Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1390020991

Message started by NightOwl on Jan 17th, 2014 at 10:56pm

Title: Hacked Again?!
Post by NightOwl on Jan 17th, 2014 at 10:56pm
To all

It is Friday, 1/17/2014 at around 8:30 pm Pacific Std Time.

I am seeing the same issues with the website as noted yesterday--i.e.:


Quote:
This morning I noticed the browser (Chrome--I thought it did not do JavaScripts?) said > "Waiting for site > vacance-petit-prix.com"

And the forum is sluggish and unresponsive.

I recommend folks might want to stop posting until this is figured out--or at least copy and paste your posts to WordPad and save them on your system so you can go back and re-post them if you want later.

[edit]2/1/2014--it's about two weeks since the forum was hacked--looks like the problem has been removed, and we have been without incident since mid-January.  So, folks should be able to post without worry--at least for now! 

So, no saving copies of your posts for re-posting because they might be lost--we're not anticipating any ongoing problems based on current status--NightOwl[/edit]

There is a *Print* function that will bring up a text version of the thread--you can copy that and paste it to Word and you will have the entire thread saved in the order the posts were made.  One will have to manually recreate the thread later, but it can be done.

Title: Re: Hacked Again?!
Post by NightOwl on Jan 18th, 2014 at 1:26am
To All

Well, it's approx. 11:15 pm and I no longer see any of the delays that were happening earlier in the evening.

I've tried IE8, FireFox, and Chrome--and none show any problems--so don't know what to think right now!  The *Waiting for site > vacance-petit-prix.com* no longer shows at the bottom of the Chrome browser screen--that message was occurring when the site was stalling.

Title: Re: Hacked Again?!
Post by Dan Goodell on Jan 18th, 2014 at 2:09am

NightOwl wrote on Jan 17th, 2014 at 10:56pm:
I am seeing the same issues with the website as noted yesterday [...] And the forum is sluggish and unresponsive.


I just tried it with Chrome and scripting turned on, but didn't see any problems.




Quote:
I recommend folks might want to stop posting until this is figured out--or at least copy and paste your posts to WordPad and save them on your system so you can go back and re-post them if you want later.

There is a *Print* function that will bring up a text version of the thread--you can copy that and paste it to Word and you will have the entire thread saved in the order the posts were made.  One will have to manually recreate the thread later, but it can be done


I take it you moderators have ftp access to radified.com/cgi-bin/yabb2, right?  If so, can you just make copies of a couple of the subfolders in yabb2?

It's been years since I ran a couple forums myself but I used the same YaBB software (albeit an older version than what Rad's running now).  IIRC there should be a couple folders called something like "Messages" and "Boards" or something like that.  Those were the two folders I used to keep judiciously backed up.

All the scripts and css stuff should be in other folders and would be the targets of any hacking attack (because Messages and Boards don't contain any scripts or anything executable).  If you have a current copy of Messages and Boards and Rad has to restore the forum from an old backup again, the restore will fix the forum *infrastructure* and a straight recopy of the two folders should bring the forum *content* current again.





Title: Re: Hacked Again?!
Post by Rad on Jan 18th, 2014 at 10:07am
I have not noticed any problems since the restore.

Did you close all rad pages and flush your browser cache?

If you get the 'waiting for' that site, then either you still have infected javascript files in your cache or we are hacked.

I will re-scan all files.

Title: Re: Hacked Again?!
Post by Rad on Jan 18th, 2014 at 11:13am
This morning (Saturday) I had the studly dude at my web host run the script to check for instances of the vacance- name, and the only hits came from html files where I/we had mentioned it ourselves.

So we are good .. as of Saturday morning, 9AM Pacific.

Plus I changed my site log-in password .. yet again.
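
A scan like the one described in the post above, written out as an added example (it is not the web host's script and not part of the original thread). It separates files that load the domain from script-type code or a script/iframe/src reference from files that only mention the name as text; the directory and file names in `make_sample` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the web host's script): triage files that contain an
# indicator string, separating injected references from plain mentions.
INDICATOR='vacance-petit-prix.com'                  # domain named in the thread
RE=$(printf '%s' "$INDICATOR" | sed 's/\./\\./g')   # dots escaped for grep -E

# classify FILE: SUSPECT if it is a script-type file or loads the domain from
# a script/iframe/src reference; MENTION if the name only appears as text.
classify() {
    case "$1" in
        *.js|*.pl|*.cgi|*.pm|*.php) echo SUSPECT; return ;;
    esac
    if grep -Eiq "(<script|<iframe|src=)[^>]*$RE" "$1"; then
        echo SUSPECT
    else
        echo MENTION
    fi
}

# scan_tree DIR: one "VERDICT path" line per file containing the indicator.
scan_tree() {
    grep -rlF -- "$INDICATOR" "$1" | sort | while IFS= read -r f; do
        echo "$(classify "$f") $f"
    done
}

# make_sample DIR: constructed test tree, not files from the real site.
make_sample() {
    mkdir -p "$1/Templates" "$1/Messages"
    printf 'document.write("<script src=//%s/a.js></script>");\n' "$INDICATOR" > "$1/Templates/yabb.js"
    printf '<html><iframe src="http://%s/"></iframe></html>\n' "$INDICATOR" > "$1/Templates/index.html"
    printf 'Chrome said Waiting for site %s\n' "$INDICATOR" > "$1/Messages/1390020991.txt"
    printf 'unrelated post\n' > "$1/Messages/other.txt"
}

# Demo on the constructed tree: expect two SUSPECT lines and one MENTION line.
tmp=$(mktemp -d)
make_sample "$tmp"
scan_tree "$tmp"
rm -rf "$tmp"
```

A MENTION verdict still deserves a look when the file is a template or static page rather than stored post text, since the pattern only covers references on a single line.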

Title: Re: Hacked Again?!
Post by NightOwl on Jan 20th, 2014 at 5:52pm
@ Rad


NightOwl wrote on Jan 17th, 2014 at 10:56pm:
It is Friday, 1/17/2014 at around 8:30 pm Pacific Std Time.

I am seeing the same issues with the website as noted yesterday

Well, everything seemed back to normal early on Friday morning, 1/17, after the forum had been restored.  It wasn't until the evening that I was having problems.


Rad wrote on Jan 18th, 2014 at 10:07am:
Did you close all rad pages and flush your browser cache?

No, I had not--but the problem was not there earlier in the day.  I did flush the cache after I read this, but the problem was already gone at that point (again)--so don't know if that was necessary or not.

Haven't had any problems since...(fingers crossed!)...

Title: Re: Hacked Again?!
Post by Amish. on Jan 21st, 2014 at 12:22pm
you could have gotten the infected files before the destination server got overloaded.

that's really what made the hack so apparent.

Title: Re: Hacked Again?!
Post by NightOwl on Jan 22nd, 2014 at 2:12pm
@ Dan Goodell


Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
I take it you moderators have ftp access to radified.com/cgi-bin/yabb2, right?  If so, can you just make copies of a couple of the subfolders in yabb2?

Actually, no!  The *moderator* or *Admin* designation determines the options that can be controlled using the forum's *Admin Control Panel*. 

Access to the web site's directories and files is under the control of the web site owner--Rad.


Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
It's been years since I ran a couple forums myself but I used the same YaBB software (albeit an older version than what Rad's running now).  IIRC there should be a couple folders called something like "Messages" and "Boards" or something like that.  Those were the two folders I used to keep judiciously backed up.

That's interesting!


Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
If you have a current copy of Messages and Boards and Rad has to restore the forum from an old backup again, the restore will fix the forum *infrastructure* and a straight recopy of the two folders should bring the forum *content* current again.

Even more interesting!

Well, I wonder, if we know in the future that the board has to be restored from an older backup image, if we could first save those Messages and Board files for over-writing the dated Messages and Board files that will come from the older restored forum backup?!



@ Rad

Is that an option in the future?  Do we need to be keeping regular backups of those files or directories?  Can that be automated, and the backups stored elsewhere on the server and/or off-site? 

Curious--are those files for the Board threads and Messages just text files?  Are they encrypted?  Can they be accessed one message or thread at a time?  Are the individual threads and messages available by searching, or are they in some proprietary data based file that only the forum software can understand and access?


Title: Re: Hacked Again?!
Post by Dan Goodell on Jan 22nd, 2014 at 7:34pm

NightOwl wrote on Jan 22nd, 2014 at 2:12pm:
Curious--are those files for the Board threads and Messages just text files?  Are they encrypted?  Can they be accessed one message or thread at a time?  Are the individual threads and messages available by searching, or are they in some proprietary data based file that only the forum software can understand and access?


The forum software is written in perl, and part of the beauty of perl is it's tailor made to use text files for everything, from the program itself (perl scripts in text format) to the data files (also in text format).

I dragged a backup of one of my old forums out of storage to refresh my memory.  According to the footer on this forum Rad is running YaBB 2.4, while my old forums were on YaBB 1.4.  It's probably generally similar, but take that as a disclaimer for the following comments below.

The Boards directory contained a series of text files that were basically related to the forum structure--names and locations of the forum's msg boards and an id that may have pointed to each board's most recent post.

The Messages directory contained a series of text files representing all msgs for all boards, lumped into this one directory.  Each post was stored separately as a pair of text files--one file being the post's contents and the other an index to where (which board and thread) the post belonged.  The posts could be read individually but not as a thread because everything was lumped together in one directory.

Hover over a thread link when you're looking at the index to any board and notice the url to where the link points.  See that long numeric string?  That's the post's id number and the actual post is stored in the Messages directory as a pair of files with that id number.  (Note: I haven't explored where pics or uploads go.)

Those two directories contain the names, contents and indexes of all the boards, so should serve as a drag-and-drop backup of the contents of the entire forum.  They do not contain the colors, layout, member list, or any parts of the forum that could be called the infrastructure.

It should be easy to automate backups--my linux is rusty but I'm sure Rad can easily set up a cron job on the server.  Maybe he's been doing that already, but I don't know on what time schedule.
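
The content backup discussed in this thread, as an added example (not code from the original posts or from YaBB). It snapshots the two content directories with a recorded SHA-256 so a copy can be verified before it is put back over a clean restore, and it refuses to snapshot if script-like or executable files turn up where only text is expected. The directory names follow the thread's "Messages" and "Boards"; the paths, the extension list and the use of GNU `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example: snapshot forum content directories and verify a snapshot
# before it is copied back. A cron entry would call backup_content on a schedule.
CONTENT_DIRS="Messages Boards"     # names as recalled in the thread (assumption)

# find_code ROOT: list files in the content dirs that are executable or script-like.
find_code() {
    ( cd "$1" && find $CONTENT_DIRS -type f \( -perm -100 -o -name '*.pl' \
        -o -name '*.cgi' -o -name '*.js' -o -name '*.php' \) 2>/dev/null | sort )
}

# backup_content ROOT DEST: write DEST/content-<UTC stamp>.tar.gz and a .sha256
# file beside it; print the archive path. Fails if find_code reports anything.
backup_content() {
    [ -z "$(find_code "$1")" ] || { echo "refusing: code found in content dirs" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$2/content-$stamp.tar.gz"
    mkdir -p "$2"
    tar -C "$1" -czf "$out" $CONTENT_DIRS || return 1
    ( cd "$2" && sha256sum "content-$stamp.tar.gz" > "content-$stamp.tar.gz.sha256" )
    echo "$out"
}

# verify_backup ARCHIVE: succeed only if the archive still matches its recorded hash.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Demo on a constructed tree (not real forum data).
root=$(mktemp -d)
mkdir -p "$root/site/Messages" "$root/site/Boards"
echo 'constructed thread text' > "$root/site/Messages/1390020991.txt"
echo 'constructed board index' > "$root/site/Boards/general.txt"
arc=$(backup_content "$root/site" "$root/backups") && verify_backup "$arc" && echo "ok: $arc"
rm -rf "$root"
```

Keeping the `.sha256` files somewhere the web server account cannot write means a later compromise cannot silently alter both an archive and its recorded hash.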




Title: Re: Hacked Again?!
Post by Dan Goodell on Jan 22nd, 2014 at 9:56pm

Dan Goodell wrote on Jan 22nd, 2014 at 7:34pm:
Each post was stored separately as a pair of text files--one file being the post's contents and the other an index to where (which board and thread) the post belonged.  The posts could be read individually but not as a thread because everything was lumped together in one directory.

Oops, let me correct that.  It seems I may have randomly pulled a backup from an earlier version from around 10 yrs ago.  A more recent backup (about 5 yrs ago) from the YaBB 1.4 version I was using then shows the text files in the Messages directory are whole threads, not individual messages.

So you can indeed read a whole thread together.  It's a tad inconvenient because the posts run on in one long string with delimiter codes to mark the beginning of each post (and linux line feeds are different from Windows), but if your goal is just to do a text search then it should work fine.




Title: Re: All Clear For Now
Post by NightOwl on Feb 1st, 2014 at 2:25pm
To all

It's about two weeks since the forum was hacked--looks like the problem has been removed, and we have been without incident since mid-January.  So, folks should be able to post without worry.

So, no saving copies of your posts for re-posting because they might be lost--we're not anticipating any ongoing problems based on our current status.

Title: Re: Hacked Again?!
Post by Rad on Feb 5th, 2014 at 11:30pm
yes.
=)

Radified Community Forums » Powered by YaBB 2.4!