Hello all,
It seems that someone got access to our webserver via some legacy software hosted on totalwar.org. This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.
The hacker attempted to hijack and control an admin account (failed), and tried to deface sections of the site. Any alterations have been reversed and secured against.
Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. Similarly, if you use the same email address/username and password on other websites. Whilst this may just be a precaution as there is no way to tell, I would recommend following this advice.
We're still investigating the extent of the breach, and some functionality on the site which people may be using is disabled to ensure this cannot occur again.
In the meantime, we recommend that everyone changes their passwords ASAP.
Best wishes,
Beskar
Montmorency 18:42 10-27-2016
Originally Posted by Beskar:
This has now been locked down, and many features and functionality from the old sections of the Org are no longer accessible.
What exactly is gone now?
Originally Posted by Montmorency:
What exactly is gone now?
Some old random pieces of dusty equipment that should have been thrown out years ago, but kept around long past its usefulness. Something no one would probably ever use, except for that one random person. But it was the reason for the breach/attempt. In short, I don't know, and @therother is the person to ask.
therother 19:33 10-27-2016
Mostly, I've deactivated a whole bunch of file uploaders from back circa 2002-2004. The hack attempt was via these old php scripts.
I've also deactivated a number of unused sites like our Legend of the Green Dragon install. I could reactivate these if there's interest.
There was an attempt to break into a dummy forum account but this was unsuccessful.
Vincent Butler 20:49 10-27-2016
Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.
ghostofxmaspast 15:42 10-28-2016
Originally Posted by Vincent Butler:
Makes you wonder what somebody could hope to gain by hacking .org, other than just to be malicious.
Your answer is in the first post:
Originally Posted by Beskar:
Whilst passwords on the Org are encrypted, they may have been exposed during this time, and it is highly recommended that you change your passwords to ensure your accounts are not compromised. Similarly, if you use the same email address/username and password on other websites.
Vincent Butler 21:22 10-29-2016
Well, yeah, but simply having an email address and password to a forum that contains little to no personal information is kind of worthless. Even if those passwords are the same as for other websites, how would he know which websites to use them on, unless trying them randomly on stuff like social media sites?
If somebody does use my email address to do something, I guess that could be a problem, I could be getting all sorts of stuff from creditors and such when I have no clue what is going on. That address is associated with me, so I could get into trouble, I guess.
So I've changed my password, but I didn't see anywhere what the password requirements/limitations are. What kinds of characters can/must be used and what's the min/max password length?
therother 04:20 11-10-2016
vBulletin does not have options to restrict password choice. So there are no board-enforced requirements or limitations.
In general, I'd recommend passwords with 9 or more characters including upper and lower case, numbers and symbols that either don't contain dictionary words or have more than 2 unusual words with uncommon misspellings/substitutions/insertions/deletions.
According to KeePass, my new password has 127 bits of entropy and I no longer even know what it is. Hopefully that's secure enough.

Honestly, I was slightly surprised to be allowed as many characters of as many different types as I used- so kudos to vBulletin, I guess.
Related to that, I heartily recommend KeePass to anyone who needs to store complex passwords for multiple sites (isn't that everyone?). It also has a nice plugin for TOTP, so I can use it as a backup for my Google Authenticator 2-factor authentication.
HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GODLIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
therother 15:27 11-10-2016
I used to use KeePass with Dropbox. It's a great piece of software but lacks the web and mobile integration of LastPass, which is what I now use.
And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
KeePass has an auto-insert functionality that can even be customized by adding the relevant commands to the list of auto type commands for any given entry. By now I find that quite useful, even for simple website logins. I tried Enpass, but the browser plugin of that one requires you to also start and unlock the app/program, at which point I found KeePass to actually be quite a bit faster.
Haven't tried LastPass, mainly because I got so used to KeePass that a monthly subscription seems unnecessary at this point.
Originally Posted by therother:
And yeah, having different, essentially uncrackable passwords for every site is by far the most secure thing to do.
So secure, you won't be able to access it yourself.
Yeah, I now have a secret hard copy location in case something ever happened, and I need the password for my main accounts. Downside is, if someone ever found that, they could access my account. So how secure is it really?
Honestly, I like Microsoft's pin solution. The main account having a very secure password, but where you set it up at home, you can use a pin.
I don't think having a hard copy is a bad idea unless you are so important in reality that people would break into your home and specifically look for your passwords. But in that case I'd also advise to have bodyguards, someone could kidnap you to get your master password. And then you could let a bodyguard guard the hard copy.
I'd personally rather invest the money in a decent virus and spyware protection though.
Thankfully the babe thread was not affected.
The Outsider 20:28 11-11-2016
Originally Posted by Myth:
HAHAHAHA YOU FOOLS! I HAVE NOW GAINED ACCESS TO THIS MODERATOR ACCOUNT! WITNESS THE DESTRUCTION I SHALL WIELD VIA THE GODLIKE POWERS GRANTED TO FORUM MODERATORS ON THIS SITE!
Since you have managed to hack into org, can you please make an old orgah happy by promoting me to a senior member so that I can finally access the fabled "special" forum?
The Outsider 20:29 11-11-2016
double post - still shows you how serious I am.
There is no senior member forum.
There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
edyzmedieval 23:19 11-11-2016
Originally Posted by Beskar:
There is no senior member forum.
There is a moderator forum, where we basically tell each other when we are afk, and sometimes randomly talk about boring site stuff.
Technically the infraction/warning/reporting section is a 'forum', but that is the system posting messages to it, rather than active discussion areas.
Beskar, you broke the moderator forum rule. One must not speak of the moderator forums in public...
Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
edyzmedieval 23:53 11-11-2016
You have exposed the moderator forums, Beskar. We must now remove you from position.
*initiating process of removal*
Vincent Butler 00:28 11-12-2016
Originally Posted by Beskar:
Oh, I thought that was the secret Admin forum that I post to myself in. I got a topic in there going "Who is the best Admin?" with the vote options being "Beskar" with one vote, and the rest having zero.
Is there any way the rest of us can vote for you in that forum?
Originally Posted by Beskar:
There is no senior member forum.
I approve of this bit of deception.
As the first Senior Member in this thread (although technically those in redpinkandgreen also are seniors) I can confirm that there is no special Senior Member forum on the .org where we keep the pr0n stash and secret locker room discussions.
Originally Posted by Sigurd:
[...] locker room discussions.
Indeed, there is absolutely no golden Trump-forum.
kiowhatta 04:04 01-09-2017
Probably a nutter who thinks anyone with an apolitical interest in war subscribes to fascism or some other extreme ideology. Whenever people find out I'm a Germanophile and have an extensive interest in the Eastern Front of WWII, I get THAT look,
Shaka_Khan 07:15 02-18-2017
Originally Posted by edyzmedieval:
Beskar, you broke the moderator forum rule. One must not speak of the moderator forums in public...

I'm pretty sure that every forum has this.
edyzmedieval 14:36 02-18-2017
Indeed. Every forum has moderator forums, but I was just making a bit of lighthearted fun of Beskar.