May 19, 2010 :: Tsunami compromise

Started by Jason, May 19, 2010, 06:54:15 PM

Jason

It looks like we've had some web page compromises on this server within the last 15 minutes.

At first glance, it looks similar to what we faced on Blizzard back in March.  http://www.charlottezweb.com/forums/index.php?topic=1447.0

I'll update this thread as we proceed.

As of now, we're investigating the cause so we can patch it prior to searching/replacing the code if possible.

Mark

I was going to go through and change all my passwords. Is it okay to do it, or should we wait just in case they get back in?

Jason

Quote from: Mark on May 19, 2010, 07:01:59 PM
I was going to go through and change all my passwords. Is it okay to do it, or should we wait just in case they get back in?

You can, but if there's a thought that passwords were compromised, we may run a script to generate new ones for everyone anyway. If you saw files being changed in real time, then there's something running right now that we need to find and kill first. So you might want to wait until we have more news on that.

Mark


Steve


^ChYmAiL^GTX

Thanks Jason.

I was looking at this...

http://www.kisaso.com/technology/hacked-by-ghost61-my-blog-got-hacked/

I placed some folders 777 a few months ago to try some mods... but I think I placed them back to 755 again...

Steve


Pam

Steve, I got the same "message" on my forum as well.

Jason

We believe the script has been isolated and killed. 

Working on next steps now.

Steve

I have replaced the index.php from the backup file. Do I have to do something more?

weekend camper

Just checked and both sites I have on that server were affected.

Thanks for getting on this Jason.



Mark

Quote from: Steve on May 19, 2010, 07:20:46 PM
I have replaced the index.php from the backup file. Do I have to do something more?

I only saw evidence of index files being tampered with, but I'm sure once Jason is done he'll let us know what else to do.

Jason

Quote from: Mark on May 19, 2010, 07:22:35 PM
Quote from: Steve on May 19, 2010, 07:20:46 PM
I have replaced the index.php from the backup file. Do I have to do something more?

I only saw evidence of index files being tampered with, but I'm sure once Jason is done he'll let us know what else to do.

Correct, I don't want to advise until I know with certainty what's needed.

Jason

An email has just been sent to our Tsunami customer listing alerting them to this thread.

JPDeni

Be aware that if you have any subdirectories with index.html or index.php files in them, you'll likely have to replace them, too. I've just replaced a whole bunch of files.