Explanation of Recent Downtime
9/20/14 - 4:20AM - 3 years ago
Posted by: sam_here (VIP, 553 Posts, 57 Reputations)
Edit: the video explaining the situation:


tl;dr: Divine's server account was compromised.

We were hacked.

Earlier today I was browsing Merchz when I noticed a new admin, one that I was unaware had been promoted. Since I was never told about a new admin, I started to investigate with 30 minutes until class. I quickly demoted said user and disabled all Admin and Mod access across the site. While doing some checks on some of the files I noticed that there was a plaintext logger installed on the login method. This means that some logs were sent in plaintext to a logging file which the hacker could access. I quickly deleted the code in question and the logging file after documenting some data. Realizing that the file was uploaded under Divine's server access account, I quickly realized this was bigger than a flaw on the site. With only a few minutes left until class and with Snow not responding to my texts, I decided it would be best to disable the site and shut off the server until I was able to get back.

When I got back an hour later, Snow was too. I then started to pre-type all the commands I'd run for when I turned the server back on, in case the hacker was waiting for it to come back on. When I got in I disabled access to both Snow's and Divine's server accounts and ran a few other commands to see if any other files had been edited to install some sort of back door. I did find one and removed it swiftly, all with the web service still offline. After running through some access logs I also noticed someone trying to bruteforce our server accounts. We do indeed have limits in place to protect against instant access to the root account and others. Whether this bruteforce attack and the recent hacking are related we don't know.

--

It stinks that this has to happen to Merchz but over the course of a few weeks we'll be rolling out more secure additions to Merchz user interface as well as our side. We'll continue to monitor our systems closely and add things to notify us faster.

One of the reasons Divine had access to the server, although he doesn't program, is that he had to change a variable every week or two. That will now be moved to the site so it can be changed there instead of in the code.

Effective immediately Divine is banned until we can confirm that his computer is secure. Snow and I do not believe it was Divine who did this, but we're keeping a distance until we can find out what happened on Divine's end. He is just coming home from vacation which means it may take a bit.

All users who we believe were directly logged will be notified soon and should change their password immediately. The database was dumped, which means all usernames, emails, passwords, and IPs were stolen. NO PASSWORD IS STORED IN PLAINTEXT, THEY'RE ALL ENCRYPTED.

Rough Timeline (EST):
September 18th 8:09PM - Hacker makes Merchz account
September 19th 11:00AM - Hacker keeps logging in and out of Sam's server account, running various commands.
Unknown - Hacker installs a logger into login page
September 19th 12:30PM - I remove the logger from the login page
September 19th 12:50PM - I turn off the Merchz server
September 19th 1:30PM - I turn on the Merchz server and disable Sam's access
September 19th 4:00PM - Everything is found out, including the source, and it's closed.
September 20th 3:00PM - Two factor authentication is mandatory for all server access.
September 20th 3:30PM - Further restrictions and monitoring is added.
September 21st 1:05AM - Admins obtain permissions with limited scope.
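The two checks the post describes, looking for files that were edited or dropped to install a back door and spotting brute-force attempts in the access logs, are worth scripting before an incident rather than improvising during one. The script below is an added example, not code from Merchz or from anyone in this thread. It records a SHA-256 baseline of a web root, reports files that changed, vanished or appeared since the baseline, and counts "Failed password" entries per source IP in OpenSSH-style log lines. All paths, file contents and log lines are constructed for the demo; the log format is assumed to be OpenSSH's.

```shell
#!/bin/sh
# Added example, not code from Merchz or from this thread. It scripts the two
# checks described in the post: spotting web files that changed or appeared
# since a known-good baseline, and counting failed logins per source IP.
# Every path and log line below is constructed for the demo.
set -eu

# Portable SHA-256 of one file (coreutils sha256sum, else shasum).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_baseline <webroot> <manifest>: record "<sha256> <relative path>" for every
# file. Build it from a known-good tree and keep the manifest off the web server.
make_baseline() {
  root=$1; manifest=$2
  : > "$manifest"
  ( cd "$root" && find . -type f | sort ) | while read -r rel; do
    printf '%s %s\n' "$(hash_file "$root/$rel")" "$rel" >> "$manifest"
  done
}

# check_baseline <webroot> <manifest>: one finding per line.
#   MODIFIED <path>  content differs from baseline (e.g. code spliced into a login handler)
#   MISSING  <path>  baseline file is gone
#   ADDED    <path>  file not in the baseline (e.g. an unexpected new script)
check_baseline() {
  root=$1; manifest=$2
  while read -r h rel; do
    if [ ! -f "$root/$rel" ]; then
      printf 'MISSING %s\n' "$rel"
    elif [ "$(hash_file "$root/$rel")" != "$h" ]; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done < "$manifest"
  ( cd "$root" && find . -type f | sort ) | while read -r rel; do
    awk -v r="$rel" '$2 == r { found = 1 } END { exit !found }' "$manifest" \
      || printf 'ADDED %s\n' "$rel"
  done
}

# failed_logins_over <authlog> <threshold>: source IPs with at least <threshold>
# "Failed password" entries (OpenSSH log format assumed), printed as "<ip> <count>".
failed_logins_over() {
  awk -v t="$2" '
    /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
    END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }
  ' "$1" | sort
}

# Demo on a throwaway directory: baseline a tiny site, alter it, then check.
demo() {
  work=$(mktemp -d)
  mkdir "$work/site"
  printf '<?php // login handler\n' > "$work/site/login.php"
  printf '<?php // register handler\n' > "$work/site/register.php"
  make_baseline "$work/site" "$work/manifest"
  printf '<?php // login handler, altered after the baseline\n' > "$work/site/login.php"
  printf '<?php // file that was not in the baseline\n' > "$work/site/extra.php"
  echo "integrity findings:"
  check_baseline "$work/site" "$work/manifest"
  # Constructed sshd lines: three failures from one address, one from another.
  cat > "$work/auth.log" <<'EOF'
Sep 19 11:00:01 web sshd[410]: Failed password for invalid user admin from 203.0.113.7 port 50000 ssh2
Sep 19 11:00:02 web sshd[410]: Failed password for root from 203.0.113.7 port 50001 ssh2
Sep 19 11:00:03 web sshd[410]: Failed password for sam from 203.0.113.7 port 50002 ssh2
Sep 19 11:05:00 web sshd[412]: Accepted publickey for sam from 198.51.100.4 port 40000 ssh2
Sep 19 11:06:00 web sshd[413]: Failed password for sam from 198.51.100.4 port 40001 ssh2
EOF
  echo "addresses with 3 or more failed logins:"
  failed_logins_over "$work/auth.log" 3
  rm -rf "$work"
}

demo
```

The baseline only helps if the manifest was taken from a tree you trust and is stored where the web server account cannot rewrite it; a compromised account that can edit login.php can just as easily edit a manifest sitting next to it.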
#2947 9/20/14 - 6:18PM - 3 years ago
Posted by: Genocyber (VIP, 6 Posts, 79 Reputations, Joined: 11/14/13)
O_o
#2948 9/20/14 - 7:41PM - 3 years ago
Posted by: Temp (Member, 3 Posts, 0 Reputation, Joined: 6/29/14)
"We were hacked."

ikr
#2949 9/20/14 - 9:06PM - 3 years ago
Posted by: BulletSoul (Member, 8 Posts, 1 Reputation, Joined: 3/8/14)
This is why I keep separate passwords for every site with last pass. Hope everything gets worked out.
#2951 9/21/14 - 5:11AM - 3 years ago - Last Edit: 9/21/14 - 5:13AM
Posted by: sam_here (VIP, 553 Posts, 57 Reputations)
Just a quick note: we've finished up the final server additions today, adding two-step authentication in order to even log in. Two-step authentication will then be rolled out on the site through Admins/Mod(s) first, then as an optional toggle for any other user.

We've put out a lot of back end stuff to monitor and detect any malicious behavior.
#2952 9/21/14 - 11:40AM - 3 years ago
Posted by: Temp (Member, 3 Posts, 0 Reputation, Joined: 6/29/14)
lol.
#2953 9/21/14 - 7:01PM - 3 years ago
Posted by: Snow (Administrator, 589 Posts, 22 Reputations)
lol.
Temp on 9/21/14 - 11:40AM


I am not finding the humor.
-Founder of Merchz
#2956 9/22/14 - 7:59PM - 3 years ago
Posted by: Charm (VIP, 2 Posts, 0 Reputation, Joined: 1/28/13)
Mmmmm...so that's why Divine hasn't been responding to my messages
#2957 9/22/14 - 9:46PM - 3 years ago
Posted by: PandaForce (Member, 34 Posts, 35 Reputations, Joined: 6/2/14, Rsn: PandaForce)
Thank you for the detailed update, great to hear it's been mostly sorted out. The best of luck to you in solving this entirely, and thank you for your service.
#2958 9/23/14 - 1:22AM - 3 years ago
Posted by: Foraiel (Member, 3 Posts, 6 Reputations, Joined: 11/6/13, Rsn: Foraiel)
Really sorry to hear that this happened. Thank you for taking the time to not only further secure the site and information on it, but go to such lengths to explain what is going on to us. If anything this gives me a bit more trust in you guys because of the efforts you are displaying through this process.
#2959 9/23/14 - 1:26AM - 3 years ago
Posted by: ImpPateint (VIP, 11 Posts, 9 Reputations, Joined: 4/23/13, Rsn: Imp Pateint)
Any risk to RS accounts?
#2960 9/23/14 - 2:49AM - 3 years ago
Posted by: sam_here (VIP, 553 Posts, 57 Reputations)
Any risk to RS accounts?
Yes, since they got the password dump and emails. I'd suggest using the authenticator for your Runescape account and two-factor authentication for your email. If you don't already, change your Runescape password every month or two regardless.
#2961 9/23/14 - 4:17AM - 3 years ago - Last Edit: 9/23/14 - 4:18AM
Posted by: Snow (Administrator, 589 Posts, 22 Reputations)
Any risk to RS accounts?
Yes, since they got the password dump and emails. I'd suggest using the authenticator for your Runescape account and two-factor authentication for your email. If you don't already, change your Runescape password every month or two regardless.

Just to clarify, they got a dump of hashed passwords. It's unlikely that they get anywhere with them, but that's of course still possible.

There were a small handful of accounts that were actually logged in plaintext, since they logged in during the time and the hacker created a log file of what they typed into the login box. If you're one of those people, then you've already been notified.

Mmmmm...so that's why Divine hasn't been responding to my messages
Charm on 9/22/14 - 7:59PM


He was also on vacation for the last week.
-Founder of Merchz
#2963 9/23/14 - 11:29PM - 3 years ago - Last Edit: 9/23/14 - 11:36PM
Posted by: Divine (Administrator, 1131 Posts, 590 Reputations, Joined: 6/28/12, Rsn: Divine Ploow)
I'm back guys.

Again, I'm really sorry this happened. Thank you to those who have shown support to us, it means really a lot considering what has happened.

Here is the video I made yesterday in which I explain the situation, for those who haven't seen it yet:

#2965 9/24/14 - 4:03PM - 3 years ago
Posted by: Rufoo (Member, 23 Posts, 1 Reputation, Joined: 7/14/14)
All the best with restoring things and such after this happening. I assume I'm not in any danger zone because I haven't had any message about it.
#2966 9/24/14 - 4:55PM - 3 years ago
Posted by: sam_here (VIP, 553 Posts, 57 Reputations)
All the best with restoring things and such after this happening. I assume I'm not in any danger zone because I haven't had any message about it.
Rufoo on 9/24/14 - 4:03PM
Still they've retrieved your hashed password, email, and other things so I'd recommend changing and securing other accounts just in case.
#2968 9/24/14 - 11:13PM - 3 years ago
Posted by: Rufoo (Member, 23 Posts, 1 Reputation, Joined: 7/14/14)
Still they've retrieved your hashed password, email, and other things so I'd recommend changing and securing other accounts just in case.
No Don't worry i'm safe I believe in you
#2970 9/25/14 - 5:26AM - 3 years ago
Posted by: Rufoo (Member, 23 Posts, 1 Reputation, Joined: 7/14/14)
No Don't worry i'm safe I believe in you
Rufoo on 9/24/14 - 11:13PM
I did NOT write this. Changed my password immediately after. Also it seems I am unable to log in on my RS accounts even though they all have a different password than on this forum. Which looks weird to me.
#2972 9/25/14 - 1:02PM - 3 years ago
Posted by: BulletSoul (Member, 8 Posts, 1 Reputation, Joined: 3/8/14)
I did NOT write this. Changed my password immediately after. Also it seems I am unable to log in on my RS accounts even though they all have a different password than on this forum. Which looks weird to me.
Rufoo on 9/25/14 - 5:26AM
Make sure you secure your email account. With that, if it's shared with your RS accounts, he has an all-access pass.
#2973 9/25/14 - 1:57PM - 3 years ago
Posted by: Snow (Administrator, 589 Posts, 22 Reputations)
I did NOT write this. Changed my password immediately after. Also it seems I am unable to log in on my RS accounts even though they all have a different password than on this forum. Which looks weird to me.
Rufoo on 9/25/14 - 5:26AM


Definitely look into your email account. Divine had someone attempt to hack his account as well, which resulted in a lock to his account until he could get it unlocked. Very annoying.

Thanks for posting that it wasn't you.
-Founder of Merchz
#2974 9/25/14 - 2:47PM - 3 years ago
Posted by: Rufoo (Member, 23 Posts, 1 Reputation, Joined: 7/14/14)
Definitely look into your email account. Divine had someone attempt to hack his account as well, which resulted in a lock to his account until he could get it unlocked. Very annoying.

Thanks for posting that it wasn't you.
Snow on 9/25/14 - 1:57PM
Thanks. Everything seems to be secure by now. Changed all passwords and added extra security on all of them. Will check what a mess is made on my RS accounts now.
#2978 9/26/14 - 4:41AM - 3 years ago
Posted by: GhostMerching (VIP, 18 Posts, 5 Reputations, Joined: 11/19/12)
Thanks for the updates and transparency, guys. This is probably a good reminder for people to make sure they use different passwords for sites like this and for Runescape. If all goes belly-up at least your game account is still safe.
#2979 9/27/14 - 7:11AM - 2 years ago - Last Edit: 9/27/14 - 7:17AM
Posted by: sam_here (VIP, 553 Posts, 57 Reputations)
After reading further into file permissions (basically chmod) we've now locked the database file, login, and register page. To read the database file you must be a sudo user on our server (only Snow and I), which means you must pass a two-factor authentication login sequence along with a password (similar to Runescape with the authenticator). Login and register pages are read-only unless, again, you're Snow or me. This may sound a bit confusing but it's what should have been done over two years ago.

We're currently looking to give the login system a facelift and make it easier to use in the very near future. With this update we'll be doing a simple design with more features. Mailing will be instant, the recovery system will have a username OR email option, register captchas will be updated, and we'll possibly be looking into making passwords even more secure with a possible option to make your own encryption. Do note that passwords are still safe and we're NOT switching to a different system because they are "insecure" but rather to give users peace of mind.
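The lockdown sam describes (database file readable only by the sudo accounts, login and register pages read-only for everyone else) is ordinary Unix file permissions, and the useful part is verifying afterwards that the bits are what you think they are. The script below is an added example, not Merchz's own code: it applies modes to stand-in files, exposes small checks for "others have no access" and "nobody but the owner can write", and runs an audit over a list of expected permission strings that could sit in a cron job and mail the output. The file names, modes and the owner-only model are assumptions; on a real host you would also set the owner and group to match how the web server reads the files.

```shell
#!/bin/sh
# Added example, not Merchz code: apply the kind of file-permission lockdown the
# post describes (data file readable by its owner only, request handlers read-only
# for everyone else) and verify it. Paths are constructed; adjust owner and mode
# to your own deployment.
set -eu

# Permission string exactly as ls prints it, e.g. "-rw-r--r--" (works on GNU and BSD ls).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# lock_down <path> <octal mode>: apply the mode and echo the resulting string.
lock_down() {
  chmod "$2" "$1"
  mode_of "$1"
}

# others_locked_out <path>: true when "other" has no read, write or execute bit.
others_locked_out() {
  case "$(mode_of "$1")" in
    *---) return 0 ;;
    *)    return 1 ;;
  esac
}

# not_group_or_world_writable <path>: true when neither group nor other can write.
# Positions in the ls string: 1 type, 2-4 owner, 5-7 group, 8-10 other.
not_group_or_world_writable() {
  case "$(mode_of "$1")" in
    ?????w*|????????w?) return 1 ;;
    *) return 0 ;;
  esac
}

# audit: read "<path> <expected mode string>" pairs on stdin, print OK/FAIL per
# line, and return non-zero if anything deviates, so a scheduled run can alert.
audit() {
  status=0
  while read -r path expected; do
    actual=$(mode_of "$path")
    if [ "$actual" = "$expected" ]; then
      printf 'OK   %s %s\n' "$path" "$actual"
    else
      printf 'FAIL %s %s (expected %s)\n' "$path" "$actual" "$expected"
      status=1
    fi
  done
  return "$status"
}

# Demo on throwaway files standing in for a site's data file and handlers.
demo() {
  w=$(mktemp -d)
  touch "$w/db.sqlite" "$w/login.php" "$w/register.php"
  lock_down "$w/db.sqlite" 600 >/dev/null     # owner only: no other account can read it
  lock_down "$w/login.php" 644 >/dev/null     # readable so the web server can serve it,
  lock_down "$w/register.php" 644 >/dev/null  # but only the owner can change it
  audit <<EOF
$w/db.sqlite -rw-------
$w/login.php -rw-r--r--
$w/register.php -rw-r--r--
EOF
  rm -rf "$w"
}

demo
```

A mode of 600 on the database file only keeps other Unix accounts out; the web application itself still reads the file as whatever user it runs under, so the useful question for the audit is whether that user is the owner, and whether anything else on the box shares it.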
#2980 9/27/14 - 3:44PM - 2 years ago
Posted by: Panda (VIP, 6 Posts, 5 Reputations, Joined: 10/16/13)
I was hacked when the 1st hack happened back in like January (along with my RS account)... Though I have been VERY inactive here, I do indeed still have a large amount of trust placed in you developers. If you guys were that bad of people, when people pay the $50 or the 150m in-game gold, you all could've easily just taken those and not given anyone their VIP memberships. At least that is how I see it, because I paid the 150m gold (which yes is obviously a trust trade) and I got my access, and still have it. You guys work hard to help ALL of us, when you don't have to. You do this because you WANT to, and I can't speak for everyone, but I for one am VERY THANKFUL and GRATEFUL for you guys taking so much time and effort to do what you do for us. Even though I am inactive for now, I will indeed be using MerchZ for a very long time still.

I thank each and every one of you that have made MerchZ possible over these past 2 years or so. (Even though I've only been here for maybe 1 or so) lol. Thanks guys. Also, Sam, I wish you the best and everything in making sure everything on your end is secure. I hope you will be letting us know when everything is all said and done that you and your belongings are okay and your PC and whatnot is all safe.

Thank you to all and best of luck in the future! Thanks for EVERYTHING. I won't let ANY of this decrease my trust in you. Hackers are literally "everywhere" and damn near inevitable. I am thankful there's only been what? 2 attacks since I've joined? IMO that is quite good for 2 years given today's community and their malevolent ways. So many people are dishonest these days. It's good to see a group of people like you who aren't. To me that says (and means) a lot.

Thank you.
#2981 9/27/14 - 5:58PM - 2 years ago
Posted by: Divine (Administrator, 1131 Posts, 590 Reputations, Joined: 6/28/12, Rsn: Divine Ploow)
Thank you.
Panda on 9/27/14 - 3:44PM


Hey Panda

Thanks for the very nice post, we'll continue to do our best.
Like I said in the video, stuff on my end is fine, it's other people who didn't add extra protection to their accounts I'm concerned about now.

We try to look at the bright side, which is that we'll be more secure than before now.
Of course we're still sad this happened, but trying to look at the bright side of things helps you a lot more in life than focusing on the negative.
#2984 9/29/14 - 12:14AM - 2 years ago
Posted by: Panda (VIP, 6 Posts, 5 Reputations, Joined: 10/16/13)
I couldn't agree more