Hacked Again?! (Read 20447 times)
NightOwl
Radministrator
*****
Offline


"I tought I saw a puddy
tat..."

Posts: 5826
Olympia, WA--Puget Sound--USA


Hacked Again?!
Jan 17th, 2014 at 10:56pm
 
To all

It is Friday, 1/17/2014 at around 8:30 pm Pacific Std Time.

I am seeing the same issues with the website as noted yesterday--i.e.:

Quote:
This morning I noticed the browser (Chrome--I thought it did not do JavaScripts?) said > "Waiting for site > vacance-petit-prix.com"

And the forum is sluggish and unresponsive.

I recommend folks might want to stop posting until this is figured out--or at least copy and paste your posts to WordPad and save them on your system so you can go back and re-post them if you want later.

Edited:
2/1/2014--it's about two weeks since the forum was hacked--looks like the problem has been removed, and we have been without incident since mid-January.  So, folks should be able to post without worry--at least for now! 

So, no saving copies of your posts for re-posting because they might be lost--we're not anticipating any ongoing problems based on current status--NightOwl


There is a *Print* function that will bring up a text version of the thread--you can copy that and paste it to Word and you will have the entire thread saved in the order the posts were made.  One will have to manually recreate the thread later, but it can be done.
 

____________________________________________________________________________________________

No question is stupid ... but, possibly the answers are Wink !
 
 

NightOwl
Re: Hacked Again?!
Reply #1 - Jan 18th, 2014 at 1:26am
 
To All

Well, it's approx. 11:15 pm and I no longer see any of the delays that were happening earlier in the evening.

I've tried IE8, FireFox, and Chrome--and none show any problems--so don't know what to think right now!  The *Waiting for site > vacance-petit-prix.com* no longer shows at the bottom of the Chrome browser screen--that message was occurring when the site was stalling.
 

 
Dan Goodell
Special Guest
*****
Offline



Posts: 552
N California


Re: Hacked Again?!
Reply #2 - Jan 18th, 2014 at 2:09am
 
NightOwl wrote on Jan 17th, 2014 at 10:56pm:
I am seeing the same issues with the website as noted yesterday [...] And the forum is sluggish and unresponsive.


I just tried it with Chrome and scripting turned on, but didn't see any problems.



Quote:
I recommend folks might want to stop posting until this is figured out--or at least copy and paste your posts to WordPad and save them on your system so you can go back and re-post them if you want later.

There is a *Print* function that will bring up a text version of the thread--you can copy that and paste it to Word and you will have the entire thread saved in the order the posts were made.  One will have to manually recreate the thread later, but it can be done.


I take it you moderators have ftp access to radified.com/cgi-bin/yabb2, right?  If so, can you just make copies of a couple of the subfolders in yabb2?

It's been years since I ran a couple forums myself but I used the same YaBB software (albeit an older version than what Rad's running now).  IIRC there should be a couple folders called something like "Messages" and "Boards" or something like that.  Those were the two folders I used to keep judiciously backed up.

All the scripts and css stuff should be in other folders and would be the targets of any hacking attack (because Messages and Boards don't contain any scripts or anything executable).  If you have a current copy of Messages and Boards and Rad has to restore the forum from an old backup again, the restore will fix the forum *infrastructure* and a straight recopy of the two folders should bring the forum *content* current again.




 
 
 
Rad
Radministrator
*****
Offline


Sufferin' succotash

Posts: 4090
Newport Beach, California


Re: Hacked Again?!
Reply #3 - Jan 18th, 2014 at 10:07am
 
I have not noticed any problems since the restore.

Did you close all rad pages and flush your browser cache?

If you get the 'waiting for' that site, then either you still have infected javascript files in your cache or we are hacked.

I will re-scan all files.
 
 
Rad
Re: Hacked Again?!
Reply #4 - Jan 18th, 2014 at 11:13am
 
This morning (Saturday) I had the studly dude at my web host run the script to check for instances of the vacance- name, and the only hits came from html files where I/we had mentioned it ourselves.

So we are good .. as of Saturday morning, 9AM Pacific.

Plus I changed my site log-in password .. yet again.
 
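An added example, not part of the original post and not the web host's script: one way to run the kind of check described above, separating files where the domain is loaded or sits in executable content from files that only mention it in text. The file-extension list, the `src=`/`href=` heuristic and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: triage files under a web root that contain an injected domain.
# The domain is the one named in the thread; the file-type split is an assumption.
IOC='vacance-petit-prix.com'
IOC_RE='vacance-petit-prix\.com'

# Print "SUSPECT <file>" when the domain sits in a script-bearing file or in a
# src=/href= attribute, "MENTION <file>" when it only appears as plain text
# (for example a post that names the domain).
scan_webroot() {
    grep -rlIF -- "$IOC" "$1" 2>/dev/null | sort | while IFS= read -r f; do
        case "$f" in
            *.js|*.pl|*.cgi|*.php|*.css|*.htaccess)
                echo "SUSPECT $f" ;;
            *)
                if grep -qiE "(src|href)[[:space:]]*=[[:space:]]*[\"']?[^\"'> ]*$IOC_RE" -- "$f"
                then echo "SUSPECT $f"
                else echo "MENTION $f"
                fi ;;
        esac
    done
}

# Constructed sample tree (not taken from the real site) for a dry run.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf 'document.write("<script src=//%s/x.js></script>");\n' "$IOC" > "$d/menu.js"
    printf '<iframe src="http://%s/"></iframe>\n' "$IOC" > "$d/index.html"
    printf '<p>Chrome said: Waiting for %s</p>\n' "$IOC" > "$d/thread.html"
    printf '<p>unrelated page</p>\n' > "$d/clean.html"
    echo "$d"
}

demo=$(make_sample_tree) && scan_webroot "$demo" && rm -rf "$demo"
```

A `MENTION` line still deserves a quick look, since the heuristic only recognises the domain inside `src=` or `href=` attributes.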
 
NightOwl
Re: Hacked Again?!
Reply #5 - Jan 20th, 2014 at 5:52pm
 
@Rad

NightOwl wrote on Jan 17th, 2014 at 10:56pm:
It is Friday, 1/17/2014 at around 8:30 pm Pacific Std Time.

I am seeing the same issues with the website as noted yesterday

Well, everything seemed back to normal early on Friday morning, 1/17, after the forum had been restored.  It wasn't until the evening that I was having problems.

Rad wrote on Jan 18th, 2014 at 10:07am:
Did you close all rad pages and flush your browser cache?

No, I had not--but the problem was not there earlier in the day.  I did flush the cache after I read this, but the problem was already gone at that point (again)--so don't know if that was necessary or not.

Haven't had any problems since...(fingers crossed!)...
 

 

Amish.
Technoluster
***
Offline


Dude! (Rad in SeaMonkey)

Posts: 104


Re: Hacked Again?!
Reply #6 - Jan 21st, 2014 at 12:22pm
 
You could have gotten the infected files before the destination server got overloaded.

That's really what made the hack so apparent.
 
 
 
NightOwl
Re: Hacked Again?!
Reply #7 - Jan 22nd, 2014 at 2:12pm
 
@Dan Goodell

Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
I take it you moderators have ftp access to radified.com/cgi-bin/yabb2, right?  If so, can you just make copies of a couple of the subfolders in yabb2?

Actually, no!  The *moderator* or *Admin* designation determines the options that can be controlled using the forum's *Admin Control Panel*. 

Access to the web site's directories and files is under the control of the web site owner--Rad.

Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
It's been years since I ran a couple forums myself but I used the same YaBB software (albeit an older version than what Rad's running now).  IIRC there should be a couple folders called something like "Messages" and "Boards" or something like that.  Those were the two folders I used to keep judiciously backed up.

That's interesting!

Dan Goodell wrote on Jan 18th, 2014 at 2:09am:
If you have a current copy of Messages and Boards and Rad has to restore the forum from an old backup again, the restore will fix the forum *infrastructure* and a straight recopy of the two folders should bring the forum *content* current again.

Even more interesting!

Well, I wonder, if we know in the future that the board has to be restored from an older backup image, if we could first save those Messages and Board files for over-writing the dated Messages and Board files that will come from the older restored forum backup?!



@Rad

Is that an option in the future?  Do we need to be keeping regular backups of those files or directories?  Can that be automated, and the backups stored elsewhere on the server and/or off-site? 

Curious--are those files for the Board threads and Messages just text files?  Are they encrypted?  Can they be accessed one message or thread at a time?  Are the individual threads and messages available by searching, or are they in some proprietary data based file that only the forum software can understand and access?

 

 
Dan Goodell
Re: Hacked Again?!
Reply #8 - Jan 22nd, 2014 at 7:34pm
 
NightOwl wrote on Jan 22nd, 2014 at 2:12pm:
Curious--are those files for the Board threads and Messages just text files?  Are they encrypted?  Can they be accessed one message or thread at a time?  Are the individual threads and messages available by searching, or are they in some proprietary data based file that only the forum software can understand and access?


The forum software is written in perl, and part of the beauty of perl is it's tailor made to use text files for everything, from the program itself (perl scripts in text format) to the data files (also in text format).

I dragged a backup of one of my old forums out of storage to refresh my memory.  According to the footer on this forum Rad is running YaBB 2.4, while my old forums were on YaBB 1.4.  It's probably generally similar, but take that as a disclaimer for the following comments below.

The Boards directory contained a series of text files that were basically related to the forum structure--names and locations of the forum's msg boards and an id that may have pointed to each board's most recent post.

The Messages directory contained a series of text files representing all msgs for all boards, lumped into this one directory.  Each post was stored separately as a pair of text files--one file being the post's contents and the other an index to where (which board and thread) the post belonged.  The posts could be read individually but not as a thread because everything was lumped together in one directory.

Hover over a thread link when you're looking at the index to any board and notice the url to where the link points.  See that long numeric string?  That's the post's id number and the actual post is stored in the Messages directory as a pair of files with that id number.  (Note: I haven't explored where pics or uploads go.)

Those two directories contain the names, contents and indexes of all the boards, so should serve as a drag-and-drop backup of the contents of the entire forum.  They do not contain the colors, layout, member list, or any parts of the forum that could be called the infrastructure.

It should be easy to automate backups--my linux is rusty but I'm sure Rad can easily set up a cron job on the server.  Maybe he's been doing that already, but I don't know on what time schedule.



 
 
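An added example, not part of the original post and not the forum's own tooling: a cron-friendly snapshot of the two content folders discussed above, with a checksum for the archive and a check that the folders really hold nothing executable before they are copied back over a restored forum. The folder names `Messages` and `Boards` follow the post's recollection, and the paths, script name and schedule are placeholders.

```sh
#!/bin/sh
# Added example: snapshot the YaBB content folders so they can be recopied
# after the forum is restored from an older backup.
# "Messages" and "Boards" are the names recalled in the post (an assumption).

# List files in the content folders that look executable or script-like.
# The post expects none, so any output means "inspect before restoring".
unexpected_files() {
    find "$1/Messages" "$1/Boards" -type f \
        \( -perm -100 -o -name '*.pl' -o -name '*.cgi' -o -name '*.php' \
           -o -name '*.js' -o -name '.htaccess' \) | sort
}

# Create DEST/forum-content-<UTC stamp>.tar.gz plus a .sha256 file beside it,
# then print the archive path. DEST should live outside the web root.
snapshot_content() {
    src=$1; dest=$2
    [ -d "$src/Messages" ] && [ -d "$src/Boards" ] || {
        echo "content folders not found under $src" >&2; return 2; }
    mkdir -p "$dest" || return 1
    out="$dest/forum-content-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$out" -C "$src" Messages Boards || return 1
    tar -tzf "$out" >/dev/null || return 1      # archive must be readable
    ( cd "$dest" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || return 1
    echo "$out"
}

# Usage: forum-snapshot.sh /path/to/yabb2 /path/to/backups
if [ "$#" -eq 2 ]; then
    unexpected_files "$1" >&2      # anything listed needs review before reuse
    snapshot_content "$1" "$2"
fi

# Example crontab entry (hourly; placeholder paths):
# 0 * * * * /home/USER/bin/forum-snapshot.sh /path/to/yabb2 /home/USER/forum-backups
```

Copying the archives off the server as well keeps them out of reach of whoever modified the site files.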
 
Dan Goodell
Re: Hacked Again?!
Reply #9 - Jan 22nd, 2014 at 9:56pm
 
Dan Goodell wrote on Jan 22nd, 2014 at 7:34pm:
Each post was stored separately as a pair of text files--one file being the post's contents and the other an index to where (which board and thread) the post belonged.  The posts could be read individually but not as a thread because everything was lumped together in one directory.

Oops, let me correct that.  It seems I may have randomly pulled a backup from an earlier version from around 10 yrs ago.  A more recent backup (about 5 yrs ago) from the YaBB 1.4 version I was using then shows the text files in the Messages directory are whole threads, not individual messages.

So you can indeed read a whole thread together.  It's a tad inconvenient because the posts run on in one long string with delimiter codes to mark the beginning of each post (and linux line feeds are different from Windows), but if your goal is just to do a text search then it should work fine.



 
 
 
NightOwl
Re: All Clear For Now
Reply #10 - Feb 1st, 2014 at 2:25pm
 
To all

It's about two weeks since the forum was hacked--looks like the problem has been removed, and we have been without incident since mid-January.  So, folks should be able to post without worry.

So, no saving copies of your posts for re-posting because they might be lost--we're not anticipating any ongoing problems based on our current status.
 

 

Rad
Re: Hacked Again?!
Reply #11 - Feb 5th, 2014 at 11:30pm
 
yes.
=)
 