miskie Posted October 4, 2006

So what was up with this downtime? Just some moron hacker?

Here is the latest, copied from http://society.miskie.net/index.php?showtopic=1119
Read the whole thread to get the gist of it.

I just went to war with that client -- especially since I discovered that 2 weeks before that it was HIS account that was hax0r3d first. He spent his time blaming me, told me fixing everyone's data is my job as webhost (which it isn't), and then he made off like a thief in the night. He laid out his plan in his secret moderators' forum.. that basically he was going to move his site to his buddy's webserver because he didn't like how long it took me to respond to his PMs -- I told him up front it would be a couple of days, but I guess he needed hourly reports...

Secret forum.. meh.. I was the webhost after all.. Anyone who thinks they keep secrets from me is mistaken. That's just plain fact.. Everyone who has hosting from someone else is part of a totalitarian regime.. I just try to be a benign dictator.

I told him I would archive his data for 30 days while he tried this guy out. Anyway, afterward I discovered these two facts...

A) He was the first hacked because of his stupid username/password choice.
B) In his need to whisk his forum away as quickly as possible, I didn't have the chance to finish manually picking through the data for backdoors. There is a backdoor buried in his data with his new host right now, unless he finally took my advice to find it.

And his clients are wondering why the forum is behaving badly.. PhpBB needs about 50 layers of forum armor to make it less hackable.. it's crap. Period. If the new host isn't as armed as I am (which I doubt, most of what I have I manually applied -- default server installs simply don't put in the extras I have) So, people are having their posts vanish, they are getting applied to wrong topic, etc etc.. all the signs of malicious mischief.

He refused to answer any of my IMs explaining the issue, that he is still compromised, and that there is an exploit running on his box. So, I went irrational.. I made my case at an ezboard forum he has, that he was wrong to blame me for what was ultimately his mistake, and then I listed both the username and password he was using on my server as the reason he was nailed. That got his attention, and got me ba-zanned at both the real forum as well as the ezboard.. -- as I expected.

But, IF he made the mistake of using that compromised username and password again, I'm sure he will change it now -- Sometimes you need to go to extremes to protect somebody's ass. I also figured if I kept my mouth shut about those passwords, it wouldn't be long before I am blamed for a vengeance hack, since I know that trojan is waiting. Now it all has to be changed, without me knowing anything about it. He is safer, and so am I.

He broke the Cardinal rule -- 'Thou Shalt Not Piss off T3h miskie'

I finally sent him a letter, asking to chat with him to close this book with civility... Well, I made the offer.

BTW, the forum in question is http://www.vftwforum.com -- the Anti American Idol site.. Frankly, I love it but, their king doesn't take advice too well.

Lucandrake Posted October 4, 2006

So do we change our passwords? HuH!? I'm lost..

Robert (Author) Posted October 4, 2006

So it was caused by webmasters who didn't take the most basic precautions. Huh.

I saw Miskie's posts. What is he talking about? Just ignore him. As most of the people here have learned, he's just trying to push buttons. Hopefully he'll learn that he's just embarrassing himself by attacking people in a public forum and that no one could damage his reputation as much as he is damaging his own currently.

Here's the post referred to: http://www.vftwforum.com/phpBB2/viewtopic.php?t=907

Mooney Posted October 4, 2006

Awesome! Couldn't wait to get back on. For me, the down time sucked even MORE because DSpot, a forum hosted by 1emu, also went down. I had nowhere to go!

I thought you been to 1pornnation all the time?

Psssh. You wish. I have better things to do than visit porn sites.

miskie Posted October 4, 2006

So do we change our passwords? HuH!? I'm lost..

You might want to, but my suggestion is that everyone with FTP access into the forum change their passwords. There seem to be no operating trojans within 1emulation or any of the satellites.

So it was caused by webmasters who didn't take the most basic precautions. Huh.

I saw Miskie's posts. What is he talking about? Just ignore him. As most of the people here have learned, he's just trying to push buttons. Hopefully he'll learn that he's just embarrassing himself by attacking people in a public forum and that no one could damage his reputation as much as he is damaging his own currently.

Here's the post referred to: http://www.vftwforum.com/phpBB2/viewtopic.php?t=907

That's correct -- this webmaster used a version of his own sitename and a person's name as passwords -- for example, if I owned the website http://miskies-hot-chix.com and made my login miskie, and my password hot-chix -- It was that stupid. And it seemed nothing I could do could get the stubborn ass to budge.. well, I forced his hand, now he has to change it all. And, since I can know nothing about any of the changes (since I'm even IP banned) once his site is hacked -- it's PhpBB -- it's coming.. they can't blame me for doing out of vengeance.

GodPigeon Posted October 4, 2006

YYESSS WERE BACKKKKKK!!!! Happy to see all is well and unchanged here at 1emu.

While at 2emu, someone tried to Flame kGo, So I had to "Attack" Him in the name of 1Emulation

So in the return of 1Emulation, I'm gonna do something I promised to do as a newbie to someone who picked on me

GoRDoOnE attacked someboddy with a Large Trout (219 str) and took off 155!
someboddy has 0 HP left!
someboddy is now dead, therefore cannot counterattack!!!!
You gain 1 frag(s) (0 stolen).
You gain: 57 EXP points!!!!
GoRDoOnE Wins

kGo Bytches no hard feelings someboddy

Robert (Author) Posted October 4, 2006

once his site is hacked -- it's PhpBB -- it's coming.. they can't blame me for doing out of vengeance.

I've seen so many phpBB sites wiped out from hackers' attentions (although mostly last year), certainly if I was to have a forum it wouldn't be that brand. I note the site is called Vote For The Worst - they'll be able to vote for themselves soon enough I imagine.

miskie Posted October 4, 2006

once his site is hacked -- it's PhpBB -- it's coming.. they can't blame me for doing out of vengeance.

I've seen so many phpBB sites wiped out from hackers' attentions (although mostly last year), certainly if I was to have a forum it wouldn't be that brand. I note the site is called Vote For The Worst - they'll be able to vote for themselves soon enough I imagine.

The only reason it's survived so far is because of the blankets of server security I've thrown on top of it.. One of my sets of hack-protection rules has pages of exploits to check for specifically on phpBB -- when I first got him as a client I advised against it, but since his buddy had a skin good to go, he refused.

I have stopped many attacks on that forum each day. One day, someone spent about 4 hours banging it at about 3 hits per second from a series of rotating IPs -- it was a sight to behold. But his forum, and the server, stood tall. All I had was reams of log data from it.

Since he has already angered the blood of the hacker natives, they will learn soon that most of those layers of security have vanished. I'm sure in a few days, the site will redirect to a web-page somewhere in russia or china once it gets tagged.

But, I'm IP banned -- so, it's not going to be me in those logs, that's for sure.

Lucandrake Posted October 4, 2006

Well just laugh at him when karma bites him in the ass.

miskie Posted October 5, 2006

Well just laugh at him when karma bites him in the ass.

I'm pretty sure it will -- It kinda did when he tried to take his data and run, and he lost an entire day's worth of posts. Then he and his new admin apparently couldn't fix it. And they blamed me. Or so it seems, since he was all pissed off and wouldn't share why publicly.. After I locked the door behind them I fixed the data. Took one MySQL command to do it. BTW, this self-corruption is a phpBB trademark - the forum is craptacular.

So, in short, within 24 hours, they lost a day's worth of posts, had many other posts vanish, or end up posting wrong (wrong thread, wrong user etc) and people locked out of their own accounts who needed manual resetting. I'm sure they blame me -- SO, I got myself totally banned -- screamed the truth about their forum in the most obtuse way I could, so when it all starts to come totally unraveled, I can have nothing to do with it.. everyone including the owner should have changed logins and passwords, and most of the clients should have as well.

I know when the ship is sinking, and I know when to run. IF the transition went smoothly, I would have said/done none of this.. but as I watched the bricks fall one by one I knew I needed to do something totally erm, UnMiskie...

If any of you see any other gems in that forum, don't be afraid to amuse me by posting them

CJ Jackson Posted October 5, 2006

Even the good guys can get banned from forums.

miskie Posted October 8, 2006

Ehh, maybe so, maybe not.. I think that whole episode went wrong -- the server was hacked, and I spent a few days putting it back together. I was tired, waaay tired from salvaging data, reinstalling a server and putting everyone's stuff back who was affected.

I think both the admin of VFTW and I were busy pushing each other's buttons. When he went after me telling me the server hack was my fault, I got angry.. And when I discovered in the logs that the server hack was his fault, I got really, really angry.

You see, when I identified the first three affected sites, all of them were getting logged into at the same time, kinda a chicken and egg scenario -- one of them had to be first, so I figured I would find the original leak. After I went back far enough in the logs, I found that what the hacker did was he got into VFTW first, then from there found other weak logins and passwords. He/she then abandoned VFTW and logged into the three affected sites 'cleanly' -- meaning right login, right password, first time. Which, of course, raises no alarms, except that the hacker logged into all three of them at the same time, every time. But, a computer isn't going to notice that, it only picks up on mistakes.

So, I blew up. I was tired, hungry and feeling sick from the lack of sleep, and I let my emotions get the better of me. And for that I apologise, and wish them well..

There is still the matter of the back door in his site - It's a renamed copy of Php Shell -- it's an old old tool that basically allows the user to fire off shell commands from a php interface. The file is in there, but has been renamed to something else -- I don't remember what. This is what the hacker did to his site and the three others affected, the names were something that made the file look like part of the software used. The one giveaway is the date.

What I would suggest to VFTW at this point is deleting all the control files from that site, and replacing them with clean copies. Leave the database intact. That should catch that program, and result in minimal downtime.

I've picked through all remaining hostees and have found no other instances.

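The post above describes logins that raise no alarm individually (right login, right password, first time) but always hit the same group of accounts at the same moment. As an added example, not part of the original thread, here is one way a log review could surface that pattern; the log format, account names, addresses and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (timestamp, account, source, outcome); not real data.
SAMPLE_LOG = """\
2006-09-20 03:14:02 site_a 203.0.113.7 OK
2006-09-20 03:14:05 site_b 203.0.113.7 OK
2006-09-20 03:14:09 site_c 203.0.113.7 OK
2006-09-20 09:30:00 site_d 198.51.100.4 FAIL
2006-09-20 09:30:20 site_d 198.51.100.4 OK
2006-09-21 03:02:11 site_a 203.0.113.9 OK
2006-09-21 03:02:15 site_c 203.0.113.9 OK
2006-09-21 03:02:19 site_b 203.0.113.9 OK
2006-09-21 14:00:00 site_e 192.0.2.10 OK
"""

def parse(log_text):
    """Turn each log line into a (timestamp, account, source, outcome) tuple."""
    events = []
    for line in log_text.splitlines():
        date, clock, account, source, outcome = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, account, source, outcome))
    return sorted(events)

def login_bursts(events, window=timedelta(seconds=30), min_accounts=3):
    """Group successful logins at most `window` apart; keep multi-account groups."""
    bursts, current = [], []
    for ev in events:
        if ev[3] != "OK":
            continue  # a failed attempt already trips ordinary alarms
        if current and ev[0] - current[-1][0] > window:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return [b for b in bursts if len({e[1] for e in b}) >= min_accounts]

def recurring_account_sets(bursts, min_repeats=2):
    """Account sets that log in together on several occasions, whatever the source."""
    counts = Counter(frozenset(e[1] for e in b) for b in bursts)
    return {accts: n for accts, n in counts.items() if n >= min_repeats}

if __name__ == "__main__":
    hits = recurring_account_sets(login_bursts(parse(SAMPLE_LOG)))
    for accts, n in hits.items():
        print(sorted(accts), "logged in together", n, "times")
```

Grouping on time alone, not on source address, keeps the check useful when the logins come from changing addresses; on a busy server the window and repeat count need tuning to keep ordinary coincidences out.
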
Robert (Author) Posted October 8, 2006

As a matter of curiosity, about how many sites are on this server?

miskie Posted October 8, 2006

As a matter of curiosity, about how many sites are on this server?

On this particular box, 27 clients and 30 domains.. when you add in subdomains (http://something.domain.com) the hosted sites increase to about 75 or so.