| Pages:
1
2
3
..
7 |
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
The Forum Has Been Hacked
Just now, in a thread in beginnings, HeYBrO noticed that some members' locations mysteriously changed to "/root/." Here is a list of affected members:
bobm4360
elementcollector1
Oscilllator
Manifest
Tdep
DubaiAmateurRocketry
Mr_Magnesium
TheChemiKid
gdflp
HeYBrO
numos
careysub
No idea why this happened, could just be the effect of some routine software tweaking, but I thought it would be good to let everybody know just in
case it's caused by someone or something malicious.
EDIT: We now know that the forum has definitely been hacked. If any of your account information has been changed, change your
password before your account becomes compromised.
[Edited on 8-12-2014 by zts16]
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Just noticed that all of their birthdays have changed to 1-1-1980
Also, now we know that Mr_Magnesium has been taken over by someone else, as he's posting crap about acetone peroxide with horrible grammar which
doesn't seem like him: https://www.sciencemadness.org/whisper/viewthread.php?tid=32... and he was one of the ones affected. Both happened around the same time, so it may
possible be related, although it could be a coincidence.
[Edited on 8-12-2014 by zts16]
|
|
|
Manifest
Script Kiddie Asshole
Posts: 229
Registered: 7-12-2012
Member Is Offline
Mood: No Mood
|
|
Good work Columbo.
[Edited on 12-8-2014 by Manifest]
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Look man, I know it's probably nothing. I just wanted to point it out, just in case.
|
|
|
Manifest
Script Kiddie Asshole
Posts: 229
Registered: 7-12-2012
Member Is Offline
Mood: No Mood
|
|
I'm just joking, you need to take me less seriously.
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Sorry Manifest, but it's rather hard to detect joking and sarcasm on a forum, particularly since it's late at night for me right now and I should
probably be going to sleep.
|
|
|
Manifest
Script Kiddie Asshole
Posts: 229
Registered: 7-12-2012
Member Is Offline
Mood: No Mood
|
|
His posts are being deleted...
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Err, yeah... His recent posts seemed to have disappeared. The older ones are still there. But at the same time, it makes me wonder, since the list
hasn't changed other than for his two accounts, so it looks a bit like he's actually just pretending to be hacked...
|
|
|
Manifest
Script Kiddie Asshole
Posts: 229
Registered: 7-12-2012
Member Is Offline
Mood: No Mood
|
|
No, he made a post on his alternate account saying Brain Force was compromised.
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Yes, and that one also appeared with the /root/ and the post disappeared, but since earlier when I posted the list of affected usernames, the only two
that were added were his two accounts, making it seem like he might have done it himself just to screw with us.
|
|
|
Manifest
Script Kiddie Asshole
Posts: 229
Registered: 7-12-2012
Member Is Offline
Mood: No Mood
|
|
Polverone is online now, hopefully he'll give us an explanation, this is scaring me
|
|
|
Tdep
National Hazard
Posts: 519
Registered: 31-1-2013
Location: Laser broken since Feb 2020 lol
Member Is Offline
Mood: PhD is done! It isn't good but it's over lol
|
|
Woah, I just got older!
Hope he hasn't changed every record, I don't want to be suddenly 30!
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
I don't think this is as dire as I originally believed. Affected user accounts, as listed in the first message in this thread, have been frozen for
now (email addresses altered and passwords disabled). More information to follow.
PGP Key and corresponding e-mail address
|
|
|
APO
National Hazard
Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline
Mood: Refluxing
|
|
Hey, some members things where it says "Location: /root/" are just disappearing. I'm scared now. I think you should freeze all password and email
address changes for awhile except for those who need a reset.
[Edited on 12-8-2014 by APO]
"Damn it George! I told you not to drop me!"
|
|
|
legitaccountdontdelete
Harmless
Posts: 1
Registered: 12-8-2014
Location: not in /root/ that's for fucking sure.
Member Is Offline
Mood: No Mood
|
|
Polverone what do you think it is?
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
Yes, all the users with '/root/' as their location have been compromised -- perhaps a few others. A rootkit scan on the server didn't show anything,
ssh access logs didn't show anything, and there were no new script files installed. Further, if an attacker really did have root access, why bother
with non-moderator accounts? Why tip your hand when you could just access the database directly and bypass all forum passwords? The most likely
explanation seems to be that the attacker doesn't really have root access but just guessed weak passwords on some ordinary user accounts.
Examination of the the forum logs and web server logs did reveal an interesting connection.
A bunch of server access was referred from http://5.175.164.221 (I have delayed posting until I could locally archive what was there). In case that
site is offline by the time you read this, it contains/contained a melange of pictures and videos of homemade pyrotechnics, lists of common passwords,
and scripts for hacking.
By cross-referencing the server access logs and the IP addresses on user posts, I can tell that the following accounts used IP addresses at least once
that were also used by the mysterious person(s) referred-by-5.175.164.221:
Bert
bobm4360
Burner
careysub
Crypto
DubaiAmateurRocketry
Eisenstein
elementcollector1
gdflp
Leetage
leu
Magpie
Mailinmypocket
Manifest
Mercedesbenzene
mnick12
Mr_Magnesium
numos
Oscilllator
Praxichys
Pyro
Pyrocystis Lunula
S.C. Wack
Tdep
TheChemiKid
woelen
Xenoid
This includes a number of accounts that were already reported as compromised but also some that weren't. What do the members on this list have in
common? Use of public proxies? If your name is on this list and your account isn't already frozen, I suggest changing your password and making it
strong.
For the technically inclined, here's a line from a web server log file that shows what I am talking about :
| Code: | ::1:80 66.87.66.61 - - [12/Aug/2014:00:11:07 -0700] "GET /talk/misc.php?action=login HTTP/1.1" 200 3429 "http://5.175.164.221/https.html" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SPH-L710 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
|
I cross-matched the IP address 66.87.66.61 with a prior posting from a registered member. I scripted the cross-referencing for all unique IP addresses
that showed up with a 5.175.164.221 referrer.
At this point I'm guessing that the attack came from a juvenile member or members of our own forum here.
In order to begin unfreezing compromised user accounts I am going to need to restore a database backup locally, to find what email addresses were
before the attacker reset them, then I will make contact with the affected members via email to get their access restored. I am also going to
interview a couple of affected members about their passwords before I actually begin unfreezing, to make sure they really were relatively easy to
guess. If affected accounts had passwords like 2Qc..6f0eb1a913a4adP338, I'm going to have to reconsider my password-guessing assumption.
PGP Key and corresponding e-mail address
|
|
|
APO
National Hazard
Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline
Mood: Refluxing
|
|
Just an idea, freeze the accounts of anyone who registered today and disable new member registering until we/you figure out the problem.
"Damn it George! I told you not to drop me!"
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Well then, it does appear that I was right about Brain&Force faking being hacked, as neither of his accounts are on that list of people who really
were.
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Sorry, Brain&Force... I saw your tweets. It just seemed to me at first like the timing was a bit too perfect, and you weren't on Polverone's list.
Oh, and also, did the weird acetone peroxide thread where the issue was first noticed get deleted, or did it just "mysteriously disappear?"
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
DJF90's location changed to /dev/null and birthday to 1-1-1980
Also, Kapitan's location is /dev/urandom but birthday is none.
[Edited on 8-12-2014 by zts16]
|
|
|
plante1999
International Hazard
Posts: 1936
Registered: 27-12-2010
Member Is Offline
Mood: Mad as a hatter
|
|
I am compromised, please block my account
|
|
|
The Volatile Chemist
International Hazard
Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline
Mood: Copious
|
|
So I talked to B&F, and he said his password had upper and lowercase, numbers, etc. It's my theory this is just brute force of members someone
hates.
|
|
|
The Volatile Chemist
International Hazard
Posts: 1981
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline
Mood: Copious
|
|
Oh no! Some of the best members are compromised! Wait, does anyone know when they first saw the /root/ thing? I could have sworn seeing it 3 months
ago (In someone's location) and thinking it was some form of a linux user's joke. They could have been waiting a while to amass a bunch of accounts to
do something.
but lol to legitaccountdontdelete's account location. I wonder if he's the hacker  Check his IP Prov.
careysub now has the slashroot for her (or his) location, I noticed she had been visited by the 5. guy in the past. Of course Töilet Plünger's down
too.
And Zyklon-A has the best location...
On a side note, this is possibly a would be spamming accnt. : http://www.sciencemadness.org/talk/member.php?action=viewpro...
[Edited on 8-12-2014 by The Volatile Chemist]
[Edited on 8-12-2014 by The Volatile Chemist]
[Edited on 8-12-2014 by The Volatile Chemist]
[Edited on 8-12-2014 by The Volatile Chemist]
[Edited on 8-12-2014 by The Volatile Chemist]
|
|
|
Texium
Administrator
Posts: 4580
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Last night was the first time I saw it, in the acetone peroxide thread that no longer exists. HeYBrO originally pointed out the /root/ thing. Then we
realized that Mr_Magnesium, who started the thread, normally doesn't post crap like that, which led us to believe that the /root/ accounts were
hacked. Curiously, every member who posted in that thread except for me and arkoma were compromised, although there are plenty of others that are too
that didn't post there.
|
|
|
Zyklon-A
International Hazard
Posts: 1547
Registered: 26-11-2013
Member Is Offline
Mood: Fluorine radical
|
|
Weird. I haven't been online in a few days (except yesterday) and didn't see that topic.
This sucks, was Mr_Magnesium the first to be compromised?
I think I remember seeing the "/root/" thing some months ago too, although I can't be sure.
|
|
|
| Pages:
1
2
3
..
7 |
![[*]](images/xpblue/default_icon.gif){kind=icon}
