Are you aware that the threat actor is claiming to have compromised more than the forum/forum databases?
(shoutout to @Creen)
How exactly did you find the root cause / confirm that the threat has been contained / ruled out lateral movement to other systems/assets?
With a proper backend setup you could have avoided that very easily. But I already explained that a bit in my email, haven't received any reply though.
Based on the screenshot, that file was present for at least a couple of hours.
I've sent a ticket asking for a comment:
1. The link to the website with the alleged database was removed 10 minutes after being published on the official forums.
What are your plans regarding this? Is this database from the production server?
2. What was the cause of the breach? As we might have seen, the attacker used a PHP shell, probably uploaded through the forum software you are using, and got access to the server. What might he have seen, copied and/or changed? What data has been compromised?
3. When did the breach happen? As we might have seen, the date of the file being uploaded to the server was 2020-10-13 12:29:18. It's been a few days already.
4. Did the attacker gain root access to the server? As we might have seen in the list of files, there were files tied to the Dirty COW exploit (CVE-2016-5195).
5. Was the operating system affected by this vulnerability (Kernel CVE-2016-5195)?
6. What are your plans to avoid this situation in the future?
7. When can we expect OTP 2FA for the website and for the game client?
8. Whom did you get in contact with regarding "Yes, we are in the process of compiling a comprehensive report for the authorities.", and when can we expect more details about it?
Sent 2 days ago, still waiting for answer (understandable)
edit: Re 1: the link has been removed; the web.archive link containing a read-only version of the PHP shell script has also been taken down.
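Added example, not part of the thread above and not code from the forum software or the game: the questions on the PHP shell and the 2020-10-13 upload timestamp boil down to a triage an admin can script. The snippet below walks a web root, keeps only PHP-executable files (including double extensions such as `.php.jpg`, which some upload filters miss) whose modification time is at or after a cutoff, and flags common webshell constructs (eval/system on request parameters, long base64 blobs). The web root, file names and file contents are constructed sample data; the regexes are heuristics and will not catch every shell, so a recent timestamp is reported even with no pattern hit.

```python
"""Webshell triage: recently modified PHP files under a web root plus indicator matching.
Added example with a constructed sample tree; not the forum's or the game's own code."""
import os
import re
import tempfile
import time

# Extensions the web server will typically hand to the PHP interpreter.
PHP_EXTS = {"php", "phtml", "php5", "phar"}

# Heuristic indicators of a PHP webshell (assumed patterns, not an exhaustive list).
SUSPICIOUS = {
    "eval_of_input": re.compile(
        r"eval\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode)", re.I),
    "shell_exec_of_input": re.compile(
        r"(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "dynamic_call": re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "base64_payload": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}", re.I),
}


def looks_like_php(name):
    """True if any extension component is PHP-executable (catches shell.php.jpg too)."""
    return any(part in PHP_EXTS for part in name.lower().split(".")[1:])


def scan_tree(root, modified_since):
    """Return sorted (relative_path, [indicator names]) for PHP files whose mtime is
    at or after modified_since (epoch seconds). Recent files with no hits are kept:
    in incident response the timestamp alone is a lead worth inspecting by hand."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not looks_like_php(name):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime < modified_since:
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = [label for label, rx in SUSPICIOUS.items() if rx.search(text)]
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, hits))
    return sorted(findings)


def build_sample_tree(base, cutoff):
    """Write a constructed sample web root under base (fictional files, not real forum data)."""
    samples = {
        "index.php": "<?php echo 'forum index'; ?>",
        "uploads/avatar_1337.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
        "uploads/cache.php.jpg": "<?php system($_GET['cmd']); ?>",
        "uploads/picture.jpg": "not php at all",
        "lib/old_helper.php": "<?php function h($x){return htmlspecialchars($x);} ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    # Backdate the legitimate helper a week before the cutoff so the mtime filter drops it.
    old = cutoff - 7 * 86400
    os.utime(os.path.join(base, "lib/old_helper.php"), (old, old))


def demo():
    """Build the sample tree in a temp dir and scan for files touched in the last hour."""
    cutoff = time.time() - 3600
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, cutoff)
        return scan_tree(base, cutoff)


if __name__ == "__main__":
    for rel_path, indicators in demo():
        print(f"{rel_path}: {', '.join(indicators) or 'recent, no indicator hit'}")
```

On a real server, run it against the forum's document root with the cutoff set to the earliest suspicious timestamp and compare the output against the upload directory's expected contents; the mtime filter can be defeated by an attacker who runs touch, so cross-check with ctime or the package manager's file manifests as well.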