Site News and Information => Announcements => Topic started by: Susan on February 28, 2015, 08:27:07 PM
Title: We had a system compromise today, however all user information is secure
Post by: Susan on February 28, 2015, 08:27:07 PM
I received a pm from one of the global moderators at 5:45pm today.
Quote from: V M on February 28, 2015, 05:45:36 PM
Hi Susan
Who is this? Just joined today and claiming to be an Admin? https://www.susans.org/forums/index.php?action=profile;u=40672
I checked the forums and the person was indeed flagged as a senior admin. After demoting and banning the account, I switched the forum to maintenance mode and then shut down the web server totally, until I could do a complete audit of the system to see what had occurred and to ensure that it could not happen again.
Here's what happened.
The hacker first accessed the server from the 178.150.145.4 IP at 4:45:48pm CST today. The IP resolves to 4.145.150.178.triolan.net. Triolan.net is a Ukrainian ISP. As an additional verification, all accesses to the server were made in Russian.
The hacker first accessed the phpmyadmin, which is a control panel that allows you to manage databases. Using an unknown exploit he gained access to the system.
Once in, the hacker browsed the database system to verify the layout, then took a closer look at a wordpress installation.
He installed two backdoors, one as an index.php in a directory called shop, and two others in various directories on the site, both named lal.php. He then used his primary back door to install a redirector for an online pharmacy.
Once he was finished he created an account on the forums and stupidly proceeded to make it an admin account, which was spotted right away by V M, a forum moderator, who contacted me.
I was notified of the intrusion. The first thing I did after shutting down the web server was to check for recent accesses from that IP, which showed requests to phpmyadmin, which only I should be accessing. So I password protected the directory containing the phpmyadmin.
I then checked for operating system updates, but found that we are current with all upgrades and security updates. So this is likely a 0-day exploit, against which there are limited defenses. The directory password protection will make it impossible for him to get to the phpmyadmin software to exploit in the future.
I then checked the web server logs and copied all accesses from the hacker's IP. Then I compiled a list of all file modifications that occurred from the time of the hacker's first access. Using both of these I carefully checked every file access made by the hacker. These files were either restored to original unmodified versions or removed from the system totally.
I have manually reviewed every single access of the server by this person and at no point did he download any databases; so your user information is secure. That being said, I have instructed the staff to change their passwords, as a standard security precaution. There is absolutely no financial information stored on the server, and even if there had been, the hacker did not attempt to find any, much less to download it.
He made changes to a newforums database which I simply deleted as it is not used anyway, and to one record controlling how many links are permissible on comments in the wp_options database on the wordpress.
I have removed the backdoors and all modified files.
We are secure once again, and I apologize that this occurred. We have not had a successful hacker penetration against the site since 2003-2005. That is an exceptional security record.
If you have any concerns the safest course of action is to preemptively change your password and account information anywhere that shares the same information as here.
You did a great job notifying me so quickly today V M! Everyone give her a round of applause!
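An added example, not code from Susan's post or from the forum: the three triage steps her write-up describes (copy every request from the attacker's IP, take the time of the first one, list files modified after it) as POSIX shell functions run against a constructed access log and a constructed web root. The IP and the shop/index.php and lal.php names come from the post; the log lines, file contents and timestamps are made up here.

```shell
#!/bin/sh
# Added example (not from Susan's post): her triage steps with POSIX tools. The IP
# and file names come from the post; log lines, contents and mtimes are constructed.
ATTACKER_IP="178.150.145.4"
make_sample_log() {   # $1 = path; writes a constructed Apache-style access log
  cat > "$1" <<'EOF'
10.0.0.5 - - [28/Feb/2015:16:40:02 -0600] "GET /forums/index.php HTTP/1.1" 200 5120
178.150.145.4 - - [28/Feb/2015:16:45:48 -0600] "GET /phpmyadmin/ HTTP/1.1" 200 2048
178.150.145.4 - - [28/Feb/2015:16:52:10 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 311
178.150.145.4 - - [28/Feb/2015:17:01:33 -0600] "GET /shop/index.php HTTP/1.1" 200 77
10.0.0.9 - - [28/Feb/2015:17:05:00 -0600] "GET /forums/index.php HTTP/1.1" 200 5120
EOF
}
make_sample_webroot() {   # $1 = dir; constructed web root with back-dated mtimes
  mkdir -p "$1/forums" "$1/shop" "$1/wp-content/uploads"
  echo '<?php // untouched forum file ?>' > "$1/forums/index.php"
  touch -t 201502011200.00 "$1/forums/index.php"            # long before the intrusion
  echo '<?php // constructed stand-in for the dropped file ?>' > "$1/shop/index.php"
  touch -t 201502281701.33 "$1/shop/index.php"              # written after first access
  echo '<?php // constructed stand-in ?>' > "$1/wp-content/uploads/lal.php"
  touch -t 201502281703.05 "$1/wp-content/uploads/lal.php"
}
# Step 1: every request from the attacker's IP (the copy of the log kept for the record).
attacker_requests() {   # $1 = access log
  awk -v ip="$ATTACKER_IP" '$1 == ip' "$1"
}
# Step 2: time of the first such request, as a touch -t stamp (YYYYMMDDhhmm.SS).
first_access_stamp() {  # $1 = access log
  attacker_requests "$1" | head -n 1 | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    split(substr($4, 2), p, "[/:]")             # 28 Feb 2015 16 45 48
    printf "%s%s%s%s%s.%s\n", p[3], mon[p[2]], p[1], p[4], p[5], p[6]
  }'
}
# Step 3: files modified after that moment; a reference file carries the stamp so
# plain `find -newer` works on GNU and BSD alike (no -newermt needed).
modified_since() {      # $1 = web root, $2 = touch -t stamp
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}
# Run the three steps against the constructed data.
work=$(mktemp -d)
make_sample_log "$work/access.log"
make_sample_webroot "$work/www"
stamp=$(first_access_stamp "$work/access.log")
echo "first access from $ATTACKER_IP at $stamp; files modified since then:"
modified_since "$work/www" "$stamp"
```

On a real box the log path and web root replace the constructed ones; the list from step 3 is what gets diffed against a clean copy or removed, as the post describes.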
Title: Re: We had a system compromise today, however all user information is secure
Post by: Ms Grace on February 28, 2015, 08:35:32 PM
Applause all around. I'm really glad you understand how to deal with this kind of thing Susan, it would have left me baffled.
Title: Re: We had a system compromise today, however all user information is secure
Post by: Sunderland on February 28, 2015, 08:35:54 PM
*applauds V M and Susan*
Great work! Very thorough. I'm impressed. :)
Title: Re: We had a system compromise today, however all user information is secure
Post by: Mariah on February 28, 2015, 09:20:28 PM
Thank You VM and Susan for catching and dealing with this so quickly.
Mariah
Title: Re: We had a system compromise today, however all user information is secure
Post by: Tysilio on February 28, 2015, 09:40:24 PM
Great catch, and well handled, including the transparency and disclosure.
Standing ovation!
Title: Re: We had a system compromise today, however all user information is secure
Post by: V M on March 01, 2015, 01:40:26 AM
Thank you Susan and everyone who responded
I do my best to help out where and when I can
Hugs
Title: Re: We had a system compromise today, however all user information is secure
Post by: Jessie Ann on March 01, 2015, 01:55:29 AM
Having had some experience in dealing with the hackers of the world all I can say is wow!! Great catch and response. As I used to say, thank goodness they make dumb mistakes. Thank you for letting us know how on the ball VM was. Big hugs to you girl!!!
And big hugs to you Susan. For not only catching the problem and securing the system, but for having a place where someone like me can learn and grow as I embark on this long overdue journey. I think I've got a serious case of cyber crush with this site. ;D
Title: Re: We had a system compromise today, however all user information is secure
Post by: Rudy King on March 01, 2015, 03:23:00 AM
I'd guess a script kiddie?
Title: Re: We had a system compromise today, however all user information is secure
Post by: CollieLass on March 01, 2015, 03:30:55 AM
Thank you VM and Susan for your attentive diligence in protecting our privacy and safety. :police:
Deb.
Title: Re: We had a system compromise today, however all user information is secure
Post by: suzifrommd on March 01, 2015, 05:06:06 AM
I'm amazed at how quickly you were able to find and stop the hole and to repair all damage. You would be worth a fortune in the commercial world. Thanks for using your skills for us instead.
Title: Re: We had a system compromise today, however all user information is secure
Post by: Ayden on March 01, 2015, 10:37:15 AM
Thank you both for the fast response. I'm amazed at how quickly it was taken care of. Hat off!
Title: Re: We had a system compromise today, however all user information is secure
Post by: Sally29 on March 10, 2015, 08:30:25 AM
triolan.net is a well-known bad ISP associated with brute force attacks, spammers, etc. Triolan IP address ranges are listed in many international blocklists, such as Spamhaus, projecthoneypot, etc.
For example, if you check AS13188 on blocklist.de https://www.blocklist.de/en/search.html?as=13188 you'll see triolan.net listed 170 times in just the past 14 days, for everything from forum spam to brute force attacks.
May I respectfully suggest you look into installing a server firewall solution, preferably one that dynamically queries such blocklists. Such a server firewall would have stopped this attack before it started, and will offer susans.org protection from such attacks in future, including zero day exploits, script injections etc.
Sally.
Title: Re: We had a system compromise today, however all user information is secure
Post by: Susan on March 10, 2015, 08:31:44 PM
I already firewalled them. I also took a few other steps...
Title: Re: We had a system compromise today, however all user information is secure
Post by: Devlyn on March 10, 2015, 08:36:07 PM
Quote from: Susan on March 10, 2015, 08:31:44 PM
I already firewalled them. I also took a few other steps...
...and target practice! :laugh: