BNETDocs
More updates on the security intrusion
BNETDocs

I have further investigated the security intrusion given the data I have in the database as well as the server access logs.

At this time, it is my belief that there may be more data deleted than what was originally estimated. The intruder attempted to cover their tracks, but didn't cover them all, which is how Kyro noticed them in the first place. When anything gets deleted, the content is put into a logs table as part of the logging documentation, but it looks like they deleted logs from the table too, just not all of their logs. I know this because the access logs show that they executed deletions on some logs, and the logs don't exist in the table when they clearly should.

In any case, I've looked at the code a little closer and found SEVERAL security holes everywhere. I am uncomfortable with this after inheriting this website. To that end, I am committed to creating a newer website, with probably the same interface but at the very least a new core with far less security holes. To aid in any security holes that weren't found and I've tried to patch, I have set the database user to read-only mode; so if a security hole is found and tried to be taken advantage of, at most is they will get to know how things look, but won't be able to modify or execute anything.

There will be two servers for the new website. The "production" server, which will be at http://dev.bnetdocs.org, and then also my "local" server, which won't be available to the public. The code will also be open-sourced, available at https://github.com/BNETDocs/bnetdocs-phoenix. I've already committed some code there if you wish to check it out, and the production server is also up and running with the code. I feel that having the code open-source won't be a security issue, since I am taking precautions to salt everything as well as provide options to change the hardcoded salts via a config file (so the real salt isn't available from the code necessarily).

I have also disabled the 503 Service Unavailable error page so that bots and users alike will be happy visiting this website again (the notices and emails were pretty annoying).

Comments

no one has commented yet.