• Welcome to Talking Time's third iteration! If you would like to register for an account, or have already registered but have not yet been confirmed, please read the following:

    1. The CAPTCHA key's answer is "Percy"
    2. Once you've completed the registration process please email us from the email you used for registration at percyreghelper@gmail.com and include the username you used for registration

    Once you have completed these steps, Moderation Staff will be able to get your account approved.

  • TT staff acknowledge that there is a backlog of new accounts that await confirmation.

    Unfortunately, we are putting new registrations on hold for a short time.

    We do not expect this delay to extend beyond the first of November 2020, and we ask you for your patience in this matter.

    ~TT Moderation Staff

Disclosure: a recent attack on the forums

Bongo

excused from moderation duty
(he/him)
Staff member
First of all, let me be clear that No user data appears to have been put at risk as a result of this attack. If we learn otherwise, we will notify you.

Recently, many users have experienced intermittent errors involving a message like "Cannot modify header information." Aside from preventing users from using forums features because their request was interrupted, these errors seem to be harmless. However, they began happening at the same time that a piece of malware was installed on the server.

The malware in question is a known cryptocurrency miner, with the objective of using our host's CPU rather than try to find any user data on the server. However, the attack that installs the malware also seems to cause the instability that we have observed.

It appears to have been a random attack, not a targeted one.

We cleaned out the affected area and restarted the server, but the attack was repeated a few hours later. Then we cleaned and restarted it again, this time taking steps to prevent the reinstallation of the malware, but we do not know whether they will be effective in also preventing the instability. At this time, we are still investigating what vulnerability was exploited for the attack. Once we have identified that, we can close it off more decisively.

I ask for your continued patience with these intermittent errors until the issue is resolved.
 
Last edited:

WildcatJF

I will not be stopping
(he / his / him)
thanks for the update Bongo! Thanks to you and the other mods/staff working hard behind the scenes to sort this all out!
 

Mogri

Round and round I go
(he)
Staff member
It is a clever attack with a clever attack vector, and if we weren't in the crosshairs, you might kinda admire it.
 

DANoWAR

(Wheeee!)
Oooh, I'm interested. Which CVE was exploited? PHP security leak? Something in the underlying OS? Webserver? /obviously curious
 

Bongo

excused from moderation duty
(he/him)
Staff member
Oooh, I'm interested. Which CVE was exploited? PHP security leak? Something in the underlying OS? Webserver? /obviously curious
We may be able to answer these questions when we are able to do a post-mortem, but right now we're not post- anything.
 

Destil

Red Mage
(he/him)
Staff member
Well that was fast.

Bongo and I both kicked it out and it came back in ~10 and ~3 minutes, respectively.
 

Kirin

Summon for hire
(he/him)
Huh. Must be a fascinating exploit since it's presumably being done without even having a login on the server, given all our 2-factor auth stuff. Thanks for keeping on top of it!
 

Bongo

excused from moderation duty
(he/him)
Staff member
Anyway, it seems to have been a remote code execution attack, enabled by a simple configuration error which we have corrected. Our use of containers sharply limited the damage that can be done (the attack wasn't able to do anything but install the miner process and the secondary process that brings the miner back when killed), though it did make it more difficult for us to identify the cause of the attack.

Specifically, we were vulnerable to the attack because we left a port open unnecessarily on the Docker image that runs the forum software. All sorts of bots are out there scanning servers for open ports known to be used with vulnerable software. The forums are now only accessible through our web server, which we were already using because it blocks this kind of attack (so long as you don't leave the side door unlocked).
 

Mogri

Round and round I go
(he)
Staff member
I hear several of you thanking the tech team, and I want you to know that while I and others dabbled in it, this really was at least 90% Bongo.
 
Top