Tweet
Forum compromised - Change passwords
The vBulletin forum was compromised by a file upload exploit/vulnerability. The first attempts to establish a backdoor were made on 28th May. On 11th June the admin control panel was compromised and started relaying data to a domain registered on May 29th. On July 2nd code was inserted to spy on all website traffic and the suspicious domain was updated. A hidden backlink to an MMO gold farming site was inserted on the forum home page on July 5th presumably for blackhat SEO monetization. On July 7th the wiki.angband.live subdomain was verified by the attacker with google search console, presumably again for SEO abuse.
The damage was limited to the PHP/apache sections of the site/server, angband.live itself was unaffected but the forums were. I would recommend changing any passwords on any other sites that you used the same username/password for, and changing passwords here.
All the files created or modified since the initial attack have been deleted or cleaned and verified against originals, and folder permissions have been made much tighter to prevent any future exploits of this type. This should have been done before, but it has been done now.
Apologies for letting this happen. We should be safer going forward.
The damage was limited to the PHP/apache sections of the site/server, angband.live itself was unaffected but the forums were. I would recommend changing any passwords on any other sites that you used the same username/password for, and changing passwords here.
All the files created or modified since the initial attack have been deleted or cleaned and verified against originals, and folder permissions have been made much tighter to prevent any future exploits of this type. This should have been done before, but it has been done now.
Apologies for letting this happen. We should be safer going forward.