2014-11-17, 07:02 PM
[IMPORTANT] GitHub Account Attack
2014-11-18, 01:13 AM
Hi Pirata Nervo. I admin 2 boards, and they have this in update_check
Begincaos
---@@@---
2014-11-18, 09:31 AM
Looks like you're OK @begincaos
2014-11-18, 11:13 AM
(2014-11-17, 05:38 PM)Pirata Nervo Wrote:
(2014-11-17, 05:23 PM)Maechlis Wrote: Then as I said above it makes sense to adopt your blog recommendation to that case. Because I think there are lots of people now who read the post, go to their ACP and have the malicious code executed, like I had it.
I'm not sure I'm following you. I mention in the blog post to clear the cache entry. Are you suggesting that I suggest people to delete the backup module first?

I'm fairly sure there is a language barrier here. The poster is asking why you originally recommended people to log on to ACP if that's what triggers the hack... What is being done to keep this from happening in the future? Why would such a security hole exist in the first place? It seems almost fantastical. If there's no way to close the hole, perhaps auto version checks should not be happening at all. Just securing your GitHub accounts seems an extremely weak measure.

Now that I'm done griping... Mine reads: Array ( [dateline] => 1406476664 ) Does that mean I'm good to go? If so, is there anything else I need to do to secure myself?
2014-11-18, 11:22 AM
Please read here: http://community.mybb.com/thread-162862-page-5.html
Yes, you're safe. And I recommended people to go to the ACP because I either recommended them to go there and rebuild their cache or I'd tell them to open up PHPMyAdmin, go to the datacache table and empty the update_check entry. I'm sure most of the users would complain - as always, people will complain if you say X and people will complain if you say Y.
All my plugins are available for free at MyBB Extend and on my GitHub. MyBB-Plugins.com has been closed and none of my plugins are officially maintained or supported.
2014-11-18, 11:34 AM
(2014-11-18, 11:13 AM)DrXotick Wrote: The poster is asking why you originally recommended people to log on to ACP if that's what triggers the hack...

I don't think anyone realized right away the extent of this hack (that it got stuck in the cache). At the time the blog post was made it was believed to be safe (because the malicious GitHub change had been reverted), but as it turned out later it wasn't the case because of the cache. MyBB 1.8 even has a task to update that cache regularly, but the way it is implemented, it took in the malicious code but never got rid of it even after it was removed from GitHub, since it only updates with version increments.
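The two posts above describe where the payload lived (the update_check row of the datacache table) and the fix (empty or rebuild that entry). The script below is an added example, not MyBB code or anything posted in this thread: it assumes MyBB stores datacache values PHP-serialized, treats the healthy entry quoted earlier (a dateline only) as the baseline, and reports extra keys or HTML/PHP markup so an admin can audit the row before opening the ACP. Sample rows in the test are constructed.

```python
import re

# Keys of the healthy update_check entry quoted in the thread; anything else is
# reported for manual review (assumption: a clean entry carries no other keys).
EXPECTED_KEYS = {"dateline"}
# Markup that has no business in a version-check record.
MARKUP = re.compile(r"<\s*/?\s*(script|img|iframe|\?php)|javascript:", re.I)

def _parse(s: str, i: int):
    """Parse one PHP-serialized value starting at s[i]; return (value, next_index)."""
    t = s[i]
    if t == "N":                                  # N;
        return None, i + 2
    if t in "ib":                                 # i:123;  b:1;
        end = s.index(";", i)
        n = int(s[i + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":                                  # s:8:"dateline";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                         # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if t == "a":                                  # a:2:{key;value;...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        i = colon + 2                             # skip ':{'
        out = {}
        for _ in range(count):
            key, i = _parse(s, i)
            out[key], i = _parse(s, i)
        return out, i + 1                         # skip '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")

def php_unserialize(data: str):
    """Minimal PHP unserialize() for the null/int/bool/string/array subset."""
    return _parse(data, 0)[0]

def audit_update_check(serialized: str) -> list:
    """Return findings for one datacache row; [] means it matches the healthy entry."""
    entry = php_unserialize(serialized)
    if not isinstance(entry, dict):
        return [f"unexpected type {type(entry).__name__}"]
    findings = [f"unexpected key {k!r}" for k in sorted(set(entry) - EXPECTED_KEYS, key=str)]
    findings += [f"markup in {k!r}" for k, v in entry.items()
                 if isinstance(v, str) and MARKUP.search(v)]
    return findings
```

Feed it the `cache` column of the `update_check` row (e.g. exported from phpMyAdmin); an empty result corresponds to the `Array ( [dateline] => ... )` output posted above, and any finding means the row should be emptied and rebuilt rather than rendered.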
2014-11-18, 11:39 AM
^Yeah, that's right. I guess we could have waited a few more days and investigated the issue more deeply, but that would cost our users time and would give our attacker more time to attack our users. We preferred to alert everyone of the fixing steps we knew about without knowing the full extent of the problem, rather than knowing the full extent of the issue and not allowing people to protect themselves during that time. In the end, I guess we'll never know which one was the best.
2014-11-18, 02:46 PM
(This post was last modified: 2014-11-19, 05:51 PM by Destroy666.)
(2014-11-18, 11:13 AM)DrXotick Wrote: If there's no way to close the hole, perhaps auto version checks should not be happening at all. Just securing your GitHub accounts seems an extremely weak measure.

1. Who said there is no way to "close the hole"?
2. If you read a few posts here, you'll notice it's not the only countermeasure..

(2014-11-18, 11:22 AM)Pirata Nervo Wrote: And I recommended people to go to the ACP because I either recommended them to go there and rebuild their cache or I'd tell them to open up PHPMyAdmin, go to the datacache table and empty the update_check entry. I'm sure most of the users would complain - as always, people will complain if you say X and people will complain if you say Y.

Strange. I wonder why the MyBB staff fails to understand that the current recommendation in the blog post forces at least some admins to themselves trigger the malicious download of their database, given that there's that cache problem in place. Take my example (sorry!) once again. We know that my DB was not stolen during the 14th-15th (because I was not in my ACP those days). Very well. The problem has been fixed on the GitHub side since then. So the reasonable outcome would be that after the 15th I would be safe against the problem, if following your recommendations. Now what was the actual outcome was that I did follow your recommendations and thus got my DB stolen yesterday - this exclusively because the recommendations were incomplete - they did not take that cache issue into account. OK, what's done is done, we discussed the matter yesterday and realized that it was the cache issue that led to that unfortunate result. But why do you not correct your recommendations to account for that cache issue? Why are you still actually recommending people: "Go to your ACP and trigger your own DB to be stolen" ??? I think the recommendations should be corrected asap.

UPD: I read in the parallel thread that the malicious code has been removed from its URL, so now it does not matter whether the recommendations are corrected or not. Anyway, please excuse me, but they were poorly and inadequately engineered. If I had not followed them yesterday, I would not have been compromised. Security should be in the first place, all possible "user inconvenience" of going into phpMyAdmin should be in the second. Those guys might have been millionaires by now if they had prepared a bit better for this attack and ventured to download complete databases, not just the "users" table. Thank God that attackers have limited aspirations.