Whoops - a XenForo XSS vulnerability bit us!

Sure, they're terrible people, but you should give that back! ;)
Sorry for false news, I was searching all I could online but I'm not entirely sure.
Posting anyone's face without being 100% sure is wrong IMO.

If you go look at some YT videos searching for "warnight" you'll notice plenty of Counter-Strike videos, hard to tell if it's theirs but plenty of videos are Turkish and also about match vs Russian players.

Coincidence or not IDK, it could be, Russian servers are common in CS, hard to be sure.
 


I was wondering what was up. I tried coming here and was greeted by a strange message. I searched the message and found a couple other forums/websites displaying the same thing. Basically the internet equivalent of spray painting graffiti tags on a bunch of bus shelters.

That sums it up nicely. We can say, with a high degree of confidence, that there was an exploited bug in the forum software that we use. That bug has, hopefully, been squashed. It looked a bit like session hijacking and an XSS exploit.
 
I was searching for a YT video to explain how to drag n drop.

That is when the 'hacking' began

I have just accessed my history to recover the links I used in that post. Needless to say I won't be accessing the YouTube page again.
 
Sorry for false news, I was searching all I could online but I'm not entirely sure.

Oh, my reply was just a joke. You said you had their face. (My next-to-watch movie is actually Face/Off. I haven't seen it in years.)

As for hunting the person(s) down online, that's just an exercise in futility. Nothing is going to come of it. We didn't properly maintain a chain of custody for the evidence. They likely live in a 3rd World Craphole. It won't be serious enough to be a news item. Etc... (I could go on...)

Needless to say I won't be accessing the YouTube page again.

I can say, with a very high degree of confidence, that your visiting a YouTube page had no bearing on the defacement of Linux.org's forum. If there was any session hijacked, it was probably mine. (No, I'm not compromised in any other ways.)

We can also deduce that they did not somehow manage to hack my password manager. Plus, there's no indication of any 2FA. If they'd hacked my password manager, they'd have to be dumb/crazy. I would only face limited losses, but my PayPal password is in my password manager. I've got a few thousand bucks sitting in PayPal right now, and they didn't touch it.

Plus, I'd know if they had used my 2nd factor. Which is comforting...

I've updated the original post to include more info on how it was done.

I made a post in the moderator section -- but I'm going to add another question to that.
 
As for hunting the person(s) down online, that's just an exercise in futility.
Usually it is, but people are often not careful and reveal stuff about them online in funny ways.
Was once hunting for a person online and managed to find way too much about them...

btw. the guy deleted his GitHub account, it was there when you posted the code, now it's either private or deleted.
He may be reading this thread right now lol.
 
the guy deleted his GitHub account,

@f33dm3bits also reported the account.

Usually it is, but people are often not careful and reveal stuff about them online in funny ways

You might find something amusing about them, I suppose. I'd like to hope that they made no money on this.

Me? I refuse to pay a criminal to not commit crimes against me. (No jokes about police or politics!) So, they wouldn't get a dime from me. I'd burn the entire thing to the ground before I paid them any money.

Well, if it involved a human life, I'd pay for that. You're not really supposed to, but I'm just going to give them the money and I'll let the cops know after the fact. But, no... No, I'd not pay to get my site recovered. I keep copies of my important data, and some of those copies are air-gapped. So, yeah, I'd pay if you kidnapped a close friend or family. But I'm not going to pay to get my data back.
 
lol.... some of those people will take that as a personal affront and disappear into the ethers !

Can't be helped

crap happens
Heh. Yeah; the modern younger generations are "in yer face" about pretty much anything these days. And to them, this is perfectly normal behaviour, it seems....?

Sheesh. (The funny thing is, it's A-OK for them to invade YOUR 'personal space'.....but woe betide anyone that 'tries it on' with them...)


Mike. o_O
 
Ha, not from us! I didn't even read it to see what they were after. That's what backups are for.

Technically, I'm speculating. They had a Discord address that I did not visit. I assume they wanted money. I don't actually know if they wanted money, at least not 100% certain. But, that's what they do these days.

I have the Discord address.

I am not going to share the address at this time, but it is obvious. Give me a bit before folks visit the address. I have an idea.
 
Technically, I'm speculating. They had a Discord address that I did not visit. I assume they wanted money. I don't actually know if they wanted money, at least not 100% certain. But, that's what they do these days.

I have the Discord address.

I am not going to share the address at this time, but it is obvious. Give me a bit before folks visit the address. I have an idea.
They posted a YouTube video. I actually was on the site when the hack happened and looked up linux.org on YouTube with the filter set to videos posted for today to see if there was any information.

 
Well, I got a good night's sleep, lol.

Credit where credit is due, to @Rob, @KGIII and @f33dm3bits

Wiz
 
Credit where credit is due, to @Rob, @KGIII and @f33dm3bits
I'd like to second that. Thanks guys, that must have been very hectic hours power working! Also, thanks for the swift postmortem, reassuring to read.

What a deplorable, useless form of hacktivism.
FWIW I tried to log in during the defacement as well, rebooted and turned off JavaScript. That's when I could see you guys online and wanted to alert you - just in case. However, I had to realise the XenForo widget for passkey login does not work without JS and while briefly contemplating how to circumvent that in the situation, you had already brought nginx down 521 behind Cloudflare.
 
Details of the Operation
According to a statement by WarNight Hack Team, a total of 112 websites operating in various fields in Turkey were accessed. Messages left on the websites drew attention to students and animals who lost their lives.
Purpose and Message
The group stated that the attack was not carried out for any financial gain or personal interest, but solely to raise social awareness. The statement included the following remarks:
“We seek justice and awareness for students and animals. We targeted 112 websites to ensure this voice is heard. We stand with those who cannot make their voices heard.”
They posted a YouTube video. I actually was on the site when the hack happened and looked up linux.org on YouTube with the filter set to videos posted for today to see if there was any information.
Not sure what the point of defacing/hacking a tech website is then, and they didn't even mention anything about animals or students in the page that was loaded. I don't believe in social justice defacing/hacking. It's just an excuse to talk yourself out of having done something bad to someone else claiming it was for good.
 
We were mentioned on the FreeBSD forums, as they are running the same forum software.
 
Yup, had some free time on my hands during class and I thought I'd check the forum again.
Yep, same for me but after class. I was going mad trying to alert someone about it until.. for some reason, the main page came through (albeit, temporarily) on my Mac. I was frantically looking for it back and forth...
Also gave me a wakeup-call on my own security setups at the moment too...
Too many unsecured things cross platform on my devices.
Welp, glad it's all good now. Good job!
 

