URGENT: Probable database breach

Ronin Storm

Administrator
Staff member
IMPORTANT, URGENT, AND FOR ATTENTION ALL.

As of perhaps two hours ago, I believe that some, possibly all, user accounts on THN Games have been compromised. This may have been isolated to administrators and junior administrators only but I think it is very unwise to assume this.

As of this moment, please assume that the following details have been compromised:

username
password
email

Passwords are handled by vBulletin's mechanism and appear to be salted and the salt doesn't initially appear to have been compromised. However, the salts are quite simple so assume that with a bit of horsepower it'd be pretty easy to break your passwords.

Hence, assume that any email/username and password combination that matches THN is now breached and should be changed immediately.

FYI, the attack looks like a SQL injection attack directly against the shoutbox.

Sorry all. This sucks.

Further information as it's available.
 

Ronin Storm

Administrator
Staff member
Side note: it's probably pointless changing your password here just now. The hole is still open at this moment and the only way I can see to close it will also take the board offline.

Damage is done. Need the message out there first. Possible board burnage incoming, pending further better solutions. :(
 

Pingue

Member
Thanks for the info - yeah it sucks, but at least everyone knows! At least gives me a motive to change my passwords (been meaning to for months now!)

:D

edit: Happy to help if there's anything I can do, though I doubt it :P
 

Ronin Storm

Administrator
Staff member
I've disabled the shoutbox.

Further to that, the code and mechanism that ran the shoutbox have been removed and deleted so that attack vector is now closed. As a side effect, I've reverted all users to the base style so there's not some weird blank box at the top of the page. Events and online users have, as a result, reverted to the bottom of the page.
 

Ronin Storm

Administrator
Staff member
Right, so, likely steps from here, now the initial breach is closed (though you're changing your passwords everywhere, aren't you?)...

  1. We wait and make sure everyone's got the message. They'll get a day or two, maybe 'til the weekend.
  2. We evaluate our options.
  3. We (most likely) purge this vBulletin board and start again with something secure and sufficient.

I know that Haven and I differ on exactly what next looks like (not insurmountably, clearly). I favour cheap, simple and minimal; needs only. I think Haven favours something better featured, more interesting, wider support for integration. I think I said phpBB and he may have muttered Drupal.

Feel free to pile in with your suggestions here. Suffice to say, though this was a shoutbox breach not a vB breach per se, we believe that vBulletin has had its day.
 

Ki!ler-Mk1

Active Member
Now I know you guys, and I know you wouldn't use deceit, however is it possible to view this unsubstantiated event as a ruse in order to shift to a new system? Pushing an agenda this quickly would imply that this event is real, indeed I do not disbelieve. But where is the evidence, and how do you know this has even happened? I presume there was a log of the database dump (or whatever happened, 5 mins on Wikipedia an expert does not make)?

(tldr this does not say 'prove it')

Anyway my only suggestion is the ability to "like" other posts. I've noticed that some boards even have flags under each post that other users can select in addition, such as 'funny', 'nsfw (bit late after the post)', 'like', 'dislike'. Simply "like" would be sufficient, and there are SO many replies on this board and others where people only want to say "I like this and want to acknowledge this fact".
 

Ronin Storm

Administrator
Staff member
In short:

vBulletin emails the admin email address on error. I have received around 100 error emails detailing what SQL was run when the error occurred and the script that was responsible for running it. These point to the shoutbox and clearly show a SQL injection attack.

Unfortunately, the side effect of the SQL injection attack creates rows in the shoutbox user table. That points to there being around 18000 users on this board, which there isn't. Rather, there's less than 2000 ever subscribed. So, that indicates ~16000 injection attack attempts, many of which I assume to be successful.

I can see, for sure, that the attack has focused on email, username and password fields of the user table for admins. I must assume that ordinary user accounts have been similarly hit, and that it's happenstance that I haven't seen an error for the salt field. As a result, with adequate processing on the part of the attackers, I must assume that all passwords for all users are compromised.

The reason for giving up on vBulletin focuses on two things:

First, we're a long way behind on security fixes for it as we've not had an active subscription with vBulletin for a long time. Thus patching other potential vulnerabilities is troublesome.

Second, I/we don't much like the way vBulletin has been developed over the past two years, which is why we have no subscription.

Given that, we can't make this board properly secure. Hence the intent to move.
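The two signals described above (error notifications that carry the offending SQL and the script that ran it, and a shoutbox user table holding far more rows than the board has members) can be turned into a small triage script. This is an added example written for this thread, not code from THN Games or vBulletin; it assumes the error mails have been reduced to constructed lines of the form `<script> | <sql>`, and the sample lines and script names are made up.

```python
"""Triage of vBulletin-style error notifications after a suspected shoutbox SQL injection.

Constructed example. Assumes each error mail has been flattened to one line,
"<script> | <sql>" (an assumed format, not vBulletin's real mail layout).
"""
import re
from collections import Counter

# Constructed sample lines; script names and SQL are invented for illustration.
SAMPLE_ERRORS = [
    "shoutbox.php | SELECT * FROM shout_user WHERE username='bob'",
    "shoutbox.php | SELECT * FROM shout_user WHERE username='' OR 1=1 -- '",
    "shoutbox.php | INSERT INTO shout_user (username) VALUES ('x' UNION SELECT email FROM user WHERE usergroupid=6 -- ')",
    "showthread.php | SELECT * FROM thread WHERE threadid=42",
    "shoutbox.php | SELECT * FROM shout_user WHERE username='a'/**/OR/**/'1'='1'",
]

# Fragments characteristic of injection payloads rather than a member's chat text.
INJECTION_PATTERNS = [
    re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),       # stacked SELECT pulling other tables
    re.compile(r"'\s*(OR|AND)\s*'?\d*'?\s*=\s*'?\d*", re.I),   # tautologies such as ' OR 1=1
    re.compile(r"--\s|/\*.*?\*/"),                            # comment sequences used to cut the query
    re.compile(r"\bFROM\s+user\b", re.I),                      # query reaching the real member table
]


def parse_error_line(line):
    """Split '<script> | <sql>' into its two parts (assumed format)."""
    script, _, sql = line.partition(" | ")
    return script.strip(), sql.strip()


def is_injection(sql):
    """True when the logged SQL carries any of the injection fragments above."""
    return any(p.search(sql) for p in INJECTION_PATTERNS)


def triage(lines):
    """Count suspicious queries per originating script; returns {script: count}."""
    hits = Counter()
    for line in lines:
        script, sql = parse_error_line(line)
        if is_injection(sql):
            hits[script] += 1
    return dict(hits)


def row_count_anomaly(shout_user_rows, real_subscribers):
    """Rows in the shoutbox user table beyond the real member count.

    Following the reasoning in the post, the surplus is a lower bound on
    injection attempts, since each attempt left a row behind.
    """
    return max(0, shout_user_rows - real_subscribers)
```

Run against the constructed lines, `triage` attributes all three suspicious queries to `shoutbox.php` and leaves the normal thread view alone, while `row_count_anomaly(18000, 2000)` reproduces the ~16000 figure from the post.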
 

Pingue

Member
My 2c:

Having run an active phpBB forum for pushing on 5 years now (albeit with a bit smaller userbase), I'd actively recommend it - theming etc. is all easy, and updating etc. is fairly simple. Furthermore, it's incredibly simple to modify; there's been a number of small changes I've made over the years, and the code is explanatory enough to be able to dive in and edit things.

Happy to help out here / figure out what changes we've made to our install over the years to make it better!
 

Ronin Storm

Administrator
Staff member
Thanks Pingue.

My suggestion on our dev list was phpBB on account of it being straight forward but I'm trying not to make this all about my want/need to keep things low impact and simple for me to implement and maintain. I think the majority of the damage is done and though account attacks here potentially open this board instance to trashing, we can wait a handful of days to implement something new if that's what it takes to get a decent consensus on what we'll do next.

Certainly, I personally feel that all we need is a simple set of forums (maybe just three: Chat, Games, Admin) and a shoutbox (yes, a safer one!). Then we can build from there. As we can't safely port user accounts, I don't even intend to bring any posts to a new platform. I'd like to leave this board on read-only archive duty for a bit so important old posts can be manually ported (I'd be sad to lose my DOTA posts, for example).

Speaking of which, time to go rescue those...
 

Razaak

Well-Known Member
Now I know you guys, and I know you wouldn't use deceit, however is it possible to view this unsubstantiated event as a ruse in order to shift to a new system?

Err, no, and frankly that's a disgraceful accusation, no matter how many pretty words you wrap around it. I honestly can't get my head around what you were thinking to post that. Seriously...?

Ahem, back on topic... Thanks for the heads up Ronin, good to see you've got our backs and I for one trust you and Haven to make the best decision for the board's future. It's your hard work that goes into providing this site, we're just camping out in your garden :cool:
 

BiG D

Administrator
Staff member
Now I know you guys, and I know you wouldn't use deceit, however is it possible to view this unsubstantiated event as a ruse in order to shift to a new system?
Instead of just, you know, shifting to a new system without the hassle?? I bet you have some cracking theories about the moon landing.
 

BiG D

Administrator
Staff member
And of course, everyone thank Ronin and Haven for spending the time to deal with this quickly and transparently.
 

KillCrazy

Active Member
Yes, you guys deserve many thanks for handling this situation. Seems there is no shortage of malicious twonks on the interwebs.

Thanks Haven and Ronin :)
 

Zooggy

Junior Administrator
Staff member
Ahey, :)

he may have muttered Drupal.

I'd like you both to know that I'm user #3 of a Portuguese boardgame and RPG community, and we use Drupal. And there were many, many, many times I've wanted to roast it with a flame thrower.

Please, please, please don't go to Drupal! :eek:

Cheers,
J.
 

Panda with issues...

Well-Known Member
Good to keep shoutbox functionality, I'd miss that.

Are there any other posts that people might want rescuing? The WoW lot must have a bunch. They might want to get on that.
 

Ki!ler-Mk1

Active Member
Err, no, and frankly that's a disgraceful accusation, no matter how many pretty words you wrap around it. I honestly can't get my head around what you were thinking to post that. Seriously...?

I bet you have some cracking theories about the moon landing.

Leave me alone both of you, I said nothing wrong.


Please make sure the new board still has the ability to place anyone on ignore.
 

Pingue

Member
*ahem* Back on topic, I have no idea how easy it would be to do a static export of the forum database as an archive (i.e. dump everything down to raw HTML). I'd guess it wouldn't be too hard, but I have no idea how vBulletin arranges things!

(As you'd probably want to do this for some of the dota/wow/whatever posts, I'd hope it would be easy to just extend that to the rest of the board)
 