
Forum rollback - 08/10/2018



To celebrate our almost one-year anniversary, I unfortunately have one of the most heartbreaking pieces of bad news I have had to announce to you since the opening of this server: 3 months of forum content was lost today.

 

The staff team worked all day to use the Google cache and collect the pages that could still be found in order to put them back at their current version. We managed to save a lot of feature showcases, faction threads, multiple announcement / information threads and will put them back online during the evening / tomorrow.

I invite everyone to search on Google cache for their lost posts: https://webcache.googleusercontent.com/search?q=cache:

 

How did this happen?

At 8:06 this morning, an attack started from the Tor network, directly targeting a specific file on the server (/en/api/api.php): 

9IvHUCO.jpg

The attacker knew exactly which database name he had to target, and which file.

This file was sneakily placed on our server on the 9th of September 2018, along with multiple other ones in case that one would be deleted.

 

Upon access, the file grants the following page:

rM8Y9Ir.jpg

 

Now, what's the goal of such a page since the password is still needed?

Most of you know I'm very strict when it comes to security (not enough unfortunately, as you can see today), so I disable external access for every critical account. It means that even if you find the root user password of our database, you need to compromise the whitelisted server to access it.

What happens with such a page: the connection is run directly from the whitelisted server. In that case, anyone having the password can log in.

 

How was the password recovered?

The password was obtained using legitimate access to the server by one of our former developers. He checked the password of the forum, saved it, then placed these files knowing he might need it in the future since external accesses are blocked.

 

But why wasn't the password changed?

When a developer leaves, we change all passwords he directly had access to, and all remote server accesses. We usually do not change passwords of internal applications that require server access, since external connections are blocked, and we have more than 15 of these passwords. Changing them all every time someone moves out would be a mess, and we ruled that it wasn't necessarily necessary as it would mean one of the developers had maliciously planned a future attack a few hours before his accesses are removed. Did I think the people I work with were able to do such a thing? No, but once again we had the example of extremely malicious persons in the past and this is entirely my fault here.

 

Is my password safe?

Yes. Just like any developer having access to the databases, they can see an encrypted hash of your password that cannot be decrypted, as the hashes follow best security standards. However, the action of the attacker was an immediate drop of all databases. I still recommend a change of your password, and as usual make sure you only use your GTAW password on GTAW and not anywhere else.

 

Why were the backups only from July?

The last backup is from Apache's issue, where his account was hacked and someone deleted all of the faction forum. I switched to a new server after that day for storage reasons (more backups), and unfortunately all backups were corrupted. Always test your backup restores, friends.

 

What now?

I am done with my forensic analysis of the attack and I have the full name, ID along with a list of 3 IP addresses that were used during the attack:

  • 146.0.42.41
  • 149.202.238.204
  • 2405:8100:8000:5ca1::5c:c7ea

I already confronted the person I believe responsible for this, who denied it, and it's his right. Starting tomorrow, I will file a police report with all the server logs. I have a very low amount of hope anything will come out of it, except for one of the IPs, which is from an OVH server.

 

We're now all working as hard as we can to bring back as many threads as possible. However, I know most of you will be deeply damaged by the loss of hundreds of screenshots from your faction threads. This is something I hope most of you kept safe and can put back, and I know most of you will be extremely angry about it. I would be too, and I lost some major threads I will not recover either.

 

We went through many hard times this year: multiple forum deletions, TeamSpeak deletion, a cryptominer from a greedy web developer placed on our website for a few hours, a leak of staff information... And we also met a true monster that we had to fight for months against his denial of service attacks. We always managed to limit the impact thanks to the strict work done by everyone in the team, especially on backups. However, this time we failed you, I personally failed you, and this will be a great lesson for the future. I do apologize for the insane amount of content lost, and I hope you'll be able to forgive me for it. I personally always learn from these and will not see this as a defeat, but as a good lesson.

 

I also invite all of you not to directly attack or insult anyone you feel might be responsible for this. While the timing is definitely odd and the goal was just to destroy and harm our community, and even if forensic evidence has forged my opinion: I will not accept any public targeted and named attack.

 

 

fNRGVFc.png

 

Edited by Nervous
  • Upvote 3
  • Thanks 3
Link to comment
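A defensive check tied to the post above, added here as an example and not part of the original post or of the server's own tooling: a baseline of file hashes for the web root, compared on each scan, flags a file such as /en/api/api.php that appears after a known-good deploy. The directory layout, the extension list and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Extensions the web server is assumed to execute as code (assumption).
SCRIPT_EXTS = {".php", ".phtml", ".phar"}

def snapshot(webroot):
    """Map each file path (relative to webroot, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_baseline(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def executable_drops(added):
    """New files the server would run as code: the highest-priority findings."""
    return [p for p in added if os.path.splitext(p)[1].lower() in SCRIPT_EXTS]

def demo():
    """Constructed web root: take a baseline, add two files, then re-scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "en", "api"))
        with open(os.path.join(root, "en", "index.php"), "w") as fh:
            fh.write("<?php /* forum entry point (constructed) */")
        baseline = snapshot(root)
        # Files appearing after the known-good deploy (constructed content).
        with open(os.path.join(root, "en", "api", "api.php"), "w") as fh:
            fh.write("<?php /* unexpected file (constructed) */")
        with open(os.path.join(root, "en", "notes.txt"), "w") as fh:
            fh.write("harmless")
        added, modified, removed = diff_against_baseline(baseline, snapshot(root))
        return added, modified, removed, executable_drops(added)

if __name__ == "__main__":
    added, modified, removed, drops = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
    print("executable files not in baseline:", drops)
```

The baseline only helps if it is stored somewhere a person with server access cannot rewrite it, for example on a separate host that pulls the snapshot and does the comparison.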

Here's how to attempt to recover your posts:

You'll need to find the old link of the post/forum section you want to view. Place it at the end of this link:

https://webcache.googleusercontent.com/search?q=cache:

 

So for example, you can view a cached version of the forums through:

https://webcache.googleusercontent.com/search?q=cache:https://forum.gta.world/en/index.php

 

If you want to navigate through the cached website, you can't simply click on the links. You'll need to right click links, copy link address, then paste this at the end of the 'cache:' link. For example, if you want to access a cached version of factions, you do this:

https://webcache.googleusercontent.com/search?q=cache:https://forum.gta.world/en/index.php?/forum/6-factions/

Link to comment

A vast majority of faction topics, feature documents etc. have been recovered. However, we were unable to get the screenshots from the factions section. The root of your page has been saved, however.

 

I have posted the factions; however, complex threads have not been reformatted. I have a hard copy of all images if you need it. PM me on Discord @Mecovy #6666 and I will sort it with you.

 

Edited by Mecovy
Link to comment
  • Nervous unpinned and pinned this topic

It really sucks that such an unnecessary and unprecedented attack on the community has taken place. Take your time guys, better this was done now than next month when the next backup would have been 4 months lost instead of three. That being said, I trust in the community to pool together and quell any frustrations they may have.

Link to comment

To attack a community over x, y and z is pretty sad, regardless of their reasons. Sorry for the loss but it's not something we can't recover from.

 

May the daily reaction limit for posts be increased from 3 to 10 or something? This would be great to get back all the likes for backed up screenshots and posts :)

Edited by Law
Link to comment
  • Rukka locked this topic
  • Canadian unfeatured and unpinned this topic