We are requiring all members to update their passwords.
On 10-21 we had two hard drives fail that were part of a raid array. This server hosted the code base for WHT. We had to restore some files from backup.
After the site was restored, a member noticed a suspicious error and started a thread about that here (http://www.webhostingtalk.com/showthread.php?t=730805).
As I stated in that thread, our dev team looked into the suspicious code and determined that it did nothing of concern.
They did continue to dig into the issue. When they reviewed archived copies of WHT, they discovered that, at one point, the code was doing something that did cause concern.
Here's what we know...
At some point, the script was writing user names and passwords to a table in our database.
This occurred only when logging into WHT through the wiki, not through the standard vBulletin (homepage) login
We can find no evidence or method to externally access the username/password table that this script created
Even though we can find no evidence that usernames and passwords were compromised, we are taking the precautionary measure of forcing a reset of every user's password.
Again, this is purely a precautionary measure. We don't have evidence that usernames and passwords were compromised. And the security hole in MediaWiki that allowed the code to be injected has been fixed.

So, I take the forced password change as admittance that WHT was compromised? There are blog comments mere hours before hand suggesting that the force password change was going to happen tonight due to being compromised.

Thanks for the announcement about the password. As I was surprised to see that I was forced to change the password.

Thanks for the update! :)

Nowonder I a notice to change password, I thought the database is hacked and hackers want to have our password so I changed to a random password :S
How can we check our member's database from MySQL?

Over the past several days the developers and myself have been reviewing the information posted here and digging through log files and code. At no point in our investigation have we found any credible proof that any data has been compromised. The HTML form posted earlier did not send any information to any other source than the default vBulletin login.php but to avoid any future confusion we have removed the code from that page. The code was not malicious and from my best recollection was used to troubleshoot the login procedure and should have been removed after the troubleshooting process.
We have not, do not, and would not ever store your passwords in clear text on our servers. It's not in our best interest and frankly there isn't a good reason to do so. Also we take the security and integrity of our communities very seriously.
And just to reiterate what Dennis just said:
There is no cover up. There is no conspiracy. There is no compromise.
So this was total BS.
To be perfectly honest, you make me sick. What I highlighted is an outright LIE.
It is a bad day when you go out of your way to tell everyone they are wrong rather than just admit the truth. Atleast we know the truth now.

Your Password is 1023 days old
I guess it was about time anyway. :D

Your Password is 1023 days old
I guess it was about time anyway. :D
I got the same message.

Your Password is 1023 days old
I guess it was about time anyway. :D
I didn't even joined for a month!

What I highlighted is an outright LIE.
There is a huge difference between telling a lie and telling the truth to the best of your knowledge at a point in time.
Atleast we know the truth now.
I appreciate the fact that we were told about the issue once it was known.
Lois

I got the same message.
It must of been a default message then, but funnily enough that's about how long it's been since i changed it.
My WHT pass is unique to here, so they would only be able to post nonsense.. which nobody would distinguish from my regular posts. :stickout:

There is a huge difference between telling a lie and telling the truth to the best of your knowledge at a point in time.
You can spin it however you want but you and I both know it was a lie. Mat is not stupid and simply reading that thread would have known for a fact that it was not "development code". So please stop making yourselves look like bigger idiots than you already are.

Shocker...

Your Password is 1023 days old
I guess it was about time anyway. :D
Everyone's says that, I changed my password the other day when all this started and I was told my password was 1023 days old too.
They've pushed the last password change date back for every member to force vBulletin to trigger the message you see.
There is much shame in admitting you were hacked. But there is even more shame involved in trying to cover it up despite several members posting evidence contrary to what you're saying, locking the thread to shut them up, and then doing a triple back flip like you've just done.
If you go back and read the other thread (http://www.webhostingtalk.com/showthread.php?t=730805), you'll see people believed you and even defended you telling other people to drop the whole cooked up "conspiracy theory". The experienced members here tried to tell you, and you covered it all up and effective called them liars (much like yourself). Shame on WHT.
There is a huge difference between telling a lie and telling the truth to the best of your knowledge at a point in time.
That's called convenience. :)

You can spin it however you want but you and I both know it was a lie.
Uh, no.
You are going to believe what you have chosen to believe no matter what anyone says. But I will state here for everyone that it wasn't a lie. The information posted was the truth according to the information that was available at the time. Not a spin...just the truth.
Lois

Uh, no.
You are going to believe what you have chosen to believe no matter what anyone says. But I will state here for everyone that it wasn't a lie. The information posted was the truth according to the information that was available at the time. Not a spin...just the truth.
Lois
Yes that's right, and I said on closing the thread that Dennis or Mat would post if anything came up, which it has and they have.

To be perfectly honest, you make me sick. What I highlighted is an outright LIEPlease do not talk to the staff like this!!
THEY ARE JUST TRYING TO HELP THE MEMBERS HERE AND TO PROTECT THIER DATABASE FROM INTRUSION!!

Shocker...
Steven, Thanks for the heads up. :agree:

Uh, no.
You are going to believe what you have chosen to believe no matter what anyone says. But I will state here for everyone that it wasn't a lie. The information posted was the truth according to the information that was available at the time. Not a spin...just the truth.
Lois
I chose to believe that it was a lie rather than the alternative which is that your "developers" and "system administrators" are stupid.
Are you seriously telling me that people who do not even have access to your systems know more about them than you do?
In fact lets flick back to that thread, someone informed it was saving plain text passwords to a file,
Warning: fopen(http://www.webhostingtalk.com/store/images/126928744_lg.jpg?user=calamine&pass=xxxxxx&email=xxxxxx%40gmail.com):
failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /includes/functions.php(2651) :
eval()'d code(1) : eval()'d code on line 5
You "investigated" it and determined what exactly? What about the above does note tell you that you have been compromised?
I then responded to the above thread 2 days later showing that the vbulletin authentication was modified to remove client side hashing of the passwords,
http://www.webhostingtalk.com/showpost.php?p=5373237&postcount=33
So lets assume what you say is true and that you didn't know what the problem is and that it should be ignored. Are you then honestly trying to say that after reading the information I posted that you didn't put two and two together.......
Please tell me how it is even possible to not know you were compromised by this point.
How about another one, with that information in hand again please tell me how it is possible to take 9 days to finally determine that you were compromised.
Lastly you never did answer what "development" you were doing that made you assume that the changes to the login, which were quite blatantly relating to a compromise, were relating to work you did. Instead you did the typical thing and close the thread when your lies get caught out.

It doesnt seem to have affected ANYONE so please lay off the staff!
THEY CORRECTED IT,IS THIS NOT ENOUGH??

I chose to believe that it was a lie rather than the alternative which is that your "developers" and "system administrators" are stupid.
Are you seriously telling me that people who do not even have access to your systems know more about them than you do?
In fact lets flick back to that thread, someone informed it was saving plain text passwords to a file,
You "investigated" it and determined what exactly? What about the above does note tell you that you have been compromised?
I then responded to the above thread 2 days later showing that the vbulletin authentication was modified to remove client side hashing of the passwords,
http://www.webhostingtalk.com/showpost.php?p=5373237&postcount=33
So lets assume what you say is true and that you didn't know what the problem is and that it should be ignored. Are you then honestly trying to say that after reading the information I posted that you didn't put two and two together.......
Please tell me how it is even possible to not know you were compromised by this point.
How about another one, with that information in hand again please tell me how it is possible to take 9 days to finally determine that you were compromised.
Lastly you never did answer what "development" you were doing that made you assume that the changes to the login, which were quite blatantly relating to a compromise, were relating to work you did. Instead you did the typical thing and close the thread when your lies get caught out.
I think it's reasonable for you and others to get upset over this. I appreciate those experienced users (yourself included) who tried to forewarn the staff in the other thread. I am also irked at the fact that a thorough investigation was not conducted before the sys admin concluded that WHT was not hacked. I don't believe anyone was trying to sweep it under the rug, however, there was surely a rush to conclusion.
With that all said though, at this point, I am not sure what you are going to gain further with more rude "I told you so!" remarks.

When I saw that my password had expired I thought that meant WHT had been compromised and that someone tried to steal my password. However, after looking carefully at links and any flaws, I couldn't find any and just decided to give in :P.

oh my god..
better change the password.
--
joseph

I think it's reasonable for you and others to get upset over this. I appreciate those experienced users (yourself included) who tried to forewarn the staff in the other thread. I am also irked at the fact that a thorough investigation was not conducted before the sys admin concluded that WHT was not hacked. I don't believe anyone was trying to sweep it under the rug, however, there was surely a rush to conclusion.
With that all said though, at this point, I am not sure what you are going to gain further with more rude "I told you so!" remarks.
For what it's worth I don't think they tried to cover up a compromise what I am upset about is the fact we were lied to in that thread about the reason the authentication was changed.
However way you look at that particular part you have two choices,
- It was compromised (Which we now know is true).
- It was altered to remove client side hashing for "development purposes", what does iNET need our plain text passwords for? There is no valid reason so make your own mind.
About "told you so", I couldn't give a damn about point scoring, I do however about being lied to.
As members of this community we expect iNET to do right by us and again no matter how you look at it, they failed miserably.
The compromise part isn't a huge deal, these things happen to the best of them, but how can you trust a company that takes 9 days to determine something that is very obvious? Something which was spelled out in a public thread...... I don't get it.
How several members in this (http://www.webhostingtalk.com/showthread.php?t=730805) thread were treated like they are all out to get iNET and are all wrong is unforgivable.

On 10-21 we had two hard drives fail that were part of a raid array. This server hosted the code base for WHT. We had to restore some files from backup.
After the site was restored, a member noticed a suspicious error and started a thread about that here.
It would seem reaonable to conclude that the archived copy was the culprit. For whatever reason, the code was in an archive copy, was removed, (sounds a lot like what a tester would do).
Problem was, it existed in the backup. With no one to remember to remove it.
Is it a disaster of mind blowing proportions? Not really.
It's a freakin' bulletin board!
Unless you're in the habit of archiving credit card info in your pm inbox, there is nothing of value there.

I am not a techie, and I didn't do any of the investigating. Mat (The Prohacker) posted at a point in the investigation that those who did the investigation had found no credible proof that any data had been compromised. That's the truth.
Being thorough types, they continued looking, and when they found more information (although still no evidence that usernames and passwords were compromised), the decision was made to have everyone change their passwords just as a precautionary measure. That's also the truth.
My prediction before Dennis started this thread was that some members would be appreciative of the new information and precautions and that some others would continue to insult the iNET team no matter what we said. I wish I hadn't been right about the second part. But there isn't anything I can say to satisfy those in the latter group, so I'll just thank those in the former group for their consideration. :)
Lois

. . . Is it a disaster of mind blowing proportions? Not really.
It's a freakin' bulletin board!
Unless you're in the habit of archiving credit card info in your pm inbox, there is nothing of value there.
So true. Seems much ado about nothin' :erm:

I am not a techie, and I didn't do any of the investigating. Mat (The Prohacker) posted at a point in the investigation that those who did the investigation had found no credible proof that any data had been compromised. That's the truth.
Being thorough types, they continued looking, and when they found more information (although still no evidence that usernames and passwords were compromised), the decision was made to have everyone change their passwords just as a precautionary measure. That's also the truth.
My prediction before Dennis started this thread was that some members would be appreciative of the new information and precautions and that some others would continue to insult the iNET team no matter what we said. I wish I hadn't been right about the second part. But there isn't anything I can say to satisfy those in the latter group, so I'll just thank those in the former group for their consideration. :)
Lois
I know you didn't which is why I never pointed anything directly at you or the other moderators for that matter.
My points are all relating to the fact that any self respecting system administrator would have known immediately something was up. If iNET thinks that how long it taken to realize there was an issue and brushing off people who had legitimate questions then that speaks volumes.
This whole attitude of anyone who questions how some things are handled that they are out to get you is very frustrating. It's always the same response or it ends up with posts being deleted, threads being locked, people being banned, it's pathetic.
Again this (http://www.webhostingtalk.com/showthread.php?t=730805) thread was moderated god knows how many times and eventually locked without the key question being answered because there was simply no way to answer it without looking stupid or being shown to be a liar.
I know I am wasting my time because you cannot have a plausible answer to why it took so long after having such obvious information to determine you had been compromised. Even after being persistently told something was wrong by members of this community it was still assumed that everyone was wrong? Do you really have that little respect for anyone that doesn't roll over and agree with everything you say?
The funny part now it's too late and you can't say anything otherwise but atleast anyone with the faintest idea of how these things work will realize how totally implausible and downright incompetent what you have stated is.

Looking at all the Hacked pages in Google (http://www.google.com/search?complete=0&hl=en&q=site:webhostingtalk.com+inurl:rack.php&start=0&sa=N&filter=0) some have encrypted code snippets, a partial decode looks like it has a "Please Enter your Password" and sending them out to an email.
Whether it worked or not i don't know, you would have to replace your email in the exploit and login and see if your pass got sent to you. No doubt the WHT admin tried this.

Many thanks to the admins for their considerate and hard work. It was about time I changed my password for the first time on WHT :D

What? It was the first time that I had to log out :D
Many thanks to the admins for their considerate and hard work. It was about time I changed my password for the first time on WHT :D

What? It was the first time that I had to log out :D
First time I ever logged out too!

I kept my password the same - no worries here. :)

Thanks for everyone's cooperation.
Just to reiterate, this is simply a precautionary measure. There is little chance any information was gained by this. But, because we can't prove there wasn't, we are having everyone update their password.
Well, not quite everyone. I haven't updated mine. :blush:

Thanks for the update on this one. Since this didn't create any serious trouble to anyone else, it should be closed at this point.
If someone has any trouble with this (as is shown by someone in this thread by insulting the staff), they seriously need to close their wht account and move to some other "more secure" forums (if they find any!) and never visit here!

Thanks for the update on this one. Since this didn't create any serious trouble to anyone else, it should be closed at this point.
If someone has any trouble with this (as is shown by someone in this thread by insulting the staff), they seriously need to close their wht account and move to some other "more secure" forums (if they find any!) and never visit here!
I agree with you.
In my opinion he is just doing it to say I'm better system administrator than wht staff, and to flash his Linux admin signature/business.

I agree with you.
In my opinion he is just doing it to say I'm better system administrator than wht staff, and to flash his Linux admin signature/business.
Damn, you caught me. How did you know?
[/sarcasm]
You don't even deserve an actual response. [I would insert some words here but they will be moderated]

Damn, you caught me. How did you know?
[/sarcasm]
...because HostOrca has kinda common-sense...:wavey:

now THAT's a security hole.... I changed my pass to something new, logged in, went to my admin panel and changed it back to my old pass. :) ofcourse, just for testing purposes.

Scott.mc; I believe you over WHT staff, and I shouldn't, but from what I've seen - WHT administrators not actually providing a believable reason for what happened, whereas you have - I do think you're right, however, I won't bother complaining, it does appear they've tried, I don't appreciate being lied to, but if they were to say "We've been hacked" they'd lose a lot of members.
I agree with you.
In my opinion he is just doing it to say I'm better system administrator than wht staff, and to flash his Linux admin signature/business.
<<snipped>> When you care about something, you pursue it. Scott clearly cares about security and it bothers him that WHT are trying to cover something up, whether or not he wishes to pursue this, that's up to him, don't try and make him out to be after business, or whatever you're trying to claim. He's clearly got brains. Grow up. That's the one thing that irritates me about WHT members, a lot are so arrogant :|
<<<removed>>>

Thanks for everyone's cooperation.
Just to reiterate, this is simply a precautionary measure. There is little chance any information was gained by this. But, because we can't prove there wasn't, we are having everyone update their password.
Well, not quite everyone. I haven't updated mine. :blush:
If you would have simply listened to us the first time, you wouldn't have scott being all upset. This is what we do for a living, you cant BS us.

If you would have simply listened to us the first time, you wouldn't have scott being all upset. This is what we do for a living, you cant BS us.We did listen to you. If we hadn't been listening, we wouldn't have kept digging. It is because of people like you insisting there was more than we first found that encouraged us to not simply close out this issue. Thank you for your feedback.

WoW, I take a week or two off from WHT, and all hell breaks loose! Fun stuff!
If you would have simply listened to us the first time, you wouldn't have scott being all upset. This is what we do for a living, you cant BS us.
My points are all relating to the fact that any self respecting system administrator would have known immediately something was up. If iNET thinks that how long it taken to realize there was an issue and brushing off people who had legitimate questions then that speaks volumes.
Maybe the both of you need to actually stop and think about how you're coming across and posting, rather than attacking WHT mods/admins themselves. While (admittedly), the first post declared something was off and wrong, and that something must be done to resolve it, not everyone works at the pace you do, and not everyone is going to respond exactly how you want. Attacking those that don't (which is most likely why your posts got removed in the first place) will get you nowhere at all, except on a downhill spiral here.
With that all said though, at this point, I am not sure what you are going to gain further with more rude "I told you so!" remarks.
That's just Scott, he does it all the time.
My prediction before Dennis started this thread was that some members would be appreciative of the new information and precautions and that some others would continue to insult the iNET team no matter what we said. I wish I hadn't been right about the second part. But there isn't anything I can say to satisfy those in the latter group, so I'll just thank those in the former group for their consideration. :)
I was kind of surprised at this myself last night, but at least you made an announcement about it. While I'm unimpressed with the initial assessment (come on, a first year student should have known something was up there), critiquing Matt and WHT is not my job, so, I'll leave that to those that apparently have taken it upon themselves to do this. Thank you for the post and warning, however!
now THAT's a security hole.... I changed my pass to something new, logged in, went to my admin panel and changed it back to my old pass. ofcourse, just for testing purposes.
Not a "security hole" per se, but in this case it could be a problem. Changing your password back to a previous password (I did, but I hadn't used that password here in years) is not a security hole. Changing your password to your USERNAME is, which is why that was disabled in 3.7.2 (or was it 3.7.3?)

Maybe the both of you need to actually stop and think about how you're coming across and posting, rather than attacking WHT mods/admins themselves. While (admittedly), the first post declared something was off and wrong, and that something must be done to resolve it, not everyone works at the pace you do, and not everyone is going to respond exactly how you want. Attacking those that don't (which is most likely why your posts got removed in the first place) will get you nowhere at all, except on a downhill spiral here.
Very well said!
Sirius

WoW, I take a week or two off from WHT, and all hell breaks loose! Fun stuff!
You're disbarred from leaving WHT ever again. ;)
Just my two cents, but it really doesn't hurt to have a system in place for forums like WHT. Change your password occasionally and for heaven sakes don't use mission critical passwords employed elsewhere. It just seems like common sense to me, but they do call me crazy.
The brains here at WHT are doing their part. If you disagree with the result, there are ways to handle it. Otherwise, thanks to them for addressing the situation!

Just my two cents, but it really doesn't hurt to have a system in place for forums like WHT. Change your password occasionally and for heaven sakes don't use mission critical passwords employed elsewhere. It just seems like common sense to me, but they do call me crazy.
That's quite right - I don't understand how anyone could even consider using their server, banking or any other important service password as their forum password.

Glad to see this finally cleared up.
I was upset to see the original thread closed but atleast action was taken as a response so I am happy.
Good job WHT.

WHT was compromised? :S

WHT was compromised? :S
What? Prove it! I don't buy it for a second!
/me rushes off to make sure he hid his tracks
:dgrin:
We'll never know the full story, and that's a good thing, but it sounds like compromised might be a bit harsh. Something was definitely wrong, but we'll never fully know what caused what.

... We'll never know the full story ...The only thing I'm sure of is, I haven't updated my password.
But then I don't keep my credit card info here either. :blush:

I don't come to WHT often enough and just saw my view of the forums main page said my password expired. I thought perhaps it was a compromise then, but looked and saw it was legit and I honestly don't care. If someone compromises a forum I use online, it doesn't really affect me. No one should be using any passwords similar or the same as other sites or logins, and it would be foolish to have sensitive information on your account that someone could access.
Worse case scenario is that someone removes your posts or posts as you, and that would quickly be resolved by the site admins if so. I don't know enough about this situation and what happened to offer my opinion, other than to say that I don't see the big deal. If anyone has an issue with it, just don't use WHT.
There's always a risk when using bloated software like VBulletin and people run and configure it in different ways, so you take the risk of using a site (if you want to call it a risk). Hell, just for the sake of saying something humorous and ironic; back in 2000 or 2001, I was actually accused of "hacking" WHT myself (I'm serious).
Anyway, it's just a forum, don't worry about it. If something happens, the admins will restore data or they'll let everyone know who is really who if someone tries to impersonate someone else. I don't think WHT is interested in hiring any of us to review their security or the situation, so don't sweat it. It's a trivial matter anyway, and it doesn't really matter if people behind the scenes are forthright and if you worry about what's happening behind the scenes at WHT to worry enough to not use it, then don't use it... or just realize there's really no threat regarding a forum being compromised, let's be honest, so none of it should make any difference.

We'll never know the full story, and that's a good thing, but it sounds like compromised might be a bit harsh.
Depends on your version of compromised, my version says Yes. (http://www.google.com/search?complete=0&hl=en&q=site:webhostingtalk.com+inurl:rack.php&start=0&sa=N&filter=0)
But i don't doubt what the mods have said for one second, those cached pages were from Aug/Sep and if the attackers did successfully extract personal information they would of done something with it by now. They wouldn't just use it for bed time reading, but nothing has happened.. Not even a single post by an impersonator.
My pass is unique here, so even if they did get it there's not much they could do that couldn't be fixed so no biggie.

The only thing I'm sure of is, I haven't updated my password.
But then I don't keep my credit card info here either. :blush:
Same here :wht:

I haven't updated mine. :blush:
I kept my password the same - no worries here. :)
Why people post such nonsenses? Ta make cool impression? Worries or not, there's always some possability that things goes wrong and such bragging around look rather immature than anything else.
And please, don't get me wrong, I didn't post this to participate in some WHT bashing but rather as comment about "it can't happen to me" immature personal approach. Some of you are admins here, you should be example of responsible "preventive rather than curative" acting instead blind sloppy belief that things can't go wrong and safety measures aren't needed.
I would expect that you changed admin password in first moment, even before investigation result (is that hard?) proved that nothing happens instead bragging around how you still keeping old password.
Well, I don't worry either, because I use unique pass for every login (boards, mails, servers..), however I still changed my pass because "you never know.." and I think that you should too.

Why people post such nonsenses? It certainly wasn't in an effort to encourage anyone to 'not' change their password, because you don't have a choice.
I'll just link to Tim's post (http://www.webhostingtalk.com/showthread.php?p=5385539#post5385539).

As the Devil's Advocate I can only say this.
The Mouse told us SWR would get back to us and he has indeed done so.
It would have been easier just to let it get swept under the rug but come on folks....the guy's done what Mouse said he would.....what do some people want....Blood??? or bolts of lightning from his eyes and flames shooting from his A*s??? (not a pretty sight I'd imagine) :)
Can't we just show the team a little more respect as well as support and move on...for Christ's sake it's almost Xmas and the festive spirit's nearly upon us.
I think Dennis and the rest of the team have acted accordingly so please show some sense of fair play and move on and have faith in the great team we have here on WHT.
Get into the party mode. :santa2:
owm

Your Password is 1023 days old
I guess it was about time anyway. :D
I didn't even joined for a month!

i got "Your password is more than 365 days old":D
i just joined in the last month :D:D:D

or bolts of lightning from his eyes and flames shooting from his A*s??? (not a pretty sight I'd imagine) :)

Reversing above sounds more interesting !

or flames shooting from his eyes and bolts of lightning from his A*s??? (not a pretty sight I'd imagine) :)