
THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Thu Apr 20, 2017 6:08 am
by rdearman
Sadly I must say the server on which this forum is hosted was hacked. The hackers installed a password harvesting kit. This is a program which sits alongside the normal service but passes password information back to the hackers.

YOU SHOULD CONSIDER YOUR PASSWORD HERE TO BE COMPROMISED.

If you have used your password here on any other place, please go to those other places and change your password. Do not change your password here! If you change your password on the forum before it is uninfected you'll compromise your new password. There are a number of steps to be taken in order to get the forum back to a working and uninfected state. But our primary concern is your security.

In order to disinfect the forum, we'll be moving it to a new dedicated host environment and re-installing the software from scratch from an uninfected source. We'll change all administration passwords, and then we'll change all user passwords to a random string. After this is done, you'll be able to use the forgotten password option to change your password back to something of your choosing.

Over the course of the next few days the site will change to "read only" mode, and then after it has been moved and repaired, your login will fail (most likely) and you'll have to use the change password option.

We apologise for the problems, but please, please, please take this opportunity to change any password on other sites where you've used the same one as here. Security experts recommend changing passwords regularly, so even if you've had a unique password for this site you might want to rotate passwords.

Re: THE FORUM HAS BEEN HACKED - PLEASE READ CAREFULLY

Posted: Thu Apr 20, 2017 9:49 am
by alexkelbo
Thanks for the warning. Maybe also send out an email to all forum members, as many don't read the forum regularly.

Re: THE FORUM HAS BEEN HACKED - PLEASE READ CAREFULLY

Posted: Thu Apr 20, 2017 10:37 am
by Ingaræð
Thanks for the warning!

Stupid question: I'm assuming they have usernames (as part of the login data), but did they also get email addresses?

We're back online!

Posted: Thu Apr 20, 2017 10:42 pm
by emk
rdearman and I literally worked in shifts all last night to get the forum back online. But we're back!

So here's what you need to know:

  1. rdearman thinks that the attacker got in through an older copy of WordPress that was running on the same server.
  2. The forum has been moved to a brand new server, and the forum's code has been restored from the clean master copy that we make available on GitHub. This means that password stealing code on the old, shared server is no longer present. And there's no WordPress anywhere on the new server, either.
  3. Please change your forum password, and change it on any other sites that used the same password as well.
  4. The new server should have substantially better performance and far fewer database errors.
There are a lot of technical improvements under the hood; rdearman and I have been discussing this migration for quite a while now. We'll talk more about this soon. But it should be much easier to update and maintain the site, and to add new services. On the downside, the new setup costs a bit more—I don't have exact numbers yet, but I'd guess between US$35 and $50/month. If folks want to chip in, we'll figure out the details of that later. We're happy covering the costs for now.

Anyway, I've been working hard to get the site back up, and I need to go and do other stuff for a bit. But please change those passwords. And I'll try to answer questions later this evening for a bit.

Thank you very much for your patience, and our apologies for this incident.

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Thu Apr 20, 2017 11:13 pm
by Carmody
I believe that emk and rdearman are incredible!

I still think there should be a way to pay you folks for your incredible efforts!

Thank you; thank you.

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Fri Apr 21, 2017 1:15 am
by aokoye
rdearman wrote:In order to disinfect the forum, we'll be moving it to a new dedicated host environment and re-installing the software from scratch from an uninfected source. We'll change all administration passwords, and then we'll change all user passwords to a random string. After this is done, you'll be able to use the forgotten password option to change your password back to something of your choosing.

Well done on your and emk's efforts. That said I just wanted to report that users' passwords didn't get changed to a random string. I was able to log in with my old password. Using the forgotten password function when logging in doesn't work - or it didn't work for me as of 6:10pm PST.

Having previously worked (interned) for a software company that has hundreds of millions of users, I really do appreciate all of the work that you both have done, I just wanted to let you know of the potential bug (or pseudo-bug).

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Fri Apr 21, 2017 1:25 am
by emk
aokoye wrote:Well done on your and emk's efforts. That said I just wanted to report that users' passwords didn't get changed to a random string. I was able to log in with my old password. Using the forgotten password function when logging in doesn't work - or it didn't work for me as of 6:10pm PST.

Thank you for letting us know that password reset is broken! We haven't expired or randomized the existing passwords yet, partly because we haven't had time, and partly because we want to test that the reset process works. We'll also need some way for people to contact the mods if their email address has changed.

In the meantime, until we figure out phpBB's primitive password options, we strongly encourage people to change their own passwords. I'll try to find time to write up some instructions with screen shots.

Also, we now have completely automatic daily database snapshots.

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Fri Apr 21, 2017 6:29 am
by rdearman
To change your password, you should be able to do:

User Control Panel -> Profile -> Edit Account Settings -> Change password.

EDIT: I don't believe they took your email address. I've read up on the malware/password harvester program and it is directed at getting administration passwords and server rights. But it certainly served as a warning to me not to use the same password on different websites. So in addition to the stuff emk and I were doing, I was going through all the sites I normally visit and putting in a new, unique password.

Also, just on a side note, shouldn't be any of those stupid SQL-Error messages any more. :)

EDIT by emk (abusing my admin powers): If you somehow get locked out during the password change, please see this page and use the information there to contact me.

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Fri Apr 21, 2017 6:39 am
by rdearman
One other thing:

The Super Challenge bot has been disabled because we've moved the forum to a new server, but haven't yet moved the SC bot. However, the bot is designed to pick up any messages which it has missed when it is turned back on. So you can keep recording your progress and we'll get that moved as soon as possible.

Re: THE FORUM HAS BEEN HACKED (AND FIXED, AND MOVED TO A NEW SERVER) - PLEASE READ CAREFULLY

Posted: Fri Apr 21, 2017 7:52 am
by Elenia
Thank you both so much!