September 27, 2007

Open Door Found; Closed
The problem wasn't in Movable Type at all; it was in phpBB, as in the old forums. A combination of a hole in phpBB, the design of Movable Type, and an oversight on my part allowed the hackers to deface your pages.

I've shut down the forums. Completely. I've had too many problems with phpBB 2, and version 3 still isn't out. phpBB can be kept reasonably secure if you attend to it regularly, but I have too many things to look after to worry about something with as bad a history as this.

The hackers managed to run some other scripts as well as the one that defaced your blogs. They never had administrator access, but it's possible they made a mess in some places I haven't found yet, so I get to spend the next day or three crawling all over the system and zapping anything that looks suspicious. This *has* to be done before we can move to the new server, so I might have to put that off for another week.

Fortunately, none of this affects Minx, which is on completely separate dedicated servers, and isn't affected by the same sort of security loophole. (Which is not to claim that it's immune to attack, but it's immune to that attack.)
At least now I know what it was, and I can close the door on it. Apologies to everyone affected, particularly George Roper, who ended up (not that this was my intention) almost acting as bait so that the attackers would come back and I could catch them in the act.

Posted by Pixy Misa at September 27, 2007 07:49 AM

Yeah, well GM LOOKS like bait, so there you have it... ;)

Thanks for all the hard work, Pixy!

Posted by Ogre at September 27, 2007 12:57 PM

So, GM plays a honeypot online. *grin*

Glad you found the problem - if you don't find it, you can't fix it.

Posted by Teresa at September 27, 2007 02:40 PM

Ogre only thinks I look like bait 'cause he is so damn ugly that bait looks good by comparison.

Pixy, everyone in Munuviana needs to know of the excellent backup you provided during the hacks on my site. You were most amazing. If I can ever be "bait" again, just let me know. ;)

Posted by GM Roper at September 28, 2007 12:24 PM
