We were hacked...

Started by Qube, January 23, 2023, 23:22:28


Qube

Hi Guys,

Some twat hacked the site and replaced the whole thing with their own junk.

I've restored the site to yesterday's backup and hopefully we'll not get hacked immediately. If we do then I'll have to look at changing the site's forum software.

Rest assured we're not going anywhere :)
Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.

Derron

3 things to check:
- forum software update (there was only one CVE in newer versions ... but this only affected already authenticated admins ... so hmm)
- check the server for scripts/backdoors (you might have restored them from yesterday - maybe they had some software automatically injecting stuff and now just executed the defacement/auto-redirect)
- check addons of the forum for updates

btw: KnownBB - SMF Hosting in the footers, both are no longer working weblinks

bye
Ron
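
The second check in the list above (a restored backup can carry the injected scripts back in), as an added example that is not part of the original posts: hash the restored web root against a freshly downloaded copy of the same forum release and list what was added or changed. The directory layout and file names are constructed; on a forum whose plugins edit core files, "modified" entries need a manual review rather than being treated as proof of tampering.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean: Path, restored: Path) -> dict:
    """Classify files in the restored web root against the clean reference copy."""
    ref, live = tree_hashes(clean), tree_hashes(restored)
    return {
        # Files the release never shipped: first place to look for dropped scripts.
        "added": sorted(live.keys() - ref.keys()),
        # Shipped files whose content differs: plugin edits or injected code.
        "modified": sorted(f for f in ref.keys() & live.keys() if ref[f] != live[f]),
        # Shipped files that are gone from the restored copy.
        "missing": sorted(ref.keys() - live.keys()),
    }

def build_sample(base: Path):
    """Constructed sample: a clean release tree and a restored backup tree."""
    clean, restored = base / "clean", base / "restored"
    shipped = {"index.php": "<?php // entry point\n",
               "lib/core.php": "<?php // core\n",
               "themes/default/layout.php": "<?php // theme\n"}
    for root in (clean, restored):
        for rel, body in shipped.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # The restored copy has one edited theme file and one file that was never shipped.
    (restored / "themes/default/layout.php").write_text("<?php // theme, edited\n")
    (restored / "uploads").mkdir()
    (restored / "uploads/cache.php").write_text("<?php // unexpected file\n")
    return clean, restored

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        clean, restored = build_sample(Path(tmp))
        return compare_trees(clean, restored)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```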

Hardcoal

I must say

It's kind of weird that after like a year I didn't post, approximately at the time I made a post this site got hacked..
Can there be any connection?

markcwm

Thanks Qube, it's good to have Syntaxbomb around, even though I don't use it much now.

By the way is there any html type backup of Syntaxbomb around the internet somewhere such as Github? I would like a copy of the Blitzmax forums.

Hacking is not cool kids.

Xerra

Quote from: Qube on January 23, 2023, 23:22:28
Some twat hacked the site and replaced the whole thing with their own junk.

Wait, what? You replaced the site after it got hacked and yet you still kept Derron?

See, there's this little thing in life called opportunity, right? ;-)
M2 Pro Mac mini - 16GB 512 SSD
ACER Nitro 5 15.6" Gaming Laptop - Intel® Core™ i7, RTX 3050, 1 TB SSD
Vic 20 - 3.5k 1mhz 6502

Latest game - https://xerra.itch.io/Gridrunner
Blog: http://xerra.co.uk
Itch.IO: https://xerra.itch.io/

RemiD

how can a forum be hacked ?

get the password of the hosting server somehow ?

get the password of the admin ?

exploit of a weakness in the forum source code ?

Naughty Alien

..what's the purpose or use of such hack?? To attract bunch of die hard blitz coders to some origami show? ..meh

Derron

There is no dude lurking around and "hacking" and then saying "oohh let me redirect it to hmmmm this page here".

They simply crawl websites with tools. Automatically "pen testing" urls and check what happens.
Forums often have an "identifiable" piece of code in them. With that piece of html code or simply stuff like "footers" of pages they identify the used forum software and the - important - version of the forum software.
With information like this they can individually try to exploit known vulnerabilities.

Depending on the vulnerability they can gain admin rights for the forum or the ability to write to the server. Admin rights for the forum does not necessarily mean they can change server files - exception is if the forum has a kind of inbuilt theme/file manager, "console" or the ability to add modules/addons offering exactly this. So if it allows the admin to add whatever text into something which is then executed (means altering the theme/skin of a forum including eg. PHP-code) then it is possible to alter what the server will display / add redirects / add remote controls ...

If there is no vulnerability known for the forum software and its used modules (2 are listed in the footer) it might also be that Qube is running some management software on the server (listening to a different port than 443 or 80 - or a subdomain). Such things are also scanned by tools as the management software has vulnerabilities too. Plesk, CPanel, ... they all are worthy targets.


TLDR: most of the time it is automated what happened here: trying to come in, doing something (defacement, redirect, dropping of stuff into html files...)


bye
Ron
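
What the automated crawling described above tends to look like from the server side, as an added example that is not part of the original posts: one client collecting 403/404 answers on many distinct paths in a short time. The log lines are constructed (Common Log Format, documentation IP ranges) and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed access-log lines; not taken from the site discussed in this thread.
SAMPLE_LOG = """\
198.51.100.7 - - [23/Jan/2023:22:10:01 +0000] "GET /index.php?topic=12 HTTP/1.1" 200 5120
203.0.113.9 - - [23/Jan/2023:22:10:02 +0000] "GET / HTTP/1.1" 200 4096
203.0.113.9 - - [23/Jan/2023:22:10:02 +0000] "GET /guess-1.php HTTP/1.1" 404 312
203.0.113.9 - - [23/Jan/2023:22:10:03 +0000] "GET /guess-2.php HTTP/1.1" 404 312
198.51.100.7 - - [23/Jan/2023:22:10:03 +0000] "GET /favicon.ico HTTP/1.1" 404 312
203.0.113.9 - - [23/Jan/2023:22:10:03 +0000] "GET /guess-3/ HTTP/1.1" 403 298
203.0.113.9 - - [23/Jan/2023:22:10:04 +0000] "GET /guess-4.php HTTP/1.1" 404 312
203.0.113.9 - - [23/Jan/2023:22:10:04 +0000] "GET /guess-5.php HTTP/1.1" 404 312
198.51.100.7 - - [23/Jan/2023:22:10:09 +0000] "GET /index.php?action=help HTTP/1.1" 200 2048
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse(log_text):
    """Yield (client, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def find_probers(log_text, min_misses=4, min_ratio=0.8):
    """Flag clients whose requests are mostly 403/404 answers on many distinct paths."""
    total = defaultdict(int)
    misses = defaultdict(int)
    missed_paths = defaultdict(set)
    for client, path, status in parse(log_text):
        total[client] += 1
        if status in (403, 404):
            misses[client] += 1
            missed_paths[client].add(path.split("?", 1)[0])  # ignore query string
    report = {}
    for client, paths in missed_paths.items():
        ratio = misses[client] / total[client]
        # A normal visitor hits the odd 404; a scanner guesses many paths and misses most.
        if len(paths) >= min_misses and ratio >= min_ratio:
            report[client] = {"distinct_missing_paths": len(paths),
                              "miss_ratio": round(ratio, 2)}
    return report

if __name__ == "__main__":
    print(find_probers(SAMPLE_LOG))
```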

Pakz

I had just placed a topic about that Aseprite ai plugin. For a moment there I thought maybe an artist might have taken it down with the site 🤔 I had mentioned in the post that using ai assets might cause blowback.
But reading about it. Bots going on 24 hours a day checking for ways to get in and try to do their thing! ChatGPT is also already being used to create viruses and hacking tools according to the media.

Qube

It happened again :o - I think I best put the latest version of SMF on here and redo all the plugins with their latest version too. A lot of them I have to manually add in as the package manager expects code to be untouched which of course other plugins have already modified.

In the short term I've tightened the screws a little so with a bit of luck it'll give me time to do it all afresh.

lucidapogee

It's always best to have the tightest security possible.
Did it just seem like a random brute force attack?
Ebox Thin Client with Windows 95
EEE PC 701SD with Windows XP
Atari 1040STFM with GEM/TOS
Playstation 2 with FreeMcBoot Yabasic
Keyboard Famiclones with GBasic and FBasic
Xerox Sunrise 1800 with MSBasic and CP/M

Xerra

Did we make derron disappear this time?

Asking for a friend ... ;-)

Adam Novagen

Dammit, I had just written an in-depth post in the OS thread, too... Wonder if I can pull it out of my browser cache. Wonder what they've got against us indie coders, eh?

Quote from: Xerra on January 30, 2023, 21:50:42
Did we make derron disappear this time?

Asking for a friend ... ;-)
Nah, not possible. He's like the old "removed Herobrine" bullet points in classic Minecraft update notes :)) Wouldn't want him gone anyway, people don't realize that what seems rude to much of the English-speaking world is just normal and serious-minded in Germany.

EDIT:
Quote from: Adam Novagen on January 31, 2023, 02:09:41
Wonder if I can pull it out of my browser cache.
Turns out the answer is yes.
We all know the main problem with dictionaries is that they contain too many words, and not enough butterscotch sauce!