Hacking Troubles



Cory
2016-Aug-25, 11:15 PM
A few days ago some odd things started happening in the forum. Here's basically what:

- A hacker gained access to an admin account, likely with an automated system. Not sure how, but I've made it significantly harder to do again. And if it does, it won't be as bad.

- VBulletin, in its infinite wisdom, lets you do just about whatever you want with an admin account by default. This includes uploading custom files to the server and overriding just about anything you want. I've removed these capabilities from the admins. I will be as responsive as possible if the admins have requests for plugins or anything else that I've disabled.

- The last roughly two days of posts have been removed. I had to revert to an older copy of the database to save some data and make it as secure as possible. If anything especially valuable was lost, I can retrieve it manually.

- There's a new url for the forum now, forum.cosmoquest.org. This is because I've moved the forum to its own server. We were planning to do this in a few weeks, but things had to be pushed forward some. This gave us a fresh copy of the forum, which should make things better all around now that it's not directly tied to the cosmoquest site.

- As far as I can see, NO information was stolen from users. The hacker didn't have database access. No tools were used to gather user info.

- The purpose of the hack: 1, to add a few files to the server that would use it in a DDOS attack. This was stopped. 2, once I had fixed most of the issues (I thought I found all of them at the time), the hacker noticed, and wanted to make a big show before I fixed the issue. Making a God user, etc.

I sincerely apologize for the lack of info for the last few days. 1, I didn't want to send out emails to 150000 users, most of whom wouldn't care. 2, I didn't want to say anything incorrect. I wasn't sure how fixable this was, or when I'd be done. Honestly at first I thought it would just take a day.


Summary: Everything should be good now. I had to start fresh with the forum, so if something doesn't work, say so in this thread or at https://forum.cosmoquest.org/showthread.php?147000-Report-problems-for-the-Build-Team. If you have any questions or concerns, I'll happily answer them.

LookingSkyward
2016-Aug-25, 11:25 PM
Thanks Cory, for both the fixes and the information.
Truly appreciated!

dave

The Backroad Astronomer
2016-Aug-25, 11:30 PM
Nice to be back.
Freaked out, got paranoid, got talked down at International Skeptics.
Thanks Cory.

antoniseb
2016-Aug-25, 11:31 PM
Nice work on a job I hope to never need to do myself.
Thanks more than words can convey.

The Backroad Astronomer
2016-Aug-25, 11:41 PM
Now, next time, if you want to make some extra money, there are a few posts I would like deleted. :-)

NorthernDevo
2016-Aug-25, 11:43 PM
Superb work, Cory! I was shocked when Cosmoquest went black (or white, in this case) and was quite nervous hoping everything would be OK. Glad to see you got everything fixed!

Cory
2016-Aug-25, 11:49 PM
Nice work on a job I hope to never need to do myself.
Thanks more than words can convey.

You're welcome. astrotimer's sweet cash will fill in what your words can't. :)

Solfe
2016-Aug-26, 12:11 AM
Thank you!

pzkpfw
2016-Aug-26, 12:20 AM
That's a heck of a lot of work. Thanks.

Jens
2016-Aug-26, 12:39 AM
Thanks for the update and for the hard work.

Nowhere Man
2016-Aug-26, 12:47 AM
Thanks, Cory! :clap: :clap: :clap: :clap: :clap: :clap: :clap:

Although, as you can see, some of the smiley images are missing.

Fred

DukePaul
2016-Aug-26, 01:01 AM
"People sleep peacefully in their beds only because rough men stand ready to do violence on their behalf" From George Orwell I think. Thanks.

Solfe
2016-Aug-26, 01:07 AM
Thanks to Cory, we can all go back to arguing if AIs are a threat to jobs (https://forum.cosmoquest.org/showthread.php?162025-AI-threat-to-jobs).

Jim
2016-Aug-26, 01:29 AM
"People sleep peacefully in their beds only because rough men stand ready to do violence on their behalf" From George Orwell I think. Thanks.

I thought it was Jack Nicholson.


Thanks to Cory, we can all go back to arguing if AIs are a threat to jobs (https://forum.cosmoquest.org/showthread.php?162025-AI-threat-to-jobs).

They're not with Cory on the job.

John Mendenhall
2016-Aug-26, 02:09 AM
Good work in a tough situation. Been there. Thanks, Cory.

schlaugh
2016-Aug-26, 02:25 AM
I thought it was Jack Nicholson.


Apparently not even Jack - or Cory - but a writer in 1993.

https://en.wikiquote.org/wiki/List_of_misquotations


"We sleep safely in our beds because rough men stand ready in the night to visit violence on those who would harm us." [Edmund Burke, 1729 - 1797]

Alternative: "People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf."

Alternative: "We sleep soundly in our beds because rough men stand ready in the night to visit violence on those who would do us harm."

Commonly misattributed to George Orwell without citation. Sometimes also misattributed to Winston Churchill without citation.

Actual source: Quote Investigator found the earliest known appearance in a 1993 Washington Times essay by Richard Grenier: "As George Orwell pointed out, people sleep peacefully in their beds at night only because rough men stand ready to do violence on their behalf." The absence of quotation marks indicates that Grenier was using his own words to convey his interpretation of Orwell's opinion, as seen in citations below.

In his 1945 "Notes on Nationalism", Orwell wrote that pacifists cannot accept the statement "Those who 'abjure' violence can do so only because others are committing violence on their behalf.", despite it being "grossly obvious." ("Notes on Nationalism")

In an essay on Rudyard Kipling, Orwell cited Kipling's phrase "making mock of uniforms that guard you while you sleep" (Kipling, Tommy), and further noted that Kipling's "grasp of function, of who protects whom, is very sound. He sees clearly that men can be highly civilized only while other men, inevitably less civilized, are there to guard and feed them." (1942)

Similar phrase: "I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, then questions the manner in which I provide it." Aaron Sorkin (A Few Good Men)

And thank you Cory....I was having withdrawal.

CJSF
2016-Aug-26, 02:45 AM
Great work, Cory! I was really worried when it all went down. Yay!

CJSF

Trebuchet
2016-Aug-26, 03:00 AM
Thanks Cory, for both the fixes and the information.
Truly appreciated!

dave

Seconded! Or thirded, or fourthed, or whatever. Good job.

starcanuck64
2016-Aug-26, 05:08 AM
Couple of big thumbs up!

Noclevername
2016-Aug-26, 06:04 AM
Thank you very much Cory, and thanks also for keeping us informed about it. We appreciate it!

parallaxicality
2016-Aug-26, 07:32 AM
Thank you so much Cory!

I've never understood hackers. It saddens me that people with skills more marketable than I will ever have use them to break windows and spray-paint walls.

Robert Tulip
2016-Aug-26, 07:36 AM
1993.

1793

galacsi
2016-Aug-26, 10:03 AM
Thank you Cory for your work and for the information. This hacker could be a disgruntled and banned guy.

Swift
2016-Aug-26, 02:16 PM
Thanks, Cory! :clap: :clap: :clap: :clap: :clap: :clap: :clap:

Although, as you can see, some of the smiley images are missing.

Fred
Two things I've noticed that are not working.

One, as Nowhere Man noted, a lot of the smilies are not working.

Second, all the internal links are broken. So for example, the links in The Advice for ATM Advocates (or in my own signature) to the rules no longer point to the rules, since the forum address has changed. I suspect this cannot be fixed en masse, and will have to be fixed individually, which will take some time.

lemming
2016-Aug-26, 03:56 PM
I hope we didn't lose so many posts that I'm back in that wretched moderation gaol.

If someone became banned during the two days that were lost, would that person be unbanned now?

PetersCreek
2016-Aug-26, 05:03 PM
I sincerely apologize for the lack of info for the last few days. 1, I didn't want to send out emails to 150000 users, most of whom wouldn't care. 2, I didn't want to say anything incorrect. I wasn't sure how fixable this was, or when I'd be done. Honestly at first I thought it would just take a day.

Another thank you for the hard work. I don't think I would trade my weeks of fiscal year closeout stress for the past couple of days you had. I appreciated seeing the announcement on the CQ blog. It was the first place I went for information when the forum went down.

Swift
2016-Aug-26, 05:28 PM
Another broke thing: all the custom titles, including those for ToSeek and Peterscreek, are still missing.

I'm not trying to be negative.... just trying to get a working list. If there isn't a universal fix for broken links, I'll probably end up fixing those myself.

mkline55
2016-Aug-26, 05:33 PM
What? So my new ATM thread that irrefutably explained the theory of everything might be gone forever? Maybe I should have kept notes . . .

DukePaul
2016-Aug-26, 05:49 PM
Hopefully the hacker didn't access that Majestic archive we have on old Nazi anti-gravity drives and secret moon bases. Best keep that information to ourselves.

Swift
2016-Aug-26, 05:50 PM
What? So my new ATM thread that irrefutably explained the theory of everything might be gone forever? Maybe I should have kept notes . . .
Yes, the answer was 42. Unfortunately, the question was in the missing posts.

But thanks for all the fishes.

Lurking Nerd
2016-Aug-26, 05:50 PM
What? So my new ATM thread that irrefutably explained the theory of everything might be gone forever? Maybe I should have kept notes . . .

Ahh, the real reason the board was down. The world isn't ready for that information so the Illuminati wiped it out. And since Cory didn't mention this at all shows that he is in their pay. Q.E.D.

Seriously, awesome job Cory and thanks for getting the board back up as quick as you did.

PetersCreek
2016-Aug-26, 05:51 PM
Another broke thing: all the custom titles, including those for ToSeek and Peterscreek, are still missing.

It looks like titles and avatars were just dumped from the profiles, so I'm not sure a global fix is to be had. I had fixed my own before the forum went down but since Cory reverted to an earlier save point, it makes sense that my change was lost. I'm back in all my glory now.

bknight
2016-Aug-26, 09:57 PM
Nice to be back.
Freaked out, got paranoid, got talked down at International Skeptics.
Thanks Cory.
You were of course wearing the prescribed tin-foil hat?

Nowhere Man
2016-Aug-26, 10:00 PM
One, as Nowhere Man noted, a lot of the smilies are not working.
It's OK, they're back now. :rimshot:

ETA: The old URL works again, too.

Fred

ShinAce
2016-Aug-27, 11:10 PM
It appears that image thumbnails and their links are also gone. Check any RickJ post in astrophotography.

BigDon
2016-Aug-28, 04:58 PM
Wait, I wasn't just being paranoid?

(Thank you Cory.)

Jeff Root
2016-Aug-28, 05:05 PM
Could the lost posts from the thread "Middle point of massive objects"
in Space/Astronomy Questions and Answers be restored? There were
about a dozen of them, for about 32 posts in total in the thread. Some
of them were replies to me, which didn't contain any technical info but
were really meaningful to me for the short time they were up.

Thank you!

-- Jeff, in Minneapolis

Extravoice
2016-Aug-28, 10:55 PM
Hi Admins,

It appears that Tapatalk for iPhone access is still not working.
Attempts to log-in result in a "Log In Failed" message with a lengthy message listing version numbers.
I'll transcribe the gory details if needed.

Clicking the Home button shows some threads that are five or more days old, and clicking on them results in an "invalid thread" message.

CJSF
2016-Aug-29, 02:38 AM
It's (essentially) the same for Tapatalk on Android, still. I assume it's the same root reason. I expect they'll sort it out once everything else is settled and verified (and safe).

CJSF

Noclevername
2016-Aug-29, 07:06 AM
Wait, I wasn't just being paranoid?

Not just that, no.

Jim
2016-Aug-29, 11:27 AM
Wait, I wasn't just being paranoid?

Just because someone's chasing you doesn't mean you're not paranoid.

CJSF
2016-Aug-29, 12:45 PM
It's (essentially) the same for Tapatalk on Android, still. I assume it's the same root reason. I expect they'll sort it out once everything else is settled and verified (and safe).

CJSF

Seems to be working now on Android! Thanks!

CJSF

Jens
2016-Aug-29, 01:06 PM
It works on iOS too. [emoji4]

Extravoice
2016-Aug-29, 08:01 PM
Yup, thanks!


Trebuchet
2016-Aug-29, 09:05 PM
Tapatalk is not working for me at the moment.

starcanuck64
2016-Aug-30, 03:31 AM
Just because someone's chasing you doesn't mean you're not paranoid.

Or, "I know I'm paranoid, but am I paranoid enough!"

Trebuchet
2016-Aug-30, 05:01 PM
Since the return of the forum, I not only can't post pictures but at least one I posted earlier is no longer visible.

Swift
2016-Aug-30, 05:11 PM
Yes, even ones locally stored in my CQ albums are just blanks.

The Backroad Astronomer
2016-Aug-30, 05:59 PM
Same with my own pictures, just gone; at least I have them stored in other places.

Trebuchet
2016-Aug-30, 07:20 PM
Glad it's not just me. I started a separate thread about it as well.

Swift
2016-Aug-30, 07:30 PM
This is a test

https://www.nasa.gov/favicon.ico

This is an image stored remotely (nasa.gov) and inserted with the IMG tag. That seems to be working. The problem seems to be locally stored images and attachments.

Swift
2016-Aug-30, 07:32 PM
This is a test of a locally stored image, inserted as an attachment.

Swift
2016-Aug-30, 07:34 PM
This is a locally stored image, inserted with an IMG tag

https://forum.cosmoquest.org/attachment.php?attachmentid=21354&d=1456408193

Nope

Fiery Phoenix
2016-Aug-30, 07:51 PM
I assume this is the reason the forum went offline for over 24 hours last week? I thought that was super weird.

Glad to hear it's all sorted out, though. Thank you, Cory.

Trebuchet
2016-Aug-31, 03:00 PM
This is a test of a locally stored image, inserted as an attachment.

For that one, I get a gray bar with a paperclip and the words "attached thumbnails". None of which is clickable.

Torsten
2016-Sep-02, 11:12 PM
I used to regularly link to images I stored at a third party site, but recently had started to put them here as a matter of convenience. A few days ago I noticed the same issue with locally stored images as noted by Trebuchet and Swift. But at that time I was able to see a list of the posts that had contained the locally stored images. Now I can't seem to find that list either. Sigh.

The Backroad Astronomer
2016-Nov-01, 04:03 AM
Did we get hacked again today?

slang
2016-Nov-01, 06:11 AM
No, there was some trouble at the Amazon hosting, Pamela and Cory had it fixed real quick. Well, I have no idea how long the server had been down, but they responded very quickly anyway.

01101001
2016-Nov-01, 06:34 AM
Well, I have no idea how long the server had been down, [....]

I do.


Mon Oct 31 00:00:02 UTC 2016 New day
Mon Oct 31 16:26:09 UTC 2016 Unable to connect to remote host.
Mon Oct 31 16:32:09 UTC 2016 Unable to connect to remote host.
[...]
Mon Oct 31 21:08:09 UTC 2016 Unable to connect to remote host.
Mon Oct 31 21:14:09 UTC 2016 Unable to connect to remote host.
Tue Nov 1 00:17:01 UTC 2016 New day

Almost 5 hours.

slang
2016-Nov-01, 07:31 AM
I do.
Almost 5 hours.

Ouch... Good bot! :) Thanks. Monitoring and signalling now includes this (new) server so hopefully any future downtime will be shorter.

The Backroad Astronomer
2016-Nov-01, 07:53 AM
thanks, just wondering

Chappy
2016-Nov-08, 08:02 PM
Hey folks

I just received an email stating that someone tried to sign up to CosmoQuest Chatroom (the forum I believe) using my email address and the usual "If this was you, simply click the following link and your account will be activated:" blah, blah, blah. Legit email.

Now unless this was generated by the bot as part of the fix & cleanup being done, or whether user data was actually compromised, I do not know. The only thing I DO know, is that the email address I've used and been able to keep clean for almost 20 years, may be compromised...I sure hope not.
Are we sure that no member data was compromised?

Dave

Swift
2016-Nov-08, 08:36 PM
Chappy,

The e-mail has nothing to do with the hack and is perfectly benign. There is a discussion here (https://forum.cosmoquest.org/showthread.php?162912-CosmoQuest-Chatroom).

CJSF
2016-Nov-10, 02:43 PM
OK, what about the "reset password" e-mail I just saw in my spam folder, with the link text that says it's from cosmoquest.org but when rolled-over says it's from sendgrid.net?

CJSF

CJSF
2016-Nov-10, 08:50 PM
OK, what about the "reset password" e-mail I just saw in my spam folder, with the link text that says it's from cosmoquest.org but when rolled-over says it's from sendgrid.net?

CJSF

Has anyone else had this e-mail? I'd normally ignore anything that comes into my spam folder, but I wanted to make sure this wasn't legit and of the earlier mentioned reboot of the Cosmoquest site (sans forum).

CJSF

slang
2016-Nov-10, 10:55 PM
OK, what about the "reset password" e-mail I just saw in my spam folder, with the link text that says it's from cosmoquest.org but when rolled-over says it's from sendgrid.net?

CJSF

Did you (try to) request a new password somewhere in the last month? If not you, someone else may have tried to get into your Cosmoquest account.

sendgrid.net is a service used by several large websites, AFAIK it facilitates sending large amounts of legit email, not spam. It was used by Cosmoquest before for sending out several types of email notifications, including reported posts to moderators. I had a message in my spambox allegedly from Cosmoquest, a gmail account, but also sent through sendgrid. This may have been the message cory said would be sent, here (https://forum.cosmoquest.org/showthread.php?162912-CosmoQuest-Chatroom&p=2376785#post2376785), but I'm not sure.

Launch window
2018-Sep-17, 11:23 AM
Hi guys, I'm not sure what end this was, mine or yours, but the login did not automatically hide the user password with * * * , also the word 'password' in the login window appeared as real text.