
Recent security patch... felt left in the dark a little...


Jim

Hi guys,

I was one of X number affected by the recent security issue. I have no idea of the numbers affected.

It was fantastic that you guys quickly addressed the issue with a security patch, but, why wasn't it made clear what the patch was actually doing?

Also, why were there no instructions to explain that you need to recache all your skins and language files once applied?

It was not until the last few days when 1000s of my members have been affected that I realised I hadn't completed the patch.

I've gone through these forums, finding some threads relating to removing suspicious files... however ended up having to file a support ticket. Surely that's a waste of your time had the info been available in the first place.

I'm not sure if you don't say what the patch is doing for security reasons, but where possible for future patches, could it be mentioned why, along with additional steps to be taken?

Regards

Jim

Link to comment
Share on other sites

We released a patch before most of our clients would have been affected by this issue. I apologize that you were caught before the patch was available.

The patch does not require skins or languages to be rebuilt. If a hacker managed to insert malicious code into those items before your site was patched, however, then that may have required your skins or languages to be rebuilt. This is unrelated to the patch, but rather is a side effect that your site was hacked unfortunately.

I do apologize for the trouble, however the things you are noting are simply not requirements of installing the patch, which is why they were not mentioned. A site that was hacked could have been affected differently and actually have no requirement to rebuild skins or langs, so mentioning this only creates confusion for the average user when in fact it may not resolve their concerns.

Hopefully this clears up the announcement a little, and clarifies why the things you mention weren't outlined. :)

Link to comment
Share on other sites

The how to install post was fine, but I agree with the OP. Some more context about what the patch did and a pointer to how to check if you'd already been hacked would have been preferable. The attacks reported on this forum and the rest of the internet in relation to this patch all appear to have similar symptoms.

My server is very nicely locked down and I was feeling pretty smug as I applied the patch on the 27th. Then I spent hours trying to work out if I'd already been hacked... just to be sure. I had - on the 25th. But I found out that it usually manifested itself in the cache and how to check and fix this from a non-Invision forum. There is still no official "check" or recommendation aside from "install patch". It's easy enough to update the patch post to say: "From tickets we've investigated, the most common result of recent hacks are X, here are some tips for cleaning it up. If you need additional help please file a ticket for support".

so mentioning this only creates confusion for the average user when in fact it may not resolve their concerns

Average users shouldn't be running forums. If a user is in the ACP, seeing a warning message, browsing a forum, reading about a patch and using FTP/SFTP to upload a php file I'm pretty sure they could cope with some context and a cautionary click on the "rebuild skins" button if that was a common fix post-patch :D Again, without non-IPB member support I still wouldn't know what I was looking for and that this would be required on my site...

Link to comment
Share on other sites

I thought the news item and instructions posted here (prior to the ACP warning message showing up) were very clear and easy to follow.

I never recached my skins. Just a matter of uploading files by ftp. Simple.

3DKiwi

This is the problem... apart from not knowing what the patch was for to double check if I was affected... I followed the instructions... i.e. upload the patch... but that hadn't solved it.

It was the reply to my ticket that I subsequently made, that said I also needed to recache my skins and language files... hence this post?

So is recaching part of the fix or only in some cases where just applying the patch isn't enough?

Please don't think I am moaning for the sake of moaning, I just can't help but think I can't be the only person who was wondering what on earth was going on? I'm no coder, but running invision forums since 2004 I feel confident in what I'm doing.

The main thing I am saying is, had I known what to look out for, i.e. what the patch was fixing, I could have checked after applying it... I would have found out there and then that it hadn't fixed it still, rather than days later and multiple posts from my members complaining. (I run five forums by the way and they were all affected).

Jim

Link to comment
Share on other sites

This is the problem... apart from not knowing what the patch was for to double check if I was affected... I followed the instructions... i.e. upload the patch... but that hadn't solved it.

It was the reply to my ticket that I subsequently made, that said I also needed to recache my skins and language files... hence this post?

So is recaching part of the fix or only in some cases where just applying the patch isn't enough?

Please don't think I am moaning for the sake of moaning, I just can't help but think I can't be the only person who was wondering what on earth was going on? I'm no coder, but running invision forums since 2004 I feel confident in what I'm doing.

The main thing I am saying is, had I known what to look out for, i.e. what the patch was fixing, I could have checked after applying it... I would have found out there and then that it hadn't fixed it still, rather than days later and multiple posts from my members complaining. (I run five forums by the way and they were all affected).

Jim

Recaching skins and languages is not necessary to install the patch. The patch does not affect skins and languages, and they do not need to be recached in order for the patch to be effective.

Without looking up your ticket, if you were instructed to recache your skins and language files, it sounds like your site may have been exploited before the patch was installed, and malicious code was added to your skin and language files in the cache/ directory. When you later recache your skins and languages in the ACP, it would overwrite whatever code was added here with the default skin/language code stored in the database. That is most likely why you were told to do this.

Link to comment
Share on other sites

I too was impacted by the URL4short.info problem and was very irritated by it indeed as the patch was installed but no information about how to check for infection or clean up infection was provided in the official announcement from IPB.

I would very much like that the Senior Management at Invision re-think how you inform your customers about security updates:-

my areas of concern are about how you release security updates, in the security update announcements currently:

  • you do not provide any information about what the update fixes, you merely state its level of importance
  • you do not explain how to verify if you are or are not infected
  • you do not explain how to remediate if you are infected

I think these are very important from a security perspective, don't you?

so even though I applied the patch immediately upon reading the email I was in a false sense of security which was quickly *and thankfully* dashed by a user emailing me,

due to the lack of that information above I (and my server admin) spent two days tracing the issue in order to resolve it, why on earth should we reinvent the wheel when you are already aware of the problem and resolution.

I've raised a ticket on this 836474 and was asked in that ticket to voice my concern here, so I'm doing so.

cheers

niall

Link to comment
Share on other sites

  • 2 weeks later...

There has been limited information available in terms of a "pattern" for the last hack. It's not a situation where a single file is always affected.

Essentially, with the last exploit, the most I can say in terms of a pattern is that on some affected sites we have seen:

  • Language files modified. Recaching the language pack from the ACP overwrites any malicious code in this case.
  • Skin files modified. Recaching the skins from the ACP overwrites any malicious code in this case.
  • Non-IP.Board files written to the /cache folder, usually with names like "xz.php" or similar (in other words, not readable file names, just characters)

This is not an exhaustive list of what could be seen if your site was compromised. There are many factors at play that can alter how susceptible to attack your site may be.

Link to comment
Share on other sites
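A triage check built from the indicators listed in the post above, as an added example that is not part of the original thread and not Invision's own tooling. It assumes the operator has a baseline set of expected cache file names (for instance from a clean install); the three-letter name threshold and every sample file name other than "xz.php" are constructed for illustration.

```python
import os, re, tempfile, time

# Heuristic for "not readable file names, just characters": a very short
# all-letter stem such as xz.php. The length limit is an assumption.
SHORT_STEM = re.compile(r"^[a-z]{1,3}\.php$", re.IGNORECASE)

def triage_cache(cache_dir, known_names, since_epoch):
    """Return {relative_path: [reasons]} for files worth a manual look."""
    findings = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            reasons = []
            # PHP files that the baseline does not know about
            if name.lower().endswith(".php") and rel not in known_names:
                reasons.append("not in baseline")
                if SHORT_STEM.match(name):
                    reasons.append("short random-looking name")
            # Anything touched since the suspected compromise window opened
            if os.path.getmtime(path) >= since_epoch:
                reasons.append("modified in window")
            if reasons:
                findings[rel] = reasons
    return findings

def demo():
    """Constructed sample tree; file names other than xz.php are made up."""
    now = time.time()
    old = now - 30 * 86400
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "lang_cache"))
        samples = {"xz.php": now, "settings.php": old,
                   os.path.join("lang_cache", "en.php"): now}
        for rel, mtime in samples.items():
            p = os.path.join(d, rel)
            with open(p, "w") as fh:
                fh.write("<?php /* constructed sample */\n")
            os.utime(p, (mtime, mtime))
        baseline = {"settings.php", os.path.join("lang_cache", "en.php")}
        return triage_cache(d, baseline, since_epoch=now - 7 * 86400)

if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", ", ".join(reasons))
```

A baseline file flagged only as "modified in window" corresponds to the skin and language case in the post, where recaching from the ACP overwrites the cached copy; a file missing from the baseline needs manual review before removal.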

Archived

This topic is now archived and is closed to further replies.
