Admin Notice: Security breach - Ski.com.au CMS (MODx)

Discussion in 'Announcements' started by Richard, Oct 31, 2018.

Thread Status:
Not open for further replies.
  1. Richard

    Richard Maintenance Dept Administrator

    Firstly, don't panic.

    There is no evidence (yet) that this forum was compromised.

    However, in the interests of transparency I'm notifying you of a compromise of the Content Management System that runs Ski.com.au content (homepage, cams, reports, weather), which occurred late Friday night, 26 Oct 2018.

    I first became aware late yesterday afternoon and have spent the last day cleaning it up.

    The CMS that ski.com.au runs on is called MODx and we run on the version called Evolution; our version is the most current version available, and the attack vector appears to be our own custom code used for snow reporting. It appears to have been an escalation of privilege contained within the MODx path using a brute-force XML-RPC attack. However, on all this I am not entirely certain.

    What I can tell with a fair degree of confidence is that the attackers did not appear to be able to traverse up the directory structure on the server and compromise the subdomains or other applications (i.e. not gain access to XenForo).

    I do recommend that you change your password for this forum; it would be prudent.

    Anyone with tech security skills is welcome to PM me with more questions and/or advice or suggestions on how to thoroughly audit the log files.

    Thank you,
    Richard
     
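One way to start the log audit Richard asks about, as an added example that is neither ski.com.au's code nor part of MODx: a small Python triage script that flags source IPs hammering an XML-RPC endpoint in Nginx combined-format access logs. The endpoint path `/xmlrpc.php`, the thresholds and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Nginx "combined" log format. The sample lines further down are constructed,
# not real ski.com.au logs; RFC 5737 documentation addresses are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_xmlrpc_bruteforce(lines, endpoint="/xmlrpc.php", threshold=20, window_seconds=60):
    """Flag source IPs that POST to `endpoint` more than `threshold` times inside any
    sliding window of `window_seconds`. Returns {ip: peak_hits_in_window} for offenders.
    The endpoint path is an assumption; set it to wherever the CMS exposes XML-RPC."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent XML-RPC POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(endpoint):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:  # expire old hits
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _sample_log():
    """Constructed sample: one source fires 25 POSTs in 25 seconds, plus ordinary traffic."""
    lines = [f'203.0.113.7 - - [26/Oct/2018:23:10:{i:02d} +1100] '
             f'"POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"' for i in range(25)]
    lines.append('198.51.100.2 - - [26/Oct/2018:23:10:05 +1100] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"')
    lines.append('198.51.100.9 - - [26/Oct/2018:23:10:07 +1100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "curl/7.58"')
    return lines


SAMPLE_LINES = _sample_log()

if __name__ == "__main__":
    for ip, peak in find_xmlrpc_bruteforce(SAMPLE_LINES).items():
        print(f"{ip}: {peak} XML-RPC POSTs within 60s")
```

On a real server, feed it the access log (`find_xmlrpc_bruteforce(open(path))`) and confirm any flagged source against the matching authentication failures before acting on it.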
  2. markopolo

    markopolo Naughty Corner Resident Ski Pass: Gold

    Russians?
     
    JoeKing and crackson like this.
  3. TOFF

    TOFF Im kind of a big deal Ski Pass: Gold

    I hope they don’t access my account and start posting nice stuff on here.
    The TOFF brand is one I have worked hard to build, and I would be very upset if hackers affected that.
     
    Sadie, Apresski, derwent and 19 others like this.
  4. Richard

    Richard Maintenance Dept Administrator

    Chinese
     
    nfip, JoeKing, Chaeron and 1 other person like this.
  5. CarveMan

    CarveMan Pool Room Ski Pass: Gold

    At least the hackers could have deleted @Doonks and JOTD

    In other news, my NAS has had a lot of attempted login activity lately. I'm buying a better firewall today.
     
    Sadie, DidSurfNowSki, JoeKing and 2 others like this.
  6. Doonks

    Doonks Let's cook! Moderator Ski Pass: Gold

  7. Richard

    Richard Maintenance Dept Administrator

    Ubiquiti??
     
  8. CarveMan

    CarveMan Pool Room Ski Pass: Gold

    Yeah USG for home. Will report.
     
    Vermillion and Richard like this.
  9. bomber

    bomber One of Us Ski Pass: Gold

    Finally explains the crap DJOTD
     
    cold wombat, Claude Cat and me tun like this.
  10. VSG

    VSG Crayon Master Moderator Ski Pass: Gold

    Mmm. I think it was simply the Hammo style sheet resurfacing...
     
  11. Pink

    Pink One of Us

    nfip, cold wombat, Chaeron and 2 others like this.
  12. Zimbooo

    Zimbooo One of Us

    What's with the link on the main page, top left "wholesale nfl jerseys from china"?
    I have not clicked on it, just noticed it now.
     
  13. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    Good spotting!
     
  14. gareth_oau

    gareth_oau Pool Room Ski Pass: Gold

    I had my credit card scammed on Friday. I’m betting they got my details from here.
     
    Richard likes this.
  15. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    We PayPal everything.
     
  16. Bogong

    Bogong Part of the Furniture Ski Pass: Gold

    Last night a friend asked me about skiing in the Mt Reynard area, so I Googled it and found a Wikiski article on the subject at http://www.wikiski.com/wiki/index.php/Snowy_Plains. However, upon clicking the link, I got the message: Not secure. 403 Forbidden.

    Now I haven't looked at Wikiski for years, so I'm not sure if it is still an active site. But if it's supposed to be still working... well, it isn't.
     
    Chaeron likes this.
  17. Chaeron

    Chaeron One of Us Ski Pass: Gold

    Wikiski root page the same
     
  18. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

  19. Richard

    Richard Maintenance Dept Administrator

    I have removed wikiski from being served (cut from Nginx) so I could eliminate it as a potential entry point. The software that runs wikiski is not as up to date as it should be, so I'm going to move it and sandbox it from ski. I've learnt so much about AWS these last 12 months that I would not set up wikiski the way I did 18 months ago.

    I could not find any compromised files but I just turned it off to be sure. Back in a couple of days.

    Surprised anyone even noticed. Such a poor cousin is wikiski.
     
    Bogong and currawong like this.
  20. Chaeron

    Chaeron One of Us Ski Pass: Gold

    Wikiski - an awesome resource!!

    @Richard Happy to help with taking the “best of” posts from BC to consolidate into a wikiski update
     
    Bogong and Majikthise like this.
  21. Zimbooo

    Zimbooo One of Us

    Looks like the website is being compromised again.
    www.ski.com.au = error
    click on the ski logo on top left of page on the forum = error
     
  22. telecrag

    telecrag Old n' Crusty Ski Pass: Gold

    The site is working on my phone, but not PC with Chrome
     
  23. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    Homepage not working on PC.
     
  24. Zimbooo

    Zimbooo One of Us

    To clarify, I'm on a Mac laptop; both Safari and Chrome = "error" on the homepage.
    If I go directly to a forum page URL it works, but if I then select the "ski" logo at top left on the forum page to go back to the home page, the same "error" occurs.
    This was happening the other day as well, before @Richard posted this thread.
     
  25. hipo

    hipo One of Us Ski Pass: Gold

    Yep, getting the same on the home page and all the top line tabs.
    Could only get in via a saved forum URL.
    Same using 3 x PC (Win 10, Firefox) and a tablet.
    OK on a Samsung phone with Android and Firefox.
     
  26. hipo

    hipo One of Us Ski Pass: Gold

    Just posted having the same problem, but the post disappeared and I can now access the top line of tabs.
    Edit/Update: logged out and back in again via the homepage bookmark, OK.
    Whoa... logged back in again and the post above re-appeared.
     
  27. Zimbooo

    Zimbooo One of Us

    Yep, all working again as normal for me.
    This happened the other day as well... same errors, then back to normal.
    I notice that the random link "wholesale nfl jerseys from china" that was on the homepage this morning is now gone?
     
  28. Richard

    Richard Maintenance Dept Administrator

    I'm fighting a war here and I think the other side has more guns.

    Rebuilding the whole infrastructure for ski.com.au and I keep breaking things.
     
    Charlie, cold wombat and Chaeron like this.
  29. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    Oh dear! How much damage have they done?
     
  30. currawong

    currawong Old but not so Crusty Ski Pass: Gold

    If only you could weaponise DJOTD
     
    cold wombat, skifree, Chaeron and 6 others like this.
  31. Marty_McSly

    Marty_McSly What a plonker. Ski Pass: Gold

    Lobbing a few bad jokes over the firewall would deter any hacker LOL
     
    Chaeron, currawong and Zimbooo like this.
  32. Zimbooo

    Zimbooo One of Us

    I asked a Chinese girl for her number. She said, "Sex! Sex! Sex! Free sex tonight!" I said, "Wow!" Then her friend said, "She means 666-3629."
     
  33. Majikthise

    Majikthise Sage Moderator Ski Pass: Gold

    I vote to send in @TOFF as negotiator.
     
    cold wombat, Chaeron and currawong like this.
  34. Marty_McSly

    Marty_McSly What a plonker. Ski Pass: Gold

  35. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    He already fears that his persona has been compromised. LOL
     
    Marty_McSly likes this.
  36. currawong

    currawong Old but not so Crusty Ski Pass: Gold

    Why use infantry when you have @Vermillion and the waffle stomp artillery
     
  37. nfip

    nfip Part of the Furniture Ski Pass: Gold

    No, send @JoeKing, that'll **** 'em.
    Literally. ;)
     
    cold wombat, Zimbooo, Seafm and 7 others like this.
  38. nfip

    nfip Part of the Furniture Ski Pass: Gold

    I have a friend with experience dealing with this exact issue,
    though on a much larger scale.
    He related to me an issue he had at the time as .... of a certain organisation fighting the same foe.
    He used this as his excuse for not being able to ski with me on the weekend... ..
     
    Chaeron likes this.
  39. Chaeron

    Chaeron One of Us Ski Pass: Gold

  40. Taipan

    Taipan Old n' Crusty Ski Pass: Gold

    Thanks Richard. Password changed.
     
  41. JoeKing

    JoeKing Old n' Thrusty Ski Pass: Gold

    Can I just say..

    Thanks to @Richard for the tireless efforts of keeping the lights on and thanks also in particular for the candour regarding this issue.

    I know the stakes are different, but I think it's important to point out the glaring difference in the way in which such an incident is handled compared to, for example, the recent breach at the Perth Mint.
     
    Hyst, cruisin along, hipo and 8 others like this.
  42. nfip

    nfip Part of the Furniture Ski Pass: Gold

    password changed btw...
     
    currawong likes this.
  43. D-eye

    D-eye Photographer and skier Moderator

    Since it isn't winter would it be worth temporarily replacing a few key pages with a static html page then rebuilding the rest in a separate environment before swapping? It might buy you some time.
     
    nfip likes this.
  44. parkmonkey

    parkmonkey Old n' Crusty Ski Pass: Gold

    Imagine someone from China used your login and predicted the right date for the GFC2
     
    Zeroz, Born2skii and Chaeron like this.
  45. Seafm

    Seafm Too far from the snow Ski Pass: Gold

    Updated.
     
  46. TOFF

    TOFF Im kind of a big deal Ski Pass: Gold

    I don’t negotiate with terrorists
     
  47. Astro66

    Astro66 Still looking for a park in Thredbo Ski Pass: Gold

    So can I just add: the reason peeps hack password accounts is because some people use the same password for several accounts. So accessing this password may give them access to other accounts you have, which may help someone fake your identity or steal something.

    So if you are one of these people:

    1) Stop using the same password. Use a password generation program.
    2) Change any other account's password where you have used this site's password.
     
  48. Taipan

    Taipan Old n' Crusty Ski Pass: Gold

    In England at the moment, and an interesting programme last night on deplorable free-to-air TV.

    Scammers identify your mobile phone and then go into a mobile phone company pretending to be you, get a new SIM card and get your mobile number assigned to them. [Photo ID is required but some shops/providers don’t check]. They then get access to your bank accounts and clean you out.

    Monkey, you may recall that I’ve been saying for years: get out of debt, get off the system, and get out of the banks. Consequently I have very little in the banking system for them to steal.

    Security is something I try to be up on, and a reason why I almost exclusively post in the culture vulture area of the forum.

    As Astro says, keep different passwords. I try to have a hierarchy of passwords, from unimportant sites to more valuable sites where personal information is involved, and/or use a password generator.

    Here, years ago, realising that somebody had tried to break into my account, I upped the strength of my password to strong. Never had a problem since.
     
    Astro66 likes this.
  49. parkmonkey

    parkmonkey Old n' Crusty Ski Pass: Gold

    It was a light-hearted joke, but hopefully your long response helps someone out as it's good info. I did also change my PW yesterday when I saw the thread.
     
    Taipan likes this.
  50. Billy_Buttons

    Billy_Buttons A Local Ski Pass: Gold

    ...also changed my password as soon as Richard gave sage advice.
     
    currawong likes this.