MyBB Community Forums

Full Version: Nature of GitHub hack attack?
Pages: 1 2 3 4 5 6 7
I just checked my backups and noticed some older ones missing.  I usually keep 4 and delete the oldest when I add a new one.  My latest one appears to be the one I created after updating my site, but it falls within the time frame listed (11-15-2014, 06:17 PM EST).  I don't see an admin log referencing deleting the older backups.  Also, my most current backup shows as being created, not downloaded; is that the same or different?

(2014-11-18, 01:50 AM)sinbad Wrote: [ -> ]I just checked my backups and noticed some older ones missing. [...]

Just realized I was looking at database backups in the Tools & Maintenance portal.  Once I went to the Database Backups I see all the correct backups. Blush
(2014-11-17, 08:32 AM)frostschutz Wrote: [ -> ]
(2014-11-17, 07:39 AM)Cameron:D Wrote: [ -> ]prevent external scripts/assets being loaded by default.

It probably wouldn't have helped. It wasn't an external script; the 'external' part was handled by PHP, in the HTML output the javascript was local...

I was under the impression that it just included an external piece of JavaScript (the analytics.php from the random compromised server) that did all the dirty work client-side. The CSP example I posted would stop both the inclusion of external JS as well as sending AJAX requests to any external sites.
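As an added example (not code from the thread, and not MyBB's own code), this is what a policy along the lines Cameron:D describes looks like when emitted from PHP. The directive values are assumptions to be adjusted to what a given board actually loads; the comments note which directive stops which channel, including frostschutz's point that a script the server itself emits is not "external" from the browser's point of view.

```php
<?php
// Added example (not MyBB code): emit a restrictive Content-Security-Policy
// from a site-wide include or front controller. The source lists below are
// illustrative assumptions; tune them to the assets the board really loads.

function build_csp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

$csp = build_csp([
    // Fallback for every fetch directive not listed explicitly.
    'default-src'     => ["'self'"],
    // Only scripts served from this origin may run. This blocks a
    // <script src="https://other.example/..."> injection, but NOT script the
    // server itself writes into the page (the case frostschutz describes),
    // and not inline script unless you add a nonce or hash; adding
    // 'unsafe-inline' would re-open that door.
    'script-src'      => ["'self'"],
    // XMLHttpRequest/fetch/sendBeacon/WebSocket may only reach this origin,
    // so client-side code cannot post harvested data to a third-party host.
    'connect-src'     => ["'self'"],
    // Image loads and form posts are the other common exfiltration channels.
    'img-src'         => ["'self'", 'data:'],
    'form-action'     => ["'self'"],
    // Do not allow other sites to frame the board.
    'frame-ancestors' => ["'none'"],
]);

// Start in report-only mode to learn what the board legitimately loads
// (inline scripts in templates will show up here as violations).
if (!headers_sent()) {
    header('Content-Security-Policy-Report-Only: ' . $csp);
    // Once the report-only run is clean, switch to the enforcing header:
    // header('Content-Security-Policy: ' . $csp);
}
```

The report-only stage matters: a forum whose templates contain inline `<script>` blocks will break under a bare `'self'` script-src, and the usual temptation is to add `'unsafe-inline'`, which defeats the purpose.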
(2014-11-17, 11:22 PM)Pirata Nervo Wrote: [ -> ]We've contacted the attacking website and they have taken down the malicious script. Apparently someone was taking advantage of them too. Unfortunately we didn't contact them sooner to stop even more progress.

So what does this mean in regards to the data that was stolen from my site and others? Has it been transferred from the attacking website to yet another malicious site/person? Has the attacking website agreed to destroy the stolen data? The user data stolen from my site is sensitive and it feels very unpleasant to know it is out there.
We're not sure what has happened to the data. The third party website informed me via email that they had removed all foreign objects from their servers, but did not specifically list which files they were. It would be best to assume you were compromised and to reset all passwords and login keys.
(2014-11-17, 11:22 PM)Pirata Nervo Wrote: [ -> ]The attack is now fully terminated

We've contacted the attacking website and they have taken down the malicious script. Apparently someone was taking advantage of them too. Unfortunately we didn't contact them sooner to stop even more progress.

All boards that are still affected by the malicious code should not be in any harm anymore because the script has been removed. However, we still advise you to follow the procedure we posted on the blog article.

Thank you for the update, I have three questions if you don't mind.

  1. Who was the attacking website?
  2. Is there any chance of something like this happening again from MyBB side?
  3. What precautions can we take from our end to stop this ever happening again?
(2014-11-18, 09:37 AM)sarisisop Wrote: [ -> ]Thank you for the update, I have three questions if you don't mind. [...]

1. The script came from hub.org
2. I can't tell you that for certain, for obvious reasons. We're all running 2FA on GitHub now and we're considering doing the same here on the forums.
3. You? Probably none, against this type of attack. That's where we come in. We're currently discussing internally what should be implemented into 1.8.3 to mitigate possible attacks to the AdminCP / admin users. We've already come up with the following:
https://github.com/mybb/mybb/issues/1622
https://github.com/mybb/mybb/issues/1623
https://github.com/mybb/mybb/issues/1617
(2014-11-18, 10:00 AM)Pirata Nervo Wrote: [ -> ]1. The script came from hub.org [...]

Thank you for the swift answers Pirata Nervo, keep up the good work.
No problem. We're also thinking that we should add ACP PIN confirmation (in case a PIN is set in config.php) for the following actions:
- Delete Users
- Delete Groups
- Delete Forums
- Backup Database

This way, even if someone takes advantage of an XSS vulnerability in the ACP, they'd need to know the ACP PIN in order to cause any real damage or take database dumps.
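As an added example of the PIN-confirmation idea in the post above (this is not MyBB's implementation, and the names `$config['secret_pin']`, `acp_pin`, the action list and the session layout are assumptions), here is how a destructive AdminCP action can be gated on a secret that is configured server-side and never written into the page. One caveat worth stating: script already running in the admin's browser can still read the PIN as it is typed into the confirmation form, so this raises the attacker's cost rather than removing the risk.

```php
<?php
// Added example, not MyBB's code: require the ACP PIN from config.php before
// destructive AdminCP actions, so a script injected into an admin's session
// cannot trigger them with the session cookie and CSRF token alone.
// $config['secret_pin'], the 'acp_pin' field and PIN_PROTECTED_ACTIONS are assumed names.

declare(strict_types=1);

const PIN_PROTECTED_ACTIONS = ['delete_user', 'delete_group', 'delete_forum', 'backup_database'];

/**
 * Returns true when $action may proceed. Throws on a missing or wrong PIN so
 * the caller cannot fall through into the dangerous code path by mistake.
 */
function authorize_acp_action(string $action, array $post, array $config, array &$session): bool
{
    if (!in_array($action, PIN_PROTECTED_ACTIONS, true)) {
        return true; // ordinary action: normal session authentication suffices
    }
    $pin = (string) ($config['secret_pin'] ?? '');
    if ($pin === '') {
        return true; // no PIN configured, nothing to confirm against
    }
    // Throttle guessing: after a few failures the admin must log in again.
    if (($session['pin_failures'] ?? 0) >= 3) {
        throw new RuntimeException('Too many PIN failures; please log in again.');
    }
    $supplied = (string) ($post['acp_pin'] ?? '');
    // Constant-time comparison so response timing leaks nothing about the PIN.
    if ($supplied === '' || !hash_equals($pin, $supplied)) {
        $session['pin_failures'] = ($session['pin_failures'] ?? 0) + 1;
        throw new RuntimeException('ACP PIN confirmation required for ' . $action);
    }
    $session['pin_failures'] = 0;
    return true;
}

// Usage inside a hypothetical action handler (values are constructed for the example).
$config  = ['secret_pin' => '274913'];   // would normally come from config.php
$session = ['pin_failures' => 0];        // would normally live in the admin session
$action  = 'delete_user';

try {
    authorize_acp_action($action, $_POST, $config, $session);
    // ... only past this line is it safe to run the deletion / take the dump ...
} catch (RuntimeException $e) {
    http_response_code(403);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The check goes on the server side of the POST that performs the action, not only on the confirmation page that precedes it; otherwise the confirmation page can simply be skipped.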
(2014-11-18, 10:08 AM)Pirata Nervo Wrote: [ -> ]No problem. We're also thinking that we should add ACP PIN confirmation (in case a PIN is set in config.php) for the following actions: [...]

I like that.
(2014-11-18, 09:24 AM)Euan T Wrote: [ -> ]We're not sure what has happened to the data. The third party website informed me via email that they had removed all foreign objects from their servers, but did not specifically list which files they were. It would be best to assume you were compromised and to reset all passwords and login keys.
All login keys have been reset. We have encouraged all members to change their passwords. Yet it is still uncomfortable to know the data may be out there.