View Full Version : Hack Attempt on .Org
Hello all,
It seems that someone got access to our webserver via some legacy software hosted on totalwar.org. This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.
The hacker attempted to hijack and control an admin account (failed), and tried to deface sections of the site. Any alterations have been reversed and secured against.
Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. The same applies if you use the same email address/username and password on other websites. Whilst this may just be a precaution, as there is no way to tell, I would recommend following this advice.
We're still investigating the extent of the breach, and some functionality on the site which people may be using is disabled to ensure this cannot occur again.
In the meantime, we recommend that everyone changes their passwords ASAP.
Best wishes,
Beskar
Montmorency
10-27-2016, 18:42
This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.
What exactly is gone now?
What exactly is gone now?
Some old random pieces of dusty equipment that should have been thrown out years ago, but kept around long past their usefulness. Something no one would probably ever use, except for that one random person. But it was the reason for the breach/attempt. In short, I don't know, and therother is the person to ask.
therother
10-27-2016, 19:33
Mostly, I've deactivated a whole bunch of file uploaders from back circa 2002-2004. The hack attempt was via these old php scripts.
I've also deactivated a number of unused sites like our Legend of the Green Dragon install. I could reactivate these if there's interest.
There was an attempt to break into a dummy forum account but this was unsuccessful.
Vincent Butler
10-27-2016, 20:49
Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.
ghostofxmaspast
10-28-2016, 15:42
The hack attempt was via these old php scripts.
Most likely old, buggy (or just poor) PHP code.
https://en.wikipedia.org/wiki/File_inclusion_vulnerability#PHP
Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.
Your answer is in the first post:
Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. Similarly, if you use the same email address/username and password on other websites.
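The link above describes the bug class, and the check that those old upload/include scripts were presumably missing is the same in any language: the request parameter must never be allowed to name a path on its own. Here it is written out in Python rather than PHP, as an added example that is not code from the thread or from the Org's own scripts; the directory names, the suffix allowlist and the sample request values are all constructed for the demonstration.

```python
"""Added example, not code from the thread or from the Org's own uploaders.

The file-inclusion class linked above boils down to one mistake: a request
parameter is used, more or less directly, as the path the server opens or
includes. The defensive shape is the same in any language; it is written in
Python here rather than PHP. Directory names, the allowlist and the sample
inputs are all constructed for the demonstration.
"""
from pathlib import Path
import tempfile

# Constructed allowlist: what an image/attachment uploader would accept.
ALLOWED_SUFFIXES = {".txt", ".png", ".jpg"}


class RejectedPath(ValueError):
    """Raised when an untrusted name must not be turned into a path."""


def resolve_user_file(base_dir: Path, user_value: str) -> Path:
    """Map an untrusted request parameter to a file directly under base_dir.

    Rejected: empty or NUL-containing values, anything with a URL scheme
    (remote includes and stream wrappers), anything carrying a directory
    component (traversal, absolute paths), suffixes outside the allowlist,
    and any result that resolves (through symlinks) outside base_dir.
    """
    if not user_value or "\x00" in user_value:
        raise RejectedPath("empty or NUL-containing name")
    if "://" in user_value:
        raise RejectedPath("URL schemes are not allowed")
    # The client may name a file, never a directory: keep only the last
    # component and refuse the value if that changed it (separators, '.', '..').
    name = Path(user_value).name
    if name != user_value:
        raise RejectedPath("directory components are not allowed")
    if Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedPath(f"suffix not in allowlist: {Path(name).suffix!r}")
    base = base_dir.resolve()
    target = (base / name).resolve()
    # Containment check after symlink resolution, as a last line of defence.
    if base != target.parent:
        raise RejectedPath("resolved outside the upload directory")
    return target


def classify(base_dir: Path, candidates) -> dict:
    """Run every candidate through resolve_user_file and record the verdict."""
    verdicts = {}
    for value in candidates:
        try:
            resolve_user_file(base_dir, value)
            verdicts[value] = "ok"
        except RejectedPath as exc:
            verdicts[value] = f"rejected: {exc}"
    return verdicts


# Constructed request values of the kinds an upload/include parameter sees.
SAMPLE_INPUTS = [
    "avatar.png",                          # a legitimate upload name
    "../../etc/passwd",                    # directory traversal
    "/etc/passwd",                         # absolute path
    "http://remote.example/page.txt",      # remote include (constructed host)
    "page.php",                            # type the uploader must not accept
    "notes.txt\x00.png",                   # NUL byte to confuse suffix checks
    "..",                                  # the parent directory itself
]


def run_demo() -> dict:
    """Create a throwaway upload directory holding one legitimate file and
    classify the constructed inputs against it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "avatar.png").write_bytes(b"constructed sample content")
        return classify(uploads, SAMPLE_INPUTS)


if __name__ == "__main__":
    for value, verdict in run_demo().items():
        print(f"{value!r:40} -> {verdict}")
```

The order of checks matters less than their combination: the allowlist stops executable types being stored where the web server would run them, the single-component rule stops traversal, and the containment check after `resolve()` catches the cases (symlinks, odd separators) the string checks miss.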
Vincent Butler
10-29-2016, 21:22
Well, yeah, but simply having an email address and password to a forum that contains little to no personal information is kind of worthless. Even if those passwords are the same as for other websites, how would he know which websites to use them on, unless trying them randomly on stuff like social media sites?
If somebody does use my email address to do something, I guess that could be a problem, I could be getting all sorts of stuff from creditors and such when I have no clue what is going on. That address is associated with me, so I could get into trouble, I guess.
So I've changed my password, but I didn't see anywhere what the password requirements/limitations are. What kinds of characters can/must be used and what's the min/max password length?
therother
11-10-2016, 04:20
vBulletin does not have options to restrict password choice. So there are no board-enforced requirements or limitations.
In general, I'd recommend passwords with 9 or more characters including upper and lower case, numbers and symbols that either don't contain dictionary words or have more than 2 unusual words with uncommon misspellings/substitutions/insertions/deletions.
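The rule above is concrete enough to write down as a checker, and the entropy figure a password manager reports for a generated password follows from the same parameters (length and alphabet size). The following is an added example, not code from the thread or from vBulletin or KeePass; the word list is a constructed stand-in for a real dictionary, and the "more than 2 unusual words" branch is applied literally as three or more dictionary hits, since a program cannot judge how unusual a misspelling is.

```python
"""Added example, not code from the thread: the password rule therother
gives above, written out as a checker, plus the arithmetic a manager uses
to size a randomly generated password. The word list is a constructed
stand-in for a real dictionary, and the "more than 2 unusual words with
misspellings" branch is applied literally (counted as 3+ dictionary hits),
since a program cannot judge how unusual a misspelling is.
"""
import math
import secrets
import string

CLASSES = {
    "upper-case letters": set(string.ascii_uppercase),
    "lower-case letters": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}
FULL_ALPHABET = "".join(sorted(set().union(*CLASSES.values())))  # 94 chars

# Constructed mini word list; a real check would load a large dictionary.
WORDLIST = {"password", "dragon", "total", "forum", "admin", "winter", "summer", "legend"}


def dictionary_hits(password: str, wordlist=WORDLIST, min_len: int = 4) -> list:
    """Dictionary words (of at least min_len letters) found as substrings,
    case-insensitively."""
    lowered = password.lower()
    return sorted(w for w in wordlist if len(w) >= min_len and w in lowered)


def check_policy(password: str, wordlist=WORDLIST) -> list:
    """Return the list of rule violations; an empty list means the password
    satisfies the rule quoted above."""
    problems = []
    if len(password) < 9:
        problems.append("shorter than 9 characters")
    for label, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {label}")
    hits = dictionary_hits(password, wordlist)
    # Rule: either no dictionary words at all, or more than two of them.
    if 1 <= len(hits) <= 2:
        problems.append("built on dictionary word(s): " + ", ".join(hits))
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(N).
    Only meaningful for generated passwords; a human-chosen one has less."""
    return length * math.log2(alphabet_size)


def chars_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password from a CSPRNG, re-drawn until it also passes
    check_policy (rarely more than one draw at this length)."""
    if length < 9:
        raise ValueError("the rule requires at least 9 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "TotalWar2016!", generate_password()):
        print(f"{pw!r}: {check_policy(pw) or 'passes'}")
    # 127 bits over the 94 printable ASCII characters needs 20 characters.
    n = chars_for_bits(127, len(FULL_ALPHABET))
    print(n, "characters ->", round(entropy_bits(n, len(FULL_ALPHABET)), 1), "bits")
```

Note that `entropy_bits` only applies to passwords the generator produced: a password that merely passes `check_policy` (say, `TotalWar2016!` with one more word bolted on) has far less entropy than its length would suggest, which is exactly why the rule cares about dictionary words.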
According to KeePass, my new password has 127 bits of entropy and I no longer even know what it is. Hopefully that's secure enough. ~D
Honestly, I was slightly surprised to be allowed as many characters of as many different types as I used, so kudos to vBulletin, I guess.
Related to that, I heartily recommend KeePass (http://keepass.info/) to anyone who needs to store complex passwords for multiple sites (isn't that everyone?). It also has a nice plugin for TOTP, so I can use it as a backup for my Google Authenticator 2-factor authentication. :2thumbsup:
HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GOLDIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
therother
11-10-2016, 15:27
I used to use KeePass with Dropbox. It's a great piece of software but lacks the web and mobile integration of LastPass, which is what I now use.
And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
KeePass has an auto-insert functionality that can even be customized by adding the relevant commands to the list of auto type commands for any given entry. By now I find that quite useful, even for simple website logins. I tried Enpass, but the browser plugin of that one requires you to also start and unlock the app/program, at which point I found KeePass to actually be quite a bit faster.
Haven't tried LastPass, mainly because I got so used to KeePass that a monthly subscription seems unnecessary at this point.
And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
So secure, you won't be able to access it yourself.
Yeah, I now have a secret hard copy location in case something ever happens and I need the password for my main accounts. Downside is, if someone ever found that, they could access my account. So how secure is it really?
Honestly, I like Microsoft's PIN solution. The main account has a very secure password, but where you set it up at home, you can use a PIN.
I don't think having a hard copy is a bad idea unless you are so important in reality that people would break into your home and specifically look for your passwords. But in that case I'd also advise to have bodyguards, someone could kidnap you to get your master password. And then you could let a bodyguard guard the hard copy. :sweatdrop:
I'd personally rather invest the money in a decent virus and spyware protection though.
Thankfully the babe thread was not affected. :bounce:
The Outsider
11-11-2016, 20:28
HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GOLDIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
Since you have managed to hack into the Org, can you please make an old Orgah happy by promoting me to a senior member so that I can finally access the fabled "special" forum?
The Outsider
11-11-2016, 20:29
double post - still shows you how serious I am.
There is no senior member forum.
There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
edyzmedieval
11-11-2016, 23:19
There is no senior member forum.
There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
Beskar, you broke the moderator forum rule. One must not speak of the moderator forums in public...
:knight:
Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
edyzmedieval
11-11-2016, 23:53
You have exposed the moderator forums, Beskar. We must now remove you from position. :knight:
*initiating process of removal*
Vincent Butler
11-12-2016, 00:28
Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
Is there any way the rest of us can vote for you in that forum?:laugh4:
GeneralHankerchief
11-12-2016, 02:42
There is no senior member forum.
I approve of this bit of deception. :smoking:
As the first Senior Member in this thread (although technically those in redpinkandgreen are also seniors) I can confirm that there is no special Senior Member forum on the .org where we keep the pr0n stash and secret locker room discussions.
[...] locker room discussions.
Indeed, there is absolutely no golden Trump-forum.
kiowhatta
01-09-2017, 04:04
Probably a nutter who thinks anyone with an apolitical interest in war subscribes to fascism or some other extreme ideology. Whenever people find out I'm a Germanophile and have an extensive interest in the Eastern Front of WWII, I get THAT look.
Shaka_Khan
02-18-2017, 07:15
Beskar, you broke the moderator forum rule. One must not speak of the moderator forums in public...
:knight:
I'm pretty sure that every forum has this.
edyzmedieval
02-18-2017, 14:36
Indeed. Every forum has moderator forums, but I was just making a bit of lighthearted fun of Beskar. :grin2:
Vlad Dracula
04-29-2017, 15:10
Good to know thank you Admins.
Kadagar_AV
10-25-2017, 06:12
Wrote stuff
Best wishes,
Beskar
What this means is basically: All your base are belong to us.
Never have the same PW in 2 places, is the side note.
vBulletin® v3.7.1, Copyright ©2000-2025, Jelsoft Enterprises Ltd.