  1. #1
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412

    WHT Data - Q&A Information

    What do we know about the damage done?

    This attack was very deliberate, sophisticated and calculated. The attacker was able to circumvent our security measures and access via an arcane backdoor protected by an additional firewall. We are still investigating the situation, but we know the attacker infiltrated and deleted the backups first and then deleted three databases: user/post/thread. We have no record or evidence that private message data was accessed. Absolutely no credit card or PayPal data was exposed.


    Do we know the motivation behind the attack?

    We don’t know enough at this time, so any insight would be purely speculative in nature. WHT is a platform where positive and negative information is shared and exposed about business and individuals. Under TOS policy, we cannot edit or remove user-generated content at the request of an unsatisfied third party. Therefore, WHT tends to become the target for disgruntled individuals and businesses.


    Have we been able to restore more recent back-ups?

    The offsite backup, the onsite backup and the operational data were destroyed by the attacker, so we’ve resorted to a physical back-up of last resort. Unfortunately, we are experiencing difficulty restoring from our most recent physical backup. At this point, October is the most recent backup that we were able to restore. We continue to work to extract data from a more recent set of DVDs.


    What is WHT focused on doing now?

    The first priority, which kicked in immediately upon discovering the hack while in process, was locking down the infrastructure to avoid further damage and restoring the site. We also had to block the potential for a repeat attack. Now we are working on investigating how much prior data is restorable, reinstating premium memberships, contacting business partners, and communicating with the community members. We are also doing everything possible to identify the attacker and bring them to justice. Disappointments happen – we are working hard to restore trust among community members and to bring things back to normal.


    Is WHT doing anything different due to this attack?

    WHT has been targeted before and our infrastructure has withstood previous attacks. However, following this well-planned and targeted attack, we will be altering aspects of our architecture to ensure that this type of attack does not happen again. Needless to say, we have learned from this situation and will address any discrepancies accordingly.

    We had three protected data back-up units with one offsite behind a firewall and a fourth physical data back-up layer. We evaluated our disaster recovery plan as recently as late 2008, and carefully reviewed how to recover from a disaster situation. The attacker appeared to have deliberately targeted our data back-up systems, a scenario that our disaster recovery plan did not fully anticipate. We have implemented changes to our data backup and disaster recovery plans to address this weakness. And we advise others to consider a scenario of deliberate, malicious data destruction in their backup and recovery plans.


    What should members do now?

    The password encryption technology we use is strong for securing non-financial data. However, we suggest that members change their passwords frequently and do not use the same user name and password for the forum as they may use for more sensitive services like online banking. If a member feels more comfortable changing their password, then we recommend that they do what makes them feel more secure.

    A concern is that members may receive more spam because the attacker posted stolen email addresses on file sharing sites. I haven’t personally seen an increase in the amount of spam I usually receive to my email address, but it is a risk that we cannot easily alleviate. As we become aware of specific file sharing sites with these email addresses, we are requesting that the emails be removed promptly. So far, most have been quick to comply.

    What if I can’t use my WHT account?

    We are temporarily using a version of the database from October 2008. This means that if you joined WHT after October 2008, you’ll need to register again to post now. We may still be able to recover your account, but we don’t know yet. Please register with the same username you used before.

    If you joined WHT before October 2008 and get a password error, the system is probably asking for the password you were using in October 2008. If you don’t remember your previous password and have access to the email address for your WHT account in October 2008, please use the password recovery tool.

    For help accessing your account, please open a helpdesk ticket.

    If you’ve subscribed to a Premium or Corporate membership prior to October 2008, someone from iNET has contacted you by now. If you’ve subscribed (or re-subscribed) since October 2008 and haven’t heard from iNET, please contact us on the helpdesk.

    Moving forward ...

    We take the protection of user-contributed data very seriously, and we strongly regret what happened. iNET has a sophisticated infrastructure with advanced security. Yet even institutions that spend millions of dollars a year on Internet security are exploited. Anyone recall NASA being hacked some years back?

    It’s not what you’ve done, it’s what you do. And from this day forward, we continue.

    We’ve been overwhelmed by all the offers of help and support we’ve received from our members. What can I say about that beyond my heartfelt thanks? I love this community!
    Last edited by SoftWareRevue; 03-24-2009 at 03:40 PM. Reason: Durned typos
    There is no best host. There is only the host that's best for you.

  2. #2
    Join Date
    Oct 2003
    Location
    Scotland, UK
    Posts
    2,916
    Great to see these questions all answered in one place.

    Here's hoping the data can be recovered.
    Alasdair
    Long time ex-host, ex-billing software owner/developer/support staff. Recent lurker.

  3. #3
    Join Date
    May 2004
    Location
    Singapore
    Posts
    374
    Google cache or archive.org could be used to restore the missing part of WHT if all attempts fail.

  4. #4
    Just when you think you have all the technology in place for security, along comes "social engineering". So, with that in mind, there is no such thing as 100% secure. We live, and we learn. I hope to someday have a site as popular and valuable as this one so I can set out to make it 100% secure. That is always the goal.
    Dave

  5. #5
    Join Date
    Feb 2006
    Location
    Buffalo, NY
    Posts
    1,501
    So was this purely an exploit / software based intrusion or was there social engineering or the sorts involved?
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  6. #6
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412
    Quote Originally Posted by citricsquid View Post
    Not advanced enough, clearly. We know what happened was regrettable or whatever, but trying to say WHT was secure is treating us as fools.
    I won't have any trolling in this thread. If you want to simply complain and state that a seemingly secure network cannot be vulnerable to a determined thief, go somewhere else. I'm pretty sure we all get it.
    Last edited by SoftWareRevue; 03-24-2009 at 04:36 PM.
    There is no best host. There is only the host that's best for you.

  7. #7
    Join Date
    Dec 2002
    Location
    Los Angeles
    Posts
    559
    Once the monkeys get into your tree it's difficult to shake them out permanently. You can bet that it was the same person or persons who got in last year, if not them, someone who worked with them or used their information for the second (?), more comprehensive strike.

    But to lay blame at the feet of the company that manages this monster is pointless. No one is prepared for every eventuality. No one. Back in the day they used to say the only way to really protect a networked server is to remove it from the network. And not much has changed since then.

    You don't have to trust these guys. It's a forum, last time I checked, participation was voluntary. If your trust has been shattered and the foundations of your very existence rocked by this tragedy, then go someplace safe and warm and forget about this beehive. I don't think anyone was cast into a pit of financial ruin or driven to the brink of suicide by this episode. In the grand scheme of things, what's the worst possible outcome? People lose some posts? Your premium membership is unavailable for a few days? Oh my, how will we ever survive?

    With everything collapsing and crumbling around the world (hello Iceland!) bitching about this just makes you look like someone with way too much time on their hands. Take a deep breath, pull your socks up, get over it.
    datapimp - You only get one soul, ya dig?

  8. #8
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Quote Originally Posted by CodyRo View Post
    So was this purely an exploit / software based intrusion or was there social engineering or the sorts involved?
    There have been no signs that any information was gathered by social engineering and everything points to this being software exploit based.

    Of course there is the nagging question, how did they find our backup cluster! I'm still investigating that, and it does make you wonder, but very few people even inside of iNET knew of the off site cluster, and even fewer knew where or how to access it. The company hosting the off site backup doesn't even know the contents of our servers. So those facts make me think that social engineering is not part of this equation.
    Last edited by Mat Sumpter; 03-24-2009 at 04:55 PM.

  9. #9
    Join Date
    Nov 2007
    Location
    India
    Posts
    843
    This is a hard time for WHT; now we have to help the community admins overcome the hard time.

  10. #10
    Join Date
    Jan 2004
    Location
    NJ, USA
    Posts
    288
    Was wondering why my old thread had gone MIA.

    Looks like you guys are doing everything you can to prevent something like this from happening again, as well as trying to recover as much information as possible.

  11. #11
    Hi Everyone,

    To the team working on restoring the site, I just want to say good work so far, and don't forget to get some rest.
    Ijan Kruizinga
    Crucial Paradigm - Reliable, Professional• 24/7 Support • Web Hosting • Reseller Hosting • Virtual Dedicated Servers • Dedicated Servers • Remote Backup

  12. #12
    Join Date
    Mar 2009
    Posts
    1,161
    iNet is trying their best to help rectify the issues at hand; complaining about it will not help this situation at all.

    Thank you for the brief Q/A as I'm sure many visitors will find this helpful.

  13. #13
    Join Date
    Feb 2006
    Location
    Buffalo, NY
    Posts
    1,501
    Quote Originally Posted by The Prohacker View Post
    There have been no signs that any information was gathered by social engineering and everything points to this being software exploit based.

    Of course there is the nagging question, how did they find our backup cluster! I'm still investigating that, and it does make you wonder, but very few people even inside of iNET knew of the off site cluster, and even fewer knew where or how to access it. The company hosting the off site backup doesn't even know the contents of our servers. So those facts make me think that social engineering is not part of this equation.
    That's exactly why I was curious about social engineering (or "inside job", but that's a bit too conspiracy-like for me) - just seemed like for the perfect storm to happen it had to be a mix of things.

    Thanks for the information
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  14. #14
    Join Date
    Nov 2003
    Location
    Amidst several dimensions
    Posts
    4,324
    I'm sure there are numerous people in this community who would be able to easily hand the attacker's ass over to him/her/them if any trackable info about the attacker is released to public.

    It's stupid to attack internet communities. No one would care about hacking of FBI, CIA, NASA sites, some even may approve. But attacking community sites is rather dangerous. I wouldn't do that.

  15. #15
    Join Date
    Jan 2006
    Location
    Athens, Greece
    Posts
    1,481
    May I ask as per thread title,
    is there any chance that there are any traces left from the attackers?

  16. #16
    Quote Originally Posted by unity100 View Post
    I'm sure there are numerous people in this community who would be able to easily hand the attacker's ass over to him/her/them if any trackable info about the attacker is released to public.

    It's stupid to attack internet communities. No one would care about hacking of FBI, CIA, NASA sites, some even may approve. But attacking community sites is rather dangerous. I wouldn't do that.
    Amen.

    I learned how much I depend on and ENJOY this Forum and I am just the most humble beginner hoster. Passion, hobby, hopefully someday a business

    I will be upgrading to Premium soon. A. To learn as much as possible. B. To show my support.

  17. #17
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412
    Quote Originally Posted by Steve_Arm View Post
    May I ask as per thread title,
    is there any chance that there are any traces left from the attackers?
    We haven't completed a total audit yet. But we're closer to him than he wishes.
    There is no best host. There is only the host that's best for you.

  18. #18
    Join Date
    Mar 2009
    Location
    Here Today - Gone to Maui
    Posts
    9,962
    Quote Originally Posted by SoftWareRevue View Post
    We haven't completed a total audit yet. But we're closer to him than he wishes.
    Well, I certainly wish you Godspeed.

    - Steve

  19. #19
    Join Date
    Nov 2002
    Location
    Lakeport CA, Clear Lake
    Posts
    1,856
    Thanks for starting this thread and clearing up some of the issues.
    Everyone is entitled to MY opinion.
    CatfishEd.com

  20. #20
    Join Date
    Jul 2002
    Location
    Directadmin Core
    Posts
    770
    SWR ... your tenacity and diligent approach to this is to be commended. Thanks also for your Twitter updates through the ordeal.

    Good luck tracking the bastards down. Let's move forward and make sure this doesn't happen again. If all the arm chair quarterbacks would stop looking behind them and instead look forward to how to improve things (maybe take into account their own security/backup measures) we can once again become a productive community.

    Joe
    http://www.hostpc.com
    DirectAdmin servers for hosting, resellers and your dedicated needs.
    Hosting, Resellers, Dedicated Managed and Unmanaged servers
    Hosting since 11/98 - Specializing in DirectAdmin since 8/03

  21. #21
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Out of interest, the "Recent WHT down time" thread recently moved onto encryption and Harzem showed that simply having the password hash and salt cannot actually be a security flaw.

    Hence I'm wondering how the hacker was able to log in to someone else's account and post on it, considering that there's apparently no way to log in to an account just by knowing the hash?

    Were some of the vBulletin software files therefore hacked and changed too?

  22. #22
    Join Date
    Oct 2008
    Posts
    2,253
    I just made a database, deleted it and got it back with system restore, just with the post count corrupted, for an old forum db. Too bad WHT can't do this.


    And one question: the hacker had to hack the forum before the backup servers, right? How would the hacker know the backup servers' IP or any information, as I don't think it's mentioned anywhere?
    Last edited by darkeden; 03-24-2009 at 07:02 PM.
    Leader of the new anti sig spamming club.

  23. #23
    Hello.

    I just joined after reading this thread.

    Someone must have been adversely affected by the research you guys did.

    This indicates you have a habit of being on the right track.

    I don't know how I can assist but in light of the fact that my own forum was also attacked just over a month ago, I'm happy to help out.

    Keep up the good work.

    SiL / IKS / concerned citizen

  24. #24
    Join Date
    Mar 2009
    Location
    Toronto, Canada
    Posts
    2,570
    Thanks for the update and the information in one post.

    I have remade an account, unfortunately I was registered on WHT in January 2009.

    Hopefully my account along with many others will be restored soon.

  25. #25
    Join Date
    Aug 2008
    Posts
    2,469
    IMO, no offense, it sorta sounds like an inside job. I think this because I don't think anyone would know the details for the iNet backups and such unless they've dealt or worked for iNet past and/or present.