Tendo City

Full Version: Tendo City Service Disruptions....
Tuesday September 6, 2007, shortly after 2:00 PM, our beloved Tendo City met with a violent attack by a hacker in Egypt. He ruined permissions, deleted forums, and deleted files from the server.

I wish to thank all the dedicated crisis response teams within the TovenNet network. Within just hours the site was restored to working order. The database has been rolled back to yesterday, and site and server security tightened. The only ill effect is that we lost a day's worth of posts.

Through careful examination of server logs, and the hacker's own email address which he gracefully left us, we have determined the hacker's identity and will be reporting it to the proper authorities.

Please email admin if the site experiences any problems.
Thank You....


Etoven
Site Owner: Tcforums.com
Hackers... :bummed:
Edenmaster I'm afraid the earth worker racers suffered massive casualties.
Sorry....
So my question is: did you figure out what they did? If so, have you "fixed" this entryway, or would that require some major upgrade?
Dark Jaguar Wrote:So my question is: did you figure out what they did? If so, have you "fixed" this entryway, or would that require some major upgrade?

We haven't figured out exactly how they did it, but we do know that they compromised Ryan's account and gained access with his credentials.

We took all the usual precautions: we banned the hacker's last known IP on all TovenNet and TendoCity servers (at the TCP/IP request level), reset all major passwords, and contacted the proper authorities with the information we gathered from the server logs.

That's all I have for now, I'll keep you posted with any updates.

Rest assured all your personal information on TendoCity is MD5 Hash encrypted and was not stolen. We think the hacker was able to log in as Ryan somehow without having to supply accurate credentials.
Tendocity is under attack from terrorists?!
That's terrible and all but...really...who took the time to hack a website that ten people know about...?

Ah, my poor little Earthworkers...Well, fortunately, they're cheap :D
We're still investigating the means by which the hacker obtained account information, but we have some important clues which led to a working theory. That's all I can say for now until I confirm; I'll spill all the details when I have more.

All I can say for now is that TendoCity Admins may have inadvertently sent the hacker their passwords, so for now I am asking that all admins/mods change their passwords so he cannot make another attempt at chaos using your forum privileges.

We have taken steps so he will not be able to retrieve the new passwords.

Thanks...
Etoven
DJ did have that weird imposter a few weeks back. Possible relation?
Fucking gypsies!

How the fuck and why the fuck did he do it to TC?
I actually explained what I was able to find about that person that took over when I was gone those two weeks to ABF. If you want you can ask him for the details.

Anyway, I doubt this is the same person, and I already changed my password after that one incident so that couldn't be it anyway.
etoven, while I love your energy I think it's time to stop talking like a corporate entity for a bit as we'd like juicy DETAILS.

Basically, say "I" instead of "we" unless you really do have multiple people working with ya right now (which I only say because if you have actually started something with people, you never told us!). Also, what have you been investigating? Inquiring minds want to know! Basically I just want to know if I can come up with anything to help you, and that means details. For example, do you think they got our passwords AFTER hacking or that they got the passwords TO hack the site, and either way, how'd you find that out?
Agreed! :)
I actually do have multiple people that are part of the TovenNet network working on this, DJ, and I would be a corporate entity when I get around to filing the paperwork.

My crisis response team consisted of a Level 2 Network Team Leader who manages the dedicated server and farm that TendoCity runs on, and several other network analysts who pulled an all-nighter working on this, so please don't sell them short.

Here is my latest update, this is all the information I have...

Apparently, through a PHP backdoor vulnerability, the hacker was running a phishing scam on TendoCity servers, not just to hack us, but he was also impersonating several banks as well. We don't know how he hijacked Ryan's account; his and other passwords are MD5 encrypted and hashed against itself. We think he may have gained access to Tendo City's directory tree through a vulnerability in PHP where he recently was able to upload several malicious scripts. The scripts he uploaded have been disabled by removing permissions on the files. This will not let them run but allows us to still examine the files as we continue the investigation.

His IP address has been banned from the server at the server request level. The server should no longer be able to accept TCP/IP or UDP packets from him of any kind.

That's all I have for now; you all will be the first to know if any more information develops.
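The quarantine step described in that post (leave the uploaded scripts on disk for examination, but strip their permissions so the web server cannot execute them) can be done with a small scan. The script below is an added example written for this thread, not etoven's or TovenNet's actual cleanup tooling: it builds a constructed sample upload directory, detects files by content rather than by filename (a PHP file can hide behind a harmless-looking name), records a SHA-256 of each hit for the evidence log before touching it, and then sets the mode to 000. It assumes a POSIX host; the directory layout, file names and file contents are all made up.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Byte markers that identify PHP source regardless of the file's extension.
PHP_MARKERS = (b"<?php", b"<?=")


def looks_like_php(path: Path) -> bool:
    """Content-based check: read the first 4 KiB and look for a PHP open tag."""
    with open(path, "rb") as f:
        head = f.read(4096)
    return any(marker in head for marker in PHP_MARKERS)


def current_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(path.stat().st_mode)


def quarantine_uploads(upload_dir: Path) -> list:
    """Disable every PHP-looking file under upload_dir without deleting it.

    For each hit: hash the bytes first (the hash goes in the incident record),
    note the original mode, then chmod 000 so the web server can neither
    execute nor serve it. The file itself is kept for later examination.
    """
    findings = []
    for path in sorted(p for p in upload_dir.rglob("*") if p.is_file()):
        if not looks_like_php(path):
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode_before = current_mode(path)
        path.chmod(0)  # equivalent to `chmod 000`; root can still read it for analysis
        findings.append({
            "path": str(path.relative_to(upload_dir)),
            "sha256": digest,
            "mode_before": oct(mode_before),
        })
    return findings


def build_sample_upload_dir() -> Path:
    """Constructed sample tree (hypothetical): two harmless files and one
    PHP file hiding behind a double extension. Contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="tc_uploads_"))
    (root / "avatars").mkdir()
    (root / "avatars" / "dj.png").write_bytes(b"\x89PNG\r\n\x1a\n placeholder image bytes")
    (root / "avatars" / "banner.jpg.php").write_bytes(b"<?php echo 'placeholder'; ?>")
    (root / "readme.txt").write_bytes(b"plain text, nothing to see")
    for p in root.rglob("*"):
        if p.is_file():
            p.chmod(0o644)  # typical mode for a web-served upload
    return root


if __name__ == "__main__":
    sample_root = build_sample_upload_dir()
    for finding in quarantine_uploads(sample_root):
        print(finding)
```

Hashing before the chmod matters: once the mode is 000 an unprivileged analyst can no longer read the file, and the hash is what ties the on-disk evidence to the later report. Deleting the files instead would have destroyed exactly the material needed to work out how the upload happened.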
Man, it's like a real-life Swordfish going on over here!
Oh I wasn't selling them short or anything. You were just talking "funny" and I was wondering how much of that was humor and how much was actually real.

MD5 encryption isn't really the strongest. It only makes one "pass" and all, and I've heard there are some hacks for it out there as it is.

Is this a vulnerability in PHP scripting language itself or just a vulnerability in TC's specific site scripts? If it's the latter, all the more reason to see if we can't get the latest version of our forum software set up. While that IP address is banned, it is only a temporary fix, but I'm sure you're aware of that. Really though if the guy doesn't travel much or isn't that motivated to keep bothering us, we're probably safe.

Thanks for the update!
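Dark Jaguar's "one pass" point is the real weakness, and the earlier assurance that the passwords are "MD5 Hash encrypted" is less reassuring than it sounds. The example below is added here and is not code from the forum software or from TovenNet; the usernames and passwords are constructed. It contrasts the 2007-style storage (a single unsalted MD5 of the password) with a per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library): with unsalted MD5, two users who picked the same password get the same stored hash, so one precomputed table covers everyone, whereas the salted, iterated form gives every user a distinct record and makes each guess cost real work.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; names and passwords are made up for this example.
SAMPLE_USERS = {"ryan": "hunter2", "etoven": "hunter2", "dj": "correct horse battery"}


def md5_unsalted(password: str) -> str:
    """Single-pass, unsalted MD5: one hash call, no per-user salt, no iteration."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_md5_hashes(users: dict) -> dict:
    """Group usernames by their unsalted MD5 hash.

    Any group with more than one member demonstrates the problem: identical
    passwords give identical hashes, so a single precomputed table of common
    passwords resolves every affected account at once.
    """
    groups = {}
    for name, password in users.items():
        groups.setdefault(md5_unsalted(password), []).append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def pbkdf2_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    The salt makes equal passwords hash differently; the iteration count is
    the tunable 'number of passes' that slows down every guess.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def pbkdf2_table(users: dict) -> dict:
    """Salted, iterated records for every user; no two records share a hash."""
    return {name: pbkdf2_record(password) for name, password in users.items()}


if __name__ == "__main__":
    print("accounts sharing an unsalted MD5 hash:", shared_md5_hashes(SAMPLE_USERS))
    table = pbkdf2_table(SAMPLE_USERS)
    print("ryan and etoven share a PBKDF2 hash:", table["ryan"]["hash"] == table["etoven"]["hash"])
    print("ryan verifies with the right password:", pbkdf2_verify("hunter2", table["ryan"]))
```

The salt and iteration count are stored next to the hash on purpose; they are not secrets. What protects the password is that each guess has to be recomputed per user at the chosen cost, instead of one MD5 call per guess reused across the whole member table.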
damn. I thought it was the start of an elaborate joke. I mean... death to Israel? who actually says that?
hephaestus Wrote:damn. I thought it was the start of an elaborate joke. I mean... death to Israel? who actually says that?

...what...?

Ahh the little bastard deleted everything in my folder on the FTP! It's gonna take me MINUTES to put that stuff back in there!
Hmm, I'm not sure if I even remember the FTP password... not that it should be mentioned on the forum. :)
Eden/ bra! fo reel, dirka-dirka was talkin shit about Israel and killing Bush. Don't they know yet that WE want him dead too?
Hey my bro my, wanna sign this petition to stop animal testing of office supplies?
Update: Provided Ryan can find the necessary shit...

I will be updating the forum software as soon as I get paid on Thursday.
Hopefully the update won't be as devastating as the hacker.
I'm still unclear as to what the hacker attempted to achieve by hacking a website that 10 people know about...
Simple. The hacker wants to be "bad" without getting too much attention from "the man", thus negating any image of being "bad" but rather "petty".
And he was stealing money from bank customers....
You don't...think our Egyptian friend had anything to with this (http://tcforums.com/forums/showthread.php?t=4647) do you?
Yeah, I'd imagine the purpose would be the 'using server as dummy to do other bad stuff elsewhere' thing, not 'taking down a forum with 10 members'. :)
EdenMaster Wrote:You don't...think our Egyptian friend had anything to with this do you?

He was impersonating Bank Of America but I'm sure a lot of people are...
etoven Wrote:He was impersonating Bank Of America but I'm sure a lot of people are...

Perhaps, but the coincidence is striking.

I'd received the mail another couple of times, same basic idea but differently worded. The second time, while still obviously a scam, was at least more professional LOOKING than the first.

I wouldn't doubt it.
What coincidence exactly? I'm not sure I see the connection.
Yeah, there's a lot of identity-theft spam like that out there...
It's possible there is no connection.

There are just similarities is all.
I mean I don't see anything. One's a web page hack (that didn't seem to turn us into an advertisement at all) and the other is a spam e-mail.
Dark Jaguar Wrote:I mean I don't see anything. One's a web page hack (that didn't seem to turn us into an advertisement at all) and the other is a spam e-mail.

The connection is that our hacker was using it to (according to etoven) steal money from bank customers and impersonate Bank of America, the same as the spam I received.
Oh yeah, I thought that sounded a little weird actually. So etoven what sort of thing were they trying to do? Were they setting up special software on our server so if the scam was traced it would link back to us?