I have evidence that someone may have breached site security, with the specific intention of obstructing my own use of it.
A little under three hours ago, I uploaded a fractal, made two other posts, then tried to vote on some of the contest entries. "Tried" is the operative term. I watched the first entry in the film section, selected a vote, and clicked "Rate Picture". At that moment, apparently, a rule was created on the site to redirect all HTTP requests coming from the IP 67.70.56.48 (which was mine, at that time) to a bogus "connection problems" page (which was in no way easily mistaken for a genuine, browser-generated "connection timeout" message). I tried reloading the page I was on, then the front page of the site, all with the same bogus response, then borrowed another machine and net connection and found the site responding normally when contacted from there, indicating that whatever had happened, I'd been singled out for some special "honor".
I have since determined that it's a narrow IP-based block; deliberately losing my DHCP lease and getting a fresh IP assigned by my network provider sufficed to circumvent it. The new IP differs from the old in only the last two octets and still it works.
This establishes, beyond a reasonable doubt, the following facts:
1. On or about 6:40 Eastern time, somebody sought to block my access to this site.
2. That somebody did NOT use the moderator's banhammer to do so, suggesting that it was not a moderator responsible and thus that the block lacks any legitimacy.
3. The methods that were used, to wit a low-level .htaccess redirect based on IP, suggest that the web server was compromised, but the forum DB was *not*. Otherwise the attacker would have deleted pauldelbrot from table users or something instead. Or else, the attacker is clueless about phpBB and its numerous imitators including SMF, and utterly at sea with MySQL, but knows how Apache works well enough to hack a simple .htaccess-based ban.
This, in turn, suggests that the following courses of action be strongly recommended:
1. Restore the .htaccess of a few days ago, to undo the block against 67.70.56.48 and any other tampering that may have accompanied its insertion.
2. Identify how the miscreant got in and modified the file, and block the exploit that was used. It may be as simple as belatedly applying a patch to the server, to SMF, or (most likely) to PHP. If a zero-day was used, then it will take someone knowledgeable about the innards of the affected component (likely PHP) to find and fix the hole, and the fix should then be submitted to PHP's maintainers, or, failing that, the hole reported to them.
3. If there are other hardening actions that can be taken, for example to make .htaccess root-writable only and read-only to all of the browser-associated processes, that would obstruct the particular attack observed today while avoiding any nasty side effects, then those should be done as well. (On the other hand, if .htaccess is already only root-writable and was in fact the site of the sabotage blocking 67.70.56.48, then you're dealing with a root compromise. If you have remotely current backups, I'd then recommend NFO and reimage the whole system.)
4. The intruder appears to have singled me out, of all of the user base, to try to block from using this site. That suggests a personal vendetta of some sort is the motive. If anyone is aware of anyone here who has been simmering with some sort of resentment against me for any reason, that could help in putting together a suspect list. Of course, so might any forensics that might be performed. Did the firewall logs record an HTTP connect right before the .htaccess was altered (or whatever it was that was done), and if so, from what originating IP?
5. While my access is restored for now, by the simple expedient of changing my IP, it was inconvenient to do that, will be inconvenient to do it again if history repeats itself, sooner or later I'd run out of IPs I can use even if the attacker keeps blocking them one by one, and sooner or later my mysterious opponent will likely figure out how to hostmask my whole class-C netblock anyway. Or even get into the database and wreak havoc there. Therefore, finding and plugging the hole and/or bringing the perpetrator to justice must be regarded as somewhat urgent. If that proves difficult, but a particular file is confirmed as altered (.htaccess again seems likeliest; it's where I'd go first to pull something like this if I were the type to do such things), I'd recommend setting a trap using that file, so lots of details will be logged the next time it's opened for writing. The added forensics might allow identification of the hole and/or its exploiter.
6. Well, maybe this should really be #1.
grep -r "67\.70\." *
That ought to locate the altered file(s) with few, if any, false positives, unless clever obfuscations were used (by an attacker that apparently can't figure out hostmasks). The modification dates on the files should then pinpoint the exact time of the implementation of the crude attempt to block me, and the final few minutes before that moment will be the interesting parts of all the server and firewall logs. (If there was a root compromise, the server logs can't be trusted, but the firewall logs are likely to be intact.)
I'd like to be kept apprised of any developments in the investigation of this incident. I also feel that it would be helpful for there to be an out-of-band channel for contacting FF's admins that will generate timely responses. Webmaster bounces, in contravention of RFC 2142, and CK has long periods AFK (as any merely human administrator must), so some sort of inbox all the moderators have access to that can receive emergency communications from members would be useful, and which can be sent to by email or another method not reliant on a functioning login here. If tonight's attacker had been somewhat less inept, I'd now have no way of using this site properly and no immediate way to fix it. I could have been blocked, despite having not actually done anything wrong, for hours or possibly even days! Obviously, that's a troubling prospect, and steps should be taken to prevent any user from being unable to bring a problem to the attention of *someone* that has the capacity to fix it, within some reasonably short time (I'd suggest a maximum of one hour; with mods in multiple time zones and notification technologies like FB, SMS, and email, that doesn't seem impracticable).
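The triage the post outlines in points 3, 6 and the note on .htaccess permissions (grep the webroot for the blocked IP prefix, read the modification time off whatever matches, look for other files touched around the same moment, and check whether the web server process could have written .htaccess at all) can be scripted so that an admin runs it the same way every time. The block below is an added example written for this page, not a tool from the site or its software; the webroot, the IP prefix and the sample files are constructed, and the `stat`/`find` switches assume GNU or BSD userland. One practical caveat it addresses: `grep -r "67\.70\." *` relies on the shell's `*`, which does not expand dotfiles, so a tampered top-level `.htaccess` would be skipped; handing the directory itself to `grep -r` makes it descend into everything, dotfiles included.

```shell
#!/bin/sh
# Added example: locate files in a webroot that reference a blocking IP
# prefix, report their mtimes (the log window of interest ends there),
# list everything else changed recently, and flag .htaccess files that
# the web server's own (non-root) process could have rewritten.
# Paths, IP and sample content are assumptions, not real site data.

# find_ip_refs DIR PATTERN -> "mtime<TAB>path" for each text file under DIR
# matching the basic-regex PATTERN (caller escapes the dots).  Passing DIR
# rather than "*" makes grep descend into dotfiles such as .htaccess.
find_ip_refs() {
    dir=$1
    pattern=$2
    grep -rlI -- "$pattern" "$dir" 2>/dev/null | while IFS= read -r f; do
        # GNU stat first; fall back to the BSD/macOS form (assumed syntax).
        mtime=$(stat -c '%y' -- "$f" 2>/dev/null \
             || stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' -- "$f")
        printf '%s\t%s\n' "$mtime" "$f"
    done | sort
}

# recently_modified DIR MINUTES -> regular files under DIR modified within
# the last MINUTES, i.e. candidates for "other tampering that may have
# accompanied" the block.
recently_modified() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# writable_htaccess DIR -> .htaccess files that are group- or world-writable.
# An .htaccess the httpd process can write is exactly the hardening gap the
# post describes; an empty result plus a confirmed change points at root.
writable_htaccess() {
    find "$1" -name .htaccess -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# demo: build a throwaway webroot with a constructed IP block and run the
# three checks against it.  Nothing here touches a real site.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/forum/images"
    printf 'Options -Indexes\n' > "$root/forum/images/.htaccess"
    cat > "$root/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^67\.70\.56\.48$
RewriteRule .* /connection_problems.html [L]
EOF
    printf '<html>connection problems</html>\n' > "$root/connection_problems.html"
    chmod 664 "$root/.htaccess"    # simulate an httpd-writable .htaccess

    echo "== files mentioning the blocked prefix (mtime, path) =="
    find_ip_refs "$root" '67\.70\.'
    echo "== files changed in the last 10 minutes =="
    recently_modified "$root" 10
    echo "== .htaccess files writable by group/other =="
    writable_htaccess "$root"
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh triage.sh demo` to see the constructed case; against a real webroot call `find_ip_refs /var/www '67\.70\.'` and then `recently_modified /var/www 180` with the window implied by the reported mtime. Because a root compromise lets the attacker reset mtimes and edit server logs, treat the timestamps as a starting point for the firewall logs rather than as proof on their own.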