mar 13 2012, 01:43 AM
Post #11





Removed some powers/adminship from some inactive members (or until they change their password):
- Marionette
- Malice
- Ledah

