INTERVIEW FOR CSE 2019 All ForumIAS members selected for CSE 2019 Personality Test must submit their details and DAF and register below to receive further instructions and guidance from ForumIAS. Click here to register now
INTERVIEW 2020 CHANNEL ForumIAS Channel for Interview Preparation is now Active! Please join the channel by clicking here
May I cut in ?? There is something about these techno threads and discussions which is simply irresistible for me.
A website is never hacked using javascript per se. Javascript snippets are used to modify behaviors of webpages and their components in certain ways. It used to happen a lot in the early days of Orkut (before 2007) where profiles were disfigured using scripts. But not anymore.
A website is essentially a computer program written in HTML or some other language (php, xml, python etc.) which is stored on a server. To hack a website you have to hack a server which means gaining access to the some or all of admin rights on a server computer. And then to do some damage you have to modify that program for the worse. So if Forum was indeed hacked (which I highly doubt), some guys gained access to the server and changed some functionalities. Like changing profile thumbnails of many users to a blue power-off button!!
I don't think users of Forum need to do anything on their end. A website cannot install an unauthorized program on user PC. Chrome, Mozilla, Opera, IE etc. have enough features to stop these. There is even no need to run virus scans etc. Viruses are dinosaurs in this era of ransomware and malware. No one writes them anymore.
There is only a minor threat to those who login with their Google or Facebook accounts. Their login information is shared with Forum's servers and this information might be stolen and misused for trolling or spamming. ----------------------------------------------- If anything, this is a wake up call for Forum. It should upgrade its servers. I mean literally. The forum server looks awfully outdated. It couldn't handle the bulk traffic after the prelims and slowed down. Time for a change...
Why I doubt Forum was hacked? (As in "hacked" hacked )
1. If I'm a professional or even a high level ameteur hacker, I would never bother hacking Forum. I mean, what would I gain from it ??? Bunch of guys b/w 25 and 35, discussing stuff which world doesn't care about; no money, no hot girls - someone must be fucking retard to hack such dull stuff. I think it's handiwork of some engineering college students, somewhere in India only, looking for some cheap fun.
2. I didn't use forum yesterday but now you guys say it, I believe that there was some problem. It might have been a denial-of-service attack probably. Sites which invite user content (comments, uploads, feeds) are sweet targets of DoS attacks. And it is technically the easiest attack to carry out. Any good C/C++ programmer can write a decent DoS program.
Why I doubt Forum was hacked? (As in "hacked" hacked )
1. If I'm a professional or even a high level ameteur hacker, I would never bother hacking Forum. I mean, what would I gain from it ??? Bunch of guys b/w 25 and 35, discussing stuff which world doesn't care about; no money, no hot girls - someone must be fucking retard to hack such dull stuff. I think it's handiwork of some engineering college students, somewhere in India only, looking for some cheap fun.
2. I didn't use forum yesterday but now you guys say it, I believe that there was some problem. It might have been a denial-of-service attack probably. Sites which invite user content (comments, uploads, feeds) are sweet targets of DoS attacks. And it is technically the easiest attack to carry out. Any good C/C++ programmer can write a decent DoS program.
Bro, recognize me? I am captain...supermods were deleted, me and dr king were first then root was deleted, then forumias, then neyawn was banned and then all major threads were deleted.... I was not able to login and when ever I was able to, logout was not in my control... forum titles on main discussion page were leading to sufi website.
@Root@ForumIAS@Neyawn : Any updates regarding this hack? @Root@ForumIAS profiles seem to have been deleted. Call your security guy for the next forum meet. We'll love to hear him speak too.
@jack_dawson thank god, finally someone like you from CS background is here.
So this is what happened, A guy posted this alert document cookies and document location wala script on few threads.
So the fear is that, has se stolen php session ids of all those people who have visited that particular page which has that script comment? If yes, what are the measures that we as members without any privilege can take to update our session ids?
@chameli_aunty I'm a mechanical engineer by training. Most of the good ones in world of computers are from non-CS/IT background. It's strange but true. Even Yashwant Kanitkar, of 'Let us C' fame, is a mechanical engineer!! But thanks a lot for asking. I won't brag but I've coded some stuff and won recognition in various college fests during graduation.
I agree that there must have been some unauthorized intrusion in Forum's servers. From what u explained, I can draw following probable conclusions: >> Hackers targeted the hosting server of Forum. They entered from some sort of backdoor (eg. SQL injection or XSS method; I forgot its details) to hosting provider Forum uses e.g. unsecured port, weak web server security management, etc. They got access to main server, elevated their privilege (to root, mod, admin etc.) and changed files stored directly in the hosting server.
>> Sometimes uploaded files, however innocent they may look, could contain a script that when executed on your server completely opens up your website. JPEG files can be big web security risk, even if it’s simply to change their avatar. Most images formats allow storing a comment section which could contain PHP code that could be executed by the server.
>> The said script on the page might have been served from another URL (e.g. the coaching ads Forum hosts) which gets compromised. It doesn't matter how good Forum's site security is if you link it to insecure JavaScript from a third party.
>> Admin username/password or an authenticated cookie of some admin/modmight have been sniffed over an insecure WiFi network. This was used to gain access.
NOTE: I don't know enough to elaborate on the various different ways of implementing the above attacks. I just want to give you a heads up.
## Security 101: Grab your web hosting server provider. Ask for the security control and measurement taken by your hosting provider. Outsource your hosting to a reliable provider who provides professional web security and has a good track record.
## Get a good web firewall service. Web firewall filters out most malicious traffic, so Forum would be kept safe against most SQL injections, DDoS attacks and XSS attacks. If u guys r using using Windows Server OS, switch over to Red Hat server OS. It's free and gives better protection.
## Buy more bandwidth than you you need. It will ward off chillar DoS attacks and also be a big relief to users. The forum bandwidth looks awfully less. It couldn't handle the bulk traffic of a couple of thousand users after the prelims. Put that coaching ad and test-series money to good use.
## Do penetration testing for Forum. There are many free products to assist you with this. They work on a similar basis to scripts hackers use.
## @ All mods, roots etc : Just change your passwords etc. at regular intervals. A tip: Keep core of password same, just change the suffixes every month with say name of month etc.
I reiterate, it's handiwork of some engineering college students/ naive amateurs, somewhere in India only, looking for some cheap fun. They hold a grudge against the civil services perhaps. They won't be able to sell or misuse any of this info they tempered with. Stupid fuckers, what a waste of time.
Finally, there are literally hundreds of things that you need to check to ensure that a website is safe. And no website can be 100% safe. No software was written perfect and there will be always new exploits that needs to be patched.
We are a secret self-moderated community for Civil Services preparation. Feel free to join, start a discussion, answer a question or just to say Thank you.Just dont spread the word ;)Sign in or join with Facebook or Google
ForumIAS is India’s leading Online website for UPSC IAS Exam Online Preparation and guidance. At ForumIAS, we have a dream. Our dream is to make its members achieve their IAS dream. Today thousands of aspirants have joined the elite services such as IAS, IPS, IFS, IRS and other central and state services with the right inputs provided by ForumIAS. Take a look at our IAS Toppers
Free IAS Online Preparation Initiatives by ForumIAS
Current affairs is the most important part of UPSC IAS exam. ForumIAS provides a detailed analysis of important news articles through its 9PM brief. In current affairs reading Editorials Online needs an in-depth focus and hence we provide a separate analysis of daily editorials which is not found in any other website. Click the following link to access these free preparation initiatives in Portal . ForumIAS also provides compilations and Free downloads for UPSC IAS preparation
Knowing is never enough for IAS exam. An IAS aspirant must be engaged in answer writing practice to do well in UPSC IAS Mains Exam. ForumIAS has launched a Mains Marathon initiative for IAS mains Online answer writing. Click here to access UPSC Mains Marathon initiative . For Daily Must Read Newspaper articles, Visit Must Read Newspaper page here. Must Read Newspaper is an Initiative by Team ForumIAS to provide Current Affairs links to the Must Read Articles of The Day from Newspaper.
UPSC Syllabus
The most important part of UPSC IAS exam is its syllabus and there is a need to take an in-depth look at it. Click here to view the UPSC IAS Prelims syllabus. Visit UPSC IAS syllabus page here
UPSC IAS Study Material
ForumIAS is the repository of many toppers’ Online study materials for GS Mains and Optional subjects. The most unique thing about it is that they are handwritten by toppers themselves. Click here for UPSC sample notes
Interview Preparation for IAS
Interview is the last and crucial stage for becoming an IAS officer. How to prepare for it? We provide a solution. ForumIAS is the only online website where quality IAS interview preparations happen. Online Current affairs from an interview perspective are extensively discussed and specific preparation based on candidate’s profile and hobbies can be done. Please visit this link for UPSC Interview Preparation
At ForumIAS we have an exclusive Online page to read the UPSC Interview Transcripts
Indian Forest Service (IFoS)
IFoS is one of the most sought after All India Service. ForumIAS provides the right approach to excel in this exam through their toppers who have shared their success mantras and their study materials in an elaborate manner.
About Indian Administrative Service (IAS)
IAS is considered as one of the best jobs on earth. IAS officers hold the most important positions in Central and State Governments and in Public Sector Undertakings (PSUs). They also represent India in international organizations. They take the most important decisions in the administration of Government policies and development programs.
About Indian Police Service (IPS)
IPS officers occupy higher positions in the State Police Departments, Central Armed Police Forces and Intelligence Agencies. Their most important responsibilities are maintenance of Law and Order and internal security.
About Indian Foreign Service (IFS)
IFS officers serve as diplomats in international missions and embassies of India around the world and in prominent international organizations like United Nations (UN), World Bank, and IMF. They work to promote India’s interests from a bilateral and a global perspective.
The Study portal is a single point of online IAS preparation through its several initiatives like the Must Read News Articles, the 9 PM Brief, the Mains Marathon. If you are preparing for IAS exam online, ForumIAS is the place to go. ForumIAS is proud of ForumIAS Alumni in UPSC Service who have secured top Ranks in past 5 years.
Visit Us At
ForumIAS - Offline Guidance Centre
ForumIAS Academy, 1st Floor, IAPL House, 19, Pusa Road, Opposite Metro Pillar 95-96, Karol Bagh, New Delhi-110005,
View Google Map Location
Comments
A website is never hacked using javascript per se. Javascript snippets are used to modify behaviors of webpages and their components in certain ways. It used to happen a lot in the early days of Orkut (before 2007) where profiles were disfigured using scripts. But not anymore.
A website is essentially a computer program written in HTML or some other language (php, xml, python etc.) which is stored on a server. To hack a website you have to hack a server which means gaining access to the some or all of admin rights on a server computer. And then to do some damage you have to modify that program for the worse. So if Forum was indeed hacked (which I highly doubt), some guys gained access to the server and changed some functionalities. Like changing profile thumbnails of many users to a blue power-off button!!
I don't think users of Forum need to do anything on their end. A website cannot install an unauthorized program on user PC. Chrome, Mozilla, Opera, IE etc. have enough features to stop these. There is even no need to run virus scans etc. Viruses are dinosaurs in this era of ransomware and malware. No one writes them anymore.
There is only a minor threat to those who login with their Google or Facebook accounts. Their login information is shared with Forum's servers and this information might be stolen and misused for trolling or spamming.
-----------------------------------------------
If anything, this is a wake up call for Forum. It should upgrade its servers. I mean literally. The forum server looks awfully outdated. It couldn't handle the bulk traffic after the prelims and slowed down. Time for a change...
1. If I'm a professional or even a high level ameteur hacker, I would never bother hacking Forum. I mean, what would I gain from it ??? Bunch of guys b/w 25 and 35, discussing stuff which world doesn't care about; no money, no hot girls - someone must be fucking retard to hack such dull stuff. I think it's handiwork of some engineering college students, somewhere in India only, looking for some cheap fun.
2. I didn't use forum yesterday but now you guys say it, I believe that there was some problem. It might have been a denial-of-service attack probably. Sites which invite user content (comments, uploads, feeds) are sweet targets of DoS attacks. And it is technically the easiest attack to carry out. Any good C/C++ programmer can write a decent DoS program.
So this is what happened,
A guy posted this alert document cookies and document location wala script on few threads.
So the fear is that, has se stolen php session ids of all those people who have visited that particular page which has that script comment?
If yes, what are the measures that we as members without any privilege can take to update our session ids?
I agree that there must have been some unauthorized intrusion in Forum's servers. From what u explained, I can draw following probable conclusions:
>> Hackers targeted the hosting server of Forum. They entered from some sort of backdoor (eg. SQL injection or XSS method; I forgot its details) to hosting provider Forum uses e.g. unsecured port, weak web server security management, etc. They got access to main server, elevated their privilege (to root, mod, admin etc.) and changed files stored directly in the hosting server.
>> Sometimes uploaded files, however innocent they may look, could contain a script that when executed on your server completely opens up your website. JPEG files can be big web security risk, even if it’s simply to change their avatar. Most images formats allow storing a comment section which could contain PHP code that could be executed by the server.
>> The said script on the page might have been served from another URL (e.g. the coaching ads Forum hosts) which gets compromised. It doesn't matter how good Forum's site security is if you link it to insecure JavaScript from a third party.
>> Admin username/password or an authenticated cookie of some admin/modmight have been sniffed over an insecure WiFi network. This was used to gain access.
NOTE: I don't know enough to elaborate on the various different ways of implementing the above attacks. I just want to give you a heads up.
## Security 101: Grab your web hosting server provider. Ask for the security control and measurement taken by your hosting provider. Outsource your hosting to a reliable provider who provides professional web security and has a good track record.
## Get a good web firewall service. Web firewall filters out most malicious traffic, so Forum would be kept safe against most SQL injections, DDoS attacks and XSS attacks. If u guys r using using Windows Server OS, switch over to Red Hat server OS. It's free and gives better protection.
## Buy more bandwidth than you you need. It will ward off chillar DoS attacks and also be a big relief to users. The forum bandwidth looks awfully less. It couldn't handle the bulk traffic of a couple of thousand users after the prelims. Put that coaching ad and test-series money to good use.
## Do penetration testing for Forum. There are many free products to assist you with this. They work on a similar basis to scripts hackers use.
## @ All mods, roots etc : Just change your passwords etc. at regular intervals. A tip: Keep core of password same, just change the suffixes every month with say name of month etc.
I reiterate, it's handiwork of some engineering college students/ naive amateurs, somewhere in India only, looking for some cheap fun. They hold a grudge against the civil services perhaps. They won't be able to sell or misuse any of this info they tempered with. Stupid fuckers, what a waste of time.
Finally, there are literally hundreds of things that you need to check to ensure that a website is safe. And no website can be 100% safe. No software was written perfect and there will be always new exploits that needs to be patched.