• Fur Affinity Forums are governed by Fur Affinity's Rules and Policies. Links and additional information can be accessed in the Site Information Forum.

5/17 Site Attack

Status
Not open for further replies.
kisuka

kisuka

New Member
An explanation of the exploit / hack for people who aren't in the web development or tech industry:

On the FA server is a program called ImageMagick installed. ImageMagick is used to resize images, manipulate them, etc. Tons of web services use ImageMagick for image processing. It is a very common piece of software.

On 2016/03/30 a critical security report was posted regarding ImageMagick (www.cve.mitre.org: CVE - CVE-2016-3714

Okay so. When using a website, when you have an upload form (images, files, attachments, etc) you can technically upload anything you want. When you upload a file, typically a website will check the file on the backend, to make sure it's what you want (an image, a pdf, etc) and only allow that. When you don't restrict other file types, people can upload files to the server that they can then access from the website's url (typically where uploads / images are hosted at). These malicious files are called 'web shells' which can be logged into by a third party and be used to control the server the website is on.

The exploit that was used allowed the attacker to get ImageMagick to execute commands on the server, which allowed them to most likely pop a shell and gain access to the server.

Once you are in the server, you can view config files to get access to the database.

Hope this explains things.
 
nyannom1

nyannom1

Member
Keira_Lunar said:
its more the fact im with enough social sites and i have enough passwords to rember as it is

that and the fact i made so many good friends here at FA
Click to expand...
Dear god the password remembering, it's a nightmare. GradeAUnderA made a whole video on this :
 
Keira_Lunar

Keira_Lunar

Proffesor Kikinoe
Fawk said:
^This. Yes, FA could have acted faster. But that doesn't make what other people did okay.
Like, if I don't lock my car it doesn't make whoever stole it less of a horrible person, even if it does mean I should have been more careful.
Click to expand...


indeed last year my house got broken into now my house is heavily secured

i only hope FA admins learn from this
 
nyannom1

nyannom1

Member
tbonethebunbun said:
I hate to come here and say this, but I think it's for your own good...

GO TO BED NOW... IT'S NOT COMING BACK... IT'S NOT GOING TO COME BACK... IT'S NOT GOING TO BE BACK TOMORROW, THE NEXT DAY, THE DAY AFTER THAT, SO LOG OFF, GO TO BED, AND STOP POSTING!!!!!!!!

I'm sorry... I'm just... really grouchy right now, cause my phone's been going off for 10 minutes...
Click to expand...
You do realize you can a) unwatch the thread (and still rewatch it since it's on the main page) or b) silence your phone?
Or don't, I'm just pointing out suggestions.
 
kisuka

kisuka

New Member
Keira_Lunar said:
its more the fact im with enough social sites and i have enough passwords to rember as it is
Click to expand...
You should not be remembering passwords. You should be using a password manager like KeePass to generate a unique password for every website. Then you have a master key that opens your database of passwords. On top of that, use Two-Step Authentication on every service that offers it.

If any of the websites you use have the same passwords you use on other sites, you can guarantee that every account using the same password will be hacked if they get just one of those passwords. When attackers get password lists they check those emails and passwords against a ton of services such as banking and social media.
 
Fawk

Fawk

I don't like people
So on the 3rd month, on the 30th, (so basically at the start of the 4th month) the security report was posted. It was stated that they patched the exploit earlier this month (the 5th month)
So they took about a month to patch it. tsk tsk furaffinity.

I hope they learn and jump to fix security issues much quicker next time.
 
Bourbon.

Bourbon.

Member
tbonethebunbun said:
I hate to come here and say this, but I think it's for your own good...

GO TO BED NOW... IT'S NOT COMING BACK... IT'S NOT GOING TO COME BACK... IT'S NOT GOING TO BE BACK TOMORROW, THE NEXT DAY, THE DAY AFTER THAT, SO LOG OFF, GO TO BED, AND STOP POSTING!!!!!!!!

I'm sorry... I'm just... really grouchy right now, cause my phone's been going off for 10 minutes...
Click to expand...
So turn off notifications, smartass.
 
T

tbonethebunbun

Active Member
nyannom1 said:
You do realize you can a) unwatch the thread (and still rewatch it since it's on the main page) or b) silence your phone?
Or don't, I'm just pointing out suggestions.
Click to expand...
Sorry, I'm just very very grouchy, it's like... 1:35 in the morning, and my phone's been beeping at me over and over...
 
Fawk

Fawk

I don't like people
tbonethebunbun said:
I hate to come here and say this, but I think it's for your own good...

GO TO BED NOW... IT'S NOT COMING BACK... IT'S NOT GOING TO COME BACK... IT'S NOT GOING TO BE BACK TOMORROW, THE NEXT DAY, THE DAY AFTER THAT, SO LOG OFF, GO TO BED, AND STOP POSTING!!!!!!!!

I'm sorry... I'm just... really grouchy right now, cause my phone's been going off for 10 minutes...
Click to expand...
You know that not everyone is in the same timezone as you? So it is not bedtime for everyone.
But you should sleep, you seem cranky.
 
nyannom1

nyannom1

Member
tbonethebunbun said:
Sorry, I'm just very very grouchy, it's like... 1:35 in the morning, and my phone's been beeping at me over and over...
Click to expand...
It's okay, just letting you know for the future. Get some sleep now, goodnight.
 
kisuka

kisuka

New Member
Fawk said:
So on the 3rd month, on the 30th, (so basically at the start of the 4th month) the security report was posted. It was stated that they patched the exploit earlier this month (the 5th month)
So they took about a month to patch it. tsk tsk furaffinity.
Click to expand...

Within that month period of time, tons of free to use code had been posted on github. Proof of concepts and what not on how to use the exploit to attack a server. This is how the network security field works. An exploit is reported and tons of netsec guys will create proof of concepts for their blogs/talks/conventions/etc and make that code publicly available.

It is up to the system administrators to patch the exploit in time or else they are open to attack from anyone.
 
T

tbonethebunbun

Active Member
Fawk said:
You know that not everyone is in the same timezone as you? So it is not bedtime for everyone.
But you should sleep, you seem cranky.
Click to expand...
You have no idea. Aside from my neighbor's dogs barking all hours of the night... a poor bunny deserves his bunny rest... - _ -;;
 
ZX6R

ZX6R

Member
Fawk said:
So on the 3rd month, on the 30th, (so basically at the start of the 4th month) the security report was posted. It was stated that they patched the exploit earlier this month (the 5th month)
So they took about a month to patch it. tsk tsk furaffinity.

I hope they learn and jump to fix security issues much quicker next time.
Click to expand...
From what I understand they were late by like a day or so. Even if they were less lazy by a day or two, they still would have kept them out.
 
nyannom1

nyannom1

Member
kisuka said:
Within that month period of time, tons of free to use code had been posted on github. Proof of concepts and what not on how to use the exploit to attack a server. This is how the network security field works. An exploit is reported and tons of netsec guys will create proof of concepts for their blogs/talks/conventions/etc and make that code publicly available.

It is up to the system administrators to patch the exploit in time or else they are open to attack from anyone.
Click to expand...
So basically it's almost an arms race between hackers and security?
Dang that's tough. I need to appreciate these kinds of matters more.
 
YaoiMeowmaster

YaoiMeowmaster

#FiftyFemboys
nyannom1 said:
Dear god the password remembering, it's a nightmare. GradeAUnderA made a whole video on this :
Click to expand...
That gave me the laugh I needed all day, its so fucking true Especially with job application websites. OH NO is some hacker gonna go and apply to Olive garden for me? Send a resume? The horror.

Also gave me a new person to subscribe to jesus christ this is great thanks
 
Keira_Lunar

Keira_Lunar

Proffesor Kikinoe
tbonethebunbun said:
I hate to come here and say this, but I think it's for your own good...

GO TO BED NOW... IT'S NOT COMING BACK... IT'S NOT GOING TO COME BACK... IT'S NOT GOING TO BE BACK TOMORROW, THE NEXT DAY, THE DAY AFTER THAT, SO LOG OFF, GO TO BED, AND STOP POSTING!!!!!!!!

I'm sorry... I'm just... really grouchy right now, cause my phone's been going off for 10 minutes...
Click to expand...


well im going to be washing dishes now anyway so you won't see my face or username pop up for about an hour or so but im sure you can just unsubscribe from the forum feed to this topic
 
nyannom1

nyannom1

Member
Keira_Lunar said:
goodness to think passwords got THAT complex
Click to expand...
Though I understand why sites want your password to be strong, but I agree with Grade when he says it shouldn't be a strict and mandatory thing
 
Keira_Lunar

Keira_Lunar

Proffesor Kikinoe
kisuka said:
You should not be remembering passwords. You should be using a password manager like KeePass to generate a unique password for every website. Then you have a master key that opens your database of passwords. On top of that, use Two-Step Authentication on every service that offers it.

If any of the websites you use have the same passwords you use on other sites, you can guarantee that every account using the same password will be hacked if they get just one of those passwords. When attackers get password lists they check those emails and passwords against a ton of services such as banking and social media.
Click to expand...

*shudders* no offences but i HATE the two step locking function its really messy and my phone can't take on any more apps i was lucky enough to install Steam mobile app at the least i don't need more
 
LyrrenClock

LyrrenClock

Blarg~
tbonethebunbun said:
I hate to come here and say this, but I think it's for your own good...

GO TO BED NOW... IT'S NOT COMING BACK... IT'S NOT GOING TO COME BACK... IT'S NOT GOING TO BE BACK TOMORROW, THE NEXT DAY, THE DAY AFTER THAT, SO LOG OFF, GO TO BED, AND STOP POSTING!!!!!!!!

I'm sorry... I'm just... really grouchy right now, cause my phone's been going off for 10 minutes...
Click to expand...
its called shut your phone off...with how phones are these days if they are your alarm clock when powered off they will...wait for it...turn themselves on magically! I know amazing right?!
 
D

Deleted member 82554

Guest
nyannom1 said:
While that is true, you can post art and look at other art sites, however, with some people that have commissions to do and who gain income from said commissions will still suffer (unless they have another said site that can do this, though, a percentage will still be hacked off).
Click to expand...
With FA being down most will fall back to the next best alternative, so less of a problem than having nothing at all.
Keira_Lunar said:
its more the fact im with enough social sites and i have enough passwords to rember as it is

that and the fact i made so many good friends here at FA
Click to expand...
Remembering passwords is irrelevant in this day and age. We have browsers that manage all of that, so there is no excuse on that part.

And there is no excuse on the second part, either. With FA being down most will fall back to the next best alternative, and the other sites like Weasyl, DA, etc. have plenty of good people to befriend.

Diversify, get yourself out there or you'll never know what you're missing.
 
nyannom1

nyannom1

Member
YaoiMeowmaster said:
That gave me the laugh I needed all day, its so fucking true Especially with job application websites. OH NO is some hacker gonna go and apply to Olive garden for me? Send a resume? The horror.

Also gave me a new person to subscribe to jesus christ this is great thanks
Click to expand...
Yeah, this dude is great, haha. I'm glad I made you laugh by sending it.
 
Status
Not open for further replies.
Top