The Great Breach Has Been Repelled!

[Quickleaf]

We still have to do a full stock take, but the following things are *definitely* gone for now: dice roller, campaign manager, gamers seeking gamers, wiki, OGRE, a slew of news features, and a handful of miscellaneous bits and pieces like our XP system and things like that. Plus some behind the scenes stuff like mod and admin tools and other backend things.

Wow, it was bad... All things considered you got the site back up and running in record time! And with an autosave feature to the forums, not bad

Bad news is I may have run across another feature that was lost: Managing Attachments.

When I attempt to add an upload from my computer (a 1.8 mb PDF), I receive an error:

413 [IOErrorEvent type="ioError" bubbles-false cancelable-false eventPhase=2 text="Error #2038"]

 

[jeffh]

One thing I haven't found a way to do that I don't see mentioned above is download the subscriber content (e.g. the Zeitgeist adventures).

 

[Morrus]

One thing I haven't found a way to do that I don't see mentioned above is download the subscriber content (e.g. the Zeitgeist adventures).

Hey Jeff - I'm a bit confused by the question. That's one thing that hasn't been broken (thank goodness!) so it hasn't changed. Are you experiencing problems?

 

[freyar]

I would dearly appreciate a post of the urls that generated the warnings. We had a few of them related to a similar issue with High Moon media and a signature, removed offending signature and the warnings stopped, just fyi. Note that I don't believe that ENWorld's breach and High Moon Media's were directly related.

I'm actually still getting the attack warning page on my home computer as of now (9PM CST 9 Dec) for http://www.enworld.org (not any pages there once I ignore the warning), http://creaturecatalog.enworld.org/, and the CC admin page as well. I don't believe my work computer was getting those as of 8 Dec. Both are running firefox 17.0.1.

 

[darjr]

Google has the enworld clear as of now. I'm not sure the cc was ever marked but it might have been blowback for the whole domain. I suggest first trying to dump cache and also check with another browser. If that doesn't clear it up I'll take a closer look. Let me know.

 

[freyar]

Google has the enworld clear as of now. I'm not sure the cc was ever marked but it might have been blowback for the whole domain. I suggest first trying to dump cache and also check with another browser. If that doesn't clear it up I'll take a closer look. Let me know.

Sorry for the bother: I'm still (as of now) getting the warning page for EN World, the CC, and the CC admin page. I've cleared my cache, offline website data, cookies, history, and active logins, and I've also tried turning "block attack pages" off and then on again. No help. The only other browser (epiphany 3.4.1) I have on this computer does not get the warning, but I'm honestly not sure if it has the capability to get the google warnings in the first place. I will try all this again from work.

Just for more information, the warning I get on www.enworld.org is

What is the current listing status for www.enworld.org?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 7 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 960 pages we tested on the site over the past 90 days, 29 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-06, and the last time suspicious content was found on this site was on 2012-12-02.

Malicious software includes 26 scripting exploit(s), 15 exploit(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

Malicious software is hosted on 12 domain(s), including digitalspointsstorys.net/, highmoonmedia.com/, igitalspintssorysmen.net/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including kattycatyd.org/.

This site was hosted on 2 network(s) including AS30221 (T3COM), AS15169 (Google Internet Backbone).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www.enworld.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

and on creaturecatalog.enworld.org is

What is the current listing status for creaturecatalog.enworld.org?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 7 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-03, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 1 network(s) including AS30221 (T3COM).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, creaturecatalog.enworld.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

This is really more of an annoyance than anything (since I can just click through), but I figure it's good for you to know about it. If you have more suggestions for my end, I'm happy to give them a try.

 

[Alzrius]

I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?

Is their some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?

The whole thing just seems so...pointless, unless they have something to gain in destroying databases.

 

[SkidAce]

Sometimes it's as simple as bragging rights or establishing "street cred".

Sadly.

 

[Michael Morris]

I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?

Is their some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?

The whole thing just seems so...pointless, unless they have something to gain in destroying databases.[/QUOTE]

The motives of the people who write worms and XSS attacks are usually monetary. Most of the scams center around increasing page rank for sites. It rarely works for very long if it works at all. It isn't a personal direct attack.

 

[Morrus]

I realize this may be a naive question, and likely an impossible one to answer...but why would someone (that is, these hackers) do this? What's their motivation?

Is their some sort of profit in it for them? Or do they just find fun in tearing something down? For that matter, do they actively try and breach sites like this, or do they have programs that locate vulnerable sites for them and then they go after them?

The whole thing just seems so...pointless, unless they have something to gain in destroying databases.

Depends who they are. Sometimes it's organized botnets for use in spreading spam and malware. Sometimes it's script-kiddies doing it for entertainment. In this case, we think it was both - because some of our code was replaced with ASCI images and a signature by someone who calls himself "Dan LOL".