Forum Vulnerability Discussion Thread

    • DartheIncarnate wrote:

      Are you aware that the threat actor is claiming to have compromised more than the forum/forum databases?


      twitter.com/UnderTheBreach/status/1317561761579569156

      (shoutout to @Creen)


      How exactly did you find the root cause / confirm that the threat has been contained / ruled out lateral movement to other systems/assets?
      Basic PHP shell script. Like... you know, the kind people used back in 2010 to deface websites a lot. Since then, any serious software and web server configuration has been deface-proof.
      With a proper backend setup you could have avoided that very easily. But I already explained that a bit in my email, and haven't received any reply yet ;)

      Based on the screenshot, that file was present for at least a couple of hours.

      I've sent a ticket asking for comment:

      1. The link to the website with the alleged database was removed 10 minutes after being published on the official forums.
      What are your plans regarding this? Is this database from the production server?
      2. What was the cause of the breach? As we might have seen, the attacker used a PHP shell, probably uploaded via the forum software you are using, and got access to the server. What might he have seen, copied and/or changed? What data has been compromised?
      3. When did the breach happen? As we might have seen, the date of the file being uploaded to the server was 2020-10-13 12:29:18. It's been a few days already.
      4. Did the attacker gain root access to the server? As we might have seen in the list of files, there were files tied to the dirtycow exploit, CVE-2016-5195.
      5. Was the operating system affected by this vulnerability (kernel CVE-2016-5195)?
      6. What are your plans to avoid this situation in the future?
      7. When can we expect OTP 2FA for the website and for the game client?
      8. Who did you get in contact with regarding "Yes, we are in the process of compiling a comprehensive report for the authorities.", and when can we expect more details about it?


      Sent 2 days ago, still waiting for an answer (understandable).


      edit: AD 1 - the link has been removed; the web.archive link containing a read-only version of the phpshell script has also been taken down.

      The post was edited 1 time, last by Wydoyolo ().

    • DartheIncarnate wrote:

      Ohh, since you put that into a ticket/mail I didn't see that :) Hopefully we get the answers to your questions (which basically answer everything I asked as well) here in this thread instead of your email (please do post them if you get them :) )

      Sure. There you go:


      Thanks for contacting us.

      Please understand that this is still an ongoing investigation, so all the information we have, we actually share it openly with everyone in our forum post here: Forum Vulnerability Discussion Thread.

      Hope this helped!

      So, let me ask here then:
      1. The link to the website with the alleged database was removed 10 minutes after being published on the official forums.
      What are your plans regarding this? Is this database from the production server?
      2. What was the cause of the breach? As we might have seen, the attacker used a PHP shell, probably uploaded via the forum software you are using, and got access to the server. What might he have seen, copied and/or changed? What data has been compromised? - we know it was caused by a forum software vulnerability.
      3. When did the breach happen?
      As we might have seen, the date of the file being uploaded to the server was 2020-10-13 12:29:18. It's been a few days already.
      4. Did the attacker gain root access to the server?
      As we might have seen in the list of files, there were files tied to the dirtycow exploit, CVE-2016-5195.
      5. Was the operating system affected by this vulnerability (kernel CVE-2016-5195)?
      6. What are your plans to avoid this situation in the future?
      7. When can we expect OTP 2FA for the website and for the game client?
      8. Who did you get in contact with regarding "Yes, we are in the process of compiling a comprehensive report for the authorities.", and when can we expect more details about it?