You are not logged in.
Do you want a new forum account? Send us an e-mail with your desired nick and we'll get it done! We recommend using a secondary, yet still actively used e-mail address - we're an old web and forum after all, so to be on the safe side just in case :-)
(If the link doesn't work for you, right-click on it and save the e-mail address for use in your e-mail client)
As some of you may have noticed, a few hours ago, someone "hacked" the RTSL forums and attempted to vandalize them.
Initially, I believed this was a (somewhat) sophisticated "SQL-injection" attack that took advantage of bugs in the forum software. Thankfully, it now appears that the actual attack vector was much simpler.
The attacker came into possession of the password for a member of our League Staff, who has administrator rights on our forum. Although we do not know exactly how this happened, it is likely that the username/password combination was obtained from a different website where the same credentials were used.
It does not appear as though the attacker ever had direct access to the database. Accordingly, there is no reason to believe that any user passwords were stolen (from this site, anyway).
Please let me know if you have any concerns I can address.
* * * * * * * * * *
UPDATE: It appears that a number AOE-related sites have been hacked. Any accounts here that use the same passwords on other forums are probably compromised. Again, it appears that at least one of our League Staff accounts (thankfully, not mine) is in this situation.
If you use the same password on your RTSL account and another AOE-related website, we advise that you change your RTSL forum password immediately.
Last edited by Pedestrian (2011-05-08 05:27:51)
Offline
My original post is here. Remember -- I no longer believe this is what happened. No passwords were stolen (thankfully).
Pedestrian wrote:
As some of you may have noticed, a few hours ago, someone "hacked" the RTSL forum software. The issue has been temporarily resolved (see below), and the vulnerabilities will be permanently resolved within a few days.
Since many of you are likely to have questions about what happened, I've put together a short list of answers for you, set forth below. If you have additional concerns after reading this, just reply to this thread and I'll do my best to address them.
So what happened, exactly?
Someone ran a pre-written, automated attack against our forum software (FluxBB). These scripts are available for every brand of popular forum software, and come with detailed instructions on how to use them (if you know where to look). This particular script likely took advantage of a SQL-injection vulnerability in the version of FluxBB we were running at the time.
In other words, this was not a sophisticated attack. (We call these people "script kiddies.")
Has the issue been fixed?
For now, yes. I keep regular, automated backups of every website I run. Once I noticed the problem this morning, the restore process took me about 10 minutes (and some of that was spent making coffee and letting the dog outside).
Long term, I am in the process of applying updates & patches to make sure this doesn't happen again. I also need to go through the forum plugins we use and review the code manually.
I'm not worried about code that I've written myself . . . it's the other stuff that I need to review for potential issues.
What happened to my posts?
The most recent known-good snapshot was taken on Friday, May 6 at 08:30 GMT. When I restored from that, we lost about 24 hours worth of posts. Sorry about that
Passwords -- were they stolen?
If you use a strong password, no. If you use a weak password, maybe. Here's the situation:
- FluxBB does not store clear-text passwords. Everything is encrypted with an SHA1 hash.
- On the other hand, you may have heard of something called "rainbow tables." Essentially, people have pre-calculated the SHA1 hashes of simple/weak passwords, like dictionary words, and passwords less than about 7 characters in length. On the other hand, it is not practical to calculate SHA1 hashes for strong passwords, since there are so many of them.
- If you use a strong password (more than 8 characters, letters+numbers+special characters, not a dictionary word) you are safe.
- If you use a weak password, I would recommend changing it (and you should know better!).
- You may also have heard that rainbow tables are useless if you "salt" the password before it is hashed. This is correct. Unfortunately, FluxBB does not salt the passwords, so the rainbow table attack described above may work. (Note that our separate operator login system, which I wrote, does salt the passwords before hashing them.)
I hope that covers it. Let me know if there are any questions that I failed to answer above.
Offline
