We were supposed to have a programming contest and a newsletter tomorrow, but first, we have some much more important news for all of our forum members, which will also be included in the newsletter header, which will also exceptionally be sent to every member, regardless of whether they have opted in or out of e-mail notifications:
Yesterday, Omnimaga got hacked and both KermMartian and Geekboy1011's accounts were compromised elsewhere. The Omnimaga website has since been restored after hours of downtime, but the database content has been leaked and compromised. This includes all members' personal information, ranging from private messages to passwords. According to Eeems, it looks like SMF doesn't salt+hash their passwords in a very secure way, something very possible due to how quickly the hacker managed to get Kerm and Geek's passwords. The passwords were re-used to attempt logging in on Cemetech.
If you have an Omnimaga account, then we heavily recommend that you change your password on any website (including CodeWalrus) on which you used the same password and we recommend that you use different passwords everywhere. No matter how hard it is for the hacker to decrypt the passwords, it's better to be safe than sorry!
We do not know how the attack occurred, but we know that Omnimaga was two SMF versions behind and that Omnimaga was not the only place attacked, as one of KermMartian's e-mail accounts was also hit. Also, according to the Omnimaga topic and their IRC logs, the IP address used by the hacker is from France (although we do not know what it is).
On our side, we are going to investigate what the IP address is and whether it was used on CodeWalrus and our servers.
Source:
https://www.omnimaga.org/news/downtime-22209/
http://chat.eeems.ca/?server=irc.omnimaga.org%206667&channel=omnimaga&date=Sat%20Dec%2005%202015
This is also a good time to bring up password managers. (Anytime is a good time, really.)
KeePass (http://keepass.info/) and KeePassX (https://www.keepassx.org/) are solid.
pass (http://www.passwordstore.org/) is simple (in the Unix way) and on pretty much all platforms if you're willing to put in some setup.
1Password (https://agilebits.com/onepassword) is very nice, but closed source and not on Linux.
We're out of luck so far to get the hacker's IP address, because all Omni admins are offline. Ideally the other sites should do a forum scan of that IP in case it matches someone there. That's unless the hacker was using Tor or a proxy, though, then maybe we're out of luck.
I notified Planète-Casio of the attack because some of their members have Omnimaga accounts.
Thanks for the programs by the way. I just hope there is a way to retrieve the passwords from them so if my computer crashes and has to be reformatted, then I am not locked out of all my Internet accounts.
EDIT:
@Juju got one suspicious IP address, and is running scans on our server right now. Please report here once done.
He gave me the IP and I did scans on the forums. No matches could be found:
https://usercontent.irccloud-cdn.com/file/3EzvCLx2/
Found 2 matches in the logs, both seem to be images linked from Omnimaga or TI-Planet. Also me looking for that IP. Nothing found here, really.
Apparently, there was a lot of stuff on TI-Planet, though, in the server logs.
EDIT: According to Kerm, the password was freely given to the hacker. He also finds it weird that most recent community attacks and trolling always target Omni and Cemetech (eg Ephraim ban evasion, the sucks.fyi trolling via strange hostnames and now this) and never other sites.
Well, the sucks.fyi guy was here too. Also I've updated my password too :)
Quote from: bb010g on December 06, 2015, 04:43:01 AM
This is also a good time to bring up password managers. (Anytime is a good time, really.)
KeePass (http://keepass.info/) and KeePassX (https://www.keepassx.org/) are solid.
pass (http://www.passwordstore.org/) is simple (in the Unix way) and on pretty much all platforms if you're willing to put in some setup.
1Password (https://agilebits.com/onepassword) is very nice, but closed source and not on Linux.
Indeed, it's high time I switched to something like that. Thanks for the recommendations.
We used KeePassX on my dad's Linux computer. The problem was he deleted the database one time and said it was my own fault <_<
I tried a bit of research into the IP, but all I could find was a physical address.
Just set pass up and changed most of my passwords for 32 character passwords, different for each site. I suppose that's enough to keep me covered. :P
32 chars is a bad idea imho. Some sites upgrade their software and end up lowering the max length in fields, and I remember the yAronet password or nickname change field allowed more chars than the login fields and I was unable to log in anymore. 24 chars is safer against such admin mishaps.
Quote from: DJ Omnimaga on December 06, 2015, 05:48:49 AM
Thanks for the programs by the way. I just hope there is a way to retrieve the passwords from them so if my computer crashes and has to be reformatted, then I am not locked out of all my Internet accounts.
KeePassX saves the database in a location you specify, so if you keep that file backed up and don't forget the master password to decrypt it, you should be fine. It can also export everything to a .txt file in case you need that.
Quote from: DJ Omnimaga on December 06, 2015, 08:45:28 AM
According to Kerm, the password was freely given to the hacker. He also finds it weird that most recent community attacks and trolling always target Omni and Cemetech (eg Ephraim ban evasion, the sucks.fyi trolling via strange hostnames and now this) and never other sites.
How would he know about other sites? Is he omniscient?
And apparently, he quickly forgot about this:
https://codewalr.us/index.php?topic=647.0
Well, the most recent ones, as in, the last 3 incidents or so. He knows about other sites because we told him so.
Guys, I found something strange on Omnimaga: Netham45 account is no longer listed in the member list (even if we do a search) and he isn't in the staff list either. I don't know how long it has been like that, though:
https://www.omnimaga.org/team
His account is still intact, but he is no longer in the staff groups and his signature was changed to "Omnimaga admin" instead of the broken Space Invader animation. He also last logged in on December 4th 2015.
Normally, when an existing SMF forum account no longer shows up in the member list, this means it is currently banned. Did he ask for that himself due to a long hiatus or was his account compromised?
EDIT: An attempt to break into @Ivoah's forum account on CodeWalrus was recorded over three hours ago:
Quote:
IP address | Display name | Message | Date
90.11.159.131 | Guest | Password incorrect - Ivoah (?action=login2) | Today at 07:34:23 pm
EDIT: There was also an attempt by 80.119.166.103 to log into my account, but it doesn't match anything else out of the ordinary on the forums. Mind doing a scan on the CW server @Juju and on TI-Planet @Adriweb? It was over an hour before Ivoah's account was hit.
Quote from: Cumred_Snektron on December 06, 2015, 10:20:46 AM
We used KeePassX on my dad's linux computer. The problem was he deleted the database one time and said it was my own fault <_<
baaaackuuuuups
Yeah, I have access logs for that IP, same User agent etc.
Still doesn't tell who it actually is, though.
Indeed. I hope we will know one day. If the hacker has a CodeWalrus account or is on our IRC channel, so far the agreement with Street is that the user will get banned (I haven't managed to get a hold of Ivoah, Juju and Cumred about it yet). It's also possible that we start cracking down on Tor users and multi-user accounts on IRC and forums (eg banning them if they refuse to reveal who they are or to use a real IP address).
The obvious action would be to ban the user/ip (if he's ever found with sufficient proof), but... the problem is that if it's a proxy, more than one person could be using this IP, including legit users. And it's not like the user in question wouldn't just use yet another IP and/or account to do whatever he's doing.
In the meantime, not much is known except some IPs in France and a user-agent.
Yeah, if it's a proxy then that could be a problem. I remember Omni had issues with false positive bans after many spambots were IP-banned. This is why we no longer ban spambots by their IP.
Quote from: bb010g on December 07, 2015, 04:07:01 AM
Quote from: Cumred_Snektron on December 06, 2015, 10:20:46 AM
We used KeePassX on my dad's linux computer. The problem was he deleted the database one time and said it was my own fault <_<
baaaackuuuuups
Yup, I love that pass encrypts with PGP, I use git integration and have the store on a remote private repo and my phone as well, the only problem would be if I lost my private key.
Nanowar confirmed on Revsoft via news and a PM sent to me that Revsoft was attacked as well. Database was compromised.
@Juju please redo scans of the two suspicious IPs
I see both IPs in today's Nginx logs. We should disable password authentication on ssh and use only private keys.
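An added example (not code from this thread or from CodeWalrus) of the kind of log scan the posts above describe: it parses nginx combined-format access-log lines, flags the two IPs reported in the thread, counts POSTs to SMF's login2 action per IP, and reports user agents shared between watchlisted IPs. The log lines are constructed.

```python
"""Scan nginx access-log lines for watchlisted IPs and SMF login attempts.

Added example, not code from the thread or from CodeWalrus. The log lines
are constructed; the watchlist holds the two IPs the thread reports.
"""
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# IPs reported as suspicious in the thread.
WATCHLIST = {"90.11.159.131", "80.119.166.103"}

# SMF's login form posts to index.php?action=login2.
LOGIN_ACTION = "action=login2"

# Constructed sample log (combined format); times follow the thread's report.
SAMPLE_LOG = """\
90.11.159.131 - - [06/Dec/2015:19:33:58 -0500] "GET /index.php?action=login HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
90.11.159.131 - - [06/Dec/2015:19:34:23 -0500] "POST /index.php?action=login2 HTTP/1.1" 200 1532 "https://codewalr.us/index.php?action=login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
80.119.166.103 - - [06/Dec/2015:18:20:16 -0500] "POST /index.php?action=login2 HTTP/1.1" 200 1532 "https://codewalr.us/index.php?action=login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
198.51.100.7 - - [06/Dec/2015:12:01:05 -0500] "GET /index.php?topic=647.0 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/47.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, watchlist=WATCHLIST):
    """Summarise activity from watchlisted IPs and login POSTs from any IP."""
    hits = defaultdict(lambda: {"requests": 0, "login_posts": 0, "agents": set()})
    login_posts = defaultdict(int)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        is_login = rec["method"] == "POST" and LOGIN_ACTION in rec["path"]
        if is_login:
            login_posts[rec["ip"]] += 1
        if rec["ip"] in watchlist:
            h = hits[rec["ip"]]
            h["requests"] += 1
            h["agents"].add(rec["agent"])
            h["login_posts"] += int(is_login)
    return {"hits": dict(hits), "login_posts": dict(login_posts), "unparsed": unparsed}


def shared_agents(summary):
    """User agents seen from more than one watchlisted IP (a hint they are one actor)."""
    seen = defaultdict(set)
    for ip, h in summary["hits"].items():
        for agent in h["agents"]:
            seen[agent].add(ip)
    return {agent for agent, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ip, h in result["hits"].items():
        print(ip, h["requests"], "requests,", h["login_posts"], "login POST(s)")
    print("shared user agents:", shared_agents(result))
```

On a real server, feed it the access log with `scan(open("/var/log/nginx/access.log"))` and extend WATCHLIST as new IPs are reported.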
Quote from: Juju on December 07, 2015, 12:53:57 AM
Well, the most recent ones, as in, the last 3 incidents or so. He knows about other sites because we told him so.
And apparently he should stop assuming and implying strange things.
We've got hacking attempts almost every day in the logs.
It's not because he doesn't know about it that it doesn't happen.
This is strange how multiple websites are getting hacked at the same time O.O.
It is ISIS nooooo : P
Could this be why ticalc.org has had troubles with their login and voting system since POTY started?
@Travis should run some scans
I did discover suspicious activity from 90.11.159.131 on ticalc.org yesterday. We're investigating.
Edit: We may have something official to say later, but at this point, I do strongly recommend that people consider changing their ticalc.org passwords now, especially if you're using the same passwords for anything else.
Sorry to hear that you guys were also hit a day later by this attacker. I hope as a community we can all get to the bottom of who feels so destructively towards us.
Well, if they blame us it doesn't mean that CW is bad it means there is a member that should be banned.
Quote from: KermMartian on December 07, 2015, 07:21:36 PM
Of course, this all happened after the rest of the community noted how interesting it was that CodeWalrus was spared. That's a very unfortunate coincidence.
Strongly disappointed by your first comment ever on CW, Kerm, though not surprised nowadays. You know you can be a much more useful community member than you show here.
Just ignore comments which lead to nowhere. :)
Coincidence is coincidence, proof is proof.
Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 AM
[...] According to Eeems, it looks like SMF doesn't salt+hash their passwords in a very secure way [...]
That was me, but OK :P
Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 AM
[...]
We do not know how the attack occurred, we know that Omnimaga was two SMF versions behind and Omnimaga was not the only place attacked, as one of KermMartian e-mail account was also hit. Also, according to the Omnimaga topic and their IRC logs, the IP address used by the hacker is from France (although we do not know what it is).
[...]
At the time of the attack we were already at 2.0.11, Eeems ran upgrades a day or two earlier.
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?
A backdoor is possible. I had this happen on TIMGUL in 2008. We used IB 1.3 and got hacked. When we switched to SMF, we still got hacked because a backdoor from the 1.3 days was still hidden in a folder somewhere.
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 PM
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
What? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).
Quote from: Streetwalrus
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?
The attacker had an administrator's password, and did not use any backdoors or brute force.
Quote from: KermMartian on December 07, 2015, 10:39:23 PM
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 PM
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? Your oddly verbose attempts to find an explanation for this are getting amusingly out-of-hand.
Kerm, if you really have nothing constructive to add to the discussion, please don't post at all. We all know you are salty about CW, and it really looks like you're trying to shove the blame of the attacks on us. I used to think higher of you.
Dun changed my password just to be safe.
Also,
@KermMartian , when is new information about the hacker due? I'd like to see those claims backed up. I also see no point in keeping his information (at least his handle) private.
KermM, friendly reminder that
(http://e.lvme.me/xmeh35.jpg)
If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.
That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.
Quote from: Streetwalrus on December 07, 2015, 10:57:42 PM
KermM, friendly reminder that [you have no power here]
If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.
That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.
Don't worry, I'm not blaming CodeWalrus as a whole; I respect almost all of you a great deal, I just wish you hadn't felt that the community needed to be subdivided further (@aeTIos too). Point taken, though; I certainly have no power here, and I wouldn't want anyone to think I was being mean. *doffs hat* A good day to you, ladies and gents. :)
Quote from: KermMartian on December 07, 2015, 10:39:23 PM
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 PM
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).
Quote from: Streetwalrus
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?
The attacker had an administrator's password, and did not use any backdoors or brute force. The investigation was simplified by what user(s) were known to have that administrator's password.
The Islamic State comment was not really meant to be 100% serious, but given their goals and the fact they hacked sites before and the fact we have an active topic about them here, we never know. There are much bigger chances that it's a community member or a group of members who is fed up with the community and has decided to attack it at large. And it's not just a few select portions of the community, because Revsoft and CodeWalrus were attacked too. The CW attacks targeted my forum account yesterday at 6:20:16 PM GMT-5 (failed login attempt from 80.119.166.103) and Ivoah's account at 7:34:23 PM (from 90.11.159.131).
There is also another suspicious IP from which two failed login attempts into Ivoah's account happened yesterday, and it's 24.144.160.11. We do not know if it's legit or not, but since Ivoah has never posted a single message from that IP, then perhaps an eye should be kept on that one too.
But we cannot jump to conclusions by insinuating anything and accusing anyone yet, because slander and libel are as much of a crime as the hacking itself. We want to know the culprit as soon as possible and if legal actions have to be taken against him, then so be it.
I went through the access logs for BosaikNet and was unable to find any suspicious activity; no admin-login attempts were found and activity from IP addresses 90.11.159.131, 80.119.166.103, and 24.144.160.11 were not found in any access log. Whoever did this knew what domains they wanted to target.
It's always possible that they browsed Omnimaga or other related sites for a while to gain more knowledge about which other related sites from the leaders there are, in order to target more, but the fact that only calculator sites have been targeted convinces me more that the culprit was somebody who is or used to be part of the TI community and hates it.
In any case, whoever did this will not win, because Omnimaga, Cemetech, Revsoft, TI-Planet, Ticalc.org and CodeWalrus are still standing today.
I've noticed that the two IPs 90.11.159.131 and 80.119.166.103 are rather close to each other, being located in adjacent towns, but the other IP, 24.144.160.11, is all the way in Pennsylvania (next to a college = probably has a calculator = community member?)
I'm definitely thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has no single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.
But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.
90.11.159.131 and 80.119.166.103 were located as Billère and Tarbes for me, both southern France/Pyrénées.
Strange that the WHOIS info is different for the two of us?
Where did you get that info Brentmaas? I used http://iptrace.in
A smart attacker would try to leave no trace back to his own IP. These suspicious IPs in the logs come from attacks carried out by infected machines, via a VPN, or the attacker is not smart.
But how would an infected machine carry out such large scale attack without human intervention?
Usually these infected machines are listening on an IRC channel waiting for the command to attack.
Quote from: DJ Omnimaga on December 08, 2015, 08:34:52 AM
Strange that the WHOIS info is different for the two of us?
Where did you get that info Brentmaas? I used http://iptrace.in
http://yougetsignal.com
It has a couple of tools which are free to use.
Do you think the attacker will be able to breach CW or no?
EDIT: it may be a little off topic but it was said in the first post something about a contest?
I don't think so, hopefully we reacted fast enough to change all of our passwords, at least for those who used the same as on omni. We should be fine.
As for the contest, yes, there is an upcoming contest.
I thought so, but it is kinda weird that someone would go through all that effort just to get at the calc community. They must really hate us O.O
Quote from: DJ Omnimaga on December 08, 2015, 07:59:45 AM
I'm definitely thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has no single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.
But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.
That was probably me trying to log into my account on my dad's iPad while on a car trip to a college in Pennsylvania.
Thanks for checking that out Ivoah. :)
WARNING: I think HP Museum was also hit, but I am not sure.
Someone has changed my forum account there and it's entirely possible that I was using the same password there as I did on Omnimaga.
It took me multiple password reset attempts before the password reset tool finally worked.
You might want to check your HP Museum accounts at http://www.hpmuseum.org/forum/ in case you were attacked.
@Streetwalrus ever since we updated login security, I notice an increase in failed login attempts in the logs from legit users/IP addresses.
@rwill also reported that he got incorrect password errors even when entering the right password until a few tries, and while the latter might be due to the holidays, online users in the last 7 days have decreased from 70 to 50 in less than a week. Mind notifying @Sorunome so he investigates in case his mod might be the culprit?
Quote from: DJ Omnimaga on December 29, 2015, 04:20:21 AM
[...]
Mind notifying @Sorunome so he investigates in case his mod might be the culprit?
In order to debug whether it is related to the mod I'd need network logs of these failed login attempts, including timestamps and stuff. The password should be encrypted anyways, but feel free to strip out the encrypted password on top of that.
/me pokes @Juju and @Streetwalrus to share the logs, then.
Quote from: DJ Omnimaga on December 29, 2015, 06:54:13 AM
/me pokes @Juju and @Streetwalrus to share the logs, then.
The post-body and reply content doesn't land in server-side access logs, though, thus needing the logs of the client.
Server-side logs might help a bit, too.
Also, I am not saying that the login mod has a bug, all I'm saying is that it might have a bug and that this information would be helpful to pinpoint whether it has or hasn't. ;)
Wait, does every member that was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
Quote from: DJ Omnimaga on December 29, 2015, 07:19:55 AM
Wait, does every member that was potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
I mean that for the people to whom it happens it would be helpful if they could dump the output of the "Network" tab in their debugging console (F12).
Ah I see. In any case, I hope if this happens to them, that they see this topic beforehand. Also does this apply to Windows and Mac as well?
Regarding the type of login problems, Art_of_camelot made a thread about it and he had the same symptoms as I had, it just hangs on the loading part. It may only happen on the first login after the security update was deployed, it happened on my first login after the update and he created the thread 5 minutes after that. I do not know if it was his first login after the security update, one might need to ask him if one wants to investigate in this direction further. I did look at what I POST to the server on login and besides some 20kb hashed_paswd in the form, where I do not know where it comes from, I noticed nothing out of the ordinary and had no problems ever besides the one time after the security update. Ah well, good luck.
And hopefully unrelated, I got this email directing me to this thread:
Subject: rwill, you have been mentioned at a post in CodeWalrus
Hello rwill!
DJ Omnimaga mentioned you in the post "Sorunome, you have been mentioned at a post in CodeWalrus", you can view the post at https://codewalr.us/index.php?msg=28835
Regards,
CodeWalrus
While the Sorunome part is certainly not his post title I think.
The Sorunome mention bug is known. It's a problem on the user mention mod's side when we @mention/!call multiple people at once in one post. You would need to report it to the original author on SMF forums.
As for the login loading taking forever, I have the same problem happening on Omnimaga until about the third try. On CW it never happened to me, but logging in takes a long while (up to 10 seconds sometimes). This is definitely something that Soru needs to fix.
If it becomes too much of an issue or hinders our activity, then we might need to revert the changes and ditch this mod, at the cost of lowered security, and if security becomes a problem, then we could just require everyone to login via Reddit, Facebook, Github, Google or something like that until SMF 2.1 comes out.
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.
Oh, that could be an idea. Just as long as it doesn't require the regular users to do something special, because contacting 400 members to ensure that they do it doesn't mean all of them will get the message. :P
Removing it would be a site-wide admin option.
Yeah, I am referring more to how we should avoid going the same route as the topic ID changes controversy, where no automated fix (eg a redirect or admins updating everyone's sigs) was available, thus forcing thousands of people to manually fix their stuff themselves.
Quote from: Streetwalrus on December 29, 2015, 10:28:52 PM
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD
EDIT: also
Quote: <Sorunome> what might help is going into Subs-Auth.php, search for the function getRSAValue (probably close to bottom), search for $smcFunc['db_query']('','DELETE FROM {db_prefix}rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)'); and make that to like 5 mins or so
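An added example (not the mod's own code) that models the failure mode Sorunome's quoted fix addresses: the login mod mints an RSA key per login page load, the quoted query deletes keys older than one minute, and a form submitted after that window is rejected as a plain "Password incorrect" even when the password is right. Class and function names here are assumed; the clock is faked so the expiry can be demonstrated without waiting.

```python
"""Simulation of the login mod's rsa_keys expiry, as the thread describes it.

Added example, not the mod's own code. It models: a key is minted per login
page load and stored with a timestamp, keys older than a TTL are deleted
(the quoted query uses INTERVAL 1 MINUTE), and a login posted with an
already-deleted key is rejected. Class and function names are assumed.
"""
import hmac
import secrets


class FakeClock:
    """Controllable clock so the expiry can be demonstrated without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RsaKeyStore:
    """Stands in for the rsa_keys table: key id -> timestamp of issue."""

    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds
        self.clock = clock
        self.keys = {}

    def issue(self):
        # Like getRSAValue(): mint a fresh key when the login page is rendered.
        kid = secrets.token_hex(8)
        self.keys[kid] = self.clock()
        return kid

    def purge_expired(self):
        # Mirrors: DELETE FROM rsa_keys WHERE ts < (NOW() - INTERVAL <ttl>)
        cutoff = self.clock() - self.ttl
        for kid in [k for k, ts in self.keys.items() if ts < cutoff]:
            del self.keys[kid]

    def take(self, kid):
        """Consume the key a login form claims to have used; None if gone."""
        self.purge_expired()
        return self.keys.pop(kid, None)


def verify_login(store, kid, submitted, expected):
    """Return (ok, reason). The mod collapses the first case into a plain
    'Password incorrect', which is why users see it with the right password."""
    if store.take(kid) is None:
        return False, "key expired or unknown"
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        return True, "ok"
    return False, "bad password"


def simulate(ttl_seconds, seconds_on_login_page, password="hunter2"):
    """One page load, a pause, then the form is posted with the right password."""
    clock = FakeClock()
    store = RsaKeyStore(ttl_seconds, clock)
    kid = store.issue()
    clock.advance(seconds_on_login_page)
    return verify_login(store, kid, password, password)


if __name__ == "__main__":
    # 1-minute TTL, user takes 90 s to type: rejected despite correct password.
    print(simulate(60, 90))
    # Same user with the query changed to 5 minutes, as Sorunome suggests.
    print(simulate(300, 90))
```

The second retry working, as rwill and DJ report, follows from the model: each page load issues a fresh key, so a quick resubmit lands inside the window.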
Quote from: Sorunome on December 29, 2015, 10:49:49 PM
Quote from: Streetwalrus on December 29, 2015, 10:28:52 PM
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.
>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin panel XD
Doesn't look like it's possible. Also a quick grep shows that pretty much everywhere it's set it's true.