Sciencemadness Discussion Board
Not logged in [Login ]
Go To Bottom

Printable Version  
 Pages:  1    3  ..  7
Author: Subject: The Forum Has Been Hacked
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

thumbdown.gif posted on 11-8-2014 at 22:16
The Forum Has Been Hacked


Just now, in a thread in beginnings, HeYBrO noticed that some members' locations mysteriously changed to "/root/." Here is a list of affected members:
bobm4360
elementcollector1
Oscilllator
Manifest
Tdep
DubaiAmateurRocketry
Mr_Magnesium
TheChemiKid
gdflp
HeYBrO
numos
careysub

No idea why this happened, could just be the effect of some routine software tweaking, but I thought it would be good to let everybody know just in case it's caused by someone or something malicious.

EDIT: We now know that the forum has definitely been hacked. If any of your account information has been changed, change your password before your account becomes compromised.

[Edited on 8-12-2014 by zts16]




Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 11-8-2014 at 22:29


Just noticed that all of their birthdays have changed to 1-1-1980

Also, now we know that Mr_Magnesium has been taken over by someone else, as he's posting crap about acetone peroxide with horrible grammar which doesn't seem like him: https://www.sciencemadness.org/whisper/viewthread.php?tid=32... and he was one of the ones affected. Both happened around the same time, so it may possible be related, although it could be a coincidence.

[Edited on 8-12-2014 by zts16]




Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Manifest
Script Kiddie Asshole
***




Posts: 229
Registered: 7-12-2012
Member Is Offline

Mood: No Mood

[*] posted on 11-8-2014 at 22:32


Good work Columbo.


[Edited on 12-8-2014 by Manifest]
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 11-8-2014 at 22:34


Look man, I know it's probably nothing. I just wanted to point it out, just in case.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Manifest
Script Kiddie Asshole
***




Posts: 229
Registered: 7-12-2012
Member Is Offline

Mood: No Mood

[*] posted on 11-8-2014 at 22:36


I'm just joking, you need to take me less seriously.
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 11-8-2014 at 22:42


Sorry Manifest, but it's rather hard to detect joking and sarcasm on a forum, particularly since it's late at night for me right now and I should probably be going to sleep.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Manifest
Script Kiddie Asshole
***




Posts: 229
Registered: 7-12-2012
Member Is Offline

Mood: No Mood

[*] posted on 11-8-2014 at 22:45


His posts are being deleted...
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 11-8-2014 at 22:48


Err, yeah... His recent posts seemed to have disappeared. The older ones are still there. But at the same time, it makes me wonder, since the list hasn't changed other than for his two accounts, so it looks a bit like he's actually just pretending to be hacked...



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Manifest
Script Kiddie Asshole
***




Posts: 229
Registered: 7-12-2012
Member Is Offline

Mood: No Mood

[*] posted on 11-8-2014 at 22:49


No, he made a post on his alternate account saying Brain Force was compromised.
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 11-8-2014 at 22:52


Yes, and that one also appeared with the /root/ and the post disappeared, but since earlier when I posted the list of affected usernames, the only two that were added were his two accounts, making it seem like he might have done it himself just to screw with us.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Manifest
Script Kiddie Asshole
***




Posts: 229
Registered: 7-12-2012
Member Is Offline

Mood: No Mood

[*] posted on 11-8-2014 at 23:00


Polverone is online now, hopefully he'll give us an explanation, this is scaring me
View user's profile Visit user's homepage View All Posts By User
Tdep
International Hazard
*****




Posts: 504
Registered: 31-1-2013
Location: Laser broken since Feb 2020 lol
Member Is Offline

Mood: *PhD Crisis Time*

[*] posted on 11-8-2014 at 23:01


Woah, I just got older!

Hope he hasn't changed every record, I don't want to be suddenly 30!
View user's profile View All Posts By User
Polverone
Now celebrating 18 years of madness
*********




Posts: 3164
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 12-8-2014 at 01:08


I don't think this is as dire as I originally believed. Affected user accounts, as listed in the first message in this thread, have been frozen for now (email addresses altered and passwords disabled). More information to follow.



PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
APO
International Hazard
*****




Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline

Mood: Refluxing

[*] posted on 12-8-2014 at 01:59


Hey, some members things where it says "Location: /root/" are just disappearing. I'm scared now. I think you should freeze all password and email address changes for awhile except for those who need a reset.

[Edited on 12-8-2014 by APO]




"Damn it George! I told you not to drop me!"
View user's profile View All Posts By User
legitaccountdontdelete
Harmless
*




Posts: 1
Registered: 12-8-2014
Location: not in /root/ that's for fucking sure.
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 02:24


Polverone what do you think it is?
View user's profile View All Posts By User
Polverone
Now celebrating 18 years of madness
*********




Posts: 3164
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 12-8-2014 at 03:03


Yes, all the users with '/root/' as their location have been compromised -- perhaps a few others. A rootkit scan on the server didn't show anything, ssh access logs didn't show anything, and there were no new script files installed. Further, if an attacker really did have root access, why bother with non-moderator accounts? Why tip your hand when you could just access the database directly and bypass all forum passwords? The most likely explanation seems to be that the attacker doesn't really have root access but just guessed weak passwords on some ordinary user accounts.

Examination of the the forum logs and web server logs did reveal an interesting connection.

A bunch of server access was referred from http://5.175.164.221 (I have delayed posting until I could locally archive what was there). In case that site is offline by the time you read this, it contains/contained a melange of pictures and videos of homemade pyrotechnics, lists of common passwords, and scripts for hacking.

By cross-referencing the server access logs and the IP addresses on user posts, I can tell that the following accounts used IP addresses at least once that were also used by the mysterious person(s) referred-by-5.175.164.221:

Bert
bobm4360
Burner
careysub
Crypto
DubaiAmateurRocketry
Eisenstein
elementcollector1
gdflp
Leetage
leu
Magpie
Mailinmypocket
Manifest
Mercedesbenzene
mnick12
Mr_Magnesium
numos
Oscilllator
Praxichys
Pyro
Pyrocystis Lunula
S.C. Wack
Tdep
TheChemiKid
woelen
Xenoid

This includes a number of accounts that were already reported as compromised but also some that weren't. What do the members on this list have in common? Use of public proxies? If your name is on this list and your account isn't already frozen, I suggest changing your password and making it strong.

For the technically inclined, here's a line from a web server log file that shows what I am talking about :

Code:
::1:80 66.87.66.61 - - [12/Aug/2014:00:11:07 -0700] "GET /talk/misc.php?action=login HTTP/1.1" 200 3429 "http://5.175.164.221/https.html" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SPH-L710 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"


I cross-matched the IP address 66.87.66.61 with a prior posting from a registered member. I scripted the cross-referencing for all unique IP addresses that showed up with a 5.175.164.221 referrer.

At this point I'm guessing that the attack came from a juvenile member or members of our own forum here.

In order to begin unfreezing compromised user accounts I am going to need to restore a database backup locally, to find what email addresses were before the attacker reset them, then I will make contact with the affected members via email to get their access restored. I am also going to interview a couple of affected members about their passwords before I actually begin unfreezing, to make sure they really were relatively easy to guess. If affected accounts had passwords like 2Qc..6f0eb1a913a4adP338, I'm going to have to reconsider my password-guessing assumption.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
APO
International Hazard
*****




Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline

Mood: Refluxing

[*] posted on 12-8-2014 at 03:52


Just an idea, freeze the accounts of anyone who registered today and disable new member registering until we/you figure out the problem.



"Damn it George! I told you not to drop me!"
View user's profile View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 12-8-2014 at 06:48


Well then, it does appear that I was right about Brain&Force faking being hacked, as neither of his accounts are on that list of people who really were.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 12-8-2014 at 08:53


Sorry, Brain&Force... I saw your tweets. It just seemed to me at first like the timing was a bit too perfect, and you weren't on Polverone's list.
Oh, and also, did the weird acetone peroxide thread where the issue was first noticed get deleted, or did it just "mysteriously disappear?"




Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 12-8-2014 at 09:14


DJF90's location changed to /dev/null and birthday to 1-1-1980
Also, Kapitan's location is /dev/urandom but birthday is none.

[Edited on 8-12-2014 by zts16]




Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
plante1999
International Hazard
*****




Posts: 1937
Registered: 27-12-2010
Member Is Offline

Mood: Mad as a hatter

[*] posted on 12-8-2014 at 09:24


I am compromised, please block my account
View user's profile View All Posts By User
The Volatile Chemist
International Hazard
*****




Posts: 1973
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline

Mood: Copious

[*] posted on 12-8-2014 at 09:50


So I talked to B&F, and he said his password had upper and lowercase, numbers, etc. It's my theory this is just brute force of members someone hates.



View user's profile Visit user's homepage View All Posts By User
The Volatile Chemist
International Hazard
*****




Posts: 1973
Registered: 22-3-2014
Location: 'Stil' in the lab...
Member Is Offline

Mood: Copious

[*] posted on 12-8-2014 at 09:54


Quote: Originally posted by plante1999  
I am compromised, please block my account

Oh no! Some of the best members are compromised! Wait, does anyone know when they first saw the /root/ thing? I could have sworn seeing it 3 months ago (In someone's location) and thinking it was some form of a linux user's joke. They could have been waiting a while to amass a bunch of accounts to do something.
but lol to legitaccountdontdelete's account location. I wonder if he's the hacker :) Check his IP Prov.

careysub now has the slashroot for her (or his) location, I noticed she had been visited by the 5. guy in the past. Of course Töilet Plünger's down too.
And Zyklon-A has the best location... :)

On a side note, this is possibly a would be spamming accnt. : http://www.sciencemadness.org/talk/member.php?action=viewpro...

[Edited on 8-12-2014 by The Volatile Chemist]

[Edited on 8-12-2014 by The Volatile Chemist]

[Edited on 8-12-2014 by The Volatile Chemist]

[Edited on 8-12-2014 by The Volatile Chemist]

[Edited on 8-12-2014 by The Volatile Chemist]




View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 3778
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: Triturated

[*] posted on 12-8-2014 at 10:06


Last night was the first time I saw it, in the acetone peroxide thread that no longer exists. HeYBrO originally pointed out the /root/ thing. Then we realized that Mr_Magnesium, who started the thread, normally doesn't post crap like that, which led us to believe that the /root/ accounts were hacked. Curiously, every member who posted in that thread except for me and arkoma were compromised, although there are plenty of others that are too that didn't post there.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Zyklon-A
International Hazard
*****




Posts: 1547
Registered: 26-11-2013
Member Is Offline

Mood: Fluorine radical

[*] posted on 12-8-2014 at 10:12


Weird. I haven't been online in a few days (except yesterday) and didn't see that topic.
This sucks, was Mr_Magnesium the first to be compromised?
I think I remember seeing the "/root/" thing some months ago too, although I can't be sure.




View user's profile View All Posts By User
 Pages:  1    3  ..  7

  Go To Top