Security Breach Report


Janus

*spicy* *camper*
Administrator
We have determined that a developer's account which had access to some forum Admin functionality recently had his password compromised. In the interest of transparency, here is the pertinent info on what was attempted:
  • The attacker tried and failed to download a backup of the forum database through the forum admin panel, which is not possible on our forum.
  • The attacker managed to upload a theme which they tried to insert a malicious script into, in another effort to gain deeper access.
  • Due to problems in their code, it was not able to be successfully run on the server, and failed to accomplish anything.
  • At most, it appears the only thing compromised was the developer's account and one page of their PMs.
  • 4 users tried using the non-working theme, and were temporarily unable to access the forum as a result. Their accounts were not compromised, however, as the malicious code was inoperative and further would have been blocked from running anyway by an additional security measure we have in place. The affected users regained access to the forum yesterday when I removed the problem theme.
This has been determined by thoroughly trawling through the server logs and modified files on the server, cross-referencing everything, including a list of every page on the forum which the attacker accessed. Each attempt by the attacker to run the malicious script returned an error, which is how we know it was unsuccessful. We also of course have access to the files which were left on the server, which I have further analyzed and confirmed as inoperable. For reference, the purpose of the malicious code was (as expected) solely to gain deeper access to the database and files on the server.


We have taken various security measures on the server just to be on the safe side, and further restricted access to Admin functionality to fewer people, who we will make sure are using a unique password from this point on.
As above, there is no evidence whatsoever that any other account information was compromised beyond the one developer's account, and plenty of evidence to indicate the attacker was otherwise unsuccessful.

So: your accounts and information should be safe. For our more cautious users, it of course never hurts to play it safe, so you might consider changing your password on the forum and anywhere else where you use the same password.
 
Jean-Chrysostôme Bruneteau de Sainte-Suzanne said:
That's kinda hilarious, who were the other three who got curious about the new theme? :lol:
I won't name names; they were random users, as you might expect.
 
Fair enough, I guess. I'm just amused because I only saw the new theme because I wanted to see how an image looked against the regular theme.
 
Dusk Voyager said:
Was there any screenshot of the theme at all (on the themes page)?
It had a preview image like the other themes, if that's what you're asking. It was initially a copy of the legitimate Ambassador SMF theme which the attacker had then added his own nonfunctional code onto.
 