Spam Posts and Compromised Accounts
Some of you might have noticed that there have been some spam posts from actual verified accounts lately.
As always, if you see something strange or that doesn't look right regardless of who might have posted it, please use the report button. And, of course, please do not click on suspicious links.
The issue is being investigated but overall the site itself should be secure.
Thanks.
EDIT: Also see the announcement on the top of the page. (I'll quote it here just in case.)
Quote:
Originally Posted by colo
Dear The Source users,
as has only recently come to my attention, The Source's user database was compromised and in part downloaded (usernames and password hashes) more than a year ago. The vulnerability that was used to gain system-level access to dump parts of the database is currently unknown, but I've taken precautions at a lower level so that it is much less likely for someone to successfully abuse it again. As with all complicated things in life, success is not guaranteed.
Zilla's account was broken into most recently as far as I know, and I've since disabled/banned his account. He will be reinstated after I've sorted out this mess and managed to get ahold of him to talk over our next steps.
In the meantime, I've invalidated all current sessions, and beseech you to rotate your The Source account passwords at your earliest convenience.
Thanks very much, and sorry for the terrible inconvenience.
colo
PS: If you have any questions concerning this incident, please reach out to me by email at c0l0 at gmx dot at.
So, please change your password when you get a chance. Thanks.
Re: Spam Posts and Compromised Accounts
Is the issue related to the outdated version of vBulletin being used?
Re: Spam Posts and Compromised Accounts
I am not 100% sure what the vulnerability used to dump the hashes was, but I am rather confident I found it, and fixed it in the meantime. If true, it was a vulnerable configuration (conditional CGI execution enabled for a directory containing user-uploaded files with both their names and content under the attacker's control) that I unknowingly ported over to the new machine when we migrated The Source to a new server several years ago :(
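As an added illustration of the misconfiguration colo describes above (this is example code written for this page, not anything from the post and not The Source's actual configuration): assuming Apache httpd, which the post does not name, the script below puts a constructed vulnerable `<Directory>` fragment for an upload tree beside a hardened one, and carries a small audit helper that flags a block which both enables ExecCGI and maps file extensions to the cgi-script handler. The directory path, both fragments and the helper's names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the post or from The Source's own configuration.
# Assumes Apache httpd (the post does not name the server); the directory
# path and both config fragments below are constructed for illustration.

# Constructed vulnerable fragment. Files in this tree are user uploads with
# attacker-chosen names and content, yet the server allows CGI execution here
# and maps extensions to the cgi-script handler, so an uploaded file whose
# name ends in one of those extensions is run as a script when requested.
# AllowOverride All additionally lets an uploaded .htaccess change the rules.
VULN_CONF='<Directory "/var/www/html/uploads">
    Options +ExecCGI +Indexes
    AddHandler cgi-script .cgi .pl .py
    AllowOverride All
    Require all granted
</Directory>'

# Hardened fragment. Execution options are removed, the handler mappings are
# dropped for this tree, everything is forced through the static-file handler
# so a file's name no longer decides how it is served, and .htaccess files in
# the tree are ignored.
SAFE_CONF='<Directory "/var/www/html/uploads">
    Options -ExecCGI -Includes -FollowSymLinks
    RemoveHandler .cgi .pl .py
    SetHandler default-handler
    AllowOverride None
    Require all granted
</Directory>'

# directory_block CONF DIR: print the body of the <Directory DIR> block
# (quoted or unquoted path), nothing if there is no such block.
directory_block() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        /^[ \t]*<Directory[ \t]/ {
            p = $0
            gsub(/^[ \t]*<Directory[ \t]+"?|"?>[ \t]*$/, "", p)
            inside = (p == dir); next
        }
        /^[ \t]*<\/Directory>/ { inside = 0; next }
        inside { print }'
}

# audit_upload_dir CONF DIR: print the findings for the block of DIR:
#   EXECCGI  - ExecCGI is on (directly or via "All") and something in the
#              block maps to cgi-script
#   HTACCESS - AllowOverride is not None, so uploaded .htaccess is honoured
# or "OK" when neither applies. Only the block itself is inspected, so a
# cgi-script mapping inherited from the server-level config is not seen.
audit_upload_dir() {
    directory_block "$1" "$2" | awk '
        $1 == "Options" {
            for (i = 2; i <= NF; i++) {
                if ($i == "ExecCGI" || $i == "+ExecCGI" || $i == "All" || $i == "+All") cgi_on = 1
                if ($i == "-ExecCGI" || $i == "-All" || $i == "None") cgi_on = 0
            }
        }
        ($1 == "AddHandler" || $1 == "SetHandler") && $2 == "cgi-script" { cgi_handler = 1 }
        $1 == "SetHandler" && $2 != "cgi-script" { cgi_handler = 0 }
        $1 == "RemoveHandler" { cgi_handler = 0 }   # simplification: real rule is per extension
        $1 == "AllowOverride" { override = ($2 != "None") }
        END {
            out = ""
            if (cgi_on && cgi_handler) out = out "EXECCGI "
            if (override) out = out "HTACCESS "
            sub(/ $/, "", out)
            print (out == "") ? "OK" : out
        }'
}

printf 'vulnerable: %s\n' "$(audit_upload_dir "$VULN_CONF" /var/www/html/uploads)"
printf 'hardened:   %s\n' "$(audit_upload_dir "$SAFE_CONF" /var/www/html/uploads)"
```

Run it with `sh` and it reports `EXECCGI HTACCESS` for the first fragment and `OK` for the second. Two caveats for anyone applying the hardened fragment to a real server: the audit only reads the one block, so an `AddHandler cgi-script` set globally in httpd.conf still applies inside the upload tree unless the block overrides it (which the `SetHandler default-handler` line does), and CGI is not the only script handler: if mod_php is loaded, uploaded `.php` files need the same treatment (for mod_php, `php_admin_flag engine off` in the same block).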