It looks like we've had some web page compromises on this server within the last 15 minutes.
At first glance, it looks similar to what we faced on Blizzard back in March. http://www.charlottezweb.com/forums/index.php?topic=1447.0
I'll update this thread as we proceed.
As of now, we're investigating the cause so we can patch it prior to searching/replacing the code if possible.
I was going to go through and change all my passwords. Is it okay to do it, or should we wait just in case they get back in?
Quote from: Mark on May 19, 2010, 07:01:59 PM
I was going to go through and change all my passwords. Is it okay to do it, or should we wait just in case they get back in?
You can, but if there's a thought that passwords were compromised, we may run a script to generate new ones for everyone anyway. If you saw files being changed in real time, then there's something running right now that we need to find and kill first. So you might want to wait until we have more news on that.
Okay, I'll hold off. Thanks Jason.
I'm waiting.... too
Thanks Jason.
I was looking at this...
http://www.kisaso.com/technology/hacked-by-ghost61-my-blog-got-hacked/
I placed some folders 777 a few months ago to try some mods... but I think I placed them back to 755 again...
This is what appeared on my forum
(http://img685.imageshack.us/img685/5805/47164346.gif)
(http://yfrog.com/j147164346g)
Steve, I got the same "message" on my forum as well.
We believe the script has been isolated and killed.
Working on next steps now.
I have replaced the index.php from the backup file. Do I have to do something more?
Just checked and both sites I have on that server were affected.
Thanks for getting on this Jason.
Quote from: Steve on May 19, 2010, 07:20:46 PM
I have replaced the index.php from the backup file. Do I have to do something more?
I only saw evidence of index files being tampered with, but I'm sure once Jason is done he'll let us know what else to do.
Quote from: Mark on May 19, 2010, 07:22:35 PM
Quote from: Steve on May 19, 2010, 07:20:46 PM
I have replaced the index.php from the backup file. Do I have to do something more?
I only saw evidence of index files being tampered with, but I'm sure once Jason is done he'll let us know what else to do.
Correct, I don't want to advise until I know with certainty what's needed.
An email has just been sent to our Tsunami customer listing alerting them to this thread.
Be aware that if you have any subdirectories with index.html or index.php files in them, you'll likely have to replace them, too. I've just replaced a whole bunch of files.
Thanks, Jason.
I was just about to start troubleshooting on my own when the email came through. I'll hold off doing anything for now.
I thought it was something stupid I did earlier, as I was changing permissions on a couple folders. Guess not (at least I hope not).
Quote from: JPDeni on May 19, 2010, 07:56:52 PM
Be aware that if you have any subdirectories with index.html or index.php files in them, you'll likely have to replace them, too. I've just replaced a whole bunch of files.
If you want to proactively replace files, feel free. However, we're scanning all files server wide to compile a list of everything impacted. If there's an easier (automated) restore route, we'll do it if possible.
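Added example (not part of the thread, and not the host's own scan script): a read-only way for an account owner to list index files changed within a time window, directories left world-writable (such as 777), and index files that differ from a backup copy. The function names, paths and the 15-minute default are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage of a docroot after index-file tampering.
# Function names, paths and the time window are assumptions, not from the thread.

# Find index.php / index.html / index.htm under $1; extra find tests may follow.
find_index_files() {
    dir=$1; shift
    find "$dir" -type f \( -name index.php -o -name index.html -o -name index.htm \) "$@" -print
}

# Index files under $1 modified in the last $2 minutes (-mmin: GNU/BSD find).
# mtime can be reset by whoever wrote the file, so treat this as a first pass.
recent_index_files() {
    find_index_files "$1" -mmin "-$2" | sort
}

# Directories under $1 that any local user can write to (e.g. mode 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Compare every live index file with the same relative path in a backup tree.
# Prints "DIFF <path>" when contents differ, "NEW <path>" when the backup lacks it.
changed_vs_backup() {
    live=$1; backup=$2
    ( cd "$live" && find_index_files . ) | sort | while IFS= read -r rel; do
        if [ ! -f "$backup/$rel" ]; then
            echo "NEW $rel"
        elif ! cmp -s "$live/$rel" "$backup/$rel"; then
            echo "DIFF $rel"
        fi
    done
}

# Stand-alone use: sh triage.sh /path/to/docroot /path/to/backup [minutes]
if [ "$#" -ge 2 ]; then
    recent_index_files "$1" "${3:-15}"
    world_writable_dirs "$1"
    changed_vs_backup "$1" "$2"
fi
```

The backup comparison is the most reliable of the three checks, since it does not depend on timestamps.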
I'm so used to having to do things myself that I expect to have to. I still have to get used to the wonderful service we have here. :)
This is the same person who hacked mine. Do I need to replace the index.php from a new package from SMF? I don't have any modifications on my site at all. And did they attack the server or the forum itself?
Quote from: rebelsgirl on May 19, 2010, 08:08:34 PM
This is the same person who hacked mine. Do I need to replace the index.php from a new package from SMF? I don't have any modifications on my site at all. And did they attack the server or the forum itself?
We're still looking into this. I would just wait or if you have a backup of your files, you can replace just the impacted files. Otherwise, we'll attempt to do this for you once our investigation is complete.
I have backups, but I'll hold off until you give the final report. I don't want to go mucking about without a definitive cause.
Looks like the earlier cause was accurate and stopped at this time. We also have a list of all impacted files complete now.
If you want to do your own file restores, feel free -- that will be fastest. We are looking into a way to restore just those files from backups without having to do full account restores so it may take us some additional time -- especially if we end up having to do it manually.
I replaced my index outside the forum and the one inside. Looks like everything is ok for now. You're going to regenerate new passwords for us?
Everyone must be trying to restore their files, I can not connect with FTP. :(
Error: Connection timed out
Error: Could not connect to server
Loads are high -- we're in the midst of doing automated file (not account) restores. We've completed about 10 sites so far and it's going well.
Quote from: rebelsgirl on May 19, 2010, 08:48:45 PM
I replaced my index outside the forum and the one inside. Looks like everything is ok for now. You're going to regenerate new passwords for us?
Only if necessary. I don't have a judgement on that just yet.
Thanks Jason! Everything back to normal.
Jason, we seem to be back too.
Any updates on the need to change passwords?
All file restores are done. If you still have any issues, please post, email or open a ticket so we can look.
Not sure on the passwords yet. Checking into that now.
Quote from: Jason on May 19, 2010, 10:08:31 PM
Not sure on the passwords yet. Checking into that now.
We don't believe this to be necessary at this time, however it never hurts if you want to take that extra step.
Thanks Jason for the update!
We appreciate all that you do! :)
Thanks! :)
Now on to the next task of the day -- baby delivery...
How exciting! Congrats to you and Mrs. Jason! ;)
Quote from: Jason on May 19, 2010, 10:51:08 PM
Now on to the next task of the day -- baby delivery...
I didn't even know you were a mid-wife!
:)
All the best
Thanks everyone :)