ipb
Posted June 1, 2006

WHAT OCCURRED

At 6:49 am (CST), we were hacked by someone with a Russian IP address. As many of you noted, he was able to insert a pair of iframes into a few skins. I was notified at 9:37 am (approximately 90 minutes after he inserted the iframes) and closed the forum until it could be cleared up. He was also able to access everyone's cookie login information. He did NOT access PMs or other personal information, just the skins and the cookie logins. He has, however, returned at least three times since the initial attack - but not at all since we have implemented security measures.

WHAT WE HAVE DONE

We have given the forum a fresh install, and have added additional security measures to the forum, as well as applied a recent security update that fixes this specific problem. The IP in question has been banned, as has the individual and their email address. We have also reported this incident to Invision, in case it was a new hack. It turned out to not be a new one, but it's recently been very active.

WHAT WE ARE DOING

We are actively looking into ways to add additional measures to prevent unauthorized access to the web-based administrative controls.

WHAT YOU NEED TO DO

While we use a double encryption scheme on the passwords, and your password was not actually accessed, it is still VERY important that you change your password immediately and destroy your old cookies from bpal.org (manually or by clicking this link). You should be changing your password frequently, at least every 2-4 months, and use strong passwords. We will be conducting a "password changing" audit later this month to ensure that everyone has changed their password. Individuals who do not change their password by approximately mid-July will eventually lose access to the forum.

FAQs

Q: How did they find us?
A: Our logs indicate that he found us using a simple search engine query - just as you may search for information to travel, spoilers, restaurants, etc., the hacker was searching for a specific kind of forum and version.

Q: Does he now have my password?
A: It's entirely possible, depending on the sophistication of the hacker. While our passwords have a special scheme that is not standard for most bulletin boards, it does rely on an encryption scheme that was recently broken. The hacker would have to know exactly how we encrypt our passwords, have the list of encrypted passwords and any added information, have a decrypting program for each method of encryption, and know how and where to undo the special multiplication and string smooshing (taking "c" and "at" to create "cat") that is done to our passwords. Considering the number of things that could have been done and weren't, I don't believe that this particular hacker is that sophisticated. It would still be a good idea to change your password if you use that password elsewhere with that email address, and we are requiring everyone to change their password.

Q: What do you mean by "a broken encryption scheme"?
A: There are decryption programs where you put in an encrypted passphrase and it returns the original password. For instance, if your password was "dog" and the encryption method was to reverse the phrase and add a 5 at the end of the phrase, your encrypted password would be "god5". If someone entered "god5" in a decryption program for that method, the program would tell them that the original word was "dog".

Q: What does this mean for other sites I use that password on?
A: He does not have your username, only the email address you registered with. The worst case scenario is that he has your email address and the password you used on the forum, in which case the only sites that could be affected are the ones that use those email addresses with your password.
Change your password at all sites with this email address and password, and you will be fine. The best case scenario is that all he can do is attempt to use your account to log in to the forum and try to hack it again. If you use PayPal or eBay with the same email address and password, I strongly recommend you change your passwords there as well -- it is ALWAYS better to be safe than to be sorry.

Q: Was that a virus or what?
A: On our end, it was not technically a virus, or a trojan -- after gaining administrative access to the forum (but not our server), he installed an advertisement/malicious spyware in one of the skins. I use Firefox, have a variety of pop up/pop under blockers (one of which blocks all iframes from domains other than the one you want to be on), and use a skin that was not affected, so I did not get a chance to see what exactly they were doing outside of what they did to the forum. BUT, the redirection may have been a trojan.

If you have any additional questions, please ask them in this topic.
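
A check a forum administrator could run after an incident like the one described above, given as an added example that is not part of the original post or of Invision's code: it scans skin templates for iframes whose source is off-site and notes whether they are hidden. The allowed host list, the skin names and the sample templates are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"bpal.org", "www.bpal.org"}  # assumption: hosts the forum may frame

SAMPLE_SKINS = {  # constructed templates for the demo, not the forum's real skins
    "default": '<div id="wrap">\n<iframe src="/index.php?act=chat"></iframe>\n</div>',
    "dark": '<div id="wrap">\n<p>Welcome</p>\n'
            '<IFRAME SRC="http://ads.example.net/x.php" width="0" height="0"></IFRAME>\n'
            '<iframe src="//cdn.example.org/c" style="display: none"></iframe>\n</div>',
}


class IframeFinder(HTMLParser):
    """Collects (line number, attributes) for every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # the parser lower-cases tag and attribute names
            self.frames.append((self.getpos()[0], dict(attrs)))


def is_hidden(attrs):
    """True for zero-size or invisible frames, a common sign of injection."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return (attrs.get("width") in tiny or attrs.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)


def audit_skins(skins, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per iframe whose src points at a host not allowed."""
    findings = []
    for name, html in skins.items():
        finder = IframeFinder()
        finder.feed(html)
        finder.close()
        for line, attrs in finder.frames:
            host = (urlsplit((attrs.get("src") or "").strip()).hostname or "").lower()
            if host and host not in allowed_hosts:  # relative URLs have no host
                findings.append({"skin": name, "line": line, "host": host,
                                 "hidden": is_hidden(attrs)})
    return findings

if __name__ == "__main__":
    print(*audit_skins(SAMPLE_SKINS), sep="\n")
```

Run against a known-good copy of the skins first, so that any legitimate off-site frames can be added to the allowed list before the check is used for alerting.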