TFF HACKED Last Night, Sorry for Downtime

[Fuzz]

TFF was professionally hacked last night... and no it wasn't the stupid little Phish image that just replaced the index.html... this was far more elaborate.

Someone uploaded fake bank pages to TFF and redirected Barclay bank users to our servers IP to get financial information and other secure data... this is otherwise known as "Pharming". It is rather popular, especially to larger sites.

I was even contacted by Cyota, which is the world's largest financial anti fraud firm. I sent them a .zip file of ALL the hacked files that were uploaded so they can hopefully track who did this. They told me hundreds of sites daily get Pharmed and it is quite the online epidemic.

I have already changed FTP passwords and the CP password and other precautionary steps so this will not happen again.

Just wanted to say sorry for the inconvenience and trouble. This is probably the most serious hack TFF has had in the 5 years we have been online. This will not happen again!

I dont know why my host put up that 'excessive resources' message, because that wasn't the case... it was in fact b/c we were hacked... but TFF is having server usage issues that I am still working on. If I can't bring it down I will move TFF to a new server that has 'semi-dedicated' servers so we can move TFF to a server with more resources.

More information on Pharming can be read here:
http://www.azcentral.com/arizonarepu...harming19.html

I'm still a noob to all of this and my apologies... I got the damn site up as QUICK as i could... even skipped 2 classes today.

I gave everyone 250 gold pieces! enjoy

[Blacksmith]

Do we have to change our passwords too? And that is GAY! Goddamn hackers, they should die. No one hurts my TFF and gets away with it, *Rips off shirt revealing BoD tattoo*, ARGH MATEY!

P.S. - I <3 you got getting it back up. Let's help protect our beloved forum

§ Artist of blood stained walls

[Azuteor]

It's alright Fuzz at least I know TFF is safe now. When I tried getting into TFF there was this link that showed up, I think you have already found it by now, but I just want to tell you just in case.

http://www.sputnik.lunarpages.com

After the slash mark it had something like 'suspended page'. I'm not too sure about it, but I think you can find out what it means. I hope this helps.

[T.G. Oskar]

So that's what happened, eh? I thought TFF had kicked the bucket for good, I had a real scare there. But, they're messing with us, so I assume we should mess real bad with 'em, right?

To get it right, they used the second style of pharming, the "DNS poisoning", I assume? So that the users of TFF were sent somewhere else while the bank's users were sent here and then the info would be picked up by the hackers. C###, that's real bad... Besides, it affected both the main page and the forums. In my case, redirection was to a stargate.lunarpages, I think.

I wasn't affected that much, tho. Different time zone.

[Fuzz]

Yeah, sputnik.lunarpages.com is our current server node, so that would make sense... I believe the stargate address is just where suspended accounts get redirected to, not sure though.

Regardless, it is all worked out now. I even tracked the IP of the SOB that did this from the server logs and reported it to Cyota. It was a well done hack and it happens to a lot of sites, but I hope they can figure out some of the larger sources of these hacks.

T. G - yeah, it was DNS Poisioning Pharming for sure... meaning they will change the IP or DNS entries on a real banking site and have the user be redirected to TFF to finish the account in a 'fake' database that was nested here.

Really strange stuff for sure, took most of the day to fix.

EDIT: No we dont have to change any forum passwords. I just had to change the admin control panel and main FTP account passwords, so don't worry about it, we're safe.

[Sasquatch]

I have no idea what the hell you just said.

But hey. Damn good work getting it back up, and hopefully (though doubtfully), they'll track down who did it.

And thanks for the gold!

[LocoColt04]

Heh, it's funny too, because I freaked the shit out of him this morning.

I called him while he was still sleeping or busy or something. It was about 10am. I saw the bandwidth exceeded notice, so I thought I would give Fuzz a call to let him know, right? I left a message explaining what I saw, and then I got a call back a couple hours later while I was at work. We weren't busy, so I answered it, and you all should have heard the string of profanities which left Fuzz's mouth. It was quite out of character, but I'll be damned if I wouldn't have reacted the same way myself.

Anyway, he said he'd have the place back up and running before I got home from work, and sure enough, he was right. Props to Fuzz for sorting this shit out.

[Fuzz]

hahaha, yeah, Cesar heard the 'mad' Fuzz this morning.

I woke up and saw I missed a call from Cesar, so I knew right away something was up... because I figured he wasn't calling to say whats up at 10:00 in the morning. So i check TFF and of course it is down, then I have 5 different e-mails from my host, support guy, and a financial fraud firm located in the UK! I knew something serious happened... Took me 5 hours to get through all the e-mails, phone calls, and reorganizing all the files.

I called you in a panic in the middle of all this, so I'm sure you heard some pretty fouuul language ^^ I was absolutely heated.

[Azuteor]

Must have been hard on you Fuzz, lol. I have never seen this side of Fuzz before, could you and Loco do a reanactment of what had happened? What kind of things would happen to TFF if the hacker had time to put some weird stuff on the forum? I'm just curious since I'm not really familiar with these kind of stuff.

[Ultima]

I was wondering what happened, I totally freaked this Morning when the site was'nt working. Thanks for telling us fuzz, we should all work together to protect our forum from hackers!

[LocoColt04]

Quote:

Originally Posted by Suzu Kitamura

I have never seen this side of Fuzz before, could you and Loco do a reanactment of what had happened?

Well, there's no need for Fuzz and I to explain our phonecall, since it's not really public information to begin with. But, to give you an idea of the level of how pissed off we both were, imagine the feeling you would have if I came up to you, smashed your face in with a bat, and then broke all of your toes. Yes, we were that pissed. Especially him. I, personally, have never heard him sound so worried and frustrated all at once. At the same time, he was strangely calm.

Quote:

Originally Posted by Suzu Kitamura

What kind of things would happen to TFF if the hacker had time to put some weird stuff on the forum?.

Then we'd have to restore the forum from its last backup. I think we would have lost seven or eight days' worth of posts. I'm not sure when the last archive was. Fairly recent, but far enough back to greatly disrupt the flow of the forum.

[Chez Daja]

That error page that kept showing up, I was actually going to comment about in the Highbridge as soon as the forums were back up, but when I saw this, I knew it was okay now.

Well done on getting the forums back on track. Big up to Cesar and Fuzz on being knowledgable web-lunatics.

[LocoColt04]

Quote:

Originally Posted by Chez Daja

Big up to Cesar and Fuzz on being knowledgable web-lunatics.

Most of the time I have something to do with these things, but this time it was ALL Fuzz. I don't want to take the credit for something he fixed, you know. I was at work all day long, serving concessions at outrageous prices. We're just lucky that he didn't have to work