ACCOUNT HIJACKED - SITE/FORUMS RESTORED FROM MON, FEBRUARY 8


admin
Site Admin
Posts: 194
Joined: Thu Nov 13, 2008 6:33 pm

ACCOUNT HIJACKED - SITE/FORUMS RESTORED FROM MON, FEBRUARY 8

Post by admin » Sat Feb 13, 2010 7:05 am

Hi folks,

The host account for this domain was hijacked early Friday. I blame myself for using a password susceptible to dictionary attacks. All the other passwords had strong security except the main account password. Go figure. It was laziness.

Then I fixed it and it was hit again in the evening!

I remain eminently satisfied with the host. But in the process of recovering ownership, the tech initiated an automated password regeneration which resulted in reprovisioning the entire account. The result is everything was cleared and the latest backup available was Monday, February 8. We are going back in time to the same day MOULagain was released. Odd, that, and in this case not terribly pleasant.

I realize the work that was done since Monday was precious. Please do the best you can restoring anything you posted to the site. But there's no more recent backup available. Again, I'm sorry about this.
Last edited by JWPlatt on Mon Mar 22, 2010 3:28 pm, edited 1 time in total.
Reason: Enough time has passed to move topic from global announcement to regular administration forum

Mac_Fife
Member
Posts: 1227
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland

Re: ACCOUNT HIJACKED - SITE/FORUMS RESTORED FROM MON, FEBRUARY 8

Post by Mac_Fife » Sat Feb 13, 2010 11:20 am

These things happen. I have to say I don't take regular backups of my websites, and instead rely on the hosting service's daily backup procedure. The only time I go out of my way to create backups is when I'm going to do something "dangerous" like update the software!

We've lost a couple of recent signups on the wiki, but no data, so far as I can tell. Quite a few forum posts have gone though, along with a fair number of new logins. Such is life, in the face of people with nothing more productive to do with their time.
Mac_Fife
OpenUru.org wiki wrangler

Nalates
Member
Posts: 437
Joined: Mon Dec 22, 2008 7:50 pm

Re: ACCOUNT HIJACKED - SITE/FORUMS RESTORED FROM MON, FEBRUARY 8

Post by Nalates » Sat Feb 13, 2010 5:59 pm

I've had a MSSQL server hijacked... back doors implanted... it was a miserable recovery. That was from the hosting company not keeping things up to date. It was a commercial site and data so we eventually just moved to a new account and started over.

Life goes on...
Nalates
GoW, GoMa and GoA apprentice - Guildmaster GoC - SL = Nalates Urriah

JWPlatt
Member
Posts: 1097
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: ACCOUNT HIJACKED - SITE/FORUMS RESTORED FROM MON, FEBRUARY 8

Post by JWPlatt » Sun Feb 14, 2010 3:40 am

Mac_Fife wrote: These things happen.
I have a favorite quote about that from the classic movie, "It's a Mad, Mad, Mad, Mad World:"
Mrs. Marcus wrote: Now what kind of an attitude is that, these things happen? They only happen because this whole country is just full of people, who when these things happen, they just say these things happen, and that's why they happen! We gotta have control of what happens to us.
Well, I could have done better. But thanks, Mac. Most times that I logged into the account I thought to myself that I should secure that password better. I never remembered or got around to it until now. Too late. Well, I hope you folks aren't too mad at me. I know how long it takes to write a good post and some of those lost from just this week were pretty long and thoughtful. And your work to open the HyperGrid sections was accelerating. I hope it wasn't too dispiriting to lose that progress. After yesterday, I haven't logged on except to pick up a PM just because yesterday was all such a bummer. That and it stole away some critical time I needed to get other things done. Anyway, Nalates has said she saves her posts locally at times, so I've been hoping for that.

The thing that really got to me was the second time. I didn't understand that at first, because the new password was as secure as they come. My only thought was a key-logger on my end. But I have protections and it just seemed unlikely. Then after the second recovery I got an email from the host system providing me with my password reminder. And no, I didn't order it. It was then I realized that the tech initiated the password and reprovisioning after the first hijacking before I had a chance to reset all my account info (the hijacker changed everything), including the email address used for password reminders. So before I had the chance to change all that contact info, which I did, the hijacker probably had detected my recovery and clicked on the "Forget Password" button, sending the new password right back. But the second time I manually changed the contact info first, THEN changed the password myself. Yeah, order of operation matters.

By the way, the password reminder was initiated by an IP on the Register.com block. And the action performed by the hijack was to install a MySQL database named "rum" and vBulletin. So everything smells like a hosted script. I don't think this came from anywhere in the community.
Perfect speed is being there.
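
The ordering problem described in the post above, as an added example that is not part of the original thread: a Python replay of a constructed account audit trail that reports when a password is set or a reminder is sent while the recovery address is still one the owner does not control. The event names, addresses and timestamps are hypothetical and do not reflect the host's actual log format.

```python
from dataclasses import dataclass

OWNER = "owner@example.org"        # constructed: the address the owner controls
UNTRUSTED = "unknown@example.net"  # constructed: address set during the hijack

@dataclass(frozen=True)
class Event:
    ts: int          # constructed timestamp, seconds since 1970
    action: str      # hypothetical names: set_recovery_email, set_password, send_reminder
    value: str = ""  # new address, for set_recovery_email only

def audit_recovery(events, trusted_email, start_email):
    """Replay events in time order; return (findings, password_disclosed)."""
    recovery_email = start_email
    disclosed = False  # True once the current password went to an untrusted address
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "set_recovery_email":
            recovery_email = ev.value
        elif ev.action == "set_password":
            disclosed = False  # a fresh password has not been sent anywhere yet
            if recovery_email != trusted_email:
                findings.append((ev.ts, "password set while reminders go to an untrusted address"))
        elif ev.action == "send_reminder":
            if recovery_email != trusted_email:
                disclosed = True
                findings.append((ev.ts, "reminder delivered to an untrusted address"))
        else:
            raise ValueError(f"unknown action: {ev.action}")
    return findings, disclosed

# First recovery as described: password regenerated before the contact info was fixed.
FIRST_RECOVERY = [
    Event(100, "set_password"),
    Event(200, "send_reminder"),
    Event(300, "set_recovery_email", OWNER),
]
# Second recovery: contact info first, then the password.
SECOND_RECOVERY = [
    Event(100, "set_recovery_email", OWNER),
    Event(200, "set_password"),
    Event(300, "send_reminder"),
]

if __name__ == "__main__":
    for name, trail in (("first", FIRST_RECOVERY), ("second", SECOND_RECOVERY)):
        print(name, audit_recovery(trail, OWNER, start_email=UNTRUSTED))
```

In the first trail the password remains disclosed even after the address is corrected, so it has to be rotated once more after the contact info is fixed.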

Christian Walther
Member
Posts: 294
Joined: Sat Dec 13, 2008 10:54 am

Re: Thinking about infrastructure

Post by Christian Walther » Mon Feb 15, 2010 7:44 pm

(I meant to post this over there but it seems I can't without applying to join a user group.)

I have a partial archive from the Atom feeds. Would that be helpful in recovering some of the text of the lost posts? Vienna keeps it in a SQLite database and I can look into getting it into a more human-readable format.

(See? This is one of the reasons why I would prefer to have all posts in the feeds.)

Mac_Fife
Member
Posts: 1227
Joined: Fri Dec 19, 2008 12:38 am
Location: Scotland

Re: Thinking about infrastructure

Post by Mac_Fife » Mon Feb 15, 2010 8:00 pm

That sounds like a useful offer, to me :)

I can merge your post above into the preferred location - I'll do that later in case you want to reply here. It's probably best to deal with JW on this: As admin he can recreate the posts and set the correct Poster for each.
Mac_Fife
OpenUru.org wiki wrangler

JWPlatt
Member
Posts: 1097
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Thinking about infrastructure

Post by JWPlatt » Mon Feb 15, 2010 8:06 pm

Wow, this would be awesome! Thanks, and yes, whatever I can do - you'll be my hero.

Christian Walther, you are in the Members group, so you should be able to post to the Hijack discussion. Mac_Fife, can you move these posts once he replies? Thanks. I'll check for why he can't post there.

Edit: Ok, Christian, the reason you couldn't reply to the Hijack thread is because you tried to reply to it here. Global topics inherit the permission settings for each forum in which they are displayed. So if you are not a member of a forum displaying a global topic, you can always use a forum where you can reply to posts. One such is the Administration & Management forum at:
viewforum.php?f=13
Last edited by JWPlatt on Mon Feb 15, 2010 8:23 pm, edited 2 times in total.
Reason: Update on global announcement permissions
Perfect speed is being there.

Christian Walther
Member
Posts: 294
Joined: Sat Dec 13, 2008 10:54 am

Re: Thinking about infrastructure

Post by Christian Walther » Mon Feb 15, 2010 8:31 pm

I have no idea why I can’t post in the MO:UL section – I assumed I’d have to be a member of the MOUL Project group, which “is an open group, members can apply to join”, which I was too lazy, too impatient, or too afraid of commitments to do. :)

Anyway, here’s what I got by selecting the displayed posts in Vienna, pasting them into TextEdit, and saving as HTML. There are duplicates because some of the feeds I’m subscribed to overlap. If someone wants to do something more automated with it, I can try to get more “raw” data out of the database.

Edit: Ah, thanks for the info. I came to that topic via the View unread posts search and actually wondered why it was in the MO:UL section and not something more central. I didn’t realize it was a global topic (or such a thing even existed). So, please move these posts if you consider them more appropriate over there.

JWPlatt
Member
Posts: 1097
Joined: Sun Dec 07, 2008 7:32 pm
Location: Everywhere, all at once

Re: Thinking about infrastructure

Post by JWPlatt » Mon Feb 15, 2010 8:46 pm

This is wonderful, Christian! Yes, all the raw data you have will surely brighten everyone's spirits. Wow, there was a lot going on. Bad week to have all this happen.

We just need to make sure all the posts are recreated in order to preserve the context. And I can change authors to match. So please dump all the raw data you can get, and we'll reassemble it.

My proposal is to create a single reassembly thread where all the posts are recreated in any order and edited in place so there are no duplicates. Once that's complete, I can use that thread to copy and repost all of them in the correct time order and author. Within the reassembly thread, note the datetime for the original post so I can reorder them.

The only catch is the posts that have happened since will come before the original posts. We can live with that as the price of restoration I think.

Huge :D
Perfect speed is being there.

Christian Walther
Member
Posts: 294
Joined: Sat Dec 13, 2008 10:54 am

Re: Thinking about infrastructure

Post by Christian Walther » Mon Feb 15, 2010 9:34 pm

Oh – I just see that you’ve already started that. I thought you’d wait for the “raw data” so you could automate it.

What about this? It’s in SQL format so you database guys should feel right at home. Sorted by time and with duplicates (based on message ID = link) removed. The date column is in seconds-since-1970, the rest is hopefully self-explaining.
