Server compromised, expect downtime

thumbnail
Daniel M. Ingram, modified 8 Months ago.

Server compromised, expect downtime

Posts: 3192 Join Date: 4/20/09 Recent Posts
Dear DhO,

Our server on Hetzner is compromised, they tell me, so will shut this server down shortly until we can get this sorted, I think.

Apologies for the interruption.

Best wishes,

Daniel
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Were any of our credentials compromised?
thumbnail
Daniel M. Ingram, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3192 Join Date: 4/20/09 Recent Posts
Ok, the warnings went away when a WordPress site that is also hosted there was updated, so may have been that simple. Will hopefully know more today and will check around to make sure all is well. Let's presume all is well for the moment, but will keep you all updated. If the DhO does need to go down for maintenance and the like, I will post something on my Twitter account @danielmingram about what is going on and when it might be back up.
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Sounds like a plan.
thumbnail
Daniel M. Ingram, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3192 Join Date: 4/20/09 Recent Posts
Ok, was wrong, not fixed, heck. Got a message last night saying was ok, now a new message that it is not.

Hopefully, Simon will be able to sort it.

Thanks for your patience!
thumbnail
Daniel M. Ingram, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3192 Join Date: 4/20/09 Recent Posts
Ok, after Simon was kind enough to do some excellent tech support, it appears that the problem is Liferay, so it will need to be upgraded to Liferay 7, and the last time we tried this we failed completely, so I will engage some paid expertise to sort this out. If people wonder what I do with the little bit of money I make on MCTB2, it is this sort of thing.

Thanks for your patience.

Expect DhO instability in the coming days. Save large new posts that you care about in a text file or something like that.

We have backups through today, so that's good.

Best wishes,

Daniel
thumbnail
Linda ”Polly Ester” Ö, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 5758 Join Date: 12/8/18 Recent Posts
Is this why replying with quotes is malfunctioning?
thumbnail
J W, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 458 Join Date: 2/11/20 Recent Posts
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
thumbnail
J W, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 458 Join Date: 2/11/20 Recent Posts
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
thumbnail
Zachary, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 199 Join Date: 3/16/18 Recent Posts
J W:
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.

Some hackers just like to break in to sites for sport, though they could be after user credentials. Since we don't know yet if credentials were comprimised, if you re-use your DhO account password on any other service/app/site, it'd be a good idea to change your password there. 
thumbnail
Siavash, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1350 Join Date: 5/5/19 Recent Posts
Don't worry! No one would pay for DhO passwords. It should be something that you could sell it, or something that could open the doors to find something that you could sell it, or gain some power on something or someone and etc. DhO data should not be in those categories, normally!

(Passwords are usually hashed and are not easy to retrieve, if you could do it at all.)
thumbnail
Lewis James, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 155 Join Date: 5/13/15 Recent Posts
Once a software vulnerability is made public and widely available people will set up bots to scan through sites looking for known insecure versions and compromising them / injecting a backdoor / etc on the off-chance they find something valuable.

Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:

https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930

A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.

However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.

There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:

https://www.cvedetails.com/cve/CVE-2019-16891/

This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.

Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).

Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
thumbnail
Angel Roberto Puente, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 252 Join Date: 5/5/19 Recent Posts
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?
thumbnail
Papa Che Dusko, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1981 Join Date: 3/1/20 Recent Posts
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?

LOL emoticon Priceless! emoticon 
thumbnail
Not two, not one, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 931 Join Date: 7/13/17 Recent Posts
Papa Che Dusko:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?

LOL emoticon Priceless! emoticon 

Lol. very good!  Also a promising shortcut, if attainments could be gotten rid of that easily.  emoticonemoticonemoticon emoticon
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
thumbnail
Ni Nurta, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 729 Join Date: 2/22/20 Recent Posts
Chris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
Damm, how am I supposed to remember different password than "password"? emoticon
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Try "12345"
thumbnail
Siavash, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1350 Join Date: 5/5/19 Recent Posts
Chris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.


If someone is using their DhO password in other websites/apps/services, I think the thing they should do is to change their passwords on those websites/apps/services, and more importantly be sure that they have a recovery method for their passwords in those systems that they can use if they lost their passwords. Changing DhO password, I don't think is very helpful. The passwords in the database are likely safe.

If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Changing DhO password, I don't think is very helpful.

Yes, that's right. I've changed my DhO password even though I use a strong password generator (1Password) for all my passwords. I plan to change it often until we know what's up. Also, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.
thumbnail
Siavash, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1350 Join Date: 5/5/19 Recent Posts
 I use a strong password generator (<This_is_part_of_the_credentials>) for all my passwords.


Mentioning what you use for your password generation would change my options if I wanted to attack you! ;)
thumbnail
Chris Marti, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 3994 Join Date: 1/26/13 Recent Posts
Mentioning what you use for your password generation would change my options if I wanted to attack you! ;)

Sure.
thumbnail
Daniel M. Ingram, modified 7 Months ago.

RE: Server compromised, expect downtime

Posts: 3192 Join Date: 4/20/09 Recent Posts
Simon The Oak has patched what we think was the problem, installed software to scan for files and programs that shouldn't be there, but, still, this version of Liferay is old and has known vulnerabilities, as pointed out above, so Manish is currently trying to upgrade the platform: may his noble efforts go well!

Many thanks to the volunteer support team!

I don't think at this point that the DhO itself was compromised, but that they managed to get access to the server through it and use it to attack other sites, which is still a serious problem, as Hetzner, where we are currently hosted, has a very low tolerance for that sort of thing, so the primary threat to the DhO was them shutting the server down, I think. More updates as they become available.
thumbnail
Siavash, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1350 Join Date: 5/5/19 Recent Posts
Also, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.


Just in the context of DhO. If it was a bank for example, that would be a completely different story. Also if there are personal interests/conflicts, that can change it too. I am just emphasizing priorities for an attacker and for the server.
thumbnail
Ni Nurta, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 729 Join Date: 2/22/20 Recent Posts
Siavash:

If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
That is why I patiently wait until the white borderless box disappear.

I do not worry about my account too much. It is not my self and is impermanent anyway.
thumbnail
Siavash, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1350 Join Date: 5/5/19 Recent Posts
That is why I patiently wait until the white borderless box disappear.


Yes. I think this is the right thing to do for most DhO members on DhO currently (Assuming they do the basics: Using firewalls, updating their operating system, updating their browser to its latest version, having security settings on browser at standard or ahigher level, using browser' safety checks, checking ssl lock icon on their browser address bar, not sharing same passwords among different apps...). And considering that DhO uses Single SignOn, and most users do not login each time they use DhO, and instead of actual password, a token is sent to the server that is stored by the browser and the operating system.
thumbnail
Zachary, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 199 Join Date: 3/16/18 Recent Posts
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?


Haha, was the hacker able to access any jhanas? 
thumbnail
Papa Che Dusko, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 1981 Join Date: 3/1/20 Recent Posts
Zachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?


Haha, was the hacker able to access any jhanas? 

LoL emoticon This is getting better emoticon Hacker tried but failed; apparently couldn't manage to crack the password: niMiTTa 
thumbnail
Ni Nurta, modified 8 Months ago.

RE: Server compromised, expect downtime

Posts: 729 Join Date: 2/22/20 Recent Posts
Zachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Are we in danger of losing our attainments?
Haha, was the hacker able to access any jhanas? 
Not sure jhanas but hell realms, hungry ghost realms and animal realms they will surely be able to access

Breadcrumb