/operate/ - Endchan Operations

Let us know what's up


odilitime Board owner 09/08/2016 (Thu) 05:12:04 [Preview] No. 4983
I had a development server breached on which I had an old development copy of the Endchan database (without media).

All users are advised to change their passwords ASAP.

Development server was breached using a redis/ssh exploit. Redis was installed and usually ran as a user, but recently, while doing some development work, I accidentally started it up as root to look something up and left it running. Redis can then write to your ssh keys, insert unwanted keys and allow root access. All files in /root and /home were removed and a note was left:

>Hi, please view here: http://pastebin.com/raw/vadfLyDS for information on how to obtain your files!

Luckily I have bandwidth logs on that box and I can see there was nothing transferred out of the box. So my guess is they just deleted the files. The nature in which they left the machine leads me to believe this was an automated attack (plenty of other meaningful data directories were left alone).

The copy of Endchan's data is left untouched on this development server. However the dump that was used to transfer the copy was still likely in the /root directory that was deleted. I will get the date of the data copy as soon as I can do some data recovery on that machine, I estimated the copy to be an early 2016 Q2 dump. This server is now offline.

At Endchan, we want to be as transparent as we possibly can and even though we do not believe anything was leaked, we cannot say with 100% certainty that nothing happened. And even if we could be certain that nothing was at risk, we still want to report anything of this nature to our users.

I fucked up, I'm sorry for any troubles this may and has caused any of you.

Please let us know any questions you may have.
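
An added example, not part of the original post or Endchan's code: a defender-side audit for the failure described above, flagging a Redis instance that runs as root and an `authorized_keys` file that looks like a Redis dump rather than a hand-edited text file. The bind and `requirepass` checks assume the instance was reachable without authentication, which the post does not state; all sample data and function names are constructed for illustration.

```python
import re

RDB_MAGIC = re.compile(rb"REDIS\d{4}")   # every Redis RDB dump starts with this header
LOOPBACK = {"127.0.0.1", "::1"}

def audit_authorized_keys(data: bytes) -> list:
    """Flag an authorized_keys file that looks like it was written by Redis."""
    findings = []
    if RDB_MAGIC.search(data):
        findings.append("rdb-header")
    # Hand-edited key files are plain ASCII text; a database dump is not.
    if any(b not in b"\t\n\r" and not 0x20 <= b <= 0x7E for b in data):
        findings.append("binary-bytes")
    return findings

def audit_redis(conf_text: str, run_uid: int) -> list:
    """Check the run-as user plus the (assumed) network exposure settings."""
    opts = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    findings = []
    if run_uid == 0:
        findings.append("runs-as-root")        # the mistake named in the post
    binds = [a.lstrip("-") for a in opts.get("bind", "").split()]
    if not binds or any(a not in LOOPBACK for a in binds):
        findings.append("binds-non-loopback")  # no bind line means all interfaces
    if not opts.get("requirepass"):
        findings.append("no-auth")
    return findings

# Constructed samples (not taken from the breached server).
TAMPERED_KEYS = (b"REDIS0006\xfe\x00\x00\x01k@\x5f\n\n\n"
                 b"ssh-rsa AAAA-constructed x@example\n\n\n\xff")
CLEAN_KEYS = b"ssh-ed25519 AAAA-constructed admin@example\n"
WEAK_CONF = "port 6379\nbind 0.0.0.0\n# requirepass is unset\n"
HARDENED_CONF = "bind 127.0.0.1 ::1\nrequirepass constructed-placeholder\n"

if __name__ == "__main__":
    print(audit_authorized_keys(TAMPERED_KEYS))
    print(audit_authorized_keys(CLEAN_KEYS))
    print(audit_redis(WEAK_CONF, run_uid=0))
    print(audit_redis(HARDENED_CONF, run_uid=112))
```

On a live host the same functions can be fed the bytes of each account's `authorized_keys` and the UID of the running `redis-server` process.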

Anonymous 09/10/2016 (Sat) 02:35:16 [Preview] No. 4986 del
smh OdiliTime

Anonymous 09/11/2016 (Sun) 10:39:43 [Preview] No. 4989 del

Balrog Board volunteer 09/11/2016 (Sun) 14:59:35 [Preview] No. 4998 del
This wasn't our web server. This was OdiliTime's personal server that OdiliTime happened to have transferred a backup to while we were doing maintenance on the endchan server just in case something went wrong. SSL or a lack thereof wasn't involved.

In any case, we got lucky and I've made sure to rip OdiliTime a new asshole over this shit. I'm guessing that the attack was either a scam by a script kiddie or a greyhat trying to spook people into securing their shit. Like OdiliTime said, nothing was uploaded, so the odds strongly favor no DB leak occurring. The notification to change your passwords is more out of paranoia (e.g. some crazy NSA shit transmitting the data offsite without the transmission being logged by the external monitoring equipment; not likely) than anything else.

In other words, shit got fucked up, but odds are it'll be fine.
Edited last time by Balrogwashere on 09/11/2016 (Sun) 15:01:24.

Anonymous 09/18/2016 (Sun) 02:00:08 [Preview] No. 5011 del
>since april 9th 2016

I'm a bit curious about how it took you 5 months to notice.

Anonymous 11/29/2016 (Tue) 09:52:50 [Preview] No. 5343 del
Why is/was your development/test server accessible online? Can't keep >>4986 over this mishap. Could you check the logs if a mod volunteer like >>>/pol/23993 was in the logs of potential account takeovers?
>crazy NSA shit transmitting the data offsite without the transmission being logged by the external monitoring equipment; not likely) than anything else.
Highly possible with state actor attacks we've seen as of late.

Leaking PizzaGate really did a number, worldwide.
You do still have a copy of that old DB, right?

odilitime Board owner 11/29/2016 (Tue) 11:16:02 [Preview] No. 5344 del
>Why is/was your development/test server accessible online?
because we needed public testers.

>Could you check the logs if a mod volunteer like >>>/pol/23993 was in the logs of potential account takeovers
Not sure how to figure that out, let me talk with Lynx.

>You do still have a copy of that old DB, right?
No I don't.

Anonymous 11/29/2016 (Tue) 23:46:32 [Preview] No. 5380 del
Then make a mock test site, not a duplicate, yesh.
>No I don't.
This is bad. M8, when you can, study up on Sysadmin. Rule 37 of "After an attack" is to keep an archive of the exploit. You want to retrospect on how malicious attacks are growing, so you proactively scope those vulnerabilities.

Anonymous 12/07/2016 (Wed) 18:30:32 [Preview] No. 5430 del
As long as you archive and properly mock the test server from hither on, you will form a basis to document changes dependent on the master branch. Usually it is cheaper to VPN the server in a locked virtual environment, so you see a full scope of the system. Vulnerabilities are getting scarier and more efficient, thanks in part to manufacturers leaving vulnerabilities in the hardware/UEFI/BIOS/firmware. Right now, the biggest threat is GPUs with DMA and their undocumentation: enormous processing power that when clustered, can replicate innumerable vulnerabilities in one machine before the next cycle hits the CPU to address the bus.

Anonymous 04/27/2018 (Fri) 19:49:04 [Preview] No.8946 del
>mod volunteer like >>>/pol/
What? I'm the Vol at /pol/. Are you trying to suggest I took an account? If I could do that, I wouldn't have put in claims for boards.

Anonymous 04/27/2018 (Fri) 19:51:45 [Preview] No.8947 del
Oh wait. Disregard. I noticed the date from that post. I wasn't even Vol 11/29/2016

Anonymous 05/09/2018 (Wed) 14:57:41 [Preview] No.9059 del
And this is why I always backup all my files OFFLINE, routinely. People who run imageboards should be doing the same.

So, here's the question. Can I re-upload any of my files that are now dead within the server!?

Anonymous 05/10/2018 (Thu) 00:22:16 [Preview] No.9060 del
Apparently not yet unless you adjust images by a pixel, one letter for .pdf and any text file edits, or videos trimmed by a millisecond. New names for all. The corrupted old caches? Hashes? They really need to be purged somehow.

Anonymous 05/10/2018 (Thu) 12:59:00 [Preview] No.9068 del
I am not tech savvy enough to do all that with my media files, so until the site owner purges the junk caches I won't be posting any media format other than some basic memes. This sucks for me because I contributed a ton of videos to /spoon/ a couple months back. Real good stuff and a lot of time uploading completely wasted. I'll be reposting elsewhere when I find a reputable hosting source.

odilitime Board volunteer 05/11/2018 (Fri) 21:40:31 [Preview] No.9074 del
I'm working on a tool that will allow you to fix broken images. Hopefully it will be ready by Monday. The idea is that as new photos are made with missing images, they'll replace the broken images.

Anonymous 05/15/2018 (Tue) 20:11:42 [Preview] No.9085 del
Thank you. Let us know when this gets finished and when we can fix these issues. I would gladly re-upload all my video content (all very informative videos) as I have offline backups. Looking forward to this problem being fixed.

Anonymous 05/17/2018 (Thu) 00:01:39 [Preview] No.9089 del
Can the same fix be done for all media files in the near future?

odilitime Board volunteer 05/17/2018 (Thu) 00:04:06 [Preview] No.9090 del
fix is in place.

Not sure what you mean but we don't have all media files. Users need to reupload what they want online.

Anonymous 05/22/2018 (Tue) 21:58:48 [Preview] No.9094 del
Does this mean we're capable of now uploading what has been uploaded in the past without image and file corruption?

Anonymous 05/23/2018 (Wed) 08:41:32 [Preview] No.9095 del
