Postmortem Security Breach on October 23rd, 2025


Null

Ooperator
kiwifarms.net
Joined
Nov 14, 2012
TL;DR: I forgot to secure something important but I do not believe anything of consequence has been leaked.

On October 19th, a scraper using a VPN accessed the /.git/ directory on the forum. This is data left by a versioning software which tracks changes to files. I use it to manage the forum's source code (not attachments, user data, databases, etc). When I was working on the disks recently, I had left it behind and had not properly secured access against it on the webserver.

The scraper then downloaded all available data, which is source code managed by that repository. This is basically just the stock software used by the forum and some add-ons, mostly ones I did not write. The code I write is managed by other git repositories they did not gain access to. This is important because it means that the algorithm used to generate billpay ids is not leaked and does not need to be changed.

Today, this was published as a torrent. After 2.5 hours the site was taken down to review the damage.

Crucially, the config.php file which stores credentials was not leaked. Old versions of it had been committed. I verified that all remote servers were secured against remote logins from unrecognized sources. Local services only listen on local IPs, or via sockets, so remote access was not possible. Because the files accessed were old, the S3 credentials were not valid and could not be used. I am very confident no S3 data was leaked but I am checking with our provider just in case.

I have rotated all credentials out of an abundance of caution.

Moving forward,
  • Webserver will implement more best practices.
  • Backup S3 bucket will have an IP whitelist and be more purpose-specific to handle the worst-case scenario.

Edit: I've confirmed no malicious connections were made to the remote S3.
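The control the post above says was missing (the webserver answering requests under /.git/), as an added example that is not the forum's own code: a request-path filter written here as a Python WSGI middleware for illustration (an assumed deployment; the forum itself runs PHP software) that refuses any path entering a dot-directory, after normalizing percent-encoding and ".." segments so the check cannot be sidestepped by encoding tricks.

```python
import posixpath
from urllib.parse import unquote

# Dotfiles and dot-directories (/.git/, /.svn/, /.env, /.htaccess) must never be
# served over HTTP. The postmortem above describes exactly this gap: a leftover
# /.git/ directory in the web root with nothing on the webserver rejecting it.


def normalize_path(raw_path: str) -> str:
    """Reduce a raw request path to the path actually being requested.

    Query string is dropped, percent-encoding is decoded twice (so a
    double-encoded %252e still resolves to '.'), and '.', '..' and repeated
    slashes are collapsed lexically, so /static/../.git/HEAD -> /.git/HEAD."""
    path_only = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path_only))
    # posixpath.normpath keeps the leading '/' and resolves '..' without
    # touching the filesystem; '/..' clamps to '/'.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_hidden_path(raw_path: str) -> bool:
    """True if any segment of the normalized path starts with '.'."""
    normalized = normalize_path(raw_path)
    return any(seg.startswith(".") for seg in normalized.split("/") if seg)


def deny_hidden_paths(app):
    """WSGI middleware: answer 404 for hidden paths before the request reaches
    the application or a static-file handler. 404 rather than 403 so the
    response does not confirm that the directory exists."""

    def wrapper(environ, start_response):
        if is_hidden_path(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return app(environ, start_response)

    return wrapper
```

An equivalent rule belongs in the webserver itself as well (a deny rule for paths matching `/\.`), with the middleware as defense in depth and as something that can be unit-tested.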
Dear sneeder,

Fix your shit and protect us from trannies.

Also, post updates on telegram that trannies are besieging the forum so we're aware.

Best Sneeds,

Some Retard.
Ooooh no the kiwi files have been leaked! The non redacted Joshua Moon list is open to the public now! (:_(
 
Was at work; forum no work. Get home; forum work. Check orange board; write up on downtime. Thanks, Sneeder.
 