Downtime and Scam Mails

Flash
Site Admin
Posts: 1255
Joined: February 2014
Favorite Class: Cleric
Server: [EU] Fedimian
Gender: None specified

Downtime and Scam Mails

Post by Flash » October 11th, 2015, 2:24 am

Hello,

Maybe you received a scam mail from "flash@tosbase.com" sent by this forum software or noticed that TOSBase was down for several hours. This was because our server got attacked and the attacker managed to get access to the database. This access was used to log into the forum with my admin account and send out mails with a link to a phishing site. Afterwards all TOSBase data that the attacker had access to was deleted on the server. Some data that was related to our translation project wasn't deleted but got a note added "didntwanttotouchthis" which lets us believe that this was a direct attack against TOSBase and not just a usual spammer.
For the last 14 hours we were working on the server to bring as much back online as possible. Unfortunately our last backup of the forum was on September 14th so everything between then and now that was done in this forum is lost.
I know some people think "How can this happen?" and "Learn how to set up a server!". Even though I agree that something like this should never happen I would like to remind everyone that this is not a professional website I earn money with but simply a fan project I work on during my free time for nearly two years now. I never expected that someone would really try to attack our site as I can't see any benefit in doing so.
I think our server actually wasn't that badly protected and the attackers failed to get full direct access; however, only one little exploit in one of many scripts can be enough to cause pretty big damage in the worst case. It's one thing to defend yourself against random bot net attacks or a user who really tries to attack a certain site. Even big companies have to face this problem from time to time.
The attackers apparently were able to execute code on our server without having to log into it which allowed them to cause a mess in our webserver environment. During the last hours we did our best to increase the security. We reinstalled the whole system and added additional filters and other protections.

As the attacker had access to our database it is possible that he copied our user table that includes your mails and passwords. Even though phpBB stores passwords only hashed ("encrypted") we still recommend you to change your password if you want to be safe.

We are sorry for the problems this might have caused you.

Best regards,

The TOSBase Team

Mupy
Newcomer
Posts: 3
Joined: September 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by Mupy » October 11th, 2015, 3:54 am

unfortunately, there are sons of bitches in the world.

Lobo
Beginner
Posts: 14
Joined: August 2015
Gender: Male

Re: Downtime and Scam Mails

Post by Lobo » October 11th, 2015, 4:21 am

well i thank you for creating the site
it's the most informative tos site

Regar
Beginner
Posts: 10
Joined: September 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by Regar » October 11th, 2015, 9:30 am

Has the exploit that made this possible been fixed :?:

Gardosen
Site Admin
Posts: 172
Joined: February 2014
Favorite Class: Doppelsöldner
Gender: Male

Re: Downtime and Scam Mails

Post by Gardosen » October 11th, 2015, 9:57 am

Regar wrote:Has the exploit that made this possible been fixed :?:
we analyzed the cause of this, and found some possible reasons for it.
we can not 100% say that we are safe now, but we did everything possible in this situation to make sure no further damage can be caused by the last attack (that's why we have set up our server again and started from scratch)

Like Flash said, we never expected that someone would attack and cause such damage to a fan project for a game which does not even earn money with it (except our small donation button) :shy:

Note: everyone who donated something to us between September the 16th and today, has probably no Donator status in the forum.
When we have finished the work on making everything work again, we will also update all the users who are affected by this.

Kind regards
Gardosen
My Dragoon Passive OneHanded Spear Dagger Build -> http://www.tosbase.com/tools/skill-simu ... aztoyx6nj/

Arrex
Apprentice
Posts: 26
Joined: May 2015
Timezone: UTC+1
Location: Germany, North Rhine-Westphalia
Gender: None specified

Re: Downtime and Scam Mails

Post by Arrex » October 11th, 2015, 10:45 am

Actually it's pretty curious that the attacker found the translation-tables and was able to edit them, but not willing to cause any harm there. Maybe he hoped that ToSBase would have dedicated BetaKeys given to them by IMC and tried to steal those for selling? That's so far the only way how I can see any gain in this attack, although it's a little far fetched.
Edit: Or it was an attack to mine email-password-pairs. Remember, people: The safest password is unsafe when you use the same everywhere and even one of those sites leaks!

Albe
Apprentice
Posts: 66
Joined: December 2014
Timezone: UTC+1
Location: Italy
Gender: None specified

Re: Downtime and Scam Mails

Post by Albe » October 11th, 2015, 11:45 am

GG on getting the website up again in this short time keep going :no1:

Musteque
Donator
Posts: 82
Joined: September 2014
Timezone: CET
Favorite Class: Monk
Gender: None specified

Re: Downtime and Scam Mails

Post by Musteque » October 11th, 2015, 11:46 am

Flash, keep up the good work. Any website can get hacked, "professional" or not, it doesn't mean much. To the ungrateful who complained, I'd like to see them do better. Meanwhile, I'll enjoy what TosBase has to offer that no other fansite does (stats/skill simulators, database, interactive worldmap) and a great community.

By the way, received this today. The scammers are everywhere :

Image

Link points to "savoir".

Regar
Beginner
Posts: 10
Joined: September 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by Regar » October 11th, 2015, 12:12 pm

Arrex wrote:Actually it's pretty curious that the attacker found the translation-tables and was able to edit them, but not willing to cause any harm there. Maybe he hoped that ToSBase would have dedicated BetaKeys given to them by IMC and tried to steal those for selling? That's so far the only way how I can see any gain in this attack, although it's a little far fetched.
Edit: Or it was an attack to mine email-password-pairs. Remember, people: The safest password is unsafe when you use the same everywhere and even one of those sites leaks!
Considering the content of the scam mail, it looks like the Hacker might actually be a member of the forum. Maybe the Hacker did all this just because he/she could or planned to spread trojans via scammail and compromise computers.
Flash wrote:I think our server actually wasn't that badly protected and the attackers failed to get full direct access; however, only one little exploit in one of many scripts can be enough to cause pretty big damage in the worst case. It's one thing to defend yourself against random bot net attacks or a user who really tries to attack a certain site. Even big companies have to face this problem from time to time.
I'm not too happy with how the incident is handled by the staff. Yes these things happen, but not informing your users appropriately in this situation is really bad and dangerous. All tosbase users have a scam mail in their mailfolder and the staff still hasn't sent another mail round to warn them from clicking on the link in there! Users who don't check this thread still are in danger of having their computer compromised because of how the staff handles the situation. People who don't check the forum but open that mail today are in great danger - at least this could have been prevented by the staff already. It's unclear whether this will happen again in a week and there is no reassurance from the staff that it won't (that does not create a safe place for users here.). We don't even know whether the staff has contacted local authorities for prosecution or just go "Stuff happens, nothing we can do about it." - because this is how it sounds like. The response to the attack from the staff looks awfully laid back to me. :|

Icystare
Wiki Manager
Posts: 205
Joined: August 2014
Timezone: GMT -5
Location: Canada
Favorite Class: Pardoner
Gender: None specified

Re: Downtime and Scam Mails

Post by Icystare » October 11th, 2015, 1:13 pm

Regar I don't think you understand how this works at all.

1) The site was compromised due to a security hole on the site and this will happen to all sites. Anyone with a tiny sense of realism will know that it's impossible to lock down your site without making it near impossible for your members to access.

2) It's not as simple as calling 911 or whatever your number is for your local authorities and have them resolve it without a proper backtrace and logs for them. 12/10 authorities will not budge until you meet at least that minimal condition. Any half decent hacker will cover their tracks well enough.

3) A second round of emails after the site was hacked? No, people aren't going to open it up until they check out the site which in turn will INFORM them of the legitimacy of the second round of emails.

4) There's no magical "Let-Me-Fix-All-Your-Security-Stuff" button. If you find one please forward it towards Flash or Gardosen along with the receipt for a two year warranty in case things break again.

5) Unless you personally have a vendetta against this hacker you will NOT go out of your way and spend your entire life searching for his sorry ass just so you can give him his just deserts. You'll rather fix up the damages he made and figure out how he got in to begin with.

6) Flash and Gardosen are by no means slackers otherwise this site would've been still down. The fact they managed to salvage what they can and bring it back up at 80% functionality is already a large feat especially with a two man team after the hacker took down nearly everything but the translation project.

Also you don't need to be a member of the site to know what's happening.

Gardosen
Site Admin
Posts: 172
Joined: February 2014
Favorite Class: Doppelsöldner
Gender: Male

Re: Downtime and Scam Mails

Post by Gardosen » October 11th, 2015, 1:38 pm

Regar wrote: I'm not too happy with how the incident is handled by the staff. Yes these things happen, but not informing your users appropriately in this situation is really bad and dangerous. All tosbase users have a scam mail in their mailfolder and the staff still hasn't sent another mail round to warn them from clicking on the link in there! Users who don't check this thread still are in danger of having their computer compromised because of how the staff handles the situation. People who don't check the forum but open that mail today are in great danger - at least this could have been prevented by the staff already. It's unclear whether this will happen again in a week and there is no reassurance from the staff that it won't (that does not create a safe place for users here.). We don't even know whether the staff has contacted local authorities for prosecution or just go "Stuff happens, nothing we can do about it." - because this is how it sounds like. The response to the attack from the staff looks awfully laid back to me. :|
Everyone who knows Flash and the TOSBase project knows the work he put into this project and how much he cared for this community for the last years based on opinions and suggestions. The 16 hours of work without a break from yesterday till this morning at 4 am is the best proof of it. (besides the simulators, skill builders, videos, translations, stat calculators, content previews, and the fact that compared to other sites, he does not spam you with advert to earn money.)

Not him and not me were laid back the last 20 hours and we are still working on the server to prevent something like this in the future.

we also took care of the topic contacting local authorities, but we will not release any information related to this to the public.

Kind regards
Gardosen
My Dragoon Passive OneHanded Spear Dagger Build -> http://www.tosbase.com/tools/skill-simu ... aztoyx6nj/

Flash
Site Admin
Posts: 1255
Joined: February 2014
Favorite Class: Cleric
Server: [EU] Fedimian
Gender: None specified

Re: Downtime and Scam Mails

Post by Flash » October 11th, 2015, 2:37 pm

Regar wrote:I'm not too happy with how the incident is handled by the staff. Yes these things happen, but not informing your users appropriately in this situation is really bad and dangerous. All tosbase users have a scam mail in their mailfolder and the staff still hasn't sent another mail round to warn them from clicking on the link in there! Users who don't check this thread still are in danger of having their computer compromised because of how the staff handles the situation. People who don't check the forum but open that mail today are in great danger - at least this could have been prevented by the staff already. It's unclear whether this will happen again in a week and there is no reassurance from the staff that it won't (that does not create a safe place for users here.). We don't even know whether the staff has contacted local authorities for prosecution or just go "Stuff happens, nothing we can do about it." - because this is how it sounds like. The response to the attack from the staff looks awfully laid back to me. :|
We're doing our best to handle the situation. One problem is that our mailserver still isn't 100% configured so I'm not sure if those emails could all be sent. If the mails work I'll go and send out a mail to all current users explaining the situation.
Well you can never be 100% secured against attacks. We looked at the logs trying to figure out how the attack was done and changed the server configuration & scripts to prevent this attack but that doesn't mean that there can't be another way to get access, maybe even an unfixed security hole in the webserver software we have no control over (0-day exploit). Even though those are very rare you can't be sure they will never happen.
We saved our logs but unfortunately it's very very unlikely that the one who did this will get caught. We noticed some IPs that attacked the server and those were from different countries like China and Mexico. Probably the attacker used some proxies and even if not it's unlikely that there will be an international investigation just because of a fan site.
We never said "Stuff happens, nothing we can do about it.". We installed different software and restricted the access to it even more. We made sure there are as few possibilities for attackers as possible. From those 20 hours I was working on the server yesterday about half of the time we spent in configuration files to make sure the server is better secured but still this doesn't mean that we can guarantee absolute security.

Nervontuxis
Newcomer
Posts: 1
Joined: October 2015
Favorite Class: Oracle
Gender: Male

Re: Downtime and Scam Mails

Post by Nervontuxis » October 11th, 2015, 4:34 pm

I would like to add that hopefully all the users on this forum understand the amount of work it requires to maintain and especially fix all the damage done by an attack such as this. Also, there is no such thing as a secure server in the world. Even the most secure servers can be invaded, nothing is truly safe if a skilled enough hacker wants to get in.

Anyways, hopefully the servers are better protected now and this doesn't happen again.
Also, I have to say I lold at the note left on the translation :)

PatnaSensei
Newcomer
Posts: 6
Joined: July 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by PatnaSensei » October 12th, 2015, 7:04 am

the recipient's name was "flash@tosbase.com" <flash@tosbase.com> and not flash@tosbase.com maybe that will help
https://youtu.be/LoF_a0-7xVQ
NoThIn BuT bIg DoGs N cRoSs ThE wAy BoYs <--
-TM- C Lite †

Fenris
Newcomer
Posts: 3
Joined: October 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by Fenris » October 12th, 2015, 11:06 am

And here I thought Flash-Senpai would notice me and mail me :shy:

LoveDrops
Newcomer
Posts: 1
Joined: July 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by LoveDrops » October 12th, 2015, 3:06 pm

I have a feeling due to the hacker might have obtained my mail & password, that person might have actually tried to log in my facebook account also.....
All of a sudden I have a notification asking me am I logging in from Taiwan when I'm living in another country... I hope I'm wrong about this and it isn't related at all... :sob:

Icystare
Wiki Manager
Posts: 205
Joined: August 2014
Timezone: GMT -5
Location: Canada
Favorite Class: Pardoner
Gender: None specified

Re: Downtime and Scam Mails

Post by Icystare » October 12th, 2015, 3:16 pm

LoveDrops wrote:I have a feeling due to the hacker might have obtained my mail & password, that person might have actually tried to log in my facebook account also.....
All of a sudden I have a notification asking me am I logging in from Taiwan when I'm living in another country... I hope I'm wrong about this and it isn't related at all... :sob:
Unless you use the same email address & password here and on your facebook/email account the possibility of him getting into your accounts is extremely low.

Gardosen
Site Admin
Posts: 172
Joined: February 2014
Favorite Class: Doppelsöldner
Gender: Male

Re: Downtime and Scam Mails

Post by Gardosen » October 12th, 2015, 4:57 pm

LoveDrops wrote:I have a feeling due to the hacker might have obtained my mail & password, that person might have actually tried to log in my facebook account also.....
All of a sudden I have a notification asking me am I logging in from Taiwan when I'm living in another country... I hope I'm wrong about this and it isn't related at all... :sob:
it is possible that he tried to do it, after several fails on the password, facebook sends out an email to the user.
nevertheless, please keep in mind that we stored the passwords encrypted, so he does not know them at all, he would have to use intense techniques to gain them. if you don't use the same password from here, somewhere else, you should be safe.

Kind regards
Gardosen
My Dragoon Passive OneHanded Spear Dagger Build -> http://www.tosbase.com/tools/skill-simu ... aztoyx6nj/

Levi Tox
Newcomer
Posts: 4
Joined: April 2015
Gender: None specified

Re: Downtime and Scam Mails

Post by Levi Tox » October 12th, 2015, 9:55 pm

I'm not even important enough for the mail.... I feel slightly offended

PrincessKurumi
Donator
Posts: 80
Joined: November 2014
Timezone: GMT/UTC+8 Singapore
Favorite Class: Alchemist
Gender: None specified

Re: Downtime and Scam Mails

Post by PrincessKurumi » October 13th, 2015, 4:16 am

Yes, the moment I received it and opened the link, I knew something must have happened.

Thanks for all the hard work as usual!

Really don't understand why would people do this, nothing to be gained, only to have lost
