hi justin
It looks like the truth about WHT being compromised finally came out.
It’s good to see that they admitted to what happened, though there is still some denial about the possibilities of what happened.
It turns out, I was right about a majority of what happened. Wiki vulnerability exploited by somebody. Not sure if it was masteritx who was responsible for it, but I’m fairly sure he’s at least partly involved.
I’m ok with it, I guess. I don’t really wanna kick sand in the face of their mods, but it was handled in a less than honest manner, by at least one party. I don’t really believe dennis, jan, writespeak, or anyone other than mat are really knowledgeable of what happened, but I do believe that if mat gave the others the information that they were posting, then he probably handled it in a less than honest manner, possibly to save his credibility.
The main issue is, we don’t have any evidence of what happened. They say that the attacker didn’t have access to the database, but he could have easily gained the credentials by opening the forum’s config.inc.php file with the phpshell he managed to get onto the servers originally. Additionally, he could have used the same methods to install phpmyadmin, configure it with the same login credentials he obtained via config.inc.php, and then browse the database that he was writing user logins to. They could have also removed the files that they put there in order to erase their tracks. If WHT did log, they might have evidence of what happened, but since the hack can be dated back as early as August, they probably don’t have logs dating back that far.
But, they’re forcing users to change their passwords, so that’ll help. Hopefully nobody used the same password for multiple websites, but something tells me they were.
Another problem is that, they say:
“This occurred only when logging into WHT through the wiki, not through the standard vBulletin (homepage) login”
Which isn’t true, as I was receiving the error when logging in via the homepage on their dev server while the original thread was happening.
But, I don’t know. I’m not overly concerned about it, at least they’re not denying it completely anymore.
OK - I am more than irritated now. In the “Jacuzzi” (Mod) forum, it has clearly been stated that the attacker DID have access to the database, and that he was storing credentials IN THE DATABASE! It has also been stated, officially, that users were vulnerable when logging in from the forum view and the wiki.
The circle of (half) lies continues.
Comment by Hmph — Thu, Oct 30th, 2008 @ 12:31 am
Okay, here’s what bugs me. I went to the dev forum at http://dev.webhostingtalk.com, logged in directly from the homepage, the same way hundreds of other people log in on the normal site, and I received the 403 fopen error. It was displaying my password in plain text in the GET query that was accessing the previously mentioned mystery .jpg file.
That would have to mean that the vbulletin md5 hasher was not properly encrypting my password after I hit submit, the way it has always functioned. This means that the attacker had access to edit the login form templates.
Comment by mikey — Thu, Oct 30th, 2008 @ 2:53 am
And if the attacker had access to create a table on the database, he would obviously have access to read it as well.
Comment by mikey — Thu, Oct 30th, 2008 @ 3:07 am
The hacker DID edit the templates. He gained direct access to the database, and edited the VB templates there. Because he did it this way, VB never changed the “Last Changed:” date on the templates in the admincp.
Comment by Hmph — Thu, Oct 30th, 2008 @ 10:10 am
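An added example, not part of the original post or comments and not vBulletin code: since a direct database edit leaves the application-maintained “Last Changed:” date untouched, a defender has to compare template content against a stored baseline instead of trusting the date. The (title, body, last_changed) row layout and the sample templates are constructed assumptions.

```python
import hashlib

def digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def snapshot(rows):
    """Record a trusted baseline: {title: (content hash, last_changed)}."""
    return {title: (digest(body), changed) for title, body, changed in rows}

def audit(baseline, rows):
    """Compare current rows to the baseline by content, not by date."""
    findings, seen = [], set()
    for title, body, changed in rows:
        seen.add(title)
        if title not in baseline:
            findings.append((title, "new template"))
            continue
        old_hash, old_changed = baseline[title]
        if digest(body) == old_hash:
            continue
        if changed == old_changed:
            # Content differs but the application never recorded an edit:
            # the change did not go through the admin interface.
            findings.append((title, "content changed, timestamp unchanged"))
        else:
            findings.append((title, "content changed"))
    findings += [(t, "template removed") for t in baseline.keys() - seen]
    return sorted(findings)

# Constructed sample data; the (title, body, last_changed) layout is assumed.
KNOWN_GOOD = [
    ("header", "<div id='header'>site</div>", "2008-06-01"),
    ("login_form", "<form action='login.php' method='post'></form>", "2008-06-01"),
    ("footer", "<div id='footer'>v1</div>", "2008-06-01"),
]
CURRENT = [
    ("header", "<div id='header'>site</div>", "2008-06-01"),
    # Edited directly in the database: body differs, date is the old one.
    ("login_form", "<form action='login.php' method='post'><!-- altered --></form>", "2008-06-01"),
    # Edited through the admin panel: body and date both moved.
    ("footer", "<div id='footer'>v2</div>", "2008-09-15"),
]

if __name__ == "__main__":
    for title, reason in audit(snapshot(KNOWN_GOOD), CURRENT):
        print(f"{title}: {reason}")
```

The baseline has to be stored somewhere the web application's database credentials cannot write to, otherwise it can be altered along with the templates.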
Well, I’ve officially lost my staff position at WHT. Apparently they didn’t receive my resignation when this fiasco first started…
Comment by Hmph — Thu, Oct 30th, 2008 @ 10:20 am
that sucks man.
who are you again?
Comment by mike bailey — Fri, Oct 31st, 2008 @ 9:59 am
I’d actually rather not put my name out here, in case this comments section is stumbled upon by a future employer. Just trust that there is 1 less community guide at WHT these days….
Comment by Hmph — Fri, Oct 31st, 2008 @ 10:12 am
dude I never even noticed this but please tell me the “hi justin” bit is referring to me
THAT WOULD BE SO FUCKING TIGHT
obama 08
Comment by Zasp — Wed, Nov 5th, 2008 @ 6:10 pm