Server compromised, expect downtime - Discussion
Server compromised, expect downtime
Daniel M Ingram, modificado 3 Anos atrás at 24/11/20 00:05
Created 3 Anos ago at 24/11/20 00:05
Server compromised, expect downtime
Postagens: 3278 Data de Entrada: 20/04/09 Postagens Recentes
Dear DhO,
Our server on Hetzner is compromised, they tell me, so will shut this server down shortly until we can get this sorted, I think.
Apologies for the interruption.
Best wishes,
Daniel
Our server on Hetzner is compromised, they tell me, so will shut this server down shortly until we can get this sorted, I think.
Apologies for the interruption.
Best wishes,
Daniel
Chris M, modificado 3 Anos atrás at 24/11/20 07:17
Created 3 Anos ago at 24/11/20 07:17
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens RecentesDaniel M Ingram, modificado 3 Anos atrás at 24/11/20 10:37
Created 3 Anos ago at 24/11/20 10:37
RE: Server compromised, expect downtime
Postagens: 3278 Data de Entrada: 20/04/09 Postagens Recentes
Ok, the warnings went away when a WordPress site that is also hosted there was updated, so may have been that simple. Will hopefully know more today and will check around to make sure all is well. Let's presume all is well for the moment, but will keep you all updated. If the DhO does need to go down for maintenance and the like, I will post something on my Twitter account @danielmingram about what is going on and when it might be back up.
Chris M, modificado 3 Anos atrás at 24/11/20 11:10
Created 3 Anos ago at 24/11/20 11:10
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens RecentesDaniel M Ingram, modificado 3 Anos atrás at 24/11/20 11:11
Created 3 Anos ago at 24/11/20 11:11
RE: Server compromised, expect downtime
Postagens: 3278 Data de Entrada: 20/04/09 Postagens Recentes
Ok, was wrong, not fixed, heck. Got a message last night saying was ok, now a new message that it is not.
Hopefully, Simon will be able to sort it.
Thanks for your patience!
Hopefully, Simon will be able to sort it.
Thanks for your patience!
Daniel M Ingram, modificado 3 Anos atrás at 24/11/20 11:48
Created 3 Anos ago at 24/11/20 11:48
RE: Server compromised, expect downtime
Postagens: 3278 Data de Entrada: 20/04/09 Postagens Recentes
Ok, after Simon was kind enough to do some excellent tech support, it appears that the problem is Liferay, so it will need to be upgraded to Liferay 7, and the last time we tried this we failed completely, so I will engage some paid expertise to sort this out. If people wonder what I do with the little bit of money I make on MCTB2, it is this sort of thing.
Thanks for your patience.
Expect DhO instability in the coming days. Save large new posts that you care about in a text file or something like that.
We have backups through today, so that's good.
Best wishes,
Daniel
Thanks for your patience.
Expect DhO instability in the coming days. Save large new posts that you care about in a text file or something like that.
We have backups through today, so that's good.
Best wishes,
Daniel
Angel Roberto Puente, modificado 3 Anos atrás at 24/11/20 12:04
Created 3 Anos ago at 24/11/20 12:04
RE: Server compromised, expect downtime
Postagens: 281 Data de Entrada: 05/05/19 Postagens RecentesPapa Che Dusko, modificado 3 Anos atrás at 24/11/20 12:13
Created 3 Anos ago at 24/11/20 12:13
RE: Server compromised, expect downtime
Postagens: 3048 Data de Entrada: 01/03/20 Postagens RecentesAngel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
LOL Priceless!
Linda ”Polly Ester” Ö, modificado 3 Anos atrás at 24/11/20 12:33
Created 3 Anos ago at 24/11/20 12:33
RE: Server compromised, expect downtime
Postagens: 7134 Data de Entrada: 08/12/18 Postagens RecentesJ W, modificado 3 Anos atrás at 24/11/20 15:02
Created 3 Anos ago at 24/11/20 15:02
RE: Server compromised, expect downtime
Postagens: 692 Data de Entrada: 11/02/20 Postagens Recentes
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
J W, modificado 3 Anos atrás at 24/11/20 16:21
Created 3 Anos ago at 24/11/20 16:21
RE: Server compromised, expect downtime
Postagens: 692 Data de Entrada: 11/02/20 Postagens Recentes
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
Guess we should all be watching our accounts and report here if anyone gets hacked.
Z , modificado 3 Anos atrás at 24/11/20 17:14
Created 3 Anos ago at 24/11/20 17:13
RE: Server compromised, expect downtime
Postagens: 201 Data de Entrada: 16/03/18 Postagens RecentesJ W:
I guess the only thing would be passwords (hopefully they were encrypted).
Guess we should all be watching our accounts and report here if anyone gets hacked.
Guess we should all be watching our accounts and report here if anyone gets hacked.
Am I reading this correctly, that someone hacked the server?
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Why would someone ever do that, lol... there's nothing in that database that isn't visible, it's a public forum.
Some hackers just like to break in to sites for sport, though they could be after user credentials. Since we don't know yet if credentials were comprimised, if you re-use your DhO account password on any other service/app/site, it'd be a good idea to change your password there.
Z , modificado 3 Anos atrás at 24/11/20 19:52
Created 3 Anos ago at 24/11/20 17:15
RE: Server compromised, expect downtime
Postagens: 201 Data de Entrada: 16/03/18 Postagens RecentesAngel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Haha, was the hacker able to access any jhanas?
Siavash ', modificado 3 Anos atrás at 24/11/20 17:17
Created 3 Anos ago at 24/11/20 17:17
RE: Server compromised, expect downtime
Postagens: 1697 Data de Entrada: 05/05/19 Postagens Recentes
Don't worry! No one would pay for DhO passwords. It should be something that you could sell it, or something that could open the doors to find something that you could sell it, or gain some power on something or someone and etc. DhO data should not be in those categories, normally!
(Passwords are usually hashed and are not easy to retrieve, if you could do it at all.)
(Passwords are usually hashed and are not easy to retrieve, if you could do it at all.)
Papa Che Dusko, modificado 3 Anos atrás at 24/11/20 23:40
Created 3 Anos ago at 24/11/20 23:40
RE: Server compromised, expect downtime
Postagens: 3048 Data de Entrada: 01/03/20 Postagens RecentesZachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Haha, was the hacker able to access any jhanas?
LoL This is getting better Hacker tried but failed; apparently couldn't manage to crack the password: niMiTTa
Pawel K, modificado 3 Anos atrás at 25/11/20 00:16
Created 3 Anos ago at 25/11/20 00:16
RE: Server compromised, expect downtime
Postagens: 1172 Data de Entrada: 22/02/20 Postagens RecentesZachary:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
Not two, not one, modificado 3 Anos atrás at 25/11/20 02:08
Created 3 Anos ago at 25/11/20 02:08
RE: Server compromised, expect downtime
Postagens: 1047 Data de Entrada: 13/07/17 Postagens RecentesPapa Che Dusko:
Angel Roberto Puente:
Chris Marti:
Were any of our credentials compromised?
LOL Priceless!
Lol. very good! Also a promising shortcut, if attainments could be gotten rid of that easily.
Chris M, modificado 3 Anos atrás at 25/11/20 07:57
Created 3 Anos ago at 25/11/20 07:57
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens Recentes
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
Pawel K, modificado 3 Anos atrás at 25/11/20 08:15
Created 3 Anos ago at 25/11/20 08:15
RE: Server compromised, expect downtime
Postagens: 1172 Data de Entrada: 22/02/20 Postagens RecentesChris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
Chris M, modificado 3 Anos atrás at 25/11/20 08:19
Created 3 Anos ago at 25/11/20 08:19
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens RecentesLewis James, modificado 3 Anos atrás at 25/11/20 11:05
Created 3 Anos ago at 25/11/20 11:05
RE: Server compromised, expect downtime
Postagens: 155 Data de Entrada: 13/05/15 Postagens Recentes
Once a software vulnerability is made public and widely available people will set up bots to scan through sites looking for known insecure versions and compromising them / injecting a backdoor / etc on the off-chance they find something valuable.
Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930
A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.
However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.
There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:
https://www.cvedetails.com/cve/CVE-2019-16891/
This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.
Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).
Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
Looking at the HTTP response headers, the site is running Liferay CE 6.2 GA2 (6.2.1). You can find a list of known vulnerabilities on the Liferay site here:
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/categories/113763930?p_r_p_categoryId=113763930
A bunch of cross-site scripting issues, which can range from fairly minor (think: adding a script to the page that says "Daniel Ingram is a doodoohead"... whether that's minor or not depends on who you are I guess) to pretty annoying (think: adding a bitcoin miner in the background of the page, or redirecting you to a phishing site). The attacker generally won't gain access to the *server*, but may be able to run arbritary scripts in the user's browser. Thankfully if you're using a modern browser there are plenty of security features to stop them from doing anything too bad.
However I would recommend everyone download and use the NoScript browser extension for now and enable it for this site in case any dodgy code has been injected into the site.
There is also a known RCE (remote command execution) exploit for Liferay < 6.2.5, though it seems the details aren't completely public so I don't know if this is a risk, or if so, how much of a risk it is:
https://www.cvedetails.com/cve/CVE-2019-16891/
This kind of exploit can allow an attacker to run whatever program they like on the actual server hardware, which could be a problem and may compromise database info. Passwords should be hashed with, according to the Liferay docs, "PBKDF2--WithHmac--SHA1/160/128000" which basically means passwords are encrypted by a random function run an arbritrary number of times, and encoded using a specified SHA algorithm. However, if that algorithm is SHA1, that has known weaknesses and its use is strongly discouraged these days. Additionally, a note on the Liferay docs says that if a site is upgraded from a prior version to 6.2, they may enable "legacy" password support, which likely uses plain SHA1, which would be even weaker.
Basically in the event that an attacker gained database access they wouldn't get your passwords, but may get hashed versions which may be possible to either brute force (less likely) or look up in a table of known password hashes (if it's SHA1, and you're using a password that can be found in such a table, either using a common word or a password that's previously been leaked, that's quite likely).
Without more info from the hosting provider and/or Daniel's tech team it's hard to say what the actual risk is, though they may not want to disclose that information until it's secured to prevent copycat attacks.
Siavash ', modificado 3 Anos atrás at 25/11/20 15:48
Created 3 Anos ago at 25/11/20 15:48
RE: Server compromised, expect downtime
Postagens: 1697 Data de Entrada: 05/05/19 Postagens RecentesChris Marti:
Since we're not getting any detailed information about this incident or just what has been compromised, I would suggest that a DhO password change is in order, especially if you use your DhO password for anything else.
If someone is using their DhO password in other websites/apps/services, I think the thing they should do is to change their passwords on those websites/apps/services, and more importantly be sure that they have a recovery method for their passwords in those systems that they can use if they lost their passwords. Changing DhO password, I don't think is very helpful. The passwords in the database are likely safe.
If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
Chris M, modificado 3 Anos atrás at 25/11/20 16:10
Created 3 Anos ago at 25/11/20 16:08
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens RecentesChanging DhO password, I don't think is very helpful.
Yes, that's right. I've changed my DhO password even though I use a strong password generator (1Password) for all my passwords. I plan to change it often until we know what's up. Also, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.
Siavash ', modificado 3 Anos atrás at 25/11/20 16:11
Created 3 Anos ago at 25/11/20 16:11
RE: Server compromised, expect downtime
Postagens: 1697 Data de Entrada: 05/05/19 Postagens Recentes I use a strong password generator (<This_is_part_of_the_credentials>) for all my passwords.
Mentioning what you use for your password generation would change my options if I wanted to attack you! ;)
Siavash ', modificado 3 Anos atrás at 25/11/20 16:17
Created 3 Anos ago at 25/11/20 16:13
RE: Server compromised, expect downtime
Postagens: 1697 Data de Entrada: 05/05/19 Postagens RecentesAlso, I just don't trust that anything is "probably safe." I have found that skepticism surrounding cybersecurity issues is a good way to proceed.
Just in the context of DhO. If it was a bank for example, that would be a completely different story. Also if there are personal interests/conflicts, that can change it too. I am just emphasizing priorities for an attacker and for the server.
Pawel K, modificado 3 Anos atrás at 25/11/20 16:54
Created 3 Anos ago at 25/11/20 16:54
RE: Server compromised, expect downtime
Postagens: 1172 Data de Entrada: 22/02/20 Postagens RecentesSiavash:
If someones has access to parts of the server (I mean if they still have access), reading and monitoring the input data on a password change generally should be easier than retrieving the current passwords stored in the database.
I do not worry about my account too much. It is not my self and is impermanent anyway.
Siavash ', modificado 3 Anos atrás at 25/11/20 18:34
Created 3 Anos ago at 25/11/20 16:58
RE: Server compromised, expect downtime
Postagens: 1697 Data de Entrada: 05/05/19 Postagens RecentesThat is why I patiently wait until the white borderless box disappear.
Yes. I think this is the right thing to do for most DhO members on DhO currently (Assuming they do the basics: Using firewalls, updating their operating system, updating their browser to its latest version, having security settings on browser at standard or ahigher level, using browser' safety checks, checking ssl lock icon on their browser address bar, not sharing same passwords among different apps...). And considering that DhO uses Single SignOn, and most users do not login each time they use DhO, and instead of actual password, a token is sent to the server that is stored by the browser and the operating system.
Chris M, modificado 3 Anos atrás at 26/11/20 09:01
Created 3 Anos ago at 26/11/20 09:01
RE: Server compromised, expect downtime
Postagens: 5406 Data de Entrada: 26/01/13 Postagens RecentesMentioning what you use for your password generation would change my options if I wanted to attack you! ;)
Sure.
Daniel M Ingram, modificado 3 Anos atrás at 29/11/20 11:40
Created 3 Anos ago at 29/11/20 11:40
RE: Server compromised, expect downtime
Postagens: 3278 Data de Entrada: 20/04/09 Postagens Recentes
Simon The Oak has patched what we think was the problem, installed software to scan for files and programs that shouldn't be there, but, still, this version of Liferay is old and has known vulnerabilities, as pointed out above, so Manish is currently trying to upgrade the platform: may his noble efforts go well!
Many thanks to the volunteer support team!
I don't think at this point that the DhO itself was compromised, but that they managed to get access to the server through it and use it to attack other sites, which is still a serious problem, as Hetzner, where we are currently hosted, has a very low tolerance for that sort of thing, so the primary threat to the DhO was them shutting the server down, I think. More updates as they become available.
Many thanks to the volunteer support team!
I don't think at this point that the DhO itself was compromised, but that they managed to get access to the server through it and use it to attack other sites, which is still a serious problem, as Hetzner, where we are currently hosted, has a very low tolerance for that sort of thing, so the primary threat to the DhO was them shutting the server down, I think. More updates as they become available.