Possible hacker of Sciforums

Discussion in 'Site Feedback' started by Write4U, Sep 17, 2014.

  1. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Can I ask what browser, including version, you were using at the time?
     
  3. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Do you know whether we use a shared hosting account or not? If so then changing the software isn't going to necessarily fix anything. It certainly seems like something a web bot may have planted via a server/software vulnerability. Fortunately I missed all of it by not visiting for a few days.
     
  5. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    According to: Yougetsignal.com (one of the available reverse lookups online) 9 domains on that server
    Obviously the forums should be on a Dedicated and should really use SSL (Just to reduce middle man attacks, not that it secures it much further than that)
     
  7. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    I haven't been too involved in this latest situation but I tend to believe that the owners have overreacted to the hack that occurred.

    The point that needs to be made very clear is that all web sites, domains or any online content is vulnerable to all sorts of hacking. Changing software packages to support 30,000 members without proper consideration can lead to even further loss and a massive increase in vulnerability. (unknown outcomes)
    I understand that the ransomware attack was frightening in its implications etc. A terrible wake-up call to anyone who believes that the net offers some sort of certainty. (which it is REALLY struggling to provide)
    Opinion:
    I would suggest that the owners roll back if possible to the original web fora platform without the ransomware and then seriously consider the options available.
    This Xen Fora package is potentially a disaster waiting to happen (if not already) given the immediate problems displayed.
    If the owners are serious about security then a dedicated server would be essential. If on a shared server certain steps can be taken to minimize (not remove) loss.
    The need for constant "backing up" working on the premise of "complete loss" being possible is the only way to secure against nearly all hacking attempts by robots and hacks on the fly so to speak.
    • To be able to easily restore the site is the key to maintaining an ongoing presence.
    • To be able to clean the root directory entirely and fresh install with clean data easily
    • To acknowledge that the site is always vulnerable regardless of software used.
    • To ensure members know that profile information and PM's are never as secure as one might believe.
    • To ensure members are kept informed when the site is going through a restore procedure. (to minimize member frustration, educate and solicit support)
    • To maintain an "independent of site" mailing list of members so that issue communication is possible
    Basically it is about accepting that the net is fundamentally insecure and working up procedures on that basis.

    I had a site that was constantly being taken down by variant methods, and the only way I managed to survive the constant barrage of take downs was to work on the basis of complete loss and work up a system of fresh re-installs (from disc if necessary) with clean data. Ensure latest security upgrades to all core, modules and plugins etc were performed.
    The site lasted about 7 years before I deliberately decided to let it go (total take downs over 60 - shared server environment)
     
  8. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
  9. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    Quantum - the problem that finalized the migration was one unique to the previous software - the senior development team for said software had, in general, left and were no longer working on updating the software and patching out such vulnerabilities... thus, there was no remedy forthcoming for it.
     
    Quantum Quack likes this.
  10. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Do you know if the owners have a complete backup of the hacked fora? (including database)
    If I recall correctly, the hack only involved the index page. Going direct to a post via link avoided it. This indicates, to me at least, a relatively "trivial" hack that could occur on any platform. Domain name root specific.
     
  11. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Interesting thing is that the attack occurred close to the 17th this month. It is now the 30th of same month.
    Searching the web has shown little to no reference to this particular scam targeting the specific VB software. Normally I would have thought, if it were a bot delivered hack thousands of similar fora would be infected within 48 hours and there would be heaps of reference to it on the net by now. There appears to be no indication that it is a "global" threat.
     
  12. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    In fact the only mention of it is via Google referencing this thread at sciforums.
     
  13. Sylvester Registered Senior Member

    Messages:
    467
    I'll keep you guys posted. We will nail this down once and for ALL. Shryder...he is on the case. I always feel confident when shryder is on the case.
     
    cluelusshusbund likes this.
  14. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Not that impossible if you have access to rebuilding/upgrading BASH.

     
  15. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Of course one can improve on the known vulnerabilities, but how many server staff lack the technical nous to properly support their BASH?

    The reason I mentioned "almost" impossible to rectify is directed more at the vast number of server platforms that do not see the tech support needed and the possibly huge number of potential platforms already corrupted and that the patches supplied are not entirely effective. [According to some security experts]

    Regardless, I stand by my suggestion that an effective procedure for restoring sites by using adequate securely stored backups etc is the only effective way to deal with the constant threat of hacking and secure the platform, as I believe all platforms are vulnerable to various degrees.
     
  16. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    Tbh, I'm a great advocate of taking the word "Legacy" and "Obsoleting" it.

    Originally I was all for Legacy, however in recent years the major exploits to any system are often related to old underlying obsolete codes/methods that are still available due to legacy support, and legacy support sucks up a huge amount of time and effort to try and deal with.
     
    Quantum Quack likes this.
  17. Quantum Quack Life's a tease... Valued Senior Member

    Messages:
    23,328
    Totally agree!
     
  18. GeoffP Caput gerat lupinum Valued Senior Member

    Messages:
    22,087
    So what's the current safety status of SF then?
     
  19. Kittamaru Ashes to ashes, dust to dust. Adieu, Sciforums. Valued Senior Member

    Messages:
    13,938
    SF should be secure at this time - part of the issue is that security comes at a loss of functionality. Right now, the ones with more knowledge on this than I (I'm no programmer heh) are working to achieve a good balance and get everything functional again.
     
    Quantum Quack likes this.
