What Happened



Rawhide
2013-05-29, 11:09 AM
Hi Everyone,

I'm extremely tired, so you will get the short version. An intruder compromised the system through an FTP process which was supposed to be disabled, but must have been reenabled by the hosting company. They accessed the system through FTP only, downloading files, injecting a malicious line of code, then reuploading them. Their goal was the spreading of that malicious code, no user passwords have been compromised.

They didn't access the system in any other method or take any other actions. The forums and affected pages were taken down swiftly after the compromise. The system has been restored, all server and admin passwords have been changed, and that avenue of attack has been eliminated.

I've removed the threads reporting the issue, because they were riddled with links to the code and sites, which is highly dangerous to users, as well as very bad for others (as it increases their search rank). Also, for future reference, we don't need fifty thousand people saying "me too" without adding anything new or useful to the conversation, this actually makes things harder to track down.

Due to the restoration process, it is possible that some minor technical glitches may arise, particularly with the forums. Please let me know if you notice any glaring errors.

DeusMortuusEst
2013-05-29, 11:17 AM
As always, thank you Rawhide for all the hard work you do to keep the site running.

That's all.

RCgothic
2013-05-29, 11:20 AM
Rawhide wins 100 internets as far as I'm concerned! :smallsmile:

TheFallenOne
2013-05-29, 11:20 AM
*smoooooch*

Thanks for fixing things.

One question, before things went down (dunno how long before, as I don't know when you turned things off) my NoScript detected a new script on giantitp. I assumed it to be from the advertisements, although this never happened before. Was this the malicious code you speak of?

pendell
2013-05-29, 11:26 AM
Thank you, Rawhide, both for your outstanding work and for your clear and cogent explanation as to what went wrong.

Respectfully,

Brian P.

Joran
2013-05-29, 11:27 AM
Thanks for the update. For those who visited the site last night, what precautions should we take?

I only saw a pop-up login page (I run Firefox) and I scanned my computer for viruses with both Microsoft Security Essentials and MalwareBytes. Am I good to go?

Serpentine
2013-05-29, 11:27 AM
Thanks for fixing it, and for letting us know what happened :smallsmile:

ShadowFireLance
2013-05-29, 11:29 AM
Ouch, Sorry....:smalleek:
Thank you for the work, you make this place a lot better! :smallbiggrin:

North_Ranger
2013-05-29, 11:32 AM
Rawhide, you are a gentleman and a scholar. Should you ever need to bunk at my place, I will feed the man-eating couch bed before you lay down your weary head.

Eldest
2013-05-29, 11:42 AM
Thank you for fixing the forum so quickly, and I apologize for being one of the people reporting the problem without adding (much) detail.

Khedrac
2013-05-29, 11:47 AM
Thank you, Rawhide, both for your outstanding work and for your clear and cogent explanation as to what went wrong.

Respectfully,

Brian P.

Seconded. I really don't think you and the other moderators get enough thanks for the great work you all do.

The Bushranger
2013-05-29, 12:04 PM
For service above and beyond the call of duty:
http://www.thunderseo.com/wp-content/uploads/2012/11/you-win-the-internet.jpg

Keep up the good work Rawhide. After a good night's sleep. :smallsmile:

Haruki-kun
2013-05-29, 12:18 PM
Thank you very much, sir!

Castaras
2013-05-29, 12:24 PM
You sir are an amazing man. Thanks. Enjoy your time sleeping.

Miraqariftsky
2013-05-29, 12:25 PM
Hail the bane of Daemonica Electronica
Our praise, our thanks
And admiration

137beth
2013-05-29, 12:47 PM
Well that's a relief!
I'm running a full scan with MSE right now, let's see what happens...

Tanuki Tales
2013-05-29, 12:56 PM
Had a feeling that's what happened when that weird German sign-in prompt kept showing up.

Thanks for diligently keeping our inter-webz safe Rawhide.

Grinner
2013-05-29, 12:58 PM
Thanks, Rawhide. :smallsmile:

One question, before things went down (dunno how long before, as I don't know when you turned things off) my NoScript detected a new script on giantitp. I assumed it to be from the advertisements, although this never happened before. Was this the malicious code you speak of?

The malicious code in question was planted in one of the forum's core scripts, the one responsible for handling popup menus. It caused our browsers to invisibly open a webpage from another server, which in turn loaded another script. That's the script that caused our browsers to attempt to log in to luedolph.de.

MikelaC1
2013-05-29, 01:07 PM
I'll go old school for this one:

For all you do, (Rawhide)
this Buds for you.

137beth
2013-05-29, 01:44 PM
Microsoft Security Essentials tells me that no malware got onto my computer through the forums, so yay.

Strawberries
2013-05-29, 01:45 PM
My thanks as well. :smallsmile: Enjoy your deserved sleep.

Mono Vertigo
2013-05-29, 02:12 PM
Thank you so much, Rawhide! Wish I could pay you a drink of your choice. :smallsmile:

Bhu
2013-05-29, 04:45 PM
Hi Everyone,

I've removed the threads reporting the issue, because they were riddled with links to the code and sites, which is highly dangerous to users, as well as very bad for others (as it increases their search rank). Also, for future reference, we don't need fifty thousand people saying "me too" without adding anything new or useful to the conversation, this actually makes things harder to track down.

Does this affect things when we clicked on the report link as well? Should we just PM mods for a bit to make sure this doesn't repeat itself?

oblivion6
2013-05-29, 04:48 PM
I think there may still be something remaining. Every time I access another forum page (in fact, every time I even reload) a pop-up tells me that such and such site requires authentication for access. Same as what I got yesterday evening, in fact. I am fairly sure it is not just my comp either, as it's only this site I get the message for.

Edit: Maybe not... As soon as I posted this, I stopped getting the message. At least for now.

Grinner
2013-05-29, 05:16 PM
I think there may still be something remaining. Every time I access another forum page (in fact, every time I even reload) a pop-up tells me that such and such site requires authentication for access. Same as what I got yesterday evening, in fact. I am fairly sure it is not just my comp either, as it's only this site I get the message for.

Edit: Maybe not... As soon as I posted this, I stopped getting the message. At least for now.

Try clearing your browser's cache so that you get clean copies of the forum's scripts.

137beth
2013-05-29, 05:31 PM
Do we have any idea who/what did it?

oblivion6
2013-05-29, 05:43 PM
Try clearing your browser's cache so that you get clean copies of the forum's scripts.

Yeah, just did. I had neglected to do so. Thanks.

Oh, and I guess I forgot to say thank you to Rawhide....Thank you Rawhide!

Magatsu Izanagi
2013-05-29, 06:08 PM
So, that's why Kaspersky decided to throw a fit when I tried to check in on the boards last night. Kaspersky being Kaspersky, though, it put a stop to any shenanigans before they could get out of control; subsequent scans by it and MalwareBytes after clearing my cache didn't pick up anything.

It bears repeating: Thanks for keeping this forum healthy, Rawhide. A healthy forum is a happy one.

EDIT: Just occurred to me after posting this, but the paranoid conspiracy theorist part of me thinks there might be a connection between this latest attack, the previous DDoS, and the recent uptick in spambots...

oblivion6
2013-05-29, 06:13 PM
EDIT: Just occurred to me after posting this, but the paranoid conspiracy theorist part of me thinks there might be a connection between this latest attack, the previous DDoS, and the recent uptick in spambots...

You thought that too, eh? I considered the possibility but decided I didn't want to ruin the rest of the day by dwelling on it...

Grinner
2013-05-29, 06:30 PM
EDIT: Just occurred to me after posting this, but the paranoid conspiracy theorist part of me thinks there might be a connection between this latest attack, the previous DDoS, and the recent uptick in spambots...

Personally, I'd like to know why somebody would direct a large number of login attempts towards luedolph.de.

The DDoS was interesting, and its timing was unfortunate. The server had been in the middle of a very sensitive process when it was hit. I'm hesitant to speculate further, since I don't know who did the server repairs and to what extent. It's possible that the vulnerable FTP service was re-enabled by the hosting company by default during the repairs. It's also possible that somebody predicted that behavior and planned accordingly, but the idea seems rather far-fetched.

Edit: It seems more likely that somebody just happened to find the vulnerability, which had been left behind after the DDoS.

As for the spam bots, I don't see how that would directly contribute towards any sort of endgame.

The Bushranger
2013-05-29, 07:03 PM
Did the forums just get switched off briefly again?

Rawhide
2013-05-29, 07:05 PM
Did the forums just get switched off briefly again?

Yes, to fix dice rolling (http://www.giantitp.com/forums/showthread.php?t=285792).

The Giant
2013-05-29, 07:08 PM
Edit: It seems more likely that somebody just happened to find the vulnerability, which had been left behind after the DDoS.

My understanding is this. That the hosting company goofed when we reloaded the system software after the attack and left something open that they were supposed to close. This sat open until someone wandered by and noticed it, and then dove in. I plan on making a News post shortly.

As far as the forums being down now, I think Rawhide is trying to fix the die roller, which looks like it got borked when he fixed this morning's problem.

EDIT: Admininja'd.

Malak'ai
2013-05-29, 07:19 PM
Just putting my 2cp in and adding another HUGE thank you to Rawhide. You are a legend for all the work you do to keep these boards running properly! (This goes out to all the other mods and admins as well)

The Giant
2013-05-29, 08:15 PM
News post made.

Marnath
2013-05-29, 08:47 PM
I accessed the site several times between 12:30 and 2:00 EST and didn't run into any malicious code. In fact I didn't know there'd been an attack until seeing this thread just now. How strange. :smallconfused:

oblivion6
2013-05-29, 09:22 PM
You're immune....it was you! :smalltongue:

Lochar
2013-05-29, 09:25 PM
Rawhide, you're awesome. That is all.

Giant, I think Rawhide needs a cameo in OoTS somewhere for his hard work. :)

CoffeeIncluded
2013-05-29, 10:27 PM
Agreed. Rawhide, thank you so much for keeping the forum where I've spent the past 3.5 years up and running.

Zea mays
2013-05-29, 10:30 PM
Lemme just step in here to join the well-deserved chorus of applause and gratitude to Rawhide.
Cheers :smallcool:

Temotei
2013-05-29, 11:06 PM
Rawhide is number one.

Here. I'll prove it.

http://i938.photobucket.com/albums/ad223/Temotei221/Rawhidees1.png

Sith_Happens
2013-05-30, 12:31 AM
Any idea whether whatever-it-was-precisely-you-fixed/stopped would have affected iOS devices?

Brother Oni
2013-05-30, 01:41 AM
Thank you both for the update and good work, Rawhide.

banjo1985
2013-05-30, 02:45 AM
Thanks Rawhide, forum protector extraordinaire!

thereaper
2013-05-30, 03:10 AM
I didn't know who Rawhide was until now.

I shall never forget.

MartectX
2013-05-30, 05:30 AM
I didn't know who Rawhide was until now.

I shall never forget.
Amen, brother. :smallsigh:

Starwulf
2013-05-30, 05:47 AM
I guess that's why Windows Defender/Microsoft Security Essentials went off yesterday morning and said it was removing a malicious threat. Who in the world gets their jollies off on messing with such a nice site as this one? Must be anti-stick people, or anti-gaming, or both ><

TuggyNE
2013-05-30, 06:33 AM
Does Rawhide have, perchance, a Twitter feed or some such newfangled contraption by which I might remain up to date on maintenance in the future? The scraps of information gleanable from forum error pages are rather inadequate, and Rich isn't always up when these things happen.

Rawhide
2013-05-30, 07:35 AM
Does Rawhide have, perchance, a Twitter feed or some such newfangled contraption by which I might remain up to date on maintenance in the future? The scraps of information gleanable from forum error pages are rather inadequate, and Rich isn't always up when these things happen.

There'd be nothing much more that would tell you anyway. The information you need to know will be in the closed forum messages, and in any cases involving investigation we're not going to release any other information until we know for sure what happened.

SteveMB
2013-05-30, 08:29 AM
I guess that's why Windows Defender/Microsoft Security Essentials went off yesterday morning and said it was removing a malicious threat. Who in the world gets their jollies off on messing with such a nice site as this one? Must be anti-stick people, or anti-gaming, or both ><

I don't think the attacker cares about this site, except insofar as it gets a lot of traffic and thus can be used to spread malware to a lot of targets.

Sutremaine
2013-05-30, 09:19 AM
I wasn't on the site during the given window, but I did get a 'forums are switched off' page just before that. I'm going to run a bunch of scans anyway (it's been a while since I did computer housekeeping), but is there any pressing need to run anything if you were here after the forums went offline but before the 2 1/2 hour window?

Rawhide
2013-05-30, 05:27 PM
I wasn't on the site during the given window, but I did get a 'forums are switched off' page just before that. I'm going to run a bunch of scans anyway (it's been a while since I did computer housekeeping), but is there any pressing need to run anything if you were here after the forums went offline but before the 2 1/2 hour window?

Your timeline is wacky. The forums were switched off after the window, not before.

Ravens_cry
2013-05-30, 10:03 PM
*ahem*
Loadin' loadin', loadin'
Though the bandwidth's swollen,
Keep them forums loadin',
Rawhide!
Malware, code and servers,
Hackers with a fervor,
Glad we got Rawhide on our side!
Think of all we'd be missin'
Good comics, games and dicing!
All lost but for our very own Rawhide!

[Chorus]
Load 'em up, stamp 'em out,
Stamp 'em out, load 'em up,
Load 'em up, stamp 'em out,
Rawhide!
Keep 'em up, clean 'em out,
Clean 'em out, keep 'em up,
Keep 'em up, clean 'em out,
Rawhide!

Rawhide!

(With apologies to the authors of the theme to, well, Rawhide.)

oblivion6
2013-05-30, 11:06 PM
Snip, snip.

Ha, thats pretty good. :smallcool:

Zherog
2013-05-31, 08:50 AM
*ahem*
Loadin' loadin', loadin'
Though the bandwidth's swollen,
Keep them forums loadin',
Rawhide!
<<snip>>

*Slow clap*

Brilliant!

Ravens_cry
2013-05-31, 10:52 AM
*takes a bow*

hamishspence
2013-05-31, 11:25 AM
I must admit that did raise a chuckle from me.

Blaknic
2013-05-31, 03:06 PM
Let me add my thanks, Rawhide. You do a hard job very well.

Also, Ravens_cry wins an internet from me.

Killer Angel
2013-06-01, 03:12 AM
Rawhide, you're my hero!

*ahem*
Loadin' loadin', loadin'
...
Rawhide!

GitP won't ever stop surprising me! :smallbiggrin:

oblivion6
2013-06-01, 12:13 PM
GitP won't ever stop surprising me! :smallbiggrin:

I sure hope so. When I spend 8+ hours a day on this site alone--more on weekends--I look forward to being surprised. So far I have not been disappointed.

Silverbit
2013-06-01, 03:01 PM
I didn't realise how much I depended on this site until it was taken down (twice). Rawhide, you're awesome. So is your new song :smallbiggrin:.

TuggyNE
2013-06-02, 08:57 PM
There'd be nothing much more that would tell you anyway. The information you need to know will be in the closed forum messages, and in any cases involving investigation we're not going to release any other information until we know for sure what happened.

Sadface. Ah well.