Archive for myfreeforum.org

       myfreeforum.org Forum Index -> What's new? Announcements!
admin (no pm's please)

Slarti going down for emergency maintenance.

Quote:

After some extensive forensics and emergency development, it appears that your server has been compromised with a loadable kernel module that has altered some important system binaries. Because of this, we need to take the server down into rescue mode to reinstall the affected software from a known good location (the original media). At this time, we are relatively certain that a recently released operating system vulnerability resulted in the initial intrusion. We are still examining the code found elsewhere, but have yet to determine the vector.


Looks like we got unlucky; this would have been out of our control.
thehrforum2

I realize that you have no crystal ball, but given history (hindsight) what's a rough estimate or guesstimate regarding access? Currently the message states- Cannot find server.

I have the patience of a saint, but the members of the forum aren't as understanding. Any input is useful and I appreciate all efforts involved to remedy the situation. As you mentioned, some things are beyond our control.

Thank you,

M

www.thehrforum2.myfreeforum.org
fish

So was this a virus attack on MFF as a whole?
admin (no pm's please)

Not a virus, and not against the forums as such.

This looks like a server being compromised at the operating system level by hackers.

Operating system exploits are rare, but can happen if an exploit gets known before a fix is in place.

On a positive note, the system is now believed to be restored.

This may not be a good time to wave myff flags, but I will say that we pay good money for server level support, both to prevent this kind of thing occurring and to be able to recover if it does.
admin (no pm's please)

Looks like things are back live.
thehrforum2

Admin- permit me to wave the mff flag!

As a newbie, and not a techie at that, I have nothing but high opinions/comments of this establishment and the people behind it.

Thank you to you and your team!

M

www.thehrforum2.myfreeforum.org
admin (no pm's please)

Quote:

Unfortunately, we know little more about it. We have performed some examination of the trojaned binaries but it has not revealed much. They are packed, statically compiled binaries, so analysis using strings is not particularly useful. strace also does not reveal much, and ptrace does not work at all. libbfd does not recognize it, so gdb will not load it. objdump works if the data and header orders are forced, but the low-level output is not very informative. Thus, we are left with the unsatisfying answer of an LKM of unknown origin.

The vector of the attack is also not known precisely, but the profiles of the compromised servers thus far indicate that the vector is through an exploit in an outdated system package: The less likely the server has been completely updated recently, the more likely it was to have been compromised. We have not yet detected any malicious activity from the compromised servers, which suggests that the attackers were simply amassing zombies to create or add to an attack network.


Note this seems to be about many servers not just us.
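
A triage sketch for the traits the quoted analysis describes (static linking, an unusable section table, packed contents), added here as an example and not part of the thread or the hosting provider's tooling. The ELF images are constructed inline, and the 7.0 bits-per-byte threshold and all function names are assumptions.

```python
import hashlib, math, struct
from collections import Counter

PT_DYNAMIC, PT_INTERP = 2, 3
PACKED_ENTROPY = 7.0  # assumed heuristic threshold, bits per byte

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_elf(blob):
    """Summarise why strings/gdb/objdump may say little about a 64-bit LE ELF."""
    if len(blob) < 64 or blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_phoff, e_shoff = struct.unpack_from("<QQ", blob, 0x20)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", blob, 0x36)
    types = [struct.unpack_from("<I", blob, e_phoff + i * phentsize)[0]
             for i in range(phnum)]
    h = entropy(blob)
    return {
        # No interpreter and no dynamic segment: statically linked
        "static": PT_INTERP not in types and PT_DYNAMIC not in types,
        # A missing or out-of-range section table commonly trips section-based tools
        "section_table_ok": shnum > 0 and e_shoff + shnum * shentsize <= len(blob),
        "entropy": round(h, 2),
        # Compressed or encrypted bodies leave few printable runs for strings
        "likely_packed": h > PACKED_ENTROPY,
    }

def make_elf(ph_types, payload, shnum=0):
    """Build a constructed, non-runnable ELF64 image for the demo."""
    phnum = len(ph_types)
    shoff = 64 + 56 * phnum + len(payload) if shnum else 0
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, shoff, 0,
                              64, 56, phnum, 64, shnum, 0)
    phdrs = b"".join(struct.pack("<II6Q", t, 0, 0, 0, 0, 0, 0, 0) for t in ph_types)
    return hdr + phdrs + payload + bytes(64 * shnum)

# Constructed samples: pseudo-random body with no section table vs. plain text body
PACKED = make_elf([1], b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
NORMAL = make_elf([6, 3, 1, 2], b"usage: ls [OPTION]... [FILE]...\n" * 128, shnum=4)

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("normal", NORMAL)):
        print(name, triage_elf(blob))
```

On a real host this kind of check only means something when run from rescue media, since a kernel-level compromise can alter what the running system reports about its own files.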
wildgarlic

Thanks - as always any problems are handled swiftly and efficiently by admin and the team (not like some other free forum providers that I could mention!). I am always happy to wave the myff flag and have recommended other people to come and use myff in preference to other forums for the reasons I just stated.
Daniel(u1bd2005)

Admin, I haven't noticed my forum go down at all recently, and haven't had any reports of it going down by my members.

Does this mean that I am on a different server?
And if so is it possible to find out which server I am on (just wondering)?

http://the4aces.myfreeforum.org
admin (no pm's please)

You are on Zaphod.

http://forumaddress/blurb.html

shows the server name at the top as a rule.
Daniel(u1bd2005)

admin (no pm's please) wrote:
You are on Zaphod.

http://forumaddress/blurb.html

shows the server name at the top as a rule.


I tried typing http://the4aces.myfreeforum.org/blurb.html but it just shows the missing/suspended page and I can't see any mention of Zaphod or any server at the top of that page?
Sukisue

^ Yeah, I got the same.
CodyT07

Because of this, did the server change its location? E.g. I see it in Connecticut now. While the others it doesn't say.
admin (no pm's please)

The server is halted again to try and get this sorted.
Daniel(u1bd2005)

Is the cause of this known yet? And if it's still unknown, does that mean that there's a risk it could happen to the other servers too?
admin (no pm's please)

Still unknown
admin (no pm's please)

Current status is an insistence that the new security will prevent a reoccurrence, but investigations are still proceeding.

Doesn't exactly satisfy me, but as I have said it can be pretty stupid to disclose any exploit details until everyone is 110% sure that the information could not be abused.
