Attack Site Warning from Firefox

So what was the deal with this? Did we actually get hacked or were we tagged as nefarious by mistake?

 
We actually got hacked.

Something from a malware site got embedded into the templates somehow. That was removed day of, but afterwards the hosts upgraded PHP, Apache, and installed a new firewall on the server; we upgraded IPB and deleted unknown or extraneous files from the server, and changed the locks.

 
Interesting. Thanks for the info. So it seems they may have exploited something in any number of components. PHP, Apache or even the board software itself. We just don't know what exactly was exploited?

Is SSH exposed to the Internet at all on our server?

Lastly, are we up to date on the board software at least security patch wise?

 
Correct. We don't know if it came from a flaw in the software that allowed a SQL injection, or it was a compromised account, or some hole on the server itself. That's why we tried to cover all of those - upgraded all software to the latest version, changed database and admin (and other) passwords, etc.

Not sure whether SSH is exposed, but I seem to recall (and I may be imagining it) that Joe said that the recent SSH exploit was patched.

Yes, we are now up to date on all security patches. And we're going to install any updates ASAP when we're notified of them.

 
Great. Thanks for the update, guys.

I had to recently clean up a *nix server that was running a vulnerable version of bash. Someone from China, it seems, wanted to use it as a node in some DDOS stuff. Every once in a while they'd see a GIANT spike of traffic from the machine.

It was interesting cleaning up afterwards as they spread scripts and whatnot all over the box.

Oh, and if SSH is exposed we should make sure root isn't allowed to log in via ssh and, maybe, implement certificate based auth. Not sure how much control we have over that with our provider though.

 
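The two SSH points raised above (root not allowed to log in over SSH, key-based rather than password auth) can be checked against the server's sshd_config before asking the host to change anything. The script below is an added example, not something posted in this thread or part of the board's setup: the two config files are constructed samples written to temp files, and the function names check_sshd_config and effective_value are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings discussed
# above. The configs are constructed samples, not the forum server's file.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD. sshd honours the FIRST
# occurrence of a keyword, so a later duplicate must not win; commented
# lines are skipped by the regex. Match blocks and Include are not handled.
effective_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# check_sshd_config FILE
# Prints one line per setting; returns 0 when all checks pass, 1 otherwise.
check_sshd_config() {
    file="$1"
    rc=0

    root=$(effective_value "$file" PermitRootLogin)
    case "$root" in
        no) echo "ok:   PermitRootLogin=no" ;;
        *)  echo "FAIL: PermitRootLogin is '${root:-unset}' (root can log in over SSH)"; rc=1 ;;
    esac

    pw=$(effective_value "$file" PasswordAuthentication)
    case "$pw" in
        no) echo "ok:   PasswordAuthentication=no" ;;
        *)  echo "FAIL: PasswordAuthentication is '${pw:-unset}' (password guessing still possible)"; rc=1 ;;
    esac

    # PubkeyAuthentication defaults to yes when unset, so empty is fine.
    pk=$(effective_value "$file" PubkeyAuthentication)
    case "$pk" in
        ""|yes) echo "ok:   PubkeyAuthentication=${pk:-yes (default)}" ;;
        *)      echo "FAIL: PubkeyAuthentication=$pk (key-based login disabled)"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample 1: a typical out-of-the-box config.
weak=$(mktemp)
cat >"$weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: hardened, with a trailing duplicate that sshd ignores.
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# the first occurrence above is the one sshd uses, so this line is inert
PermitRootLogin yes
EOF

echo "== weak config =="
check_sshd_config "$weak" || echo "=> rejected (exit $?)"
echo "== hardened config =="
check_sshd_config "$hardened" && echo "=> accepted"
```

On the real box, `sshd -T` (run as root) prints the effective configuration after Include and Match processing, so `sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` is the authoritative check; the script is useful for reviewing a config file you were handed or a copy pulled from the WHM panel.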
Yeah, it was a mess here. What Alex did was get a fresh download of the latest software package for the board. After MySQL and the infrastructure were upgraded and secured, he backed up the board, wiped it clean, and installed the new software. Then, we restored just the other stuff from backup that was essential. There was surprisingly little of that, and I checked areas of possible hacks - some HTML files and JavaScripts.

You're right about SSH. I THINK I recall seeing some settings on the server WHM panel - I'll take a look when I get a chance. If we can't do it ourselves, we need to contact the host. Excellent points, Dave. Thanks!

 
Interesting. Thanks for the info. So it seems they may have exploited something in any number of components. PHP, Apache or even the board software itself. We just don't know what exactly was exploited?

Is SSH exposed to the Internet at all on our server?

Lastly, are we up to date on the board software at least security patch wise?

We're up to date now I believe (not with the latest PHP, mind, but the one they recommended. Upgrading more would mean other issues w/software compatibility so it's usually not the latest, but it's recent enough). We never figured out exactly how the attack happened, or when. The HTTP logs Joe managed to find didn't go back that far. When I asked the host company to review them and help us figure out what had happened, they declined, saying "because it would take a lot of time, etc" (literally including "etc").

So something we learned in all this is that they aren't really going to be much help.

Dave, you sound knowledgeable. You should probably take a look at all of this.

Also, guys, we still need to update our support account password. That one is very weak, I don't know how to change it, and it provides both access to the current root password, and the ability to request a change to it.

 
Gotcha.

I have some experience with Apache, PHP and the like but it's not where the breadth of my experience lies.

I'd be happy to take a look and render an opinion though, if the admins want. I'd need some context, passwords, etc.

 
If only you were here last week!

AR, can you get him set up with everything? I guess what you'd look for is how they got in (if that's possible to find) and maybe double check the stuff we did and see if you think we're good right now.

 
I was around last week, I mean, as far as being alive. I heard what was going on with the board and figured Joe had it handled. The bat phone didn't ring and that's alright.


 
If only you were here last week!

AR, can you get him set up with everything? I guess what you'd look for is how they got in (if that's possible to find) and maybe double check the stuff we did and see if you think we're good right now.

Done. Dave, check your email. Good to have you back!