Website Outage - Security Exploit


haloman30

Some of you may have noticed that the Elaztek Studios website has been offline for a few days.

 

Unlike some other past outages, this wasn't because of an internal server problem or some kind of migration. Unfortunately, the Elaztek website was subject to a security exploit - and the outage was us locking the site down to make sure everything had been cleaned up and was in working order before opening it back up again.

If you don't care about the details of the hack, here's the key bits of information:

  • No real damage appears to have been done, and our logs and analysis suggest that the attacker did not have the chance to actually perform any malicious action
  • It is still theoretically possible that the attacker was able to view and access sensitive areas, including user accounts - as such, you may wish to reset your password both here, and on any other sites that also have the same password
  • The exploit in question has been patched, and we've made several changes to limit potential future damage going forward

 

If that's all you cared about, feel free to stop reading here. If you're interested in the exploit itself and what actually went down, as well as details of what we've done to lock things down - the rest of this announcement is for you.

 

The Attack

On July 11th, at 7:39 PM, I received an email regarding my own elaztek.com account, where someone had requested a password reset. A bit before 8PM, I noticed this and was initially amused - but still went ahead and made sure I could log in and such. I was able to, and clicked around in the AdminCP a bit before heading to the frontend of the website - where I noticed I was now logged out.

Returning to the AdminCP, I was now signed out - and unable to sign in. At 7:58 PM, I received another email - saying that I had logged in from another device.

Uh oh.

At this realization, I immediately hard reset the entire webserver - and then, upon it coming back online, I locked it all down. From that point until today, the site has been sending out an HTTP 403. Upon further research, it appeared that the issue was due to a vulnerability within the forum software we use - one that had actually been patched some time ago, but I had neglected to update the software. At this realization, I attempted to upgrade the elaztek.com site - but ran into some technical issues with the upgrader, so I left it locked down.

I was, however, able to upgrade the Chaotic United website - which was running the same software. After that was done, with it being late in the night and having work the following day - and me already being tired before all of this, I left elaztek.com offline and went to bed.

The following morning, I did some further research, and found a webpage documenting the vulnerability - all but confirming this is what happened. The previous night I had checked traffic from this IP address, and noticed it was making a large number of requests to the store application - and this exploit was in fact with that very store application. It was one of the classic blunders - input that wasn't properly sanitized, allowing for SQL injection. That page can be seen here.
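To make the "classic blunder" concrete, here is an added example (not code from this post or from the forum software) of what such a store search looks like in its vulnerable and parameterised forms. Python with an in-memory SQLite database stands in for the site's actual stack; the table and column names, the sample rows and the password hashes are all constructed for the example, and the payload is a generic UNION-based injection rather than the specific request the attacker sent.

```python
import sqlite3

# Constructed sample data: a store "products" table and a "members" table
# standing in for the forum store and the user accounts. Table and column
# names, rows and hashes are all made up for this example.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE members  (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 2.50);
INSERT INTO members  VALUES (1, 'admin@example.com', 'hash-admin'),
                            (2, 'user@example.com',  'hash-user');
"""


def fresh_db():
    """Return an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    """Product search done the unsafe way (deliberately): the user-supplied
    term is spliced straight into the SQL text."""
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Same search with a bound parameter: the driver hands the value to the
    engine separately from the statement, so quotes, UNION and comment
    markers inside `term` are data, never SQL."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A search term of the kind an attacker would send. It closes the LIKE
# string, appends a UNION that selects from the members table (three
# columns, matching the product query), and comments out the trailing "%'".
PAYLOAD = "zzz%' UNION SELECT id, email, pw_hash FROM members --"


def leaked_accounts(conn):
    """Run the payload through the vulnerable search and return whatever
    rows come back, sorted so the result is deterministic."""
    return sorted(search_vulnerable(conn, PAYLOAD))


if __name__ == "__main__":
    db = fresh_db()
    print("normal search:", search_fixed(db, "Widget"))
    print("vulnerable + payload:", leaked_accounts(db))
    print("fixed + payload:", search_fixed(db, PAYLOAD))
```

Run as-is, the vulnerable search returns both member rows (email and password hash) through what is supposed to be a product listing, while the parameterised version returns nothing for the same input. This is exactly why the "reset your password" advice above matters: an injection in a low-value area like a store can read any table the application's database account can reach. It is also the reasoning behind giving each site its own database credentials - that does not stop the leak within one site, but it keeps an injection in one site from reaching another site's tables.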

As of last night, I was able to successfully get elaztek.com upgraded - I could have then likely turned things on and called it a day, however I wanted to wait until today to get a few other things sorted out first.

 

Locking Down

So - what did we do to lock things down, exactly?

Well - I won't go into everything, but some of the key highlights (besides upgrading the website, of course) include:

  • Restricting the AdminCP to specific IP addresses only
  • Rolling back the MySQL database to earlier in the day, prior to the attack
  • Ensuring that each website uses its own MySQL credentials with access to its own database only, so that a SQL injection in one site cannot be used to read or modify another site's database
  • Permanently blocking the IP address of the attacker (isn't super useful since VPNs exist, but hey - can't hurt)
  • Testing the previous exploit ourselves against the updated site software and confirming that it no longer works - the exploit is in fact patched

 

 

If any of you have any questions or concerns about this, feel free to reach out either here on the site, or on our Discord.




