[Skydiver]

Probably not everything is protected with prepared statements. Some of us succumb to that temptation of "I'll just do a string concat here. It's a low risk area." Low risk until somebody finds an exploit.

I was reading about an old IPBoard exploit that uses a SQL injection attack, but the attack only works in the setup mode of IPBoard. In IPBoard's shoes, that bug would probably be a lower priority since it's only the admin who should have access at setup time. The board should not be public yet at that time. But the mere fact that such an attack was possible means that not all the code uses prepared statements.

If a few months later somebody goes, "hey that code does exactly what I need, I'll just call it from the public facing part of IPBoard". Unless somebody does a code review of not only the new code the calls the function, and reviews the old function as well, the a public vulnerability has just been opened up. Some code reviewers don't bother looking at the old function because "It's been shipping for years. It must be okay to use it."

[Dogstopper]

Duckington, on 01 August 2012 - 05:25 PM, said:

Dogstopper, on 01 August 2012 - 09:18 PM, said:

It appears that we had a malicious malcontent who though it'd be funny to hack our site. I do believe it was a SQL injection even through IPB and with PreparedStatements. When I tlaked to Chris, he said the server guys found the problem, so whatever it was, let's hope we don't get it again.

However, we lost most, if not all of today's posts.

I thought the whole point of prepared statements was that they seperated the instructions from the data, making it impossible to inject anything....

I know that's the point. But what I'm saying is that somehow it happened. Not sure on the details.

[Mossypne]

Mossypne, on 01 August 2012 - 02:35 PM, said:

Do a scan guys. I only redirected nothing loaded or anything but i've ran Malware Bytes and got 1 detected Item. It's still mid scan so i'm not sure if it's this yet but just in case.

Wasn't anything. Crisis Averted.

[smohd]

Can we do a "reply joke" to them also?
May be by advising visitors here not to use their tools!!!

[Dogstopper]

It is a federal crime to hack commercial sites. I hope that whatever happened today is taken care of.

[jared.deckard]

atraub, on 01 August 2012 - 02:36 PM, said:

Someone, please explain to this young lad...

I personally find it funny, but I meant the exploit seemed like less of a prank and more of a targeted attack.

When I said "they know what they did" I really meant "I'm not sure how they did it" and "WTF, look at this crazy exploit"

Do you think DIC was a vulnerable blip on their radar, or do you think they targeted DIC?

[GunnerInc]

A skiddie probably gotten banned because we wouldn't help with his malicious code.

[Skydiver]

Looks like he ran his script again. Is there an IPBoard hot patch that can be applied?

Or are the server guys playing whack-a-mole and banning IP addresses as they see the attacks happen?

[Curtis Rutland]

Skydiver, on 01 August 2012 - 04:39 PM, said:

Probably not everything is protected with prepared statements. Some of us succumb to that temptation of "I'll just do a string concat here. It's a low risk area." Low risk until somebody finds an exploit.

I used to, until I realized that it's literally just as easy (often easier) to always use prepared statements, or an ORM that uses them for you. I haven't written a single SQL statement with string concatenated parameters in something like five years now.

[fromTheSprawl]

When I logged in I lost a PM, I never thought someone attacked this site.
I hope this doesn't happen anymore, who knows how much answered questions were lost due to this attack. Lots of stuff seemed to be lost, is there any way to bring them back, or are they deleted?

[modi123_1]

Quote

who knows how much answered questions were lost due to this attack

I am certain there is someone who knows..

Spoiler

[skyhawk133]

There was a file with incorrect file permissions that was modified using an injection in a vulnerable script. I'm out of town and didn't have access to a computer and just had our server management guys do a full restore while they worked on identifying the vulnerability. It's fixed up now as far as I can tell and they are running full scans on the server to identify and secure any additional issues.

[skyhawk133]

The NOC made some additional adjustments to tighten security on the server, if you notice problems uploading files, or anything of that nature, please let me know.

[strawhat89]

I seem to have lost 2 rep points I got yesterday. Just letting you know.

Wow and also 20 posts!

This post has been edited by strawhat89: 01 August 2012 - 09:47 PM

[modi123_1]

That's bound to happen with a roll back. Don't worry - be happy.