Everything’s Fine With Nukezilla, Have a New Forum
A few days ago we were notified that a l33t hax0r had infiltrated our fort and was up to no good. After going over the extensive logs I feel satisfied that no personal info was leaked, discovered, hacked or otherwise excreted from the server. That password you use on every single other site out there is secure to live another day.
In celebration of everything being expectedly fine, Nukezilla has gotten itself a new forum! Check it out by going to forum.nukezilla.com.
The old forum is still available, but now in read-only mode. In a few days (once we’ve saved anything of value) it’ll be going offline. It will live on in our memories.
If you’ve been lurking around for a while, now is the perfect opportunity to head over to our new (very shiny) forum and say Hi. We even have a section just for that.
As I know I’d find it interesting, here’s a breakdown of just what happened:
28th November 2010, 7am server time: A hacker running a search for a specific exploit in Simple:Forum, the forum software we use, finds their way to Nukezilla. Their IP address places them in Yogyakarta, Indonesia.
They sign up to the site almost immediately (they’ve done this before) under the name asx0_0xsa. A quick search for that username turns up hundreds of different forums, all with the same exploit, with this user registered.
Once registered they use a bug in the avatar upload script used by Simple:Forum to upload a PHP file. This file is quite impressive; it’s like a Swiss army knife for server exploitation. It’s got parts in it for pretty much everything you’d want to do. Our hacker tests out the script then moves on, likely to their next site.
The file remains undetected on our server for ages. The hacker gets it to do mundane things (most likely send out spam and perform DoS attacks) on December the 2nd, 6th, 7th and 11th. On the 6th the file is used to set up a fake version of the National Australia Bank home page. Logs indicate it was never actually used for a phishing attack though.
On the 5th of this month Media Temple detected the file’s existence and acted to neutralise the issue. They made both the troubling files and the upload script with the bug unusable (by changing the file permissions). We got emailed and I wrote the post that went up yesterday, once there was enough information to know the severity of the situation.
Today, I went over all the logs to find out just what happened (every single request to the NZ server is logged in surprising detail). At no point did the evil-doing script return large quantities of data (like a database dump of passwords), or anything to indicate the database was compromised. It looks like our server was less a target and more a tool used to attack other sites.
To reduce the chance of this happening again, security on the site has been tweaked to be higher (if you were logged in before, you were automatically logged out as we upped the encryption used in the cookies) and our forum software has been replaced. Whilst the old forum still exists, the files with the bugs in have been removed. We’ve done some other things too, but they’re quite boring.
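The kind of log review described above, as an added example that is not part of the original post or Nukezilla's own tooling: it pulls every request to one suspect file out of an access log and reports hits per day, client IPs, and any unusually large responses. The combined log format, both file paths, the size threshold and the sample lines are assumptions made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format; assumed, the post does not say which format was used.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SUSPECT_PATH = "/forum/avatars/EXAMPLE.php"   # placeholder, not the real file name
LARGE_RESPONSE = 1_000_000                    # bytes; hypothetical threshold

# Constructed sample lines (documentation-range IPs, made-up paths), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2010:07:02:11 +0000] "POST /forum/upload_avatar.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2010:07:03:40 +0000] "GET /forum/avatars/EXAMPLE.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2010:13:15:02 +0000] "POST /forum/avatars/EXAMPLE.php HTTP/1.1" 200 133 "-" "-"
198.51.100.23 - - [06/Dec/2010:01:44:59 +0000] "POST /forum/avatars/EXAMPLE.php?x=1 HTTP/1.1" 200 2290 "-" "-"
192.0.2.50 - - [06/Dec/2010:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 3500000 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def review(log_text, suspect_path=SUSPECT_PATH, large=LARGE_RESPONSE):
    """Summarise every request to suspect_path: hits per day, client IPs, bytes sent."""
    per_day = defaultdict(int)
    ips, oversized, total = set(), [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # malformed line
        if m["path"].split("?", 1)[0] != suspect_path:
            continue                                  # request for some other URL
        size = 0 if m["size"] == "-" else int(m["size"])
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        per_day[day] += 1
        ips.add(m["ip"])
        total += size
        if size >= large:                             # possible bulk data returned
            oversized.append((day, m["ip"], size))
    return {"per_day": dict(per_day), "ips": sorted(ips),
            "total_bytes": total, "oversized": oversized}

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

An empty `oversized` list only shows that no single response from that file was large; many small responses can still add up, which is why `total_bytes` is reported as well.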
New forum eh?

That was…a surprisingly interesting read! Though I’m always interested in things I’m stupid at, like physics, abstract mathematics and stairs.
Also, shiny new forums are shiny and new. What jubilation.
How did they get all this info? Short of his name, age and sex you seem to know everything! Makes me wonder how private I am out on the internet. I feel exposed...
@Adushan Govender: I got most of this info. Whenever your browser requests anything (one request for every image, file, style sheet etc) a log is made with your IP, browser, operating system. The log files are huge (multiple gigs), but useful for situations like this.
Hmm. The only restriction is the time required to sift through the log files. And asking nicely to see an IP’s log file or ask what someone’s IP address did.
So how long till we place his ass behind bars?
@Adushan Govender: Don’t need to ask nicely, every time you do anything online all that information radiates out of your browser without you having any control over it.
And this guy will never be caught. Just random script kiddies. It wasn’t a targeted attack at NZ, and stuff like this happens surprisingly often. It sucks, but that’s the realities of living on the web.
Well there’s always hope. And good security.
Has anyone commented that Nukezilla is more secure than Gawker media? Hmm? No one?
@Adushan Govender: We’re probably not more secure (Gawker was hacked by somebody getting the main guy’s password), but our passwords are much better encrypted.
No no, Nukezilla>Gawker. In every way.