Help with dealing with hacking of forum

Discussion in 'Off The Beaten Track' started by reckless, Jan 20, 2013.

  1. reckless

    reckless Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    9,384
    I'm hoping someone has some experience or suggestions about dealing with the following situation.

    As a hobby, I do some creative writing. About a year ago, I joined a ZetaBoard forum where people could post their writing and readers could comment. When you post, you are elevated to "writer" status, get a subforum for your works, and have some control over the content of that subforum. Everything was fine for several months. At the end of December, however, someone hacked the site. I don't know exactly how, but they managed to raise one of the members to an administrator, and through that account, banned the other administrators so they could not stop the hacking, made a mess of the forum by moving threads around, banned all the members, and then deleted the forum entirely.

    We got the board restored after a few days, but because the user had moved a bunch of things around before deleting the forum, it took days to move all the threads to their proper place. (Imagine it as if someone manually moved all the subforums here and jumbled them so that the skating threads were mixed within politically incorrect and secret sources threads were public.) The user who was promoted to administrator during the hack was banned as were some other users that were accused of being involved.

    What didn't sit well with me was that the users pointing the fingers also immediately blamed the administrators for allowing the hack to happen. These users happened to be some of our younger members, mainly late-teen/college age, who had been agitating to be made administrators on the site. Within minutes of the hack, they were tweeting demands for the existing admins to step down. The next day, they created a competing site. But it did not receive much traffic and not many members from the original group joined their site.

    Our site repaired the damage as best it could and proceeded without them. Things started to return to normal, but then we began having some minor issues. The site had a shout box from which shouts started being deleted. Because writers control their subforums, including deleting posts there, the settings for the site also allow any person with "writer" status to delete shouts. In looking at the timing of when the shouts were deleted, we found that the deletions often corresponded with times when the users who had created the competing sites were active on our site. To prevent further deletions of shouts, the administrators withdrew those members' "writer" status. That was earlier this week. A few of them complained and one wound up getting banned.

    Yesterday, the site was hacked again. The hack itself occurred in a very similar manner to the first hack, with the user taking an account, elevating it to Admin status, deleting the other administrators, moving things around, and then deleting the entire site. The account elevated to administrator status was one of the user accounts that was banned after the first attack. But so was another user account -- an account of a user not suspected of involvement with the first hack, but of a user who had a nasty feud with the people who formed the competing site. The hackers also announced that our site is "RIP" and directed visitors to the competing site. Meanwhile, some of our writers who are unaware of all of the behind-the-scenes drama are considering moving to the competing site because it is now perceived as "safer" than the original site.

    The people from the competing site are claiming no involvement, but it is difficult for me to believe that nobody over there is connected. The administrators have tried getting assistance from ZetaBoards support and they may ask Twitter, because the site's related Twitter account also was hacked, but they were not very helpful before. So I was wondering if anyone knows of any groups or even people we can hire who might be able to help us find out who is behind this and whether they are connected to the other site.

    I can't believe I'm even considering this over something as silly as an online writing forum, but it really feels like a violation of our community. Some of our members may have lost their creative works because ZetaBoards does not allow threads to be downloaded and they did not have complete back-ups. We all will have lost the valuable feedback we received from other members. And I am infuriated that this all may be due to some immature former members being upset that they were not put in charge so they decided to destroy our board so our members would have no choice but to go to theirs.

    If anyone has experience with these kinds of things or suggestions about what we can do, I would appreciate it.
     
  2. Anita18

    Anita18 Well-Known Member

    Joined:
    Apr 22, 2001
    Messages:
    11,198
    I haven't had the experience of a top-to-bottom hacking quite like that (damn, that is THOROUGH), but I've experienced some pretty hilarious back-and-forths on Facebook groups, with multiple admins jokingly changing the group name and making it more outrageous each time. :rofl: Also, your typical trolls being approved to join, and then having to be kicked out by an admin.

    The only way to stop this, I believe, is to have only a select trusted few be "global admin" and have controls to the main forum itself. I'm a member of a very large forum community, and I was asked to be a moderator of its political forum. I declined, because it was shortly before the presidential elections and I wanted to have a life. :lol: But it was pretty clear at that point that although there were many moderators on the forum community (upwards of 15), they were only assigned to a select forum. I believe that moderators can edit objectionable posts and put members on probation, but they certainly can't change the threads entirely. I think there are at most 5 "global administrators" that have power over every forum. Only the one webmaster (who is hired by the company that owns the forums, so no funny business) has the power to delete and switch around forums entirely.

    I think the general setup is similar to FSU, and any other well-organized forum. If you give the community too much power, there's always going to be one person who insists on ruining things for everybody. Only people who have something to lose should have power over the entire forum.
     
  3. reckless

    reckless Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    9,384
    There actually were only about five admins with the power to move around and delete the subforums, so in that sense the site had a limited administration. Allowing writers to move around individual threads was never an issue and it would have really been a hassle to have to force those five admins to do everything. Say, for instance, someone was posting a novel-length work by chapter, with each chapter as a separate thread, the writer might want to pin some threads, move some older chapters to archived folders, have summaries of the novel if there were delays in posting so readers would not have to reread hundreds of pages, etc. It really was easier to let the writer control where things would go and delete things that were no longer necessary. (I don't know why that also had to include allowing the writer to delete shouts, but I wasn't an admin and don't know how much control the administrators have over what powers they can give to different members.)

    But, really, my concern now isn't about the administrators. I want to know how to track the culprits. Are there people out there who will do that?
     
  4. Prancer

    Prancer Dysteleological Staff Member

    Joined:
    Apr 16, 2001
    Messages:
    38,867
    First, has anyone contacted whoever runs your server? They are your best bet to trace unusual activity on the site.

    Second, the easiest way to "hack" an account is to figure out an admin's password. Admins need to have high security passwords--no birthday, child's name, favorite author, favorite book, nothing related to any creative writing, nothing related to anything ever posted on the board. Since it happened twice and so easily, that would be my first guess.

    Third, depending on the software your forum uses, your regular admins may be able to see the IP addresses for user accounts. If so, they should be able to figure it out from there by identifying the IP addresses of the poster who was given administrator privileges and cross referencing that with other IP addresses of board members. That is one reason (but only one) we never delete user accounts here--so we always have the IPs for comparison purposes.

    Sophisticated hackers would use remote logins from other IP addresses to cover their tracks, and that would be difficult to trace. Or they could just go to the public library or somewhere like that, although their IP address can still be used for general location. Most people aren't terribly sophisticated, though.

    Oops, forgot one--some boards (like this one) have an administrator log that keeps track of all administrator activity. If, say, I close a thread, it's recorded that I did it. If your board has something like that, it should be easy as pie to see if an admin account was used to make the other poster an admin. If so, look for a strange IP address for that admin and cross reference it.
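
The checks Prancer describes in the post above (find the admin-log entries that unbanned or promoted the account, see whether the acting admin's IP is unusual for that admin, then cross-reference the IP against other members), as an added example that is not part of the original thread. The record layouts, account names and addresses are constructed assumptions, not ZetaBoards' actual log format.

```python
from collections import defaultdict

# Constructed sample data; field layouts are hypothetical, not a real forum export.
LOGINS = [  # (account, ip) pairs taken from ordinary sessions
    ("founder_old", "192.0.2.10"),
    ("admin_a", "192.0.2.21"),
    ("admin_a", "192.0.2.22"),
    ("member_x", "198.51.100.7"),
    ("member_y", "203.0.113.5"),
    ("member_y", "198.51.100.7"),
]
ADMIN_LOG = [  # (timestamp, acting account, ip, action, target)
    ("2013-01-18T21:02", "admin_a", "192.0.2.21", "close_thread", "thread_88"),
    ("2013-01-19T03:14", "founder_old", "198.51.100.7", "unban", "member_z"),
    ("2013-01-19T03:15", "founder_old", "198.51.100.7", "promote_admin", "member_z"),
    ("2013-01-19T03:16", "member_z", "198.51.100.7", "ban", "admin_a"),
]

def ip_index(logins):
    """Map each IP to the accounts seen on it, and each account to its usual IPs."""
    by_ip, by_account = defaultdict(set), defaultdict(set)
    for account, ip in logins:
        by_ip[ip].add(account)
        by_account[account].add(ip)
    return by_ip, by_account

def trace_privilege_changes(admin_log, logins, actions=("unban", "promote_admin")):
    """Return one finding per privilege-changing admin action."""
    by_ip, by_account = ip_index(logins)
    findings = []
    for ts, actor, ip, action, target in admin_log:
        if action not in actions:
            continue
        findings.append({
            "time": ts, "actor": actor, "action": action, "target": target, "ip": ip,
            # True when the admin account acted from an address it never used before
            "unusual_ip_for_actor": ip not in by_account.get(actor, set()),
            # Other accounts that have logged in from the same address
            "other_accounts_on_ip": sorted(by_ip.get(ip, set()) - {actor}),
        })
    return findings

if __name__ == "__main__":
    for finding in trace_privilege_changes(ADMIN_LOG, LOGINS):
        print(finding)
```

A shared address is a lead to follow up, not proof of identity: library, school and mobile-carrier addresses are used by many unrelated people.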
     
  5. reckless

    reckless Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    9,384
    Thanks, Prancer.

    I figured they guessed an administrator's password for the first hack. But I thought the admins changed their passwords after the first hack. Unfortunately, I think they may have forgotten about an old account for one of the site founders who has passed away. It is still there, but has not been used. If the hacker accessed people's passwords the first time, he could have obtained that password and then used it to gain access for the second attack. I think the admins have to see which admin accounts were accessed around the time the user was unbanned -- or see if there is a log that will indicate who did the unbanning of the account that was used for the hack.

    I am going to pass along the information you gave to the admins and hope when they regain access to the site, they can see if our site has those features. Thanks.
     
  6. Prancer

    Prancer Dysteleological Staff Member

    Joined:
    Apr 16, 2001
    Messages:
    38,867
    Most people choose passwords that are easy to remember. Unfortunately, if you choose a password that's easy for you to remember, it's often something that you talk about a lot. A lot of people who do those things change their passwords, but don't create a password with higher security.

    We have a feature here that reports the security level of posters' passwords. Most passwords are classified as Insecure. I don't figure it matters much for the average poster, but when you have admins who do things like that, it's an issue.

    Another reason that I think that your "hacker" guessed a password is that true hacks usually come in the form of attacks. For example, we once had some internet pirates try to take over this board and what they did was bombard the admin accounts with password attempts. None of ours cracked, but they would have had the pirates been able to keep it up long enough, and then they would have been able to use our accounts to wreck the board. Our server people warned us, so we all changed our passwords several times during the attack and the pirates finally got bored and went away. But if you had a hacker trying to do something like that, you would know--the board was going haywire through the whole thing.
     
  7. smileyskate

    smileyskate New Member

    Joined:
    Oct 26, 2007
    Messages:
    667
    Reckless, nothing more to offer but just want to say I am sorry to hear about that. I have also heard of people with Facebook and Twitter accounts (may have nothing to do with it) having problems with their own personal computers so I agree that a password was probably guessed. Prancer, I wonder why internet pirates were trying to take over this site. What makes them hacking into sites or our computers that valuable unless they are trying to get into banking or other money accounts? For once I do wish the governments would take these crimes seriously, even if the only "breach" was invasion of privacy.
     
  8. Prancer

    Prancer Dysteleological Staff Member

    Joined:
    Apr 16, 2001
    Messages:
    38,867
    No, they wanted to take over the site; they probably would have deleted everything, blocked our access to the board, and put a big ol' waving pirate flag on the page with some sort of snarky message. They weren't trying to get poster info, just annoy us. It would have taken weeks to clean it all up and get everything back up and running.

    Anyway, you don't really need to worry about someone stealing your bank info or anything off this board. If you get a season pass through Paypal, it's Paypal that has your banking info, not us. The only thing they could get from here is the email address you registered with, and that's not particularly attractive to hackers.