Server compromised, expect downtime - Discussion
Server compromised, expect downtime
Daniel M Ingram, modified 4 Years ago at 11/24/20 12:05 AM
Created 4 Years ago at 11/24/20 12:05 AM
Server compromised, expect downtime
Posts: 3293 Join Date: 4/20/09 Recent Posts
Dear DhO,
Our server on Hetzner is compromised, they tell me, so will shut this server down shortly until we can get this sorted, I think.
Apologies for the interruption.
Best wishes,
Daniel
Our server on Hetzner is compromised, they tell me, so will shut this server down shortly until we can get this sorted, I think.
Apologies for the interruption.
Best wishes,
Daniel
Chris M, modified 4 Years ago at 11/24/20 7:17 AM
Created 4 Years ago at 11/24/20 7:17 AM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent PostsDaniel M Ingram, modified 4 Years ago at 11/24/20 10:37 AM
Created 4 Years ago at 11/24/20 10:37 AM
RE: Server compromised, expect downtime
Posts: 3293 Join Date: 4/20/09 Recent Posts
Ok, the warnings went away when a WordPress site that is also hosted there was updated, so may have been that simple. Will hopefully know more today and will check around to make sure all is well. Let's presume all is well for the moment, but will keep you all updated. If the DhO does need to go down for maintenance and the like, I will post something on my Twitter account @danielmingram about what is going on and when it might be back up.
Chris M, modified 4 Years ago at 11/24/20 11:10 AM
Created 4 Years ago at 11/24/20 11:10 AM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent PostsDaniel M Ingram, modified 4 Years ago at 11/24/20 11:11 AM
Created 4 Years ago at 11/24/20 11:11 AM
RE: Server compromised, expect downtime
Posts: 3293 Join Date: 4/20/09 Recent Posts
Ok, was wrong, not fixed, heck. Got a message last night saying was ok, now a new message that it is not.
Hopefully, Simon will be able to sort it.
Thanks for your patience!
Hopefully, Simon will be able to sort it.
Thanks for your patience!
Daniel M Ingram, modified 4 Years ago at 11/24/20 11:48 AM
Created 4 Years ago at 11/24/20 11:48 AM
RE: Server compromised, expect downtime
Posts: 3293 Join Date: 4/20/09 Recent Posts
Ok, after Simon was kind enough to do some excellent tech support, it appears that the problem is Liferay, so it will need to be upgraded to Liferay 7, and the last time we tried this we failed completely, so I will engage some paid expertise to sort this out. If people wonder what I do with the little bit of money I make on MCTB2, it is this sort of thing.
Thanks for your patience.
Expect DhO instability in the coming days. Save large new posts that you care about in a text file or something like that.
We have backups through today, so that's good.
Best wishes,
Daniel
Thanks for your patience.
Expect DhO instability in the coming days. Save large new posts that you care about in a text file or something like that.
We have backups through today, so that's good.
Best wishes,
Daniel
Angel Roberto Puente, modified 4 Years ago at 11/24/20 12:04 PM
Created 4 Years ago at 11/24/20 12:04 PM
RE: Server compromised, expect downtime
Posts: 281 Join Date: 5/5/19 Recent PostsPapa Che Dusko, modified 4 Years ago at 11/24/20 12:13 PM
Created 4 Years ago at 11/24/20 12:13 PM
RE: Server compromised, expect downtime
Posts: 3128 Join Date: 3/1/20 Recent PostsAngel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
LOL Priceless!
Linda ”Polly Ester” Ö, modified 4 Years ago at 11/24/20 12:33 PM
Created 4 Years ago at 11/24/20 12:33 PM
RE: Server compromised, expect downtime
Posts: 7135 Join Date: 12/8/18 Recent PostsJ W, modified 4 Years ago at 11/24/20 3:02 PM
Created 4 Years ago at 11/24/20 3:02 PM
RE: Server compromised, expect downtime
Posts: 711 Join Date: 2/11/20 Recent Posts
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
J W, modified 4 Years ago at 11/24/20 4:21 PM
Created 4 Years ago at 11/24/20 4:21 PM
RE: Server compromised, expect downtime
Posts: 711 Join Date: 2/11/20 Recent Posts
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
Guess we should all be watching our accounts and report here if anyone gets hacked.
Z , modified 4 Years ago at 11/24/20 5:14 PM
Created 4 Years ago at 11/24/20 5:13 PM
RE: Server compromised, expect downtime
Posts: 201 Join Date: 3/16/18 Recent PostsJ W:
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
Guess we should all be watching our accounts and report here if anyone gets hacked.
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Some hackers just like to break in to sites for sport, though they could be after user credentials. Since we don't know yet if credentials were comprimised, if you re-use your DhO account password on any other service/app/site, it'd be a good idea to change your password there.
Z , modified 4 Years ago at 11/24/20 7:52 PM
Created 4 Years ago at 11/24/20 5:15 PM
RE: Server compromised, expect downtime
Posts: 201 Join Date: 3/16/18 Recent PostsAngel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Haha, was the hacker able to access any jhanas?
Siavash ', modified 4 Years ago at 11/24/20 5:17 PM
Created 4 Years ago at 11/24/20 5:17 PM
RE: Server compromised, expect downtime
Posts: 1700 Join Date: 5/5/19 Recent Posts
Don't worry! No one would pay for DhO passwords. It should be something that you could sell it, or something that could open the doors to find something that you could sell it, or gain some power on something or someone and etc. DhO data should not be in those categories, normally!
(Passwords are usually hashed and are not easy to retrieve, if you could do it at all.)
(Passwords are usually hashed and are not easy to retrieve, if you could do it at all.)
Papa Che Dusko, modified 4 Years ago at 11/24/20 11:40 PM
Created 4 Years ago at 11/24/20 11:40 PM
RE: Server compromised, expect downtime
Posts: 3128 Join Date: 3/1/20 Recent PostsZachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Haha, was the hacker able to access any jhanas?
LoL This is getting better Hacker tried but failed; apparently couldn't manage to crack the password: niMiTTa
Pawel K, modified 4 Years ago at 11/25/20 12:16 AM
Created 4 Years ago at 11/25/20 12:16 AM
RE: Server compromised, expect downtime
Posts: 1172 Join Date: 2/22/20 Recent PostsZachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Not two, not one, modified 4 Years ago at 11/25/20 2:08 AM
Created 4 Years ago at 11/25/20 2:08 AM
RE: Server compromised, expect downtime
Posts: 1053 Join Date: 7/13/17 Recent PostsPapa Che Dusko:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
LOL Priceless!
Lol. very good! Also a promising shortcut, if attainments could be gotten rid of that easily.
Chris M, modified 4 Years ago at 11/25/20 7:57 AM
Created 4 Years ago at 11/25/20 7:57 AM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent Posts
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
Pawel K, modified 4 Years ago at 11/25/20 8:15 AM
Created 4 Years ago at 11/25/20 8:15 AM
RE: Server compromised, expect downtime
Posts: 1172 Join Date: 2/22/20 Recent PostsChris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
Chris M, modified 4 Years ago at 11/25/20 8:19 AM
Created 4 Years ago at 11/25/20 8:19 AM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent PostsLewis James, modified 4 Years ago at 11/25/20 11:05 AM
Created 4 Years ago at 11/25/20 11:05 AM
RE: Server compromised, expect downtime
Posts: 155 Join Date: 5/13/15 Recent Posts
Once a software vulnerability is made public and widely available people will set up bots to scan through sites looking for known insecure versions and compromising them / injecting a backdoor / etc on the off-chance they find something valuable.
Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930
A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.
However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.
There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:
https://www.cvedetails.com/cve/CVE-2019-16891/
This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.
Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).
Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930
A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.
However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.
There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:
https://www.cvedetails.com/cve/CVE-2019-16891/
This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.
Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).
Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
Siavash ', modified 4 Years ago at 11/25/20 3:48 PM
Created 4 Years ago at 11/25/20 3:48 PM
RE: Server compromised, expect downtime
Posts: 1700 Join Date: 5/5/19 Recent PostsChris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
If someone is using their DhO password in other websites/apps/services, I think the thing they should do is to change their passwords on those websites/apps/services, and more importantly be sure that they have a recovery method for their passwords in those systems that they can use if they lost their passwords. Changing DhO password, I don't think is very helpful. The passwords in the database are likely safe.
If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
Chris M, modified 4 Years ago at 11/25/20 4:10 PM
Created 4 Years ago at 11/25/20 4:08 PM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent PostsChanging DhO password, I don't think is very helpful.
Yes, that's right. I've changed my DhO password even though I use a strong password generator (1Password) for all my passwords. I plan to change it often until we know what's up. Also, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.
Siavash ', modified 4 Years ago at 11/25/20 4:11 PM
Created 4 Years ago at 11/25/20 4:11 PM
RE: Server compromised, expect downtime
Posts: 1700 Join Date: 5/5/19 Recent Posts I use a strong password generator (<This_is_part_of_the_credentials>) for all my passwords.
Mentioning what you use for your password generation would change my options if I wanted to attack you! ;)
Siavash ', modified 4 Years ago at 11/25/20 4:17 PM
Created 4 Years ago at 11/25/20 4:13 PM
RE: Server compromised, expect downtime
Posts: 1700 Join Date: 5/5/19 Recent PostsAlso, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.
Just in the context of DhO. If it was a bank for example, that would be a completely different story. Also if there are personal interests/conflicts, that can change it too. I am just emphasizing priorities for an attacker and for the server.
Pawel K, modified 4 Years ago at 11/25/20 4:54 PM
Created 4 Years ago at 11/25/20 4:54 PM
RE: Server compromised, expect downtime
Posts: 1172 Join Date: 2/22/20 Recent PostsSiavash:
If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
I do not worry about my account too much. It is not my self and is impermanent anyway.
Siavash ', modified 4 Years ago at 11/25/20 6:34 PM
Created 4 Years ago at 11/25/20 4:58 PM
RE: Server compromised, expect downtime
Posts: 1700 Join Date: 5/5/19 Recent PostsThat is why I patiently wait until the white borderless box disappear.
Yes. I think this is the right thing to do for most DhO members on DhO currently (Assuming they do the basics: Using firewalls, updating their operating system, updating their browser to its latest version, having security settings on browser at standard or ahigher level, using browser' safety checks, checking ssl lock icon on their browser address bar, not sharing same passwords among different apps...). And considering that DhO uses Single SignOn, and most users do not login each time they use DhO, and instead of actual password, a token is sent to the server that is stored by the browser and the operating system.
Chris M, modified 4 Years ago at 11/26/20 9:01 AM
Created 4 Years ago at 11/26/20 9:01 AM
RE: Server compromised, expect downtime
Posts: 5474 Join Date: 1/26/13 Recent PostsMentioning what you use for your password generation would change my options if I wanted to attack you! ;)
Sure.
Daniel M Ingram, modified 4 Years ago at 11/29/20 11:40 AM
Created 4 Years ago at 11/29/20 11:40 AM
RE: Server compromised, expect downtime
Posts: 3293 Join Date: 4/20/09 Recent Posts
Simon The Oak has patched what we think was the problem, installed software to scan for files and programs that shouldn't be there, but, still, this version of Liferay is old and has known vulnerabilities, as pointed out above, so Manish is currently trying to upgrade the platform: may his noble efforts go well!
Many thanks to the volunteer support team!
I don't think at this point that the DhO itself was compromised, but that they managed to get access to the server through it and use it to attack other sites, which is still a serious problem, as Hetzner, where we are currently hosted, has a very low tolerance for that sort of thing, so the primary threat to the DhO was them shutting the server down, I think. More updates as they become available.
Many thanks to the volunteer support team!
I don't think at this point that the DhO itself was compromised, but that they managed to get access to the server through it and use it to attack other sites, which is still a serious problem, as Hetzner, where we are currently hosted, has a very low tolerance for that sort of thing, so the primary threat to the DhO was them shutting the server down, I think. More updates as they become available.