CodeWalrus

CodeWalrus Website => Site Discussion => Site News & Announcements => Topic started by: DJ Omnimaga on December 06, 2015, 04:31:35 am

Title: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 06, 2015, 04:31:35 am
We were supposed to have a programming contest and a newsletter tomorrow, but first, we have some much more important news for all of our forum members, which will also be included in the newsletter header, which will also exceptionally be sent to every member, regardless of if they have opted in or out of e-mail notifications:


Yesterday, Omnimaga got hacked and both KermMartian and Geekboy1011's accounts were compromised elsewhere. The Omnimaga website has since been restored after hours of downtime, but the database content has been leaked and compromised. This includes all members personal information, ranging from private messages to passwords. According to Eeems, it looks like SMF doesn't salt+hash their passwords in a very secure way, something very possible due to how quickly the hacker managed to get Kerm and Geek's password. The passwords were re-used to attempt logging in on Cemetech.

If you have an Omnimaga account, then we heavily recommend that you change your password on any website (including CodeWalrus) on which you used the same password and we recommend that you use different passwords everywhere. No matter how hard it is for the hacker to decrypt the passwords, it's better to be safe than sorry!

We do not know how the attack occurred, we know that Omnimaga was two SMF versions behind and Omnimaga was not the only place attacked, as one of KermMartian e-mail account was also hit. Also, according to the Omnimaga topic and their IRC logs, the IP address used by the hacker is from France (although we do not know what it is).

On our side, we are going to investigate about what the IP address is and if it was used on CodeWalrus and our servers.

Source:
https://www.omnimaga.org/news/downtime-22209/
http://chat.eeems.ca/?server=irc.omnimaga.org%206667&channel=omnimaga&date=Sat%20Dec%2005%202015
Title: Re: Important security notice about your CodeWalrus account
Post by: bb010g on December 06, 2015, 04:43:01 am
This is also a good time to bring up password managers. (Anytime is a good time, really.)

KeePass (http://keepass.info/) and KeePassX (https://www.keepassx.org/) are solid.
pass (http://www.passwordstore.org/) is simple (in the Unix way) and on pretty much all platforms if you're willing to put in some setup.
1Password (https://agilebits.com/onepassword) is very nice, but closed source and not on Linux.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 06, 2015, 05:48:49 am
We're out of luck so far to get the hacker IP address, because all Omni admins are offline. Ideally the other sites should do a forum scan of that IP in case it matches someone there. That's unless the hacker was using Tor or a proxy, though, then maybe we're out of luck.

I notified Planète-Casio of the attack because some of their members have Omnimaga accounts.

Thanks for the programs by the way. I just hope there is a way to retrieve the passwords from them so if my computer crashes and has to be reformated, then I am not locked out of all my Internet accounts.

EDIT: @Juju got one suspicious IP address, and is running scans on our server right now. Please report here once done.

He gave me the IP and I did scans on the forums. No matches could be found:
https://usercontent.irccloud-cdn.com/file/3EzvCLx2/
Title: Re: Important security notice about your CodeWalrus account
Post by: Juju on December 06, 2015, 08:10:45 am
Found 2 matches in the logs, both seems to be images linked from Omnimaga or TI-Planet. Also me looking for that IP. Nothing found here, really.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 06, 2015, 08:45:28 am
Apparently, there was a lot of stuff on TI-Planet, though, in the server logs.

EDIT: According to Kerm, the password was freely given to the hacker. He also finds it weird that most recent community attacks and trolling always target Omni and Cemetech (eg Ephraim ban evasion, the sucks.fyi trolling via strange hostnames and now this) and never other sites.
Title: Re: Important security notice about your CodeWalrus account
Post by: Snektron on December 06, 2015, 10:06:26 am
Well, he suck.fyi guy was here too. Also i've updated my password too :)
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 06, 2015, 10:17:04 am
Quote from: bb010g on December 06, 2015, 04:43:01 am
This is also a good time to bring up password managers. (Anytime is a good time, really.)

KeePass (http://keepass.info/) and KeePassX (https://www.keepassx.org/) are solid.
pass (http://www.passwordstore.org/) is simple (in the Unix way) and on pretty much all platforms if you're willing to put in some setup.
1Password (https://agilebits.com/onepassword) is very nice, but closed source and not on Linux.

Indeed, it's high time I switched to something like that. Thanks for the recommendations.
Title: Re: Important security notice about your CodeWalrus account
Post by: Snektron on December 06, 2015, 10:20:46 am
We used KeePassX on my dad's linux computer. The problem was he deleted the database one time and said it was my own fault <_<
Title: Re: Important security notice about your CodeWalrus account
Post by: brentmaas on December 06, 2015, 10:48:14 am
I tried a bit of research into the IP, but all I could find was a physical adress.
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 06, 2015, 12:44:17 pm
Just set pass up and changed most of my passwords for 32 character passwords, different for each site. I suppose that's enough to keep me covered. :P
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 06, 2015, 10:48:31 pm
32 chars is a bad idea imho. Some sites upgrade their softwares and end up lowering the max lenght in fields and I remember yAronet password or nickname change field allowed more chars than than the login fields and I was unable to login anymore. 24 chars is safer against such admin mishaps.
Title: Re: Important security notice about your CodeWalrus account
Post by: Travis on December 06, 2015, 11:42:42 pm
Quote from: DJ Omnimaga on December 06, 2015, 05:48:49 amThanks for the programs by the way. I just hope there is a way to retrieve the passwords from them so if my computer crashes and has to be reformated, then I am not locked out of all my Internet accounts.


KeePassX saves the database in a location you specify, so if you keep that file backed up and don't forget the master password to decrypt it, you should be fine. It can also export everything to a .txt file in case you need that.
Title: Re: Important security notice about your CodeWalrus account
Post by: critor on December 06, 2015, 11:53:51 pm
Quote from: DJ Omnimaga on December 06, 2015, 08:45:28 amAccording to Kerm, the password was freely given to the hacker. He also finds it weird that most recent community attacks and trolling always target Omni and Cemetech (eg Ephraim ban evasion, the sucks.fyi trolling via strange hostnames and now this) and never other sites.


How would he know about other sites ? Is he omniscient ?

And apparently, he quickly forgot about this :
https://codewalr.us/index.php?topic=647.0
Title: Re: Important security notice about your CodeWalrus account
Post by: Juju on December 07, 2015, 12:53:57 am
Well, the most recent ones, as in, the last 3 incidents or so. He knows about other sites because we told him so.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 03:36:10 am
Guys, I found something strange on Omnimaga: Netham45 account is no longer listed in the member list (even if we do a search) and he isn't in the staff list either. I don't know how long it has been like that, though:

https://www.omnimaga.org/team

His account is still intact, but he is no longer in the staff groups and his signature changed was changed to "Omnimaga admin" instead of the broken Space Invader animation. He also last logged in on December 4th 2015.


Normally, when an existing SMF forum account no longer shows up in the member list, this means it is currently banned. Did he ask that on request due to a long hiatus or was his account compromised?


EDIT: An attempt to break into @Ivoah forum account on CodeWalrus has been recorded over three hours ago:

QuoteIP address   Display name   Message   Date
90.11.159.131   Guest   Password incorrect - Ivoah
?action=login2   Today at 07:34:23 pm


EDIT: There was also an attempt by 80.119.166.103 to login into my account, but it doesn't match anything else out of the ordinary on the forums. Mind doing a scan on CW server @Juju and on TI-Planet @Adriweb ? It was over an hour before Ivoah account was hit.
Title: Re: Important security notice about your CodeWalrus account
Post by: bb010g on December 07, 2015, 04:07:01 am
Quote from: Cumred_Snektron on December 06, 2015, 10:20:46 am
We used KeePassX on my dad's linux computer. The problem was he deleted the database one time and said it was my own fault <_<

baaaackuuuuups
Title: Re: Important security notice about your CodeWalrus account
Post by: Adriweb on December 07, 2015, 04:22:28 am
Yeah, I have access logs for that IP, same User agent etc.
Still doesn't tell who it actually is, though.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 04:35:03 am
Indeed. I hope we will know one day. If the hacker has a CodeWalrus account or is on our IRC channel, so far the agreement with Street is that the user will get banned (I haven't managed to get an hold of Ivoah, Juju and Cumred about it yet). It's also possible that we start cracking down on Tor users and multi-user accounts on IRC and forums (eg banning them if they refuse to reveal who they are or to use a real IP address).
Title: Re: Important security notice about your CodeWalrus account
Post by: Adriweb on December 07, 2015, 04:47:52 am
The obvious action would be to ban the user/ip (if he's ever found with sufficient proof), but... the problem is that if it's a proxy, more than one person could be using this IP, including legit users. And it's not like the user in question wouldn't just use yet another IP and/or account to do whatever he's doing.

In the meantime, not much is known unless some IPs in France and a user-agent.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 04:50:16 am
YEah, if it's a proxy then that could be a problem. I remember Omni had issues with false positive bans after many spambots were IP-banned. This is why we no longer ban spambots by their IP.
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 07, 2015, 01:25:43 pm
Quote from: bb010g on December 07, 2015, 04:07:01 am
Quote from: Cumred_Snektron on December 06, 2015, 10:20:46 am
We used KeePassX on my dad's linux computer. The problem was he deleted the database one time and said it was my own fault <_<

baaaackuuuuups

Yup, I love that pass encrypts with PGP, I use git integration and have the store on a remote private repo and my phone as well, the only problem would be if I lost my private key.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 02:31:13 pm
Nanowar confirmed on Revsoft via news and a PM sent to me that Revsoft was attacked as well. Database was compromised.

@Juju please redo scans of the two suspicious IPs
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 07, 2015, 02:36:56 pm
I see both IPs in today's Nginx logs. We should disable password authentication on ssh and use only private keys.
Title: Re: Important security notice about your CodeWalrus account
Post by: critor on December 07, 2015, 03:32:27 pm
Quote from: Juju on December 07, 2015, 12:53:57 am
Well, the most recent ones, as in, the last 3 incidents or so. He knows about other sites because we told him so.


And apparently he should stop assuming and implying strange things.

We've got hacking attempts almost everyday in the logs.
It's not because he doesn't know about it that it doesn't happen.
Title: Re: Important security notice about your CodeWalrus account
Post by: alexgt on December 07, 2015, 04:45:24 pm
This is strange how multiple websites are getting hacked at the same time O.O.
It is ISIS nooooo : P
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 04:53:39 pm
Could this be why ticalc.org have troubles with their login and voting system since POTY started? @Travis should run some scans
Title: Re: Important security notice about your CodeWalrus account
Post by: Travis on December 07, 2015, 06:55:44 pm
I did discover suspicious activity from 90.11.159.131 on ticalc.org yesterday. We're investigating.

Edit: We may have something official to say later, but at this point, I do strongly recommend that people consider change their ticalc.org passwords now, especially if you're using the same passwords for anything else.
Title: Re: Important security notice about your CodeWalrus account
Post by: KermMart̕ian on December 07, 2015, 07:21:36 pm
Sorry to hear that you guys were also hit a day later by this attacker. I hope as a community we can all get to the bottom of who feels so destructively towards us.
Title: Re: Important security notice about your CodeWalrus account
Post by: alexgt on December 07, 2015, 07:43:39 pm
Well, if they blame us it doesn't mean that CW is bad it means there is a member that should be banned.
Title: Re: Important security notice about your CodeWalrus account
Post by: Lionel Debroux on December 07, 2015, 07:48:53 pm
Quote from: KermMartian on December 07, 2015, 07:21:36 pm
Of course, this all happened after the rest of the community noted how interesting it was that CodeWalrus was spared. That's a very unfortunate coincidence.

Strongly disappointed by your first comment ever on CW, Kerm, though not surprised nowadays. You know you can be a much more useful community member than you show here.
Title: Re: Important security notice about your CodeWalrus account
Post by: p4nix on December 07, 2015, 07:52:30 pm
Just ignore comments which lead to nowhere. :)
Coincidence is coincidence, proof is proof.
Title: Re: Important security notice about your CodeWalrus account
Post by: Sorunome on December 07, 2015, 08:29:03 pm
Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 am[...] According to Eeems, it looks like SMF doesn't salt+hash their passwords in a very secure way[...]
That was me, but OK :P
Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 am
[...]
We do not know how the attack occurred, we know that Omnimaga was two SMF versions behind and Omnimaga was not the only place attacked, as one of KermMartian e-mail account was also hit. Also, according to the Omnimaga topic and their IRC logs, the IP address used by the hacker is from France (although we do not know what it is).
[...]
At the time of the attack we were already at 2.0.11, Eeems ran upgrades a day or two earlier.
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 07, 2015, 10:01:34 pm
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all ?
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 10:11:27 pm
A backdoor is possible. I had this happen on TIMGUL in 2008. We used IB 1.3 and got hacked. When we switched to SMF, we still got hacked because a backdoor from the 1.3 days was still hidden in a folder somewhere.


Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Title: Re: Important security notice about your CodeWalrus account
Post by: KermMart̕ian on December 07, 2015, 10:39:23 pm
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pmCould it be Islamic State in response to our Paris attack thread? They don't like free speech so...
What? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).

Quote from: StreetwalrusThe attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all ?
The attacker had an administrator's password, and did not use any backdoors or brute force.
Title: Re: Important security notice about your CodeWalrus account
Post by: aeTIos on December 07, 2015, 10:43:02 pm
Quote from: KermMartian on December 07, 2015, 10:39:23 pm
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pmCould it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? Your oddly verbose attempts to find an explanation for this are getting amusingly out-of-hand.

Kerm, if you really have nothing constructive to add to the discussion, please don't post at all. We all know you are salty about CW, and it really looks like you're trying to shove the blame of the attacks on us. I used to think higher of you.
Title: Re: Important security notice about your CodeWalrus account
Post by: Keoni29 on December 07, 2015, 10:45:53 pm
Dun changed my password just to be safe.
Title: Re: Important security notice about your CodeWalrus account
Post by: aeTIos on December 07, 2015, 10:56:43 pm
Also, @KermMartian , when is new information about the hacker due? I'd like to see those claims backed up. I also see no point in keeping his information (at least his handle) private.
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 07, 2015, 10:57:42 pm
KermM, friendly reminder that
(https://codewalr.us/proxy.php?request=http%3A%2F%2Fe.lvme.me%2Fxmeh35.jpg&hash=ce143d1e22e2b21041d5251f00b70d60)

If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.

That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.
Title: Re: Important security notice about your CodeWalrus account
Post by: KermMart̕ian on December 07, 2015, 11:14:19 pm
Quote from: Streetwalrus on December 07, 2015, 10:57:42 pm
KermM, friendly reminder that [you have no power here]

If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.

That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.
Don't worry, I'm not blaming CodeWalrus as a whole; I respect almost all of you a great deal, I just wish you hadn't felt that the community needed to be subdivided further (@aeTIos too). Point taken, though; I certainly have no power here, and I wouldn't want anyone to think I was being mean. *doffs hat* A good day to you, ladies and gents. :)
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 07, 2015, 11:18:53 pm
Quote from: KermMartian on December 07, 2015, 10:39:23 pm
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pmCould it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).

Quote from: StreetwalrusThe attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all ?
The attacker had an administrator's password, and did not use any backdoors or brute force. The investigation was simplified by what user(s) were known to have that administrator's password.
The Islamic State comment was not really meant to be 100% serious, but given their goals and the fact they hacked sites before and the fact we have an active topic about them here, we never know. There are much bigger chances that it's a community member or a group of members who is fed up with the community and has decided to attack it at large. And it's not just a few select portions of the community, because Revsoft and CodeWalrus were attacked too. The CW attacks targeted my forum account yesterday at 6:20:16 PM GMT-5 (failed login attempt from 80.119.166.103) and Ivoah account at 7:34:23 PM (from 90.11.159.131)

There is also another suspicious IP from which two failed login attempts into Ivoah account happened yesterday, and it's 24.144.160.11. We do not know if it's legit or not, but since Ivoah has never posted a single message from that IP, then perhaps an eye should be kept on that one too.

But we cannot jump to conclusion by insinuating anything and accuse anyone yet, because slander and libel are as much of a crime as the hacking itself. We want to know the culprit as soon as possible and if legal actions have to be taken against him, then be it.
Title: Re: Important security notice about your CodeWalrus account
Post by: CVSoft on December 08, 2015, 01:03:17 am
I went through the access logs for BosaikNet and was unable to find any suspicious activity; no admin-login attempts were found and activity from IP addresses 90.11.159.131, 80.119.166.103, and 24.144.160.11 were not found in any access log. Whoever did this knew what domains they wanted to target.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 01:45:36 am
It's always possible that they browsed Omnimaga or other related sites for a while to gain more knowledge about which other related sites from the leaders there are, in order to target more, but the fact that only calculator sites have been targeted convinces me more that the culprit was somebody who is or used to be part of the TI community and hates it.

In any case, whoever did this will not win, because Omnimaga, Cemetech, Revsoft, TI-Planet, Ticalc.org and CodeWalrus are still standing today.
Title: Re: Important security notice about your CodeWalrus account
Post by: brentmaas on December 08, 2015, 07:44:03 am
I've noticed that the two IPs 90.11.159.131 and 80.119.166.103 are rather close to eachother, being located in adjacent towns, but the other IP, 24.144.160.11, is all the way in Pennsylvania (Next to a college = probably has a calculator = community member?)
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 07:59:45 am
I'm definitively thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has no single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.

But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.
Title: Re: Important security notice about your CodeWalrus account
Post by: brentmaas on December 08, 2015, 08:22:27 am
90.11.159.131 and 80.119.166.103 were located as Billère and Tarbes to me, both southern france/pyrenées
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 08:34:52 am
Strange that WHOIS info is different for two of us ???

Where did you get that info Brentmaas? I used http://iptrace.in
Title: Re: Important security notice about your CodeWalrus account
Post by: Keoni29 on December 08, 2015, 08:51:22 am
A smart attacker would try to leave no trace back to his own ip. These suspicious ip's in the logs come from attacks carried out by infected machines, via a vpn or the attacker is not smart.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 09:17:34 am
But how would an infected machine carry out such large scale attack without human intervention?
Title: Re: Important security notice about your CodeWalrus account
Post by: Keoni29 on December 08, 2015, 09:36:20 am
Usually these infected machines are listening on an IRC channel waiting for the command to attack.
Title: Re: Important security notice about your CodeWalrus account
Post by: brentmaas on December 08, 2015, 12:49:36 pm
Quote from: DJ Omnimaga on December 08, 2015, 08:34:52 am
Strange that WHOIS info is different for two of us ???

Where did you get that info Brentmaas? I used http://iptrace.in
http://yougetsignal.com
It has a couple of tools which are free to use.
Title: Re: Important security notice about your CodeWalrus account
Post by: alexgt on December 08, 2015, 02:16:57 pm
Do you think the attacker will be able to breach CW or no?

EDIT: it may be a little off topic but it was said in the first post something about a contest?
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 08, 2015, 02:23:04 pm
I don't think so, hopefully we reacted fast enough to change all of our passwords, at least for those who used the same as on omni. We should be fine.

As for the contest, yes, there is an upcoming contest.
Title: Re: Important security notice about your CodeWalrus account
Post by: alexgt on December 08, 2015, 02:26:06 pm
I thought so but is kinda weird that someone would go through all that effort just to get at the calc community. They must really hate us O.O
Title: Re: Important security notice about your CodeWalrus account
Post by: Ivoah on December 08, 2015, 02:26:52 pm
Quote from: DJ Omnimaga on December 08, 2015, 07:59:45 am
I'm definitively thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has no single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.

But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.


That was probably me trying to log into my account on my dad's iPad while on a car trip to a college in Pensylvania
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 06:42:22 pm
Thanks for checking that out Ivoah. :)
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 08, 2015, 07:06:32 pm
WARNING: I think HP Museum was also hit, but I am not sure.

Someone has changed my forum account there and it's entirely possible that I was using the same password there as I did on Omnimaga.

It took me multiple password reset attempts before the password reset tool finally works


You might want to check your HP Museum accounts at http://www.hpmuseum.org/forum/ in case you were attacked.

Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 04:20:21 am
@Streetwalrus ever since we updated login security, I notice an increase in failed login attempts in the logs from legit users/IP addresses. @rwill also reported that he got incorrect password errors even when entering the right password until a few tries and while the latter might be due to Holidays, online users in the last 7 days have decreased from 70 to 50 in less than a week. Mind notifying @Sorunome so he investigates in case his mod might be the culprit?
Title: Re: Important security notice about your CodeWalrus account
Post by: Sorunome on December 29, 2015, 06:50:00 am
Quote from: DJ Omnimaga on December 29, 2015, 04:20:21 am
[...]
Mind notifying @Sorunome so he investigates in case his mod might be the culprit?
In order to debug if it is related to the mod i'd need network logs of these failed login attempts, including timestamps and stuff. The password should be encrypted anyways but feel free to strip out the encrypted password on top of that.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 06:54:13 am
/me pokes @Juju and @Streetwalrus to share the logs, then.


Title: Re: Important security notice about your CodeWalrus account
Post by: Sorunome on December 29, 2015, 07:18:06 am
Quote from: DJ Omnimaga on December 29, 2015, 06:54:13 am
/me pokes @Juju and @Streetwalrus to share the logs, then.

The post-body and reply content doesn't land in server-side access logs, though, thus needing the logs of the client.
Server-side logs might help a bit, too.

Also, I am not saying that the login mod has a bug, all I'm saying is that it might have a bug and that these informations would be helpful to pinpoint if it has or if it hasn't. ;)
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 07:19:55 am
Wait, do every member that were potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
Title: Re: Important security notice about your CodeWalrus account
Post by: Sorunome on December 29, 2015, 07:20:53 am
Quote from: DJ Omnimaga on December 29, 2015, 07:19:55 am
Wait, do every member that were potentially affected (if any) need to send you special logs from their browser folder? Or do you mean we have to include the SMF error logs?
I mean that for the people to whom it happens it would be helpful if they could dump the output of the "network" tab in their debugging console (f12).
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 07:22:54 am
Ah I see. In any case, I hope if this happens to them, that they see this topic beforehand. Also does this apply to Windows and Mac as well?
Title: Re: Important security notice about your CodeWalrus account
Post by: rwill on December 29, 2015, 10:04:51 am
Regarding the type of login problems, Art_of_camelot made a thread about it and he had the same symptoms as I had, it just hangs on the loading part. It may only happen on the first login after the security update was deployed, it happened on my first login after the update and he created the thread 5 minutes after that. I do not know if it was his first login after the security update, one might need to ask him if one wants to investigate in this direction further. I did look at what I POST to the server on login and besides some 20kb hashed_paswd in the form, where I do not know where it comes from, I noticed nothing out of the ordinary and had no problems ever besides the one time after the security update. Ah well, good luck.

And hopefully unrelated, I got this email directing me to this thread:


Subject: rwill, you have been mentioned at a post in CodeWalrus
Hello rwill!

DJ Omnimaga mentioned you in the post "Sorunome, you have been mentioned at a post in CodeWalrus", you can view the post at https://codewalr.us/index.php?msg=28835

Regards,
CodeWalrus


While the Sorunome part is certainly not his post title I think.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 10:09:30 pm
The Sorunome mention bug is known. It's a problem on the user mention mod's side when we @mention/!call multiple people at once in one post. You would need to report it to the original author on SMF forums.

As for the login loading taking forever, I have the same problem happening on Omnimaga until about the third try. On CW it never happened to me, but logging in takes a long while (up to 10 seconds sometimes). This is definitively something that Soru needs to fix.

If it becomes too much of an issue or hinders our activity, then we might need to revert the changes and ditch this mod, at the cost of lowered security, and if security becomes a problem, then we could just require everyone to login via Reddit, Facebook, Github, Google or something like that until SMF 2.1 comes out.
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 29, 2015, 10:28:52 pm
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 10:29:52 pm
Oh, that could be an idea. Just as long as it doesn't require the regular users to do something special, because contacting 400 members to ensure that they do it doesn't mean all of them will get the message. :P
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on December 29, 2015, 10:31:26 pm
Removing it would be a site-wide admin option.
Title: Re: Important security notice about your CodeWalrus account
Post by: DJ Omnimaga on December 29, 2015, 10:45:41 pm
Yeah I am refering more to how we should avoid going the same route as the topic ID changes controversy , where no automated fix (eg a redirect or admins updating everyone's sigs) was available, thus, forcing thousands of people to manually fix their stuff themselves.
Title: Re: Important security notice about your CodeWalrus account
Post by: Sorunome on December 29, 2015, 10:49:49 pm
Quote from: Streetwalrus on December 29, 2015, 10:28:52 pm
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.


>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin pannel XD

EDIT: also
Quote<Sorunome> what might help is going into Subs-Auth.php search for the function getRSAValue (probably close to bottom), search for $smcFunc['db_query']('','DELETE FROM {db_prefix}rsa_keys WHERE ts < (NOW() - INTERVAL 1 MINUTE)'); and amke that to like 5 mins or so
Title: Re: Important security notice about your CodeWalrus account
Post by: Streetwalrus on January 01, 2016, 12:42:11 pm
Quote from: Sorunome on December 29, 2015, 10:49:49 pm
Quote from: Streetwalrus on December 29, 2015, 10:28:52 pm
The problem should be solvable by killing the RSA layer which is unnecessary since we have https. It's just a piece of js that can be disabled.
/me prods @Sorunome to make it optional.


>implying it isn't already optional
You just need to find where to set $context['disable_login_hashing'] in the admin pannel XD

Doesn't look like it's possible. Also a quick grep shows that pretty much everywhere it's set it's true.