You may have noticed we had some troubles the last few days, with our forums going down and accounts being inaccessible. The simple reason for this is: we were hacked. Exploiting a weakness in Joomla after our update, some childish idiots who probably thought deleting forum accounts on a small fan website was really funny, managed to wreak havoc on our little home. It could even be an automated hack, created to exploit the weakness in any website it could find. Thanks to the sterling efforts of our admin Pol, however, we have now been restored to normal function.
As a small editor's note: we admire the efforts of hacking groups like "Anonymous", or hackers who try to discover flaws in software security so that these flaws can be corrected. Such individuals work to protect the safeties and freedoms of ordinary people in the digital world. On the other hand, people who target sites like ours, I mean - what's the point? We're just a small gaming website, not even remotely harmful. Hacking a site like ours is just juvenile. So this is my advice to whoever out there may feel this applies to them: grow up, get a life and leave us alone.
CH Hacked, Fought Back
- {CH}ArticleBot
- CH News Reporter
- Posts: 1139
- Joined: 14 Aug 2015
- GreatEmerald
- CH Staff
- Posts: 3330
- Joined: 24 Jul 2009
- Location: Netherlands
Re: CH Hacked, Fought Back
Woah. That's unfortunate. Was anything leaked? Is the vulnerability already fixed? Things like that are why I'm trying to move my own website from Joomla to Jekyll, sigh...
I suppose this shows time and again how important it is to keep backups. So good job at doing that.
Also, sorry for not being very active at the moment, what with theses and all!
-
- Hunter
- Posts: 528
- Joined: 06 Jan 2006
Re: CH Hacked, Fought Back
Forum accounts are probably stored in an SQL database. Even if the site does regular DB backups, it should be fine. What's worse is if the credentials are stored unencrypted. You probably want to double check on that, since it is quite common for people to use identical user/password pairs on multiple sites.
Re: CH Hacked, Fought Back
Well... not to sound dismissive of our forum administrators and moderators' efforts, but this is really a very small site in the big scheme of things. I don't think there is some major plot. Or even a self conscious effort by some human hacker. Probably an automated hack, exploring all the weaknesses of every site on the web hoping to find some credit card numbers that they can use.
There is no way this site can hold valuable information. I very much doubt that even if they got in and downloaded every bit of information on Celestialheavens, they can find a single sixteen digit string of numbers.
Re: CH Hacked, Fought Back
Well we know that the first hack was done manually by some Turkish individual(s) who deleted a couple of news stories (which I manually recreated), so ... Apparently, this software weakness was so obvious that the hack wasn't even particularly difficult.
In War: Resolution, In Defeat: Defiance, In Victory: Magnanimity, In Peace: Goodwill.
Re: CH Hacked, Fought Back
We did a lot of fixes after the first attempt. Also there was an important update of WHM. But memcache stayed in the new configuration and that's probably the major mistake. Originally I wanted to arrange some time frame with our hoster, so I could check after the update, but that didn't happen, as they said that they place us into a queue and it will happen when they get to it.
Joomla is very popular, so it's often a target of hacking attempts; regardless of that, a well-secured Joomla just stays secure. If that weren't true, all Joomla sites would be hacked weekly or more often and the CMS would collapse.
Unfortunately today's world is more complicated and the CMS is just the first line. You have LAMP (and sure, session management) and in our case WHM. So there are two more layers where, if an error happens, you have big trouble.
-------------------------------------------------
And now something more official:
-------------------------------------------------
Dear members!
If you experienced problems logging in to the site, you weren't alone. And we're deeply sorry for the inconvenience.
Exactly one day after the update, two things happened.
For one, the main site refused to log you in, as the session mechanism broke. I don't know what exactly happened, as before it was flying like an eagle, but it died. This is now resolved and memcache was completely disabled - even if we intend to get some caching mechanism back at some future point. It won't be memcache, because there was that other thing.
...
A few minutes after, the log spits out that 165 members were deleted; it took six minutes and then stopped. The time coincidence is high, so my best guess is that they manipulated the session table in memcache and got short access to our system. Whatever exactly they did, it was bad enough. We use a bridge, which syncs everything from the main site to the forum, so all deletions were instantly transferred to the forums. There the action was logged, which is the only good point in the story.
The account recovery is still running and I will write here when it is done.
A good security measure is to change your password; although no passwords are stored in the database, given enough CPU power, any hash can be cracked.
"We made it!"
The Archives | Collection of H3&WoG files | Older albeit still useful | CH Downloads
PC Specs: A10-7850K, FM2A88X+K, 16GB-1600, SSD-MLC-G3, 1TB-HDD-G3, MAYA44, SP10 500W Be Quiet
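Added example, not part of the original thread or of the site's own tooling: the post above says the only trace of the incident was the forum log recording 165 deletions over six minutes. A sliding-window check over such a log would flag that pattern within the first seconds. The log format, field names and thresholds here are assumptions, and the sample lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed log lines; the format is an assumption, not the forum's real log."""
    lines = ["2000-01-01 09:00:00 user_deleted id=7 actor=moderator"]
    start = datetime(2000, 1, 2, 3, 0, 0)
    for i in range(165):  # 165 deletions spread over six minutes
        ts = start + timedelta(seconds=i * 360 / 165)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} user_deleted id={1000 + i} actor=bridge")
    lines.append("2000-01-02 03:10:00 user_login id=42 actor=self")
    return lines

def parse_deletions(lines):
    """Yield timestamps of user_deleted events, skipping other or malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[2] != "user_deleted":
            continue
        try:
            yield datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue

def find_deletion_bursts(lines, threshold=10, window=timedelta(minutes=1)):
    """Report each run where at least `threshold` deletions fall within `window`.

    Lines are assumed to be in chronological order, as in an append-only log.
    """
    recent, bursts, current = deque(), [], None
    for ts in parse_deletions(lines):
        recent.append(ts)
        while ts - recent[0] > window:  # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if current is None:  # threshold just crossed: this is the alert moment
                current = {"alert_at": ts, "start": recent[0], "end": ts,
                           "count": len(recent)}
            else:
                current["end"], current["count"] = ts, current["count"] + 1
        elif current is not None:  # rate fell back below threshold: burst over
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts

if __name__ == "__main__":
    for b in find_deletion_bursts(make_sample_log()):
        print(f"ALERT at {b['alert_at']}: {b['count']} deletions, {b['start']} to {b['end']}")
```

On the constructed sample the alert fires after the tenth deletion, which is the point where a bridge could pause syncing deletions until an admin confirms them.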
Re: CH Hacked, Fought Back
GreatEmerald wrote: Woah. That's unfortunate. Was anything leaked?
No idea, logs are clean. I assumed that they manipulated the session table and used a vulnerability in some Joomla component. Most likely something generic like mod_user or alike, but I don't have time to play cat and mouse to simulate that.
As memcache is off they cannot do it again.
Actually there are weekly fixes. So keeping a site like that running requires constant attention. This world is dynamic.
I easily see why Jekyll is better for you, as a generator of static pages. You can go with it if you have a small site like portfolio pages or a blog.
Re: CH Hacked, Fought Back
Hack i don't know how much "hacking" there's required some of my old guild mates just use some program to get in their old forum...
hmm...i'm still hoping that someone hacks to my email and pays all my bills...
Speaking of StuxNet while ago i watch this documentary Zero Days... at that time some people said it's a "beautiful code" i remember wondering how these people find beauty in some numbers and letters x) "21st century standards of beauty" i guess...
but ok documentary there wasn't so much to talk actual StuxNet so its bit filled with these discussions of national security issues...
worth to watch for anyone who's interested to know what this back years "piece of art" was...