Welcome Back DPF!
#1
Glad to finally see the Forum back! Can someone give a forensic update of what happened?!

I was starting to get the shakes [some kind of withdrawal symptoms].....better now.
"Let me issue and control a nation's money and I care not who writes the laws." - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
Reply
#2
Peter - thank you.

We will explain what happened, but perhaps without too many details as we are still running a live investigation into the perpetrators.

As per Magda's announcement, we would ask every member to change their password. Thank you.

Quote: Welcome back everyone! Well we sure missed you and the forum but we hope to be back to normal operations now. The forum was hacked but thanks to the fantastic work of DPF member and techie extraordinaire and damn fine human being Peter Presland and our hosts it looks like everything has been restored intact. There has been a forum upgrade during this process as well. Working in different time zones in different languages with different companies and with visiting family and grandchildren to entertain has meant that it took longer than we planned but it has been thoroughly tested and checked and we decided it was ready to go live. We would also ask that you keep an eye on things and let us know if you notice anything odd or strange. Odd files, behavior or strange member names online for example. Just in case we missed something. But we are pretty confident we got it all. Please feel free to post all those things you saw the last week and were not able to do so. There is so much to catch up on.
"It means this War was never political at all, the politics was all theatre, all just to keep the people distracted...."
"Proverbs for Paranoids 4: You hide, They seek."
"They are in Love. Fuck the War."

Gravity's Rainbow, Thomas Pynchon

"Ccollanan Pachacamac ricuy auccacunac yahuarniy hichascancuta."
The last words of the last Inka, Tupac Amaru, led to the gallows by men of god & dogs of war
Reply
#3
I bet others too find new appreciation for this gathering place.
I missed this place.
Thanks to all.
Thanks to the mods and our host.
Sincerely
Jim
Read not to contradict and confute;
nor to believe and take for granted;
nor to find talk and discourse;
but to weigh and consider.
FRANCIS BACON
Reply
#4
NB - for about 15 minutes an hour ago, the Forum was not accessible...don't know what was going on.
"Let me issue and control a nation's money and I care not who writes the laws." - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
Reply
#5
Summary
Administrator access was gained through a documented vulnerability in the vBulletin-Facebook/Ajax connect facility. vBulletin had issued a patch but it hadn't been applied. The site is now running on the latest stable release of v4.2 incorporating all security patches applied to date.

What they did
Privileged access facilitated the creation of 3 new administrator accounts - each using a different IP address. Following a clearly fraudulent application for legitimate membership, one of these accounts was quickly spotted and deleted because of its odd name. The other two were named respectively 'Admin' and 'Administrator' and were active long enough to run at least 2 rogue php scripts. Among other things, the result was the installation of a powerful php pseudo-shell with the same file system privileges as the dedicated Apache web-server user. This enabled the hackers to delete the previous day's backup, but fortunately not before a copy had been saved off-site (the one eventually used to restore the site). They also uploaded their 'trophy' page which confirmed the hack to those who make it their business to monitor the web for such things - for both good and bad reasons.

Also uploaded was a doctored and slightly-renamed vB php script and a whole raft of legitimately named - but illegitimate in content - .gz files replacing the regular ones. It is not clear what the precise capabilities of all these files and scripts are (yet), but it's safe to say they are extensive - let your imagination loose on the possibilities.

In any event, the hack became obvious fairly quickly and a global htaccess block was put on the site immediately.

Extensive checking of the latest possible backup database was carried out; it was eventually restored to a newly-created and differently named database with different credentials. The old vBulletin system was deleted in its entirety and a brand new u-t-d one installed.

All this means that there are bound to be glitches in previously taken-for-granted facilities (for example the Facebook connect facility is currently disabled and may remain so as a matter of policy).

Please advise of anything that appears odd or different from what you are used to.

Whilst there can be no guarantees in such matters - other than the inevitability of further hacking attempts - the site seems to be OK again and lessons have been learned.
Peter Presland

".....there is something far worse than Nazism, and that is the hubris of the Anglo-American fraternities, whose routine is to incite indigenous monsters to war, and steer the pandemonium to further their imperial aims"
Guido Preparata. Preface to 'Conjuring Hitler'
"Never believe anything until it has been officially denied"
Claud Cockburn
Reply
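An added example, not code from the post, the forum or vBulletin, of the kind of post-compromise check the summary above implies: diff the web root against a known-good manifest to catch new PHP files, near-duplicate script names and replaced .gz archives, and list admin-group accounts that are not on the known admin roster. All file contents, hashes, usernames and IP addresses are constructed; the usergroup id 6 for Administrators is the vBulletin default and is an assumption here.

```python
"""Added example (not part of the forum post or of vBulletin): a small
post-compromise integrity check for the artefacts the summary describes:
rogue admin accounts, an uploaded PHP file, a slightly renamed copy of a
vBulletin script, and .gz files swapped for different content.
Every path, file body, account and IP below is constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" files, standing in for a clean vBulletin package.
CLEAN_FILES = {
    "index.php": b"<?php // clean index\n",
    "admincp/index.php": b"<?php // clean admincp\n",
    "includes/class_core.php": b"<?php // clean core\n",
    "clientscript/vbulletin_global.js.gz": b"\x1f\x8b clean archive",
}
MANIFEST = {path: sha256_hex(body) for path, body in CLEAN_FILES.items()}

# Constructed snapshot of the web root after the incident.
LIVE_FILES = {
    "index.php": b"<?php // clean index\n",
    "admincp/index.php": b"<?php // clean admincp\n",
    "includes/class_core.php": b"<?php // clean core\n",
    "includes/class_core2.php": b"<?php // doctored copy\n",          # renamed vB script
    "images/misc/up.php": b"<?php /* placeholder for uploaded file */\n",  # unknown PHP
    "clientscript/vbulletin_global.js.gz": b"\x1f\x8b different archive",  # replaced .gz
}

# Constructed admin table rows: (username, usergroupid, registration IP).
KNOWN_ADMINS = {"Magda", "Peter"}
ADMIN_GROUP = 6  # vBulletin's default Administrators usergroupid (assumption)
ACCOUNTS = [
    ("Magda", 6, "192.0.2.10"),
    ("Peter", 6, "192.0.2.11"),
    ("Admin", 6, "203.0.113.5"),
    ("Administrator", 6, "198.51.100.7"),
    ("regular_user", 2, "192.0.2.12"),
]


def diff_against_manifest(manifest, live):
    """Split the live tree into files that are new, modified or missing
    relative to the manifest. A changed .gz counts the same as a changed
    PHP file: the summary says legitimately named archives were replaced."""
    new = sorted(p for p in live if p not in manifest)
    missing = sorted(p for p in manifest if p not in live)
    modified = sorted(p for p in live
                      if p in manifest and sha256_hex(live[p]) != manifest[p])
    return {"new": new, "modified": modified, "missing": missing}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-duplicate file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_scripts(new_paths, manifest, max_distance=2):
    """Pair each new PHP file with a legitimate script in the same directory
    whose name is within max_distance edits (class_core2.php vs class_core.php)."""
    hits = []
    for path in new_paths:
        if not path.endswith(".php"):
            continue
        directory, _, name = path.rpartition("/")
        for known in manifest:
            kdir, _, kname = known.rpartition("/")
            if kdir == directory and known != path and edit_distance(name, kname) <= max_distance:
                hits.append((path, known))
    return hits


def unexpected_admins(accounts, known_admins, admin_group=ADMIN_GROUP):
    """Return admin-group accounts not on the known admin roster, with the
    IP each registered from, so every one can be reviewed by hand."""
    return [(name, ip) for name, group, ip in accounts
            if group == admin_group and name not in known_admins]


def run_checks():
    """Run all three checks over the constructed data and return one report."""
    diff = diff_against_manifest(MANIFEST, LIVE_FILES)
    return {
        "files": diff,
        "lookalikes": lookalike_scripts(diff["new"], MANIFEST),
        "rogue_admins": unexpected_admins(ACCOUNTS, KNOWN_ADMINS),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

Against a real install the manifest would come from hashing a freshly downloaded copy of the same vBulletin version, and the account rows from the user table; anything the report lists is a lead to examine, not proof of compromise on its own.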
#6
Thanks for that detailed forensic analysis Peter. Any idea who 'done it'? [Did they leave any clues? hints?] As I remember their hack trophy page said something like Moroccan Liberation Front...or along those lines. Were there other vBulletin victims by the same group or person or entity?

Once when I tried to change my email, I was told my email was 'banned'. I haven't tried again...yet. Thanks greatly for the hard work you did!!! Bravo!
"Let me issue and control a nation's money and I care not who writes the laws." - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
Reply
#7
Peter Lemkin Wrote: Thanks for that detailed forensic analysis Peter. Any idea who 'done it'? [Did they leave any clues? hints?] As I remember their hack trophy page said something like Moroccan Liberation Front...or along those lines. Were there other vBulletin victims by the same group or person or entity?

Best not to go into too much detail publicly.

The original exploit was by a Moroccan IP address and the trophy page was ostensibly in support of the Palestinian cause, which is sad considering the robust support for that cause here. However I think it unlikely that DPF was targeted for any reason other than that a vulnerability was discovered by people who search for such things globally and systematically. You will find several thousand similar hacks listed by various sites with a suitable Google search. It's also possible that the access credentials were then passed on (for a consideration or whatever - maybe even automatically through the trophy page) because a US IP address was also heavily involved after the initial hack.

We do know quite a bit more but best to stay mum while continuing to dig.

Peter Lemkin Wrote: Once when I tried to change my email, I was told my email was 'banned'. I haven't tried again...yet. Thanks greatly for the hard work you did!!! Bravo!

It IS possible they began interfering with high volume user accounts. If so, any such changes that were recognized as legitimate by the vB software (i.e. regular Administrator actions) and done before both the backup we used to restore the site and implementation of the htaccess block would remain in the database. I think it highly unlikely that any such possible changes contain viruses or other nasties though - but you can NEVER be 100% about these things. The entire database has been checked using vB tools and was reported clean.

That's why it would be good to hear of any other such anomalies.
Peter Presland

".....there is something far worse than Nazism, and that is the hubris of the Anglo-American fraternities, whose routine is to incite indigenous monsters to war, and steer the pandemonium to further their imperial aims"
Guido Preparata. Preface to 'Conjuring Hitler'
"Never believe anything until it has been officially denied"
Claud Cockburn
Reply
#8
Peter Lemkin Wrote: Any idea who 'done it'? [Did they leave any clues? hints?] As I remember their hack trophy page said something like Moroccan Liberation Front...or along those lines. Were there other vBulletin victims by the same group or person or entity?
No it was the People's Liberation Front of Morocco.
"The philosophers have only interpreted the world, in various ways. The point, however, is to change it." Karl Marx

"He would, wouldn't he?" Mandy Rice-Davies. When asked in court whether she knew that Lord Astor had denied having sex with her.

"I think it would be a good idea" Gandhi, when asked about Western Civilisation.
Reply
#9
Magda Hassan Wrote:
Peter Lemkin Wrote: Any idea who 'done it'? [Did they leave any clues? hints?] As I remember their hack trophy page said something like Moroccan Liberation Front...or along those lines. Were there other vBulletin victims by the same group or person or entity?
No it was the People's Liberation Front of Morocco.

Magda, Peter, others in the know, I understand perfectly your wish to hold some information close to your chests for now [or forever]. I guess my wish was to know if it was the BIG BOYS or just some black hackers out for a 'lark'. The support for the Palestinians on the hack page tends to make it look either an indiscriminate hack of opportunity or a false-flag hack. I realize you might not know or have clues, and further if you do you might not care to share publicly.
"Let me issue and control a nation's money and I care not who writes the laws." - Mayer Rothschild
"Civil disobedience is not our problem. Our problem is civil obedience! People are obedient in the face of poverty, starvation, stupidity, war, and cruelty. Our problem is that grand thieves are running the country. That's our problem!" - Howard Zinn
"If there is no struggle there is no progress. Power concedes nothing without a demand. It never did and never will" - Frederick Douglass
Reply
#10
Magda Hassan Wrote:
Peter Lemkin Wrote: Any idea who 'done it'? [Did they leave any clues? hints?] As I remember their hack trophy page said something like Moroccan Liberation Front...or along those lines. Were there other vBulletin victims by the same group or person or entity?
No it was the People's Liberation Front of Morocco.

Lol, we ARE in a Monty Python skit. I've suspected it for years.
Reply