Logo by chaos_crystal - Contribute your own Logo!

END OF AN ERA, FRACTALFORUMS.COM IS CONTINUED ON FRACTALFORUMS.ORG

it was a great time but no longer maintainable by c.Kleinhuis contact him for any data retrieval,
thanks and see you perhaps in 10 years again

this forum will stay online for reference
News: Check out the originating "3d Mandelbulb" thread here
 
*
Welcome, Guest. Please login or register. March 28, 2024, 07:33:17 PM


Login with username, password and session length


The All New FractalForums is now in Public Beta Testing! Visit FractalForums.org and check it out!


Pages: [1]   Go Down
  Print  
Share this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on RedditShare this topic on StumbleUponShare this topic on Twitter
Author Topic: Potential security breach  (Read 1500 times)
0 Members and 1 Guest are viewing this topic.
Pauldelbrot
Fractal Senior
******
Posts: 2592



pderbyshire2
« on: June 26, 2014, 03:54:35 AM »

I have evidence that someone may have breached site security, with the specific intention of obstructing my own use of it.

A little under three hours ago, I uploaded a fractal, made two other posts, then tried to vote on some of the contest entries. "Tried" is the operative term. I watched the first entry in the film section, selected a vote, and clicked "Rate Picture". At that moment, apparently, a rule was created on the site to redirect all HTTP requests coming from the IP 67.70.56.48 (which was mine, at that time) to a bogus "connection problems" page (which was in no way easily mistaken for a genuine, browser-generated "connection timeout" message). I tried reloading the page I was on, then the front page of the site, all with the same bogus response, then borrowed another machine and net connection and found the site responding normally when contacted from there, indicating that whatever had happened, I'd been singled out for some special "honor".

I have since determined that it's a narrow IP-based block; deliberately losing my DHCP lease and getting a fresh IP assigned by my network provider sufficed to circumvent it. The new IP differs from the old in only the last two octets and still it works.

This establishes, beyond a reasonable doubt, the following facts:

1. On or about 6:40 Eastern time, somebody sought to block my access to this site.

2. That somebody did NOT use the moderator's banhammer to do so, suggesting that it was not a moderator responsible and thus that the block lacks any legitimacy.

3. The methods that were used, to wit a low-level .htaccess redirect based on IP, suggests that the web server was compromised, but the forum DB was *not*. Otherwise the attacker would have deleted pauldelbrot from table users or something instead. Or else, the attacker is clueless about phpBB and its numerous imitators including SMF, and utterly at sea with mySQL, but knows how Apache works well enough to hack a simple .htaccess based ban.

This, in turn, suggests that the following courses of action be strongly recommended:

1. Restore the .htaccess of a few days ago, to undo the block against 67.70.56.48 and any other tampering that may have accompanied its insertion.

2. Identify how the miscreant got in and modified the file, and block the exploit that was used. It may be as simple as belatedly applying a patch to the server, to SMF, or (most likely) to PHP. If a zero-day was used, then it will take someone knowledgeable about the innards of the affected component (likely PHP) to find and fix the hole, and the fix should then be submitted to PHP's maintainers, or, failing that, the hole reported to them.

3. If there are other hardening actions that can be taken, for example to make .htaccess root-writable only and read-only to all of the browser-associated processes, that would obstruct the particular attack observed today while avoiding any nasty side effects, then those should be done as well. (On the other hand, if .htaccess is already only root-writable and was in fact the site of the sabotage blocking 67.70.56.48, then you're dealing with a root compromise. If you have remotely current backups, I'd then recommend NFO and reimage the whole system.)

4. The intruder appears to have singled me out, of all of the user base, to try to block from using this site. That suggests a personal vendetta of some sort is the motive. If anyone is aware of anyone here who has been simmering with some sort of resentment against me for any reason, that could help in putting together a suspect list. Of course, so might any forensics that might be performed. Did the firewall logs record an HTTP connect right before the .htaccess was altered (or whatever it was that was done), and if so, from what originating IP?

5. While my access is restored for now, by the simple expedient of changing my IP, it was inconvenient to do that, will be inconvenient to do it again if history repeats itself, sooner or later I'd run out of IPs I can use even if the attacker keeps blocking them one by one, and sooner or later my mysterious opponent will likely figure out how to hostmask my whole class-C netblock anyway. Or even get into the database and wreak havoc there. Therefore, finding and plugging the hole and/or bringing the perpetrator to justice must be regarded as somewhat urgent. If that proves difficult, but a particular file is confirmed as altered (.htaccess again seems likeliest, it's where I'd go first to pull something like this if I was the type to do such things), I'd recommend setting a trap using that file, so lots of details will be logged the next time it's opened for writing. The added forensics might allow identification of the hole and/or its exploiter.

6. Well, maybe this should really be #1.
Code:
grep -r "67\.70\." *
That ought to locate the altered file(s) with few, if any, false positives, unless clever obfuscations were used (by an attacker that apparently can't figure out hostmasks). The modification dates on the files should then pinpoint the exact time of the implementation of the crude attempt to block me, and the final few minutes before that moment will be the interesting parts of all the server and firewall logs. (If there was a root compromise, the server logs can't be trusted, but the firewall logs are likely to be intact.)

I'd like to be kept apprised of any developments in the investigation of this incident. I also feel that it would be helpful for there to be an out-of-band channel for contacting FF's admins that will generate timely responses. Webmaster bounces, in contravention of RFC2142, and CK has long periods AFK (as any merely human administrator must), so some sort of inbox all the moderators have access to that can receive emergency communications from members would be useful, and which can be sent to by email or another method not reliant on a functioning login here. If tonight's attacker had been somewhat less inept, I'd now have no way of using this site properly and no immediate way to fix it. I could have been blocked, despite having not actually done anything wrong, for hours or possibly even days! Obviously, that's a troubling prospect, and steps should be taken to prevent any user from being unable to bring a problem to the attention of *someone* that has the capacity to fix it, within some reasonably short time (I'd suggest a maximum of one hour; with mods in multiple time zones and notification technologies like FB, SMS, and email, that doesn't seem impracticable).
Logged

taurus
Fractal Supremo
*****
Posts: 1175



profile.php?id=1339106810 @taurus_arts_66
WWW
« Reply #1 on: June 26, 2014, 09:32:52 AM »

I can't really follow pauldels detailed description, but I also had issues, that suggest security problems on fractalforums.com. Every time I leave a browser tab with ff open, I frequently observe unasked new browser tabs, with fake dialogs, that try to force me to update my browser, media-player or flashplayer. The problem disappears after closing the ff tab. Two or three times my virus guard, stopped a malicious php script in that context.
Logged

when life offers you a lemon, get yourself some salt and tequila!
blob
Strange Attractor
***
Posts: 272



« Reply #2 on: June 26, 2014, 10:55:15 AM »

4. The intruder appears to have singled me out, of all of the user base, to try to block from using this site. That suggests a personal vendetta of some sort is the motive.

I hope you can realize by thinking about those two sentences you wrote here that you suffer from classic paranoid delusion/persecution complex.

If the problems with the site you describe are indeed real, how in the world can you assess you are the only one suffering from them and are being maliciously targeted???

I wish you all the best.
Logged
Sockratease
Global Moderator
Fractal Senior
******
Posts: 3181



« Reply #3 on: June 26, 2014, 11:24:00 AM »

Since changing your IP fixed it, I consider the problem solved with no further actions needed   police

As for your wildly unfounded belief that you were singled out for something - this is not the first time you have made such crazy statements and as you were told before, all such statements will be ignored as the meaningless garbage they are.

If you want a theory, here's one : we do have a list of members who were banned for spam and such.  This includes an IP based ban as well as other means.  Since your ISP gives you a dynamic IP Address it is possible you were assigned one that was used by somebody on the ban list.

There is no convenient way to see the complete list, and it's not worth going through it one at a time since merely changing your IP fixes the problem.

As for the rest of your suggestions, no.  There is no way we are going to set up an emergency response team just for things like this.  We all need to sleep too, so a one hour reply "maximum" is so unrealistic as to be unable to be taken seriously.  Even approving new members manually can take over 8 hours.

There is nothing about this site that warrants a complete security team.  We have no personal information beyond an email address.  There is no justification for such extreme measures.

I am sorry you had problems.

I have no idea what caused them, or how to even begin looking into them.

Maybe Christian does, but you'd have to ask nicely and with Absolutely NO accusations of anybody maliciously causing your problems.  That is offensive and makes us far less interested in helping you figure out what you are doing wrong, or if there is some other source to the issue.

I gave you a theory, and you found a workaround.

This issue is closed in my mind - and if this thread turns into another shouting match I will just lock it.  Depending on how ugly  (like has happened in the past when you made similar accusations and complaints when reporting problems), the thread will be removed from public view.

Keep it civil, and stop accusing people of maliciously screwing with you, and this thread can remain.

I can't really follow pauldels detailed description, but I also had issues, that suggest security problems on fractalforums.com. Every time I leave a browser tab with ff open, I frequently observe unasked new browser tabs, with fake dialogs, that try to force me to update my browser, media-player or flashplayer. The problem disappears after closing the ff tab. Two or three times my virus guard, stopped a malicious php script in that context.

Just a thought on this one, is it possible that something does need updating?

I have never seen such notices here.  I block my stuff from auto updating, so would not see such things if they were present.  That is strange and I can only suggest trying it on similar, or sites with embedded videos like youtube, vimeo, etc.  If it repeats - that tells us something.  If not, that also tells us something!

Sadly, I have zero knowledge of php and only Christian can get to that portion of the site's workings.  He's at the Fractal Artist Conference in Spain right now and don't expect him to be back until it's over.  So that is the earliest any of this can be looked into...

I know it's more than an hour, so I hope you can be patient   alien
« Last Edit: June 26, 2014, 11:27:56 AM by Sockratease, Reason: Speelinf Eroorz » Logged

Life is complex - It has real and imaginary components.

The All New Fractal Forums is now in Public Beta Testing! Visit FractalForums.org and check it out!
Pauldelbrot
Fractal Senior
******
Posts: 2592



pderbyshire2
« Reply #4 on: June 26, 2014, 11:47:27 PM »

If you want a theory, here's one : we do have a list of members who were banned for spam and such.  This includes an IP based ban as well as other means.  Since your ISP gives you a dynamic IP Address it is possible you were assigned one that was used by somebody on the ban list.

If I'd just changed IP in between viewing the contest entry in question and then attempting to vote on it, that would be a plausible explanation, but I had had that IP continually for at least the preceding five hours. It was therefore added to whatever list it was added to while *I* was the one using it, during a two-minute period yesterday, and without my having done anything to legitimately provoke such an occurrence.

Also -- does the official IP blocklist really redirect the suspected spammer to a page with a phony error message instead of just blackholing the traffic (resulting in a timeout), closing the socket (resulting in "connection refused"), or serving a page stating an actually forthright and honest explanation for the block? If it does, why be misleading? If not, then what I ran into was not the antispam method you suggested might be the cause.

Quote
I have no idea what caused them, or how to even begin looking into them.

Maybe Christian does, but you'd have to ask nicely and with Absolutely NO accusations of anybody maliciously causing your problems.  That is offensive and makes us far less interested in helping you figure out what you are doing wrong, or if there is some other source to the issue.

I accused no specific person and indeed indicated that the evidence was that the person responsible was not you or any other of the moderators here. I'm not sure why, then, you apparently are offended.

Quote
Just a thought on this one, is it possible that something does need updating?

I have never seen such notices here.  I block my stuff from auto updating, so would not see such things if they were present.  That is strange and I can only suggest trying it on similar, or sites with embedded videos like youtube, vimeo, etc.  If it repeats - that tells us something.  If not, that also tells us something!

Taurus's symptoms sound more like possible adware that got onto his own machine than like whatever it was that I ran into.

Quote
Sadly, I have zero knowledge of php and only Christian can get to that portion of the site's workings.  He's at the Fractal Artist Conference in Spain right now and don't expect him to be back until it's over.  So that is the earliest any of this can be looked into...

He posted yesterday, a short time before the incident, so he does have access to the site from there it seems. Which is not really surprising. I doubt there's been a conference anywhere in the First World since the late 1990s where there hasn't been internet access at both the conference itself and area hotels. Now, it's certainly possible that the conference has him busy enough not to be able to give this site as much attention as normal, and that would be understandable, but it's not the same thing as a complete lack of access.
Logged

lenord
Fractal Bachius
*
Posts: 611


No Matter where you go there you are


« Reply #5 on: June 27, 2014, 12:14:47 PM »

Amazing, never seen such megalomania, Narcissus could have taken lessons from Pauldelbrot
Logged
Sockratease
Global Moderator
Fractal Senior
******
Posts: 3181



« Reply #6 on: June 27, 2014, 10:35:44 PM »

Paul, I will not dignify anything you said with a response.

Just deal with it.

I'm locking this thread and do not want to see a new one on this topic.



EDIT - For those reading this and thinking it has been handled abruptly, we have been up and down this road many times with Paul.  If a rational attempt to resolve this is made, it will never end and so it's being stopped before it starts this time.
« Last Edit: June 28, 2014, 02:47:17 AM by Sockratease » Logged

Life is complex - It has real and imaginary components.

The All New Fractal Forums is now in Public Beta Testing! Visit FractalForums.org and check it out!
Pages: [1]   Go Down
  Print  
 
Jump to:  

Related Topics
Subject Started by Replies Views Last post
Security Mechanisms Mandelbulb3D Gallery MarkJayBee 0 3813 Last post March 11, 2011, 11:56:19 PM
by MarkJayBee
Into the Breach Mandelbulb3D Gallery lenord 0 525 Last post May 03, 2011, 05:54:56 AM
by lenord
Security Mechanisms II Mandelbulb3D Gallery MarkJayBee 0 916 Last post August 21, 2011, 02:16:52 PM
by MarkJayBee
Into the Breach Mandelbulb3D Gallery CO99A5 0 469 Last post September 01, 2011, 11:45:01 PM
by CO99A5
Maximum Security Prison Images Showcase (Rate My Fractal) thom 0 859 Last post June 13, 2012, 04:20:27 AM
by thom

Powered by MySQL Powered by PHP Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM
Page created in 0.204 seconds with 28 queries. (Pretty URLs adds 0.007s, 2q)