tracking a hacker

  • #988628
    Greg_M
    Member
    • Total posts: 1,691

    Hmnn … not sure what to do with this one, could be paranoia, possibly coincidence … but I doubt it.

    My signature site was hacked this afternoon at exactly the time I was putting up some posts on FS.

    One of the advantages of using real time app monitoring with Newrelic and server logs with Papertrail, is it gives some pretty fine grained data about who and what hits the site.

    The hack was not a major, and it was my fault for being sloppy in the way I protected the URL’s. I was testing the implementation of an “articles” page and only had one test post sitting “live” … post was deleted, and a couple of new ones created … not automated as far as I can tell … there was mention of the words “testicle” and “boobies” (very original, if somewhat puerile).

    Apart from the fact I have the exact time and what URL’s were accessed, IP addresses and the browser (IE), and all the post data,the country of origin was Aus. which seems to reinforce the possibility of it originating here. The site has only just been indexed and not more than about a week old on this domain.

    What really surprised me is that of the two IP’s that hit the site, one is a South Australian Government IP address … the other masked, and out of Hong Kong but has a poor track record for this stuff.

    So what really peeves me off is that it’s likely someone on a SA government payroll is having a bit of fun on taxpayers money … or am I wrong.

    This stuff is not my area, but is it possible to track and prosecute with this much info?

    Anyway, if the responsible person reads this … cheers for the lesson … I’m back to encrypted, salted and hashed references for passwords.

    Cheers

    #1168159
    help4bis.com
    Member
    • Total posts: 268

    Ok I won’t do it again….

    Just kidding.

    “My signature site was hacked this afternoon at exactly the time I was putting up some posts on FS.”

    I assume you mean with FS being Flying Solo…? Pretty sure that is rubbish, close to the point that I might feel offended by that, being a FS follower.

    You use ECWID as your shop thingy (not going into the discussion about integration or something like that). My best bet is that that is where your starting point might be… shopping carts, payment details etc., that is what the key is.

    “So what really peeves me off is that it’s likely someone on a SA government payroll is having a bit of fun on taxpayers money … or am I wrong.”
    I’d say you are.

    Done a source code view on your site… lots of bootstrapping and CDN, which means that possibly most of your code is not on your server in the first place, so it could come from anywhere…

    Re security… well there is a big CyberCrime course for the cops going on in Spain atm so perhaps they used your site as an example.

    Anyways… good luck finding the culprit. Pretty sure it is not from FS; if it is let me know because I do not want to be part of such a group.

    #1168160
    MatthewKeath
    Member
    • Total posts: 3,184
    help4bis.com, post: 194793 wrote:
    Pretty sure that is rubbish, close to the point that I might feel offended by that being a FS follower.

    I don’t think Greg was actually accusing the community as a whole of conspiring to hack his site, so no reason to get offended.

    Hope you get to the bottom of it, but I’ve learnt to make sure the site is secure and hacker free, and then move on.

    Hackers are the bane of my business…

    #1168161
    help4bis.com
    Member
    • Total posts: 268
    MatthewKeath, post: 194795 wrote:
    I don’t think Greg was actually accusing the community as a whole of conspiring to hack his site, so no reason to get offended.

    Agree, but the people I have interacted with (in my short stay here) are all top notch, nice and honest. There was no mention of a specific person, but FS in general… that includes me.

    I do not know how public this forum is, whether you have to be a member or paying member to be able to see the posts. I do not know; anyway, I think that it is rubbish. I hope he finds the clown.

    #1168162
    Greg_M
    Member
    • Total posts: 1,691

    It doesn’t need to be an FS member, it was not my intention to imply that, but there are lots of people who view the site that aren’t members.

    And given the amount of time and number of posts I’ve put up here, I doubt many would suspect me of inferring it anyway.

    Seemed strange that the source is Aus in the same time frame that I’m posting, especially on a site that’s so new it virtually gets no traffic from anywhere else.

    Ecwid has been turned off for a week or more.

    The only code that’s not on the server is Bootstrap and the associated Javascript CDN.

    Any other caching is Rack middleware.

    There’s no code exposed in the “view”.

    The logs show a South Aus .gov.au IP accessing /POST, /PUT, /DELETE, /NEW repeatedly.

    Usually a hack is an automated bot, or similar looking for low fruit, the nature of the post indicated an individual having some fun …

    Excerpt from the log:

    IP address: 203.1.252.5
    Hostname: httpgate3.sa.gov.au

    Maybe I’m just having a venting session, or I’m missing something obvious.

    Cheers

    PS there’s no doubt it’s my bad not securing it better … whoTF wants to even do this stuff.
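    An added example (not code from the thread) in Ruby, since the site is a Ruby/Sinatra app behind Rack: it parses constructed Rack::CommonLogger-style lines (the format Papertrail would be forwarding), keeps only the write requests against the articles routes, and groups them by source IP into the evidence summary an abuse report to the IP's owner or to a CERT would need. The IPs, timestamps and the `/articles` path prefix are constructed assumptions, not values from the thread.

```ruby
require 'time'

# Constructed sample log in Rack::CommonLogger format (what a Sinatra app emits
# and Papertrail stores). IPs are documentation-range placeholders, not real sources.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [14/Jun/2013:15:02:11 +1000] "GET /articles HTTP/1.1" 200 2048 0.0123
  203.0.113.7 - - [14/Jun/2013:15:02:40 +1000] "GET /articles/new HTTP/1.1" 200 1120 0.0090
  203.0.113.7 - - [14/Jun/2013:15:03:05 +1000] "POST /articles HTTP/1.1" 302 0 0.0410
  203.0.113.7 - - [14/Jun/2013:15:03:30 +1000] "DELETE /articles/1 HTTP/1.1" 302 0 0.0221
  203.0.113.7 - - [14/Jun/2013:15:04:02 +1000] "PUT /articles/2 HTTP/1.1" 302 0 0.0305
  198.51.100.9 - - [14/Jun/2013:15:05:17 +1000] "GET /articles HTTP/1.1" 200 2048 0.0101
  198.51.100.9 - - [14/Jun/2013:15:05:50 +1000] "POST /articles HTTP/1.1" 302 0 0.0398
  this line is deliberately malformed and must be skipped
LOG

# ip, remote user, time, "METHOD path protocol", status (rest of the line ignored)
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

WRITE_METHODS = %w[POST PUT DELETE].freeze

# Returns a hash for one log line, or nil when the line does not parse.
def parse_line(line)
  return nil unless (m = LINE_RE.match(line))
  { ip: m[:ip], time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# State-changing requests under +prefix+, grouped by source IP with the
# count, first/last time, methods and paths seen: the facts an abuse report needs.
def summarise_writes(log, prefix: '/articles')
  entries = log.lines.map { |l| parse_line(l) }.compact
  hits = entries.select { |e| WRITE_METHODS.include?(e[:method]) && e[:path].start_with?(prefix) }
  hits.group_by { |e| e[:ip] }.transform_values do |es|
    times = es.map { |e| e[:time] }
    { count: es.size, first: times.min.iso8601, last: times.max.iso8601,
      methods: es.map { |e| e[:method] }.uniq.sort, paths: es.map { |e| e[:path] }.uniq }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarise_writes(SAMPLE_LOG).each do |ip, s|
    puts "#{ip}: #{s[:count]} write(s) #{s[:first]}..#{s[:last]} #{s[:methods].join('/')} #{s[:paths].join(' ')}"
  end
end
```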

    #1168163
    Peter – FS Administrator
    Member
    • Total posts: 1,889

    Hi Greg, thanks for the note about this, only just spotted it.
    On initial review this does appear to be coincidental, but our techs are reviewing this further so I’ll let you know if we can shed further light on it.
    The local source is unusual for this sort of activity.
    I’ll post further once we have had a deeper review.
    Cheers,
    Peter

    #1168164
    Greg_M
    Member
    • Total posts: 1,691
    FS Administrator, post: 194885 wrote:
    Hi Greg, thanks for the note about this, only just spotted it.
    On initial review this does appear to be coincidental, but our techs are reviewing this further so I’ll let you know if we can shed further light on it.
    The local source is unusual for this sort of activity.
    I’ll post further once we have had a deeper review.
    Cheers,
    Peter

    Thanks Peter,

    My initial post was perhaps badly worded … I was more interested in knowing whether, or how much info is needed to pin down and follow up on this stuff, rather than imply FS contributed in any way.

    It came across (the hack) as a bit of a schoolboy prank, not particularly malicious, just letting me know I’d blown it (and I had) … cheap lesson really.

    Given the nature of it (and the timing was perfectly aligned), plus the site is barely indexed, it did seem likely that someone picked up the link from my signature, but that could be any casual reader with time to play around.

    I don’t think any of it has anything to do with FS itself, and hacks on small sites with no real return are usually automated … this one doesn’t appear to be.

    Done and dusted this end.

    Cheers

    #1168165
    help4bis.com
    Member
    • Total posts: 268

    I am impressed you were on to it so fast as it is :-).

    Had a look at some of the tools you use… might have to look a bit further into that.

    Otway, a nice part of the world, but my goodness can it blow a gale there. Went to the lighthouse. Getting in was ok, getting out… well my daughter (7 at the time) walked out first… one minute she was there, the next she was gone… blown into the railing, LOL.
    Funny now, not then, as it is a bit of a drop down :-).

    #1168166
    Greg_M
    Member
    • Total posts: 1,691
    help4bis.com, post: 194893 wrote:
    I am impressed you were on to it so fast as it is :-).

    Had a look at some of the tools you use… might have to look a bit further into that.

    Otway, a nice part of the world, but my goodness can it blow a gale there. Went to the lighthouse. Getting in was ok, getting out… well my daughter (7 at the time) walked out first… one minute she was there, the next she was gone… blown into the railing, LOL.
    Funny now, not then, as it is a bit of a drop down :-).

    I’m on the inland edge … 20 minutes from Lorne, so not quite as windy; bloody cold and wet though atm.

    Gave up on conventional servers a while back, Heroku and Openshift are all I normally use.

    Newrelic is very impressive for real time monitoring, I can’t do much with it as yet … but it’s actually a free add-on at Heroku and total overkill for this site, but it enables a handy trick shot.

    Heroku gives you one dyno (ram allocation) for zip … the downside is that the site “idles” unless it’s getting traffic and is slow to spin up. I use Newrelic to “ping” the site and stop it idling … yes I’m a chiseller, but the next dyno is $40 per month (not worth it for this site).

    Papertrail is good too … fully searchable logs.

    Have to give Ruby and Sinatra a plug too :)

    Cheers

    #1168167
    Peter – FS Administrator
    Member
    • Total posts: 1,889
    estim8, post: 194888 wrote:
    Thanks Peter,

    My initial post was perhaps badly worded … I was more interested in knowing whether, or how much info is needed to pin down and follow up on this stuff, rather than imply FS contributed in any way.

    It came across (the hack) as a bit of a schoolboy prank, not particularly malicious, just letting me know I’d blown it (and I had) … cheap lesson really.

    Given the nature of it (and the timing was perfectly aligned), plus the site is barely indexed, it did seem likely that someone picked up the link from my signature, but that could be any casual reader with time to play around.

    I don’t think any of it has anything to do with FS itself, and hacks on small sites with no real return are usually automated … this one doesn’t appear to be.

    Done and dusted this end.

    Cheers

    No worries at all, thanks for that (no implication taken) :) It’s always good to check these things. We’ve checked out that IP address further and nothing unusual or malicious has been hitting Flying Solo.

    More generally, and for others reading, we have investigated a couple of spam reports over the years where people claim to be associated with Flying Solo (or other known Australian sites) even though they are not members or associated with these sites.

    What some of these spammers do is trawl popular sites on the internet looking for email addresses or contact details that are posted online and then claim to have some affiliation. As you say perhaps someone found your web address.

    While there is no way for them to access member data in our system, they can scrape content on public web pages.

    To avoid this on Flying Solo and similar forums, rather than publish your email address online you can ask users to send you a Private Message or email via the forum’s messaging system. That way they can send you a message but not access your contact details and you won’t need to disclose your email address publicly.

    If you get any unwanted/spam private messages just hit the ‘report’ link and we can easily identify these members and block them. Alternatively you can link to the contact form on your website.

    Publishing your web link is generally considered ok and a regular part of spreading the word, it’s that balance between making yourself easily accessible to genuine connections and keeping website security tight!

    Thanks again for letting us know and if you spot anything else odd do let us know.

    Cheers,
    Peter

    #1168168
    niknah
    Member
    • Total posts: 20

    You should send the logs and mention what they did to the people who own those IP addresses.

    People use sites/computers that they have access to. Like if they found some way to get access to your site’s shell they could use your site to access other sites. Your IP address will appear on other people’s logs as the hacker.

    #1168169
    Greg_M
    Member
    • Total posts: 1,691
    niknah, post: 194920 wrote:
    You should send the logs and mention what they did to the people who own those IP addresses.

    People use sites/computers that they have access to. Like if they found some way to get access to your site’s shell they could use your site to access other sites. Your IP address will appear on other people’s logs as the hacker.

    One of the reasons I posted was to see if there was a protocol in dealing with this stuff and how difficult it is to act … and is there any point?

    Given the platform it’s on, I don’t know how the shell access stuff could be done.

    Guess anything’s possible if you’re smart enough.

    Cheers

    #1168170
    uwannawat
    Member
    • Total posts: 26

    Try contacting: https://www.cert.gov.au/
    They may be able to help.

    Cheers
    Graham
