• Welcome to Talking Time's third iteration! If you would like to register for an account, or have already registered but have not yet been confirmed, please read the following:

    1. The CAPTCHA key's answer is "Percy"
    2. Once you've completed the registration process please email us from the email you used for registration at percyreghelper@gmail.com and include the username you used for registration

    Once you have completed these steps, Moderation Staff will be able to get your account approved.

Disclosure: a recent attack on the forums

Bongo

Bongo

excused from moderation duty
(he/him)
Staff member
First of all, let me be clear that No user data appears to have been put at risk as a result of this attack. If we learn otherwise, we will notify you.

Recently, many users have experienced intermittent errors involving a message like "Cannot modify header information." Aside from preventing users from using forums features because their request was interrupted, these errors seem to be harmless. However, they began happening at the same time that a piece of malware was installed on the server.

The malware in question is a known cryptocurrency miner, with the objective of using our host's CPU rather than try to find any user data on the server. However, the attack that installs the malware also seems to cause the instability that we have observed.

It appears to have been a random attack, not a targeted one.

We cleaned out the affected area and restarted the server, but the attack was repeated a few hours later. Then we cleaned and restarted it again, this time taking steps to prevent the reinstallation of the malware, but we do not know whether they will be effective in also preventing the instability. At this time, we are still investigating what vulnerability was exploited for the attack. Once we have identified that, we can close it off more decisively.

I ask for your continued patience with these intermittent errors until the issue is resolved.
 
Last edited:
WildcatJF

WildcatJF

Let's Pock (Art @szk_tencho)
(he / his / him)
thanks for the update Bongo! Thanks to you and the other mods/staff working hard behind the scenes to sort this all out!
 
Mogri

Mogri

Round and round I go
(he)
Staff member
Moderator
It is a clever attack with a clever attack vector, and if we weren't in the crosshairs, you might kinda admire it.
 
DANoWAR

DANoWAR

(Wheeee!)
Oooh, I'm interested. Which CVE was exploited? PHP security leak? Something in the underlying OS? Webserver? /obviously curious
 
Bongo

Bongo

excused from moderation duty
(he/him)
Staff member
DANoWAR said:
Oooh, I'm interested. Which CVE was exploited? PHP security leak? Something in the underlying OS? Webserver? /obviously curious
Click to expand...
We may be able to answer these questions when we are able to do a post-mortem, but right now we're not post- anything.
 
Destil

Destil

DestilG
(he/him)
Staff member
Well that was fast.

Bongo and I both kicked it out and it came back in ~10 and ~3 minutes, respectively.
 
Kirin

Kirin

Summon for hire
(he/him)
Huh. Must be a fascinating exploit since it's presumably being done without even having a login on the server, given all our 2-factor auth stuff. Thanks for keeping on top of it!
 
Bongo

Bongo

excused from moderation duty
(he/him)
Staff member
Anyway, it seems to have been a remote code execution attack, enabled by a simple configuration error which we have corrected. Our use of containers sharply limited the damage that can be done (the attack wasn't able to do anything but install the miner process and the secondary process that brings the miner back when killed), though it did make it more difficult for us to identify the cause of the attack.

Specifically, we were vulnerable to the attack because we left a port open unnecessarily on the Docker image that runs the forum software. All sorts of bots are out there scanning servers for open ports known to be used with vulnerable software. The forums are now only accessible through our web server, which we were already using because it blocks this kind of attack (so long as you don't leave the side door unlocked).
 
Mogri

Mogri

Round and round I go
(he)
Staff member
Moderator
I hear several of you thanking the tech team, and I want you to know that while I and others dabbled in it, this really was at least 90% Bongo.
 
lincolnic

lincolnic

can stop, will stop
(he/him)
Thank you Bongo, if you're feeling generous please pass 10% of that thanks onto the rest of the team too!
 
You must log in or register to reply here.
Top