Any risk to PMs?

Status
Not open for further replies.

Mong.

First and foremost, a huge thanks to RM for keeping the site up and running despite the malicious intent of others. I can't imagine that the extra work required is all that much fun, and I'm always grateful to be part of such a great community that would cease to exist without your efforts.

Regarding the recent hacking attack, I wondered if there was any threat to the contents of our PMs. The B/S/T obviously requires the exchange of personal info, such as PayPal and physical addresses. I've just taken the (probably unnecessary) step of deleting all sent and received messages from my inbox/outbox. I'm just curious as to whether or not there's any value at all in having done that, and if backups of PMs are kept on the server that might persist after user deletion.

This should probably stand as a reminder to myself (and perhaps others) that personal info should be kept to a minimum, probably only PayPal, really.
 
The VB database runs as a different user in the Linux space, with a separate password. The forum software obviously has that password (so it can generate HTML from the DB).

This database also holds your forum usernames and passwords in a hashed + salted method. It would be very difficult to get a user password out of the database as it involves running rainbow tables and looking up against many passwords which are hashed then salted with a different salt each time.

PMs would be easier to get at, if the hackers were able to get a dump of the SQL database. Due to checks of the logs and reviewing the scripts they attempted to run, we are certain they did not get this.

From what I can ascertain, the general attempt at this time was to gain the passwd file to the Linux system underneath. Again, that failed due to the fact that the Webserver does not have permissions to that file. The best they could then do is inject a new .htaccess file into the system to try some redirected scripts but again none were able to run due to the different permissions of the files they injected.

After spending a number of hours today looking at the cloned VM, I'm happy to call this one over. We took the opportunity to change the Linux passwords for administrative users, the database and a few other Linux-level users.

There are backups of the VM taken at regular intervals which are downloaded offsite (at my home) for restore purposes just in case of a massive server meltdown. These are held for a month then deleted. The PMs are part of that, but the PMs are not specifically backed up, no.
 
Echo the thanks above, RM - appreciate all your work to keep P&C going!
 
Brilliant mate, thanks for the explanation. Paranoia sated.
 
Love your work RM. If you get over to Perth the beers are on me!

I can't help but wonder if we are the target of some sort of shave-site espionage :blink::wacko::evil:
 
Unfortunately not - just script kiddies exploiting holes in the hosting panel software. Unfortunately the hosting panel I chose has no way of getting the security patches emailed to me, so I have to check them myself.
 
but but but conspiracy theory?

I have been sitting here all day with my tin-foil hat on for no reason?

Did it keep you dry?
If yes, then no.
If no, then yes!
 
Seems like more checking tonight has found some FTP logs where they tend to be using a few more 'direct' usernames than I am comfortable with. When I say this, it is not because I believe that any data has been captured, but they have done a lookup of all the domains I host on this machine, and are now trying to brute-force the usernames based on the domains.

For instance, I host 'themonsta.id.au' on this box - it's just a file hosting dump really.... pictures etc. I am seeing attempts on usernames like 'themonsta', 'id.au' and similar where I was not seeing that 6-8 weeks ago. But the funny thing is there is only one FTP account on this VM and it's nothing like any of those!

As a precaution only, I have firewalled out all SSH & FTP connections other than my home IP address. I have other means of getting to the hosting console too just in case something goes very wrong like Internode changing my IP!

I'm closing the thread, not because I want to hide anything, but because I think things are very secure now, and it's time to get on with the normal P&C shaving discussion.
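As an added illustration of the domain-based username guessing described in the post above (not code from the thread or the forum's host): a small Python check that derives the usernames an attacker could guess from a hosted domain name and flags source IPs whose failed FTP logins use them. The vsftpd-style log format, the client IPs and the log lines are constructed assumptions; 'themonsta.id.au' is the domain mentioned in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in a vsftpd-style log format (an assumption: the
# thread does not show the server's real log format or the real client IPs).
SAMPLE_LOG = """\
Tue Mar  3 02:11:04 2015 [pid 2] [themonsta] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  3 02:11:06 2015 [pid 2] [id.au] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  3 02:11:09 2015 [pid 2] [monsta] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  3 02:11:11 2015 [pid 2] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  3 08:30:15 2015 [pid 2] [siteowner] OK LOGIN: Client "198.51.100.2"
"""

# Domains hosted on the box; 'themonsta.id.au' is the one named in the post.
HOSTED_DOMAINS = ["themonsta.id.au"]

LOG_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def domain_derived_usernames(domains):
    """Usernames an attacker could derive from a hosted domain name: the
    full name, each label, each suffix ('id.au', 'au') and the labels
    joined together ('themonstaidau')."""
    guesses = set()
    for domain in domains:
        labels = domain.lower().split(".")
        guesses.add(domain.lower())
        guesses.update(labels)
        guesses.update(".".join(labels[i:]) for i in range(1, len(labels)))
        guesses.add("".join(labels))
    return guesses


def flag_domain_guessing(log_text, domains, min_failures=2):
    """Return {ip: {'failed': n, 'domain_derived': [...]}} for clients with
    >= min_failures failed logins that tried a domain-derived username."""
    derived = domain_derived_usernames(domains)
    failed = defaultdict(int)
    matched = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["result"] != "FAIL":
            continue  # successful logins are never counted
        failed[m["ip"]] += 1
        if m["user"].lower() in derived:
            matched[m["ip"]].add(m["user"].lower())
    return {ip: {"failed": n, "domain_derived": sorted(matched[ip])}
            for ip, n in failed.items() if n >= min_failures and matched[ip]}
```

A client that only fails with unrelated names (such as 'admin') is not flagged by this check; raising min_failures or feeding the output to the firewall rule described in the post are the obvious next steps.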
 
Sorry guys, forgot to allow DNS through the Firewall! :embarrest:

All good now.
 