Yes, the forums are down. Yes, I realize you can’t edit your own comments. Let’s talk about that.
On my Linux-based webserver, there is a user account linked to me. This “shamus” account owns all the files: All the PHP scripts to drive the blog, all the scripts to run the forums, and all the images and other random files that makes the site operate. Under normal circumstances, the entire file structure is designed so that only my user can upload, delete, and modify files.
However, you need to make some exceptions. For example, I run a WordPress plugin that makes weekly database backups. This plugin needs to be able to save these backups, which means that I need to make the backup directory writable for all users, not just the “shamus” userPHP, MySQL, and other processes are owned by the root user.. Otherwise, the backup plugin would run but it wouldn’t be allowed to save the resulting backup to disk.
So I need to make a few spots on the machine where processes not owned by me can put files. This alone isn’t enough to compromise the security of the machine, although it’s often considered something to be avoided if you can help it. The danger is that it may provide an attack vector for potential hackers. If there’s a vulnerability in either WordPress (the software that runs the blog) or PhpBB (the software that runs the forums) then they would be able to write files to these directories.
Here is a ficticious example of how something like this could work: Let’s say the forum offers a feature where users can upload their own profile image. You’re supposed to upload a JPG or PNG image file. These files end up in /forums/profileimages/. In order for this feature to work, I need to set the permissions of /forums/profileimages/ so that anyone can write to that directory. Let’s say the people who wrote the forum software didn’t do their job and the forums don’t make sure that what the user uploaded was actually an image. Like, maybe they uploaded a PHP script. This allows them to put new pages on my site, and those pages can do all sorts of nasty things.
Now, they can’t just put those pages anywhere. Those pages can only end up in /forums/profileimages/, and only the attacker will know about them. Once the upload is done, the attacker can then manually type in the URL like so:
This will cause the script to run and do whatever it’s supposed to do. This doesn’t give the attacker full control over the machine. (They can still only put new files in directories I’ve had to leave open.) They can’t re-write the blog or attack visitors directly, but this is still an alarming situation that allows them to see a lot of stuff they shouldn’t.
This is a very simplified explanation. The actual method of attack is a lot more complex and to be honest most of it is beyond me. But this is the idea in broad strokes.
A couple of months ago PeterHe doesn’t comment often so you might not know him, but Peter has been providing technical and hardware support to this site for a long time. and I discovered some files on the site that were not owned by the “shamus” user. Files like this:
Always the same pattern: A PHP file with a gibberish eight-character name, probably generated at random. These files contained highly obfuscated PHP code and were not part of the normal file structure of either WordPress or PhpBB. More importantly, they are obviously malicious in nature.
Peter and I have been battling this mess for the last month or so. We deleted all the suspect files, tightened up directory access, and then hoped we’d fixed the problem. Then a few weeks later the mystery files would show up again and we’d have to start over.
Last week the files showed up for the third time, and so we went to maximum paranoia level. We wiped WordPress clean and started over with a fresh install. We uninstalled the forums completely. This machine is now as locked down as we can make it. There are no directories with write access. This would break several of the WordPress plugins I use, but since I haven’t installed any plugins that’s not a problem yet.
If the problem returns, then I’ll need to contact my host and have them wipe the machine clean and start over. I’d hate to do that, since it would result in a ton of downtime. (The blog has about 1.2 gigabytes of images, and I don’t have a very fast upstream connection. That would be a long upload. Not to mention the time required to restore the databases and re-install everything.)
I’ve deliberately left out a lot of details on the off chance that the attacker actually reads the blogThis is unlikely. These kinds of attacks are often done by bots.. So if you’re thinking of asking, “Why don’t you guys just X?”, then keep in mind we probably did X but I’m leaving it out of this explanation.
So that’s why the forums are gone and all of our quality of life plugins are missing from the blog. It’s a known issue. We’re still investigating. If all goes well, then we’ll eventually get back comment editing and all the other little plugins we’re used to.
 PHP, MySQL, and other processes are owned by the root user.
 He doesn’t comment often so you might not know him, but Peter has been providing technical and hardware support to this site for a long time.
 This is unlikely. These kinds of attacks are often done by bots.
Blistering Stupidity of Fallout 3
Yeah, this game is a classic. But the story is idiotic, incoherent, thematically confused, and patronizing.
Final Fantasy X
A game about the ghost of an underwater football player who travels through time to save the world from a tick that controls kaiju satan. Really.
Resident Evil 4
Who is this imbecile and why is he wandering around Europe unsupervised?
Why The Christmas Shopping Season is Worse Every Year
Everyone hates Black Friday sales. Even retailers! So why does it exist?
Why I Hated Resident Evil 4
Ever wonder how seemingly sane people can hate popular games? It can happen!