About 3:45 this afternoon I got an automatic message that there was a new post on the forum – and it included the text. It was clearly an attack, so I took immediate action to remove both the post and the poster. The irony, of course, is that I review each account before allowing people in – and this poster took the time to complete the information. I had a suspicious feeling, but went ahead and approved the account anyway.
We’ll call that the First Lesson Learned: trust your instincts.
Well, I didn’t get to the board in time, and the hack was successful; we’re currently working now to cordon off the forums and are assessing the damage to the system. However, as we’re walking through the server, we’re noticing several mistakes that I/we have made in hardening our server.
So I have confirmed that even the slightest mistake or oversight allows an attacker with time and patience the opportunity to strike. I’m flattered that someone thought the work we are doing to be worth investing the time to manually subscribe to the board, pose as a legitimate user and then execute an attack against our forum software.
So what now?
Well, we’re completing our damage assessment. To be honest, we have no clue if anyone has direct access to the server or if this was an attack on the software only. Clearly, we’ll take the forums down for a few days. It’s upsetting since we were just picking up speed; during that time, we’ll be assessing the situation and determining if we continue with the Invision software or move to a different platform. Ideas, comments and suggestions are certainly welcome.
To be on the safe side, we consider the current server to be a total loss. We do make regular backups and will be securing and transitioning to a different server over the coming days… and maybe a bit longer. As usual, this never happens at a “good” time, but it points out that even security people are vulnerable. And the depth of information required to be good across the board is deeper than an inch 😉
So, I’ll take notes on our actions and lessons learned and share them with you. I may wait a bit, document it, reflect on it, and then package it up to share. In the meantime, I have learned that nobody is perfect and now it’s time to learn some new aspects of server hardening.