
Important security notice about your CodeWalrus account

Started by DJ Omnimaga, December 06, 2015, 04:31:35 am


p4nix

Just ignore comments which lead to nowhere. :)
Coincidence is coincidence, proof is proof.

Sorunome

Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 am
[...] According to Eeems, it looks like SMF doesn't salt+hash their passwords in a very secure way [...]
That was me, but OK :P
Quote from: DJ Omnimaga on December 06, 2015, 04:31:35 am
[...]
We do not know how the attack occurred; we know that Omnimaga was two SMF versions behind and that Omnimaga was not the only place attacked, as one of KermMartian's e-mail accounts was also hit. Also, according to the Omnimaga topic and their IRC logs, the IP address used by the hacker is from France (although we do not know what it is).
[...]
At the time of the attack we were already at 2.0.11, Eeems ran upgrades a day or two earlier.
This is a signature.
And now......give me an internet!

To be or not to be.........is that even a question? Who gets to decide this anyways?

Streetwalrus

The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?

DJ Omnimaga

December 07, 2015, 10:11:27 pm #33 Last Edit: December 07, 2015, 10:16:00 pm by DJ Omnimaga
A backdoor is possible. I had this happen on TIMGUL in 2008. We used IB 1.3 and got hacked. When we switched to SMF, we still got hacked because a backdoor from the 1.3 days was still hidden in a folder somewhere.


Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...

KermMartian

December 07, 2015, 10:39:23 pm #34 Last Edit: December 09, 2015, 02:09:18 am by KermMartian
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pm
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
What? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).

Quote from: Streetwalrus
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?
The attacker had an administrator's password, and did not use any backdoors or brute force.

aeTIos

Quote from: KermMartian on December 07, 2015, 10:39:23 pm
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pm
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? Your oddly verbose attempts to find an explanation for this are getting amusingly out-of-hand.

Kerm, if you really have nothing constructive to add to the discussion, please don't post at all. We all know you are salty about CW, and it really looks like you're trying to shove the blame of the attacks on us. I used to think higher of you.
this is not a signature

Keoni29

If you like my work, why not give me an internet?

aeTIos

Also, @KermMartian, when is new information about the hacker due? I'd like to see those claims backed up. I also see no point in keeping his information (at least his handle) private.
this is not a signature

Streetwalrus

KermM, friendly reminder that [you have no power here]
If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.

That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.

KermMartian

Quote from: Streetwalrus on December 07, 2015, 10:57:42 pm
KermM, friendly reminder that [you have no power here]

If you have something interesting to say, say it. All your baseless accusations, as implicit as they are, hold no value though. Either post proof of what you're saying or don't post at all.

That said it looks to me like most of the community is under attack, even our own logs show that the suspicious IPs are trying to access CW with the passwords they stole, as well as ticalc.org and Revsoft.
Don't worry, I'm not blaming CodeWalrus as a whole; I respect almost all of you a great deal, I just wish you hadn't felt that the community needed to be subdivided further (@aeTIos too). Point taken, though; I certainly have no power here, and I wouldn't want anyone to think I was being mean. *doffs hat* A good day to you, ladies and gents. :)

DJ Omnimaga

Quote from: KermMartian on December 07, 2015, 10:39:23 pm
Quote from: DJ Omnimaga on December 07, 2015, 10:11:27 pm
Could it be Islamic State in response to our Paris attack thread? They don't like free speech so...
Hahahahaha what? That seems like a stretch, especially since the Omnimaga staff and I determined that it's a community member performing these attacks (and they've been focused on a few select portions of the community).

Quote from: Streetwalrus
The attacker could have prepared his attack before you guys updated by setting up a backdoor. Did they leave anything behind on the server or did they kill it all?
The attacker had an administrator's password, and did not use any backdoors or brute force. The investigation was simplified by what user(s) were known to have that administrator's password.
The Islamic State comment was not really meant to be 100% serious, but given their goals, the fact they hacked sites before and the fact we have an active topic about them here, we never know. There are much bigger chances that it's a community member or a group of members who are fed up with the community and have decided to attack it at large. And it's not just a few select portions of the community, because Revsoft and CodeWalrus were attacked too. The CW attacks targeted my forum account yesterday at 6:20:16 PM GMT-5 (failed login attempt from 80.119.166.103) and Ivoah's account at 7:34:23 PM (from 90.11.159.131).

There is also another suspicious IP from which two failed login attempts into Ivoah's account happened yesterday, and it's 24.144.160.11. We do not know if it's legit or not, but since Ivoah has never posted a single message from that IP, perhaps an eye should be kept on that one too.

But we cannot jump to conclusions by insinuating anything or accusing anyone yet, because slander and libel are as much of a crime as the hacking itself. We want to know the culprit as soon as possible, and if legal action has to be taken against him, then so be it.

CVSoft

I went through the access logs for BosaikNet and was unable to find any suspicious activity; no admin-login attempts were found, and activity from IP addresses 90.11.159.131, 80.119.166.103, and 24.144.160.11 was not found in any access log. Whoever did this knew what domains they wanted to target.
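The check CVSoft describes (sweeping a web server's access log for a handful of reported IPs and for hits on the forum's login/admin entry points) is easy to script so it can be re-run on every site in a community that shares admins. The following is an added example, not code from any post in this thread or from the SMF project: it assumes Apache/nginx "combined" log format and that the forum is SMF, whose login form posts to `index.php?action=login2` and whose admin panel lives under `action=admin`. The three IPs are the ones reported earlier in the thread; the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict

# IPs reported in this thread as sources of failed login attempts.
WATCHLIST = {"80.119.166.103", "90.11.159.131", "24.144.160.11"}

# Assumption: the server writes Apache/nginx "combined" format.
#   <ip> <ident> <user> [<time>] "<method> <path> <proto>" <status> <bytes> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: SMF login form target and admin panel entry point.
LOGIN_PATTERNS = ("action=login2", "action=admin")

# Constructed sample log, not a real server's records. 203.0.113.x and
# 198.51.100.x are documentation ranges used as stand-ins for ordinary visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Dec/2015:18:19:58 -0500] "GET /index.php?topic=1234.0 HTTP/1.1" 200 5120
80.119.166.103 - - [06/Dec/2015:18:20:16 -0500] "POST /index.php?action=login2 HTTP/1.1" 200 1432
80.119.166.103 - - [06/Dec/2015:18:20:20 -0500] "GET /index.php?action=admin HTTP/1.1" 403 512
90.11.159.131 - - [06/Dec/2015:19:34:23 -0500] "POST /index.php?action=login2 HTTP/1.1" 200 1432
198.51.100.7 - - [06/Dec/2015:19:40:01 -0500] "POST /index.php?action=login2 HTTP/1.1" 302 0
24.144.160.11 - - [06/Dec/2015:20:01:44 -0500] "GET /index.php?board=3.0 HTTP/1.1" 200 8801
this line is garbage and must be skipped
"""


def scan_access_log(lines, watchlist=WATCHLIST):
    """Sweep access-log lines for two things at once.

    Returns (watchlist_hits, login_attempts):
      watchlist_hits: ip -> list of (time, method, path, status) for every
                      request from an IP on the watchlist
      login_attempts: ip -> number of requests touching a login/admin entry
                      point, for all IPs (so unknown sources show up too)
    Malformed lines are skipped rather than aborting the sweep.
    """
    hits = defaultdict(list)
    login_attempts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        if ip in watchlist:
            hits[ip].append((m["time"], m["method"], path, int(m["status"])))
        if any(p in path for p in LOGIN_PATTERNS):
            login_attempts[ip] += 1
    return dict(hits), dict(login_attempts)


def report(hits, login_attempts):
    """Human-readable summary of a sweep, one line per finding."""
    out = []
    for ip, reqs in sorted(hits.items()):
        for time, method, path, status in reqs:
            out.append(f"WATCHLIST {ip} {time} {method} {path} -> {status}")
    for ip, n in sorted(login_attempts.items(), key=lambda kv: -kv[1]):
        out.append(f"LOGIN/ADMIN {ip}: {n} request(s)")
    return "\n".join(out)


if __name__ == "__main__":
    h, l = scan_access_log(SAMPLE_LOG.splitlines())
    print(report(h, l))
```

Run against a real log with `scan_access_log(open("/var/log/apache2/access.log"))`; a watchlist IP that never appears, as on BosaikNet, simply yields an empty `hits` entry, while `login_attempts` still surfaces any unfamiliar address hammering the login form.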

DJ Omnimaga

It's always possible that they browsed Omnimaga or other related sites for a while to gain more knowledge about which other related sites from the leaders there are, in order to target more, but the fact that only calculator sites have been targeted convinces me more that the culprit was somebody who is or used to be part of the TI community and hates it.

In any case, whoever did this will not win, because Omnimaga, Cemetech, Revsoft, TI-Planet, Ticalc.org and CodeWalrus are still standing today.

brentmaas

I've noticed that the two IPs 90.11.159.131 and 80.119.166.103 are rather close to each other, being located in adjacent towns, but the other IP, 24.144.160.11, is all the way in Pennsylvania (next to a college = probably has a calculator = community member?)
Lel I glitched Omni

DJ Omnimaga

I'm definitely thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has not a single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.

But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.
