
Thread: Hack Attempt on .Org

  1. #1
    The Red Titled Forum Administrator Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    14,999

    Default Hack Attempt on .Org

    Hello all,

    It seems that someone got access to our webserver via some legacy software hosted on totalwar.org. This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.

    The hacker attempted to hijack and control an admin account (failed), and tried to deface sections of the site. Any alterations have been reversed and secured against.

    Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. Similarly, if you use the same email address/username and password on other websites. Whilst this may just be a precaution as there is no way to tell, I would recommend following this advice.

    We're still investigating the extent of the breach, and some functionality on the site which people may be using is disabled to ensure this cannot occur again.

    In the meantime, we recommend that everyone changes their passwords ASAP.

    Best wishes,
    Beskar
    Last edited by Beskar; 10-27-2016 at 17:12.
    "What makes something right or wrong?" | How to spot a Humanist
    "Men of Quality do not fear Equality." # | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs." RG

    Members thankful for this post (3):



  2. #2
    Senior Member Senior Member Othello Champion Montmorency's Avatar
    Join Date
    Sep 2010
    Posts
    7,383

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Beskar View Post
    This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.
    What exactly is gone now?
    Vitiate Man.

    Member thankful for this post:

    Roma5 


  3. #3
    The Red Titled Forum Administrator Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    14,999

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Montmorency View Post
    What exactly is gone now?
    Some old random pieces of dusty equipment that should have been thrown out years ago, but kept around long past its usefulness. Something no one would probably ever use, except for that one random person. But it was the reason for the breach/attempt. In short, I don't know, and @therother is the person to ask.
    "What makes something right or wrong?" | How to spot a Humanist
    "Men of Quality do not fear Equality." # | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs." RG

    Member thankful for this post:

    Roma5 


  4. #4
    Research Fiend Technical Administrator Tetris Champion, Boxteroid Champion, Asteroids 2k3 Champion, Summer Games Champion, Shootout Champion, Snakeman Champion, Classic Donkey Kong Champion, Ms Pacman Champion therother's Avatar
    Join Date
    Feb 2004
    Location
    UK
    Posts
    2,440

    Default Re: Hack Attempt on .Org

    Mostly, I've deactivated a whole bunch of file uploaders from back circa 2002-2004. The hack attempt was via these old php scripts.

    I've also deactivated a number of unused sites like our Legend of the Green Dragon install. I could reactivate these if there's interest.

    There was an attempt to break into a dummy forum account but this was unsuccessful.
    Last edited by therother; 10-27-2016 at 19:38.
    Nullius addictus iurare in uerba magistri -- Quintus Horatius Flaccus

    History is a pack of lies about events that never happened told by people who weren't there -- George Santayana

    Members thankful for this post (3):
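
An added example, not part of the thread or the site's own tooling: one way to inventory the kind of legacy PHP upload handlers described in post #4 before deciding what to deactivate. The function names, the five-year age threshold and the sample tree are assumptions made for this sketch.

```python
import os
import re
import tempfile
import time

# PHP constructs that indicate a script accepts file uploads
# ($HTTP_POST_FILES is the pre-4.1 form found in very old code).
UPLOAD_MARKERS = re.compile(
    rb"move_uploaded_file\s*\(|is_uploaded_file\s*\(|\$_FILES\b|\$HTTP_POST_FILES\b"
)
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")

def find_legacy_uploaders(webroot, older_than_days=5 * 365, now=None):
    """Return [(path, age_days, markers)] for stale PHP upload handlers."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # cap the read per file
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            markers = sorted(
                {m.group(0).decode().rstrip("( \t") for m in UPLOAD_MARKERS.finditer(data)}
            )
            # mtime is only a hint: restores and copies can reset it.
            age_days = int((now - mtime) // 86400)
            if markers and age_days >= older_than_days:
                findings.append((path, age_days, markers))
    return sorted(findings, key=lambda f: -f[1])  # oldest first

def build_sample_tree(root, now):
    """Constructed sample webroot: stale uploader, recent uploader, stale non-uploader."""
    samples = {
        "old/upload.php": (b"<?php move_uploaded_file($_FILES['f']['tmp_name'], $d); ?>", 5110),
        "forum/attach.php": (b"<?php if (is_uploaded_file($_FILES['a']['tmp_name'])) {} ?>", 30),
        "old/index.php": (b"<?php echo 'hello'; ?>", 5110),
    }
    for rel, (body, age_days) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        for path, age, markers in find_legacy_uploaders(root, now=now):
            print(f"{age:>6} days  {os.path.relpath(path, root)}  {', '.join(markers)}")
```

Treat the output as a review list: a hit means the script handles uploads and has not been touched in years, not that it is exploitable.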



  5. #5
    Requin Member Vincent Butler's Avatar
    Join Date
    May 2014
    Location
    Somewhere, but not there.
    Posts
    448

    Default Re: Hack Attempt on .Org

    Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.

    Member thankful for this post:

    Roma5 


  6. #6

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by therother View Post
    The hack attempt was via these old php scripts.
    Most likely old, buggy (or just poor) PHP code.

    https://en.wikipedia.org/wiki/File_i...nerability#PHP

    Member thankful for this post:

    Roma5 


  7. #7
    Member Member Stazi's Avatar
    Join Date
    Jun 2008
    Location
    Poland
    Posts
    413

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Vincent Butler View Post
    Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.
    Your answer is in the first post:

    Quote Originally Posted by Beskar View Post
    Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. Similarly, if you use the same email address/username and password on other websites.
    "Do not fight for glory. Do not fight for love of your lord. Do not fight for hatred, honor or faith. Fight only for victory and you will succeed." - Uji sensei.

    Member thankful for this post:

    Roma5 


  8. #8
    Requin Member Vincent Butler's Avatar
    Join Date
    May 2014
    Location
    Somewhere, but not there.
    Posts
    448

    Default Re: Hack Attempt on .Org

    Well, yeah, but simply having an email address and password to a forum that contains little to no personal information is kind of worthless. Even if those passwords are the same as for other websites, how would he know which websites to use them on, unless trying them randomly on stuff like social media sites?

    If somebody does use my email address to do something, I guess that could be a problem, I could be getting all sorts of stuff from creditors and such when I have no clue what is going on. That address is associated with me, so I could get into trouble, I guess.
    Blessed be the LORD my strength, which teacheth my hands to war, and my fingers to fight: Psalm 144:1

    In peace there's nothing so becomes a man
    As modest stillness and humility:
    But when the blast of war blows in our ears,
    Then imitate the action of the tiger;
    -Henry V by William Shakespeare

  9. #9
    wicked, evil Moderator Xiahou's Avatar
    Join Date
    Aug 2002
    Location
    in the cloud.
    Posts
    8,898

    Default Re: Hack Attempt on .Org

    So I've changed my password, but I didn't see anywhere what the password requirements/limitations are. What kinds of characters can/must be used and what's the min/max password length?
    "Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master."

    George Washington

  10. #10
    Research Fiend Technical Administrator Tetris Champion, Boxteroid Champion, Asteroids 2k3 Champion, Summer Games Champion, Shootout Champion, Snakeman Champion, Classic Donkey Kong Champion, Ms Pacman Champion therother's Avatar
    Join Date
    Feb 2004
    Location
    UK
    Posts
    2,440

    Default Re: Hack Attempt on .Org

    vBulletin does not have options to restrict password choice. So there are no board-enforced requirements or limitations.

    In general, I'd recommend passwords with 9 or more characters including upper and lower case, numbers and symbols that either don't contain dictionary words or have more than 2 unusual words with uncommon misspellings/substitutions/insertions/deletions.
    Nullius addictus iurare in uerba magistri -- Quintus Horatius Flaccus

    History is a pack of lies about events that never happened told by people who weren't there -- George Santayana

    Member thankful for this post:

    Xiahou 


  11. #11
    wicked, evil Moderator Xiahou's Avatar
    Join Date
    Aug 2002
    Location
    in the cloud.
    Posts
    8,898

    Default Re: Hack Attempt on .Org

    According to KeePass, my new password has 127 bits of entropy and I no longer even know what it is. Hopefully that's secure enough.
    Honestly, I was slightly surprised to be allowed as many characters of as many different types as I used- so kudos to vBulletin, I guess.

    Related to that, I heartily recommend KeePass to anyone who needs to store complex passwords for multiple sites (isn't that everyone?). It also has a nice plugin for TOTP, so I can use it as a backup for my Google Authenticator 2-factor authentication.
    Last edited by Xiahou; 11-10-2016 at 14:18.
    "Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master."

    George Washington

  12. #12
    Strategist and Storyteller Member Myth's Avatar
    Join Date
    Apr 2010
    Posts
    3,909

    Default Re: Hack Attempt on .Org

    HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GODLIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
    The art of war, then, is governed by five constant
    factors, to be taken into account in one's deliberations,
    when seeking to determine the conditions obtaining in the field.

    These are: (1) The Moral Law; (2) Heaven; (3) Earth;
    (4) The Commander; (5) Method and discipline.
    Sun Tzu, "The Art of War"
    Like totalwar.org on Facebook!

    Members thankful for this post (2):



  13. #13
    Research Fiend Technical Administrator Tetris Champion, Boxteroid Champion, Asteroids 2k3 Champion, Summer Games Champion, Shootout Champion, Snakeman Champion, Classic Donkey Kong Champion, Ms Pacman Champion therother's Avatar
    Join Date
    Feb 2004
    Location
    UK
    Posts
    2,440

    Default Re: Hack Attempt on .Org

    I used to use KeePass with Dropbox. It's a great piece of software but lacks the web and mobile integration of LastPass, which is what I now use.

    And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
    Nullius addictus iurare in uerba magistri -- Quintus Horatius Flaccus

    History is a pack of lies about events that never happened told by people who weren't there -- George Santayana

  14. #14
    Iron Fist Senior Member Husar's Avatar
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    14,158

    Default Re: Hack Attempt on .Org

    KeePass has an auto-insert functionality that can even be customized by adding the relevant commands to the list of auto type commands for any given entry. By now I find that quite useful, even for simple website logins. I tried Enpass, but the browser plugin of that one requires you to also start and unlock the app/program, at which point I found KeePass to actually be quite a bit faster.

    Haven't tried LastPass, mainly because I got so used to KeePass that a monthly subscription seems unnecessary at this point.


    "Topic is tired and needs a nap." - Tosa Inu

  15. #15
    The Red Titled Forum Administrator Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    14,999

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by therother View Post
    And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
    So secure, you won't be able to access it yourself.

    Yeah, I now have a secret hard copy location in case something ever happened, and I need the password for my main accounts. Downside is, if someone ever found that, they could access my account. So how secure is it really?

    Honestly, I like Microsoft's PIN solution. The main account having a very secure password, but where you set it up at home, you can use a PIN.
    "What makes something right or wrong?" | How to spot a Humanist
    "Men of Quality do not fear Equality." # | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs." RG

  16. #16
    Iron Fist Senior Member Husar's Avatar
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    14,158

    Default Re: Hack Attempt on .Org

    I don't think having a hard copy is a bad idea unless you are so important in reality that people would break into your home and specifically look for your passwords. But in that case I'd also advise to have bodyguards, someone could kidnap you to get your master password. And then you could let a bodyguard guard the hard copy.

    I'd personally rather invest the money in a decent virus and spyware protection though.


    "Topic is tired and needs a nap." - Tosa Inu

  17. #17
    Colonel In Chief Member PROVOST's Avatar
    Join Date
    Jan 2014
    Location
    Terra Australis
    Posts
    1,951

    Default Re: Hack Attempt on .Org

    Thankfully the babe thread was not affected.
    You can build a throne with bayonets, but you can't sit on it for long. -Boris Yeltsin


    мыслете наш он покой

  18. #18
    Assassins Guild Member The Outsider's Avatar
    Join Date
    Nov 2005
    Location
    Everywhere...
    Posts
    317

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Myth View Post
    HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GODLIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
    Since you have managed to hack into org, can you please make an old orgah happy by promoting me to a senior member so that I can finally access the fabled "special" forum?

  19. #19
    Assassins Guild Member The Outsider's Avatar
    Join Date
    Nov 2005
    Location
    Everywhere...
    Posts
    317

    Default Re: Hack Attempt on .Org

    double post - still shows you how serious I am.

  20. #20
    The Red Titled Forum Administrator Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    14,999

    Default Re: Hack Attempt on .Org

    There is no senior member forum.

    There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
    Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
    "What makes something right or wrong?" | How to spot a Humanist
    "Men of Quality do not fear Equality." # | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs." RG

  21. #21
    Ja mata, TosaInu Moderator edyzmedieval's Avatar
    Join Date
    May 2005
    Location
    Fortress of the Mountains
    Posts
    10,101

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Beskar View Post
    There is no senior member forum.

    There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
    Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
    Beskar, you broke the moderator forum rule. One must not speak of the moderator forums in public...

    Ja mata, TosaInu. You will forever be remembered.

    Proud

    Been to:

    10 years+ at the Org

  22. #22
    The Red Titled Forum Administrator Beskar's Avatar
    Join Date
    Feb 2008
    Location
    Albion
    Posts
    14,999

    Default Re: Hack Attempt on .Org

    Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
    "What makes something right or wrong?" | How to spot a Humanist
    "Men of Quality do not fear Equality." # | "Belief doesn't change facts. Facts, if you are reasonable, should change your beliefs." RG

  23. #23
    Ja mata, TosaInu Moderator edyzmedieval's Avatar
    Join Date
    May 2005
    Location
    Fortress of the Mountains
    Posts
    10,101

    Default Re: Hack Attempt on .Org

    You have exposed the moderator forums, Beskar. We must now remove you from position.

    *initiating process of removal*
    Ja mata, TosaInu. You will forever be remembered.

    Proud

    Been to:

    10 years+ at the Org

  24. #24
    Requin Member Vincent Butler's Avatar
    Join Date
    May 2014
    Location
    Somewhere, but not there.
    Posts
    448

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Beskar View Post
    Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
    Is there any way the rest of us can vote for you in that forum?

  25. #25
    chaos chaos chaos Moderator Pogo Panic Champion, Space Rescue Champion, Graveyard Champion, Invasion 2196 Champion, Rally 2100 Champion, Missle Attack Champion, Ninja Kid Champion, Ninja Turtles 1 Champion, Pop-Up Killer Champion, Ratman Ralph Champion, Mahjong Connect Champion GeneralHankerchief's Avatar
    Join Date
    Mar 2006
    Location
    On a pirate ship
    Posts
    11,529

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Beskar View Post
    There is no senior member forum.
    I approve of this bit of deception.
    "I'm going to die anyway, and therefore have nothing more to do except deliberately annoy Lemur." -Orb, in the chat
    "Lemur. Even if he's innocent, he's a pain; so kill him." -Ignoramus
    "I'm going to need to collect all of the rants about the guilty lemur, and put them in a pretty box with ponies and pink bows. Then I'm going to sprinkle sparkly magic dust on the box, and kiss it." -Lemur
    Mafia: Promoting peace and love since June 2006

    Quote Originally Posted by TosaInu
    At times I read back my own posts [...]. It's not always clear at first glance.

    Member thankful for this post:

    Beskar 


  26. #26
    Dragonslayer Emeritus Senior Member Sigurd's Avatar
    Join Date
    Nov 2002
    Location
    Norge
    Posts
    6,862

    Default Re: Hack Attempt on .Org

    As the first Senior Member in this thread (although technically those in redpinkandgreen also are seniors) I can confirm that there is no special Senior Member forum on the .org where we keep the pr0n stash and secret locker room discussions.
    Status Emeritus

  27. #27
    Iron Fist Senior Member Husar's Avatar
    Join Date
    Jan 2003
    Location
    Germany
    Posts
    14,158

    Default Re: Hack Attempt on .Org

    Quote Originally Posted by Sigurd View Post
    [...] locker room discussions.
    Indeed, there is absolutely no golden Trump-forum.


    "Topic is tired and needs a nap." - Tosa Inu

  28. #28
    New Member Member kiowhatta's Avatar
    Join Date
    Jan 2017
    Posts
    0

    Default Re: Hack Attempt on .Org

    Probably a nutter who thinks anyone with an apolitical interest in war subscribes to fascism or some other extreme ideology. Whenever people find out I'm a Germanophile and have an extensive interest in the Eastern Front of WWII, I get THAT look,
