
5/17 Site Attack

Status
Not open for further replies.

Dragoneer

Site Developer
Staff member
Site Director
Administrator
It was brought to our attention last night (May 16) that someone had obtained a copy of Fur Affinity's source code via the recent “ImageTragick” exploit in the ImageMagick library (a common server-side image processing software). This exploit was patched earlier this month, but not before a malicious user was able to download a copy of our source code, and later actively distributed it via USB drives at a convention.

We managed to get a hold of one of the USB drives and started to analyze what was distributed. While we were investigating, somebody launched a second attack against the site using information gleaned from the source code.

This attack targeted the site’s database by deleting user information, submissions, and watches. It was stopped before any further damage could be done. Other information such as journals, notes, passwords, and personal information was not affected. We're currently in the process of doing a security audit on the existing code and closing any loopholes which may be accessible from the source code.

We are also working to restore the deleted data. Our most recent full backup is from May 11, so approximately 6 days' worth of new user registrations, account watches, and new submissions have been lost due to the attack. We are still trying to evaluate the scope of the attack.

We apologize for the inconvenience to the community, and are working to rectify the issues. If anyone has any knowledge/evidence as to who perpetrated the attack, or who was distributing the USB drives containing FA’s source code, please privately contact Dragoneer on Twitter (@Dragoneer) or via email at dragoneer@furaffinity.net.

We are working to restore FA as quickly as we can, but want to make sure we take proper steps to prevent any further issues. We will keep the community updated on our progress.


This is a photo of one of the USB drives distributed with FA’s source code. If you have any information on who was distributing these drives please let us know by contacting us as mentioned above.
 

SonicWolfe

New Member
I was expecting FA's database to have a backup similar to RAID 1, aka real-time backup. Even if the site is not backed up in real time, 6 days/weekly seemed a bit too long for a website, especially ones like FA which have been attacked quite often due to their contents. A daily, bi-daily, or tri-daily backup plan would sound more reassuring.
Furthermore, if any loophole/incident may affect user content/the database like this one, I think FA administrators should immediately notify users, and in order to prevent possible damage like this, FA administrators should go as far as taking the site down WHILE investigating solutions. From my own experience, 6 days of content is quite a lot, approximately 420 pics just from my own watch lists. Some artists may not even bother to re-upload the deleted ones due to the automatic submission spam protection system (not saying the spam protection is unnecessary or undesirable, but in reality I knew several artists who had decided not to upload comics or pictures on FA because of the current spam protection system).
 

Dragoneer

Site Developer
Staff member
Site Director
Administrator
I was expecting FA's database to have a backup similar to RAID 1, aka real-time backup. Even if the site is not backed up in real time, 6 days/weekly seemed a bit too long for a website, especially one like FA which has been attacked quite often due to its contents. A daily, bi-daily, or tri-daily backup would sound more reasonable.
We have RAID 10s in all our servers. Full database and storage backups are held on other servers, so it's not quite the same as a single drive going offline and needing to replace the backup. And yes, doing daily backups is something we want to do, but with a site the size of FA, it can cause some severe slowdowns doing them constantly. We're in the process of acquiring a new backup storage system which would allow us to do said backups (but also requires a network upgrade).
 

ohtar

Overworked & Underpaid
As horrible as this is, one can't help but admire the efficiency of the attack. It's kinda impressive just how creative hackers can get! ._.

Hope you guys are able to restore the lost data. I can't imagine what a pain in the ass this is for you guys!
 

GreenReaper

Rambling Norn
I was expecting FA's database to have a backup similar to RAID 1, aka real-time backup.
RAID is not a backup - nor does database replication protect against malicious actors. You just end up replicating the damage, although a delay and point-in-time recovery can help.

Daily backups are a good idea, if you can manage it. Preferably held on a machine not accessible through information on the master server.
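
The point made in the post above, as an added example that is not part of the original thread: a toy Python model with a constructed change log, in which every name (`Op`, `replica_state`, `point_in_time_restore`) is hypothetical. It compares what survives a destructive delete on a synchronous replica, a delayed replica, a bare backup, and a backup replayed with its change log up to a chosen time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    ts: int        # logical timestamp of the change
    kind: str      # "put" or "delete"
    key: str
    value: str = ""

def apply_ops(state, ops):
    """Return a copy of state with ops applied in order."""
    state = dict(state)
    for op in ops:
        if op.kind == "put":
            state[op.key] = op.value
        elif op.kind == "delete":
            state.pop(op.key, None)
    return state

def replica_state(log, now, delay=0):
    """A replica replays every logged change that is at least `delay` ticks old."""
    return apply_ops({}, [op for op in log if op.ts <= now - delay])

def point_in_time_restore(backup, backup_ts, log, target_ts):
    """Restore the base backup, then replay the log up to target_ts inclusive."""
    replay = [op for op in log if backup_ts < op.ts <= target_ts]
    return apply_ops(backup, replay)

# Constructed change log: three uploads, then destructive deletes from ts=40.
LOG = [
    Op(10, "put", "submission:1", "a.png"),
    Op(20, "put", "submission:2", "b.png"),
    Op(30, "put", "submission:3", "c.png"),
    Op(40, "delete", "submission:1"),
    Op(41, "delete", "submission:2"),
    Op(42, "delete", "submission:3"),
]
BACKUP_TS = 15  # last full backup predates two of the uploads
BACKUP = apply_ops({}, [op for op in LOG if op.ts <= BACKUP_TS])

def demo(now=45):
    return {
        "sync_replica": replica_state(LOG, now),               # damage replicated
        "delayed_replica": replica_state(LOG, now, delay=10),  # still intact
        "backup_only": dict(BACKUP),                           # newer data lost
        "pitr": point_in_time_restore(BACKUP, BACKUP_TS, LOG, target_ts=39),
    }

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:16} {sorted(state)}")
```

With `demo(now=60)` the delayed replica has replayed the deletes as well, so the delay only buys a window in which replication has to be stopped.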
 

hikyuuri

New Member
Well, that explains why my account stopped working. Thank you for the update! I feel bad for those who have lost likes, watches, and submissions in the past few days because of this.
 

RestrainedRaptor

Helpless for you
With FA having been a part of IMVU for a while now, I would've expected the staff to be able to pull on their technical knowledge and resources to do a full security audit on the codebase and set up daily backups long before this incident occurred. It has been known for years that FA's code is broken and insecure, so I would've expected that to be a part of the contract - if they did any research. What exactly are they providing for the community again?
 

AndroKei

Blep.
Will Notes be lost during this process?

I can't be the only one with important commission information in Notes over the past several days.

ETA: And what about Journals?
 

Jones111

New Member
"It's kinda impressive just how creative hackers can get!"

Actually, that's not impressive. If you've got a lot of source code, you will find security loopholes sooner or later.
There are some open source libraries that have included unfixed security issues for years because people are too lazy to fix them. But any decent attacker will find them.
 

Dragoneer

Site Developer
Staff member
Site Director
Administrator
With FA having been a part of IMVU for a while now, I would've expected the staff to be able to pull on their technical knowledge and resources to do a full security audit on the codebase and set up daily backups long before this incident occurred. It has been known for years that FA's code is broken and insecure, so I would've expected that to be a part of the contract - if they did any research. What exactly are they providing for the community again?
The exploit in question was not with FA's code but with a plugin called ImageMagick. Once we were made aware of the vulnerability it was patched, but we were not aware that the source code had been leaked at that time.
 

Traveller800

The sexy mistress of chaos
I don't get it... what's the motivation? It's clearly not cash, otherwise they would have demanded a ransom or something. Why would they devote time to fucking with your website? It's stupid AND cruel to the users.
 

Jones111

New Member
I'm asking this for a friend, here:

Please share details why you think that accounts haven't been breached.
Please tell the people at least to a vague amount how secure their passwords were/are.

Did you use salted hashes? Did you use breakable hashes like MD5 or SHA-1?

If you didn't use salted hashes at least, you should advise anyone to change his/her password and not reuse the current one on any other web service.
 

Quinnn

Do my stripes make me look fat?
6 days is a long time.

I'll never understand people who do stuff like this. What do they get out of ruining other people's fun? Especially since they're supposedly part of this community as well.
 

Traveller800

The sexy mistress of chaos
6 days is a long time.

I'll never understand people who do stuff like this. What do they get out of ruining other people's fun? Especially since they're supposedly part of this community as well.

That is exactly what I said, Quinnn. What goes through their heads?
 

Jones111

New Member
I don't get it... what's the motivation? It's clearly not cash, otherwise they would have demanded a ransom or something. Why would they devote time to fucking with your website? It's stupid AND cruel to the users.

Some people just do this for fun or as a challenge.
Some people want to sell the data, others hate the content so much that they simply want to destroy it.
Some people want to find users to take a ransom from.

The reason for the content deletion is probably just that the attacker(s) wanted to remove as much evidence as possible.
Deleting everything makes finding out what actually happened much harder.
 