MetaChat

24 January 2009

Looks like MeFi has been hacked

You can read about it in MetaTalk while it is still up, but I wouldn't visit for now unless you are sure your browser setup is secure. This is a sad day.
Yah, what's going on, I wonder?? Do you know the motivations behind something like this? Should I really avoid the site? I know nothing about no 'puters.
posted by Stewriffic 24 January | 09:49
Will the mods post here when it's safe to go back in the water? Or is there someplace else to look for mefi news?
posted by AcornCup 24 January | 09:51
Well, there's the Metafilter Status Blog...
posted by Stewriffic 24 January | 09:52
I would avoid visiting.

I bet *someone* will post here even if it's not a mod. There is the infrequently updated status.metafilter.com page. I would expect the admins to update it if they take the site down for a while.

Stewriffic, there's a number of reasons why people do stuff like this. But it usually boils down to either fun, or profit.
posted by grouse 24 January | 09:54
OK, I'll leave there then for now. Thanks.
posted by Stewriffic 24 January | 09:54
Yes, stay away. (Unclean! Unclean!)

It may just be coincidence, but my Norton 2009 Security was nowhere to be found right after I started poking around people's profile pages. I mean, GONE, except for a few stray folders in Program Files. I've successfully reinstalled it, and a quick tour and quick scan show no sign of any infestation, but I'm running a full scan now.

Of course, Norton has mysteriously disappeared on me twice in the past few months, so I'll be looking for other ways to protect my machine from now on. I think monthly nuking from orbit sounds pretty good.
posted by maudlin 24 January | 10:01
I have a mac, and so I have a perhaps false sense of security... Am I fucked?
posted by Stewriffic 24 January | 10:03
firefox, fwiw.
posted by Stewriffic 24 January | 10:13
I've been on it all morning...mac too. :/
posted by typewriter 24 January | 10:23
cortex is up and commented. (I can't stay away. Bad Stew.)
posted by Stewriffic 24 January | 10:26
And what did cortex say?
posted by maudlin 24 January | 10:28
"Oh Fiddly Fuck" I believe.
posted by Stewriffic 24 January | 10:29
Actually:
Great fiddly fuck. Good morning.
posted by cortex at 10:23 AM on January 24 [1 favorite -] [!]

vacapinta: Also, I noticed maybe an hour and a half or so ago that the site was strangely unresponsive. That could be when the attack was being executed.

It was at about 2pm UK time that I noticed it.
posted by vacapinta at 10:25 AM on January 24 [+] [!]
posted by Stewriffic 24 January | 10:30
Great fiddly fuck is such an appropriate, awesome response.
posted by typewriter 24 January | 10:36
Idn't it, though?
posted by Stewriffic 24 January | 10:39
I just woke pb up. Man this looks like bad news.
posted by cortex at 10:37 AM on January 24 [+] [!]
posted by Stewriffic 24 January | 10:40
I have a mac, and so I have a perhaps false sense of security was noodling around AskMe for an hour this morning... Am I fucked?

Stewriffic, I'm keeping an eye out for the answer, too. Yikes.
posted by Elsa 24 January | 10:40
Oh dear. Oh deary dear.
posted by Specklet 24 January | 10:41
Oh dear. I hope this can be easily fixed.
posted by ThePinkSuperhero 24 January | 10:44
TPS, I'm sorry to say your profile is no longer pink.
posted by Stewriffic 24 January | 10:45
Maaaaan, just when I have some free time to solve all the world's problems on AskMe THIS happens.

Now what am I going to do? (please don't say clean the fridge, please don't say clean the disgusting fridge)
posted by saucysault 24 January | 10:46
And looking at your profile was one of the first things I did, for some reason.

Go clean the fridge, saucy.
posted by Stewriffic 24 January | 10:46

I just shut down profile pages, assessing the damage now.
posted by pb at 10:48 AM on January 24 [+] [!]


Googling suggests it's not just us, at least.
posted by cortex at 10:49 AM on January 24 [+] [!]
posted by Stewriffic 24 January | 10:51
I noticed this morning that the "posted by..." line in MeFi had small fonts while in MeTa and AskMe the characters were large. Obviously related to the profile hack.
posted by ericb 24 January | 10:53
Firefox can't establish a connection to the server at metatalk.metafilter.com.

Looks like the site's been taken down, y'all.
posted by Stewriffic 24 January | 11:02
Maybe someone will give me back my pink page...
posted by ThePinkSuperhero 24 January | 11:05
"MetaFilter is having a massage?" They're going to need more than a massage this time. More like an enema.
posted by grouse 24 January | 11:06
I'm still getting in. Anyone know what this hack does? I was using mefi this morning when it seemed to go unresponsive... Wondering if I should worry...
posted by DarkForest 24 January | 11:07
I had the MeTa thread discussing this open in my browser, and when I refreshed, instead of reloading it took me to ... some thread about Microsoft, from 2002. Great googly moogly.
posted by kat allison 24 January | 11:12
DarkForest, I am not at all a computer gal, but it seems like many of the fields in the profile pages were set to go to a particular website. Said website is purported to then install malware.
posted by Stewriffic 24 January | 11:13
Direct deep links work but the down page is rewriting everything to www.metafilter.com/whatever so if you follow a MeTa link you'll get the MeFi thread of the same number.

Cortex is aware of it.
posted by skorgu 24 January | 11:13
Motherfucking fucking mothers. I LIKE THE INTERNET IT IS FUN.

We're working on it; probably need to roll back to last backup before the attack, which hopefully won't be too far. Need to nail down the actual attack vector first and close that up, though, for which I am essentially a useless jester dancing in the background. Hi!
posted by cortex 24 January | 11:13
From the status.metafilter.com page:

"It looks like some old pages were open to some drive-by sql injection scripts and some joker stuffed a bunch of crappy javascript into older posts on vulnerable subsites. We're rolling back to our latest backup and patching the old pages, so we should have this fixed up in the next few hours."
posted by kat allison 24 January | 11:14
Also somewhat of an UNOFFICIAL recap: somehow javascript code was injected into various fields of the mefi profile pages. This code tries to load various types of malware via some hacked servers and invisible iframes. If you browsed MeFi in the last few hours on IE or an old version of Firefox, get your system scanned to be careful.

Portions of profiles and projects at least have been truncated and overwritten.

Install NoScript if you want to be protected from this in the future.
posted by skorgu 24 January | 11:15
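
The recap above describes script and invisible-iframe markup written into stored profile fields, some of them truncated. As an added example (not part of the thread and not MetaFilter's code), this is one way a cleanup pass could flag affected rows after such an injection; the table and column names, the `.example` hosts and the sample rows are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Start of a script/iframe tag, matched even when the stored value ends
# before the tag is closed (the recap mentions truncated fields).
TAG_START = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)

def _is_hidden(attrs):
    """True for zero/one-pixel or CSS-hidden frames."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class _ActiveContentFinder(HTMLParser):
    """Records every <script>/<iframe> start tag as (tag, src_host, hidden)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = {k: (v or "") for k, v in attrs}
            host = urlparse(a.get("src", "")).hostname or ""
            self.findings.append((tag, host, tag == "iframe" and _is_hidden(a)))

def scan_field(value):
    """Return findings for one stored text value; [] means it looks clean."""
    finder = _ActiveContentFinder()
    finder.feed(value)
    finder.close()
    if not finder.findings and TAG_START.search(value):
        # The parser saw no complete tag, but the markup is there: cut off.
        return [("malformed", "", False)]
    return finder.findings

def scan_rows(rows):
    """rows: (table, row_id, column, value) tuples. Returns the flagged ones."""
    hits = []
    for table, row_id, column, value in rows:
        findings = scan_field(value)
        if findings:
            hits.append((table, row_id, column, findings))
    return hits

# Constructed sample data standing in for a dump of user-editable columns.
SAMPLE_ROWS = [
    ("users", 1, "homepage", "http://www.example.org/~me"),
    ("users", 2, "bio", 'Cat person.<script src="http://bad.example/0.js"></script>'),
    ("users", 3, "bio", 'Hello<iframe src="http://bad.example/in.html" width="0" height="0"></iframe>'),
    ("projects", 7, "description", 'My project<script src="http://bad.exa'),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```

Rows flagged this way are the ones to compare against the last clean backup; the scan only finds the markup and does not say how it got there.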
Good Morning, cortex. If I could, I'd send you coffee/tea/hot chocolate and a donut.
posted by Stewriffic 24 January | 11:16
My Firefox info:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5

Is that OK?
posted by Stewriffic 24 January | 11:17
fwiw, accounts should be just fine. Matt's getting a status blog entry up, I believe.
posted by cortex 24 January | 11:17
Anyone know what this hack does?

We know what the hack does in an immediate sense, but not quite sure what it does in a more in-depth sense. I.e. we know that it wrote some malicious code to the database (overwriting some stuff in the process), but without some poking around, we won't know the exact effects of that code. My guess is that it's a recruitment tool for a botnet.

If you looked at Mefi on a Windows machine (particularly XP) in the last 3 hours, and you weren't running an antivirus or a Firefox/NoScript combo, it's probably advisable to head over to www.eset.com, grab the trial version of Nod32, and do a deep system scan.
posted by milquetoast 24 January | 11:17
I type slowly because my hands are cold.
posted by milquetoast 24 January | 11:18
Thanks, Stew. My wife heard me cursing and had me coffee and toast-with-jam in like zero seconds flat. <3 wife.
posted by cortex 24 January | 11:22
some old pages were open to some drive-by sql injection scripts

From what I have been able to gather*, it was TPS' grandfathered custom profile page that fucked everything up. So sorry, my sister, but no more pink for you. And you should feel bad for allowing your vanity and hubris to ruin MetaFilter for all of us, forever.

*I have no idea what I am talking about.
posted by Meatbomb 24 January | 11:22
It looks like what the hack is supposed to do is replace various fields with a quick script forward to a compromised site that chains on forward eventually to some malicious download crap if you're using a browser that doesn't stop and say WHOA WHAT THE FUCK PARTNER on the way.

It also looks like, for all the damage it did, the hack did a really poor job of actually creating functioning links that'd start someone down that road toward badness. In most places instead of a proper hyperlink-to-hell it just created an ugly fucking mess.

That is both a relief and also kind of insulting.
posted by cortex 24 January | 11:25
lol!
posted by ThePinkSuperhero 24 January | 11:28
WHAT THE FUCK OBAMA, GEORGE BUSH KEPT US SAFE!
posted by Brandon Blatcher 24 January | 11:38
cortex, you're like Kevin Bacon at the end of Animal House: "Remain calm! ALL IS WELL!"

Thank you for updates and info!
posted by steef 24 January | 11:47
This is fucking up my worldview people, I am NOT down with this. Metafilter doesn't get massages, metafilter fights crime and slays trolls and overthinks beans and administers cockpunches to all those in need. Metafilter stands for all that is good, decent and atheistically righteous in the world today. We stand on the cusp of societal awareness of circumcision, cat declawing and mushrooms. This cannot be happening. Where is jessamyn? Have we heard from her yet?
posted by msali 24 January | 11:48
It's not noon yet in Vermont, and Saturday; Jess may still be asleep. Which is just as well, since she probably can't do anything more about this than I can. We're pretty much stuck sitting on our hands until pb and Matt manage to lock shit down.
posted by cortex 24 January | 11:50
she's probably asleep. she's been sick.
posted by terrapin 24 January | 11:50
When I saw the weird bar under the askme questions I thought it was a new feature to show thread length visually. Which makes no sense. I guess there will be an upswing of people on Mecha today, huh?

Something bit me in my fridge so I am back to more friendly appliances like the computer.
posted by saucysault 24 January | 11:57
My sister was once bitten by a fridge.
posted by maudlin 24 January | 11:58
jessamyn has been hacked too? Run cortex, RUN!
posted by Brandon Blatcher 24 January | 11:59
A Twitter search reveals that people are posting about this, including this short analysis of the exploit's effects.
posted by grouse 24 January | 12:00
People suck. Not you guys. Y'all are awesome. But I think the Mefi Detective Squad should activate, find who did this, and drown them in a plate of beans.
posted by rtha 24 January | 12:27
I'd love to find out who did it, but the odds are this is an anonymous driveby by foreign script kids that wasn't specifically targeted at mefi. Tracking them down may be very difficult.
posted by cortex 24 January | 12:30
[quickly deletes profile name "AnonymousDriveby."]
posted by JanetLand 24 January | 12:56
Man, I sure hope it doesn't replace my history of thoughtful, well-reasoned, and grammatically correct comments with a bunch of stupid jokes and typo-laden snark. Because that would be terrible. In fact, it may have already happened!
posted by stet 24 January | 12:58
See this is why you surf with javascript turned off and why you don't allow browser redirects.
posted by arse_hat 24 January | 12:58
Uh wow, I saw this today on my profile page but assumed it was me. Did a scan just in case before I came over here to looksee.

Good luck, guys.
posted by goodnewsfortheinsane 24 January | 13:07
It took only minutes, the destruction of the 6 Colonies. The Blue, The Green, The Grey, Black and Brown and White. All gone. 38,700 survivors ..looking for a Home.
posted by The Whelk 24 January | 13:49
[Elsa does an anonymous drive-by for Mattpbexamyn with two dozen doughnuts and a thermos o' coffee. Thanks and good luck, guys!]
posted by Elsa 24 January | 13:52
Just for shits 'n' giggles I tried to access my Aww Rats AskMe question and got this:

Error: File not found

Looks like you've asked for a file that doesn't exist, try out the search below to find what you are looking for, which searches across all the MetaFilter sites.

*hugs Firefox and NoScript*
posted by deborah 24 January | 13:57
It took only minutes, the destruction of the 6 Colonies. The Blue, The Green, The Grey, Black and Brown and White. All gone.

Don't forget the pink.

TPS, I'm sorry to say your profile is no longer pink.
posted by Stewriffic 24 January | 10:45

That's the hardest loss of all.

My eyes thank you, hackers.
posted by essexjan 24 January | 14:59
:(
posted by ThePinkSuperhero 24 January | 15:30
If anyone wants to poke at the bees nest, here is a defanged code snippet that just prints out the URL that your browser would IFRAME on 51yes.com. I also redacted all the cookie functions which for the query it makes just means a 0 counter is returned as on a first visit. It's another ASP on the same domain. If you just load the .aspx you'll get an ASP error. If you use the well-formed query you get a 0-length HTTP OK, even when I tried to present as an IE 6.0 I assumed they might be able to exploit, so I don't know what's up with that.

http://www.bolbycom.net/51yestest.js

INTERNET DETECTIVE WORK GO.
posted by TheOnlyCoolTim 24 January | 16:21
By the way, civil rights : terrorism :: images : hax.
posted by TheOnlyCoolTim 24 January | 16:23
THiS iS wHUT haPPeNs WhEN U fUck wITh PreTTy FLoWerS! VIVA RUSTY BOTTOMS!
posted by ROU Xenophobe 24 January | 17:22
"What have you done today?"

been looking up my old mate's art (yeh, semi selflink and all)

http://www.debutart.com/artist/sarah-howell
posted by UbuRoivas 24 January | 18:11
I clicked on all the dodgy links this morning, thank the dog for Linux and Opera! I hope Metafilter is enjoying its massage, and comes out refreshed (and not delirious) after.
posted by goo 24 January | 18:12
Grr. Chick flick over. Now what?

Also, Sandra Bullock never gets to wear nice clothes in the movies. Why???
posted by brina 24 January | 19:02
I went looking for houses to buy. Found a really really cute one, too!
posted by Stewriffic 24 January | 19:07
There's a second status update now. "It could be a long weekend." OH NOES!
posted by grouse 24 January | 19:32
crap. I don't think I ever realized how much time I'm on that site until now.
posted by Stewriffic 24 January | 19:34
Geez I go to install kitchen cabinets all day and look what I miss. Should I be worried about anything?

and cool on the possible house find, stew
posted by chewatadistance 24 January | 19:42
yah, gotta figure out how i feel about the neighborhood. though if they've taken the photos down from the listing i emailed you, well, maybe it got sold out from under me.
posted by Stewriffic 24 January | 19:50
welp, I was actually offline and productive all day, and then I come back to THIS. What the hell, people? I guess I'll have to spend time with my husband.
posted by desjardins 24 January | 20:44
I guess it's a good thing that I closed my MeFi account last week then. What good timing!
posted by eekacat 24 January | 21:57
Doh, I just clicked on an already open metafilter tab and thought it was back up, until I clicked 'recent activity'.

Then I was sad again.

Oh well, Saturday night, off to get drunk then.
posted by empath 24 January | 21:58
*reads google cache version*
posted by UbuRoivas 24 January | 23:32
I too have been reading Google cache of old AskMes today.
posted by grouse 24 January | 23:48
WHAT THE FUCK OBAMA, GEORGE BUSH KEPT US SAFE!


Looks like George got his computer back. He's got lots of free time now...
posted by lysdexic 25 January | 00:52
update (10:01pm Pacific): We've brought back the main MetaFilter site and Ask MetaFilter. MetaTalk and the rest of the subsites will likely be back online sometime Sunday.

mathowie has his priorities backwards - I need my MetaTalk!
posted by deborah 25 January | 01:07
Yeah, we need MetaTalk now more than ever.
posted by grouse 25 January | 01:09
Yippeee!
posted by saucysault 25 January | 01:18
IT'S ALIVE!


(Kinda)
posted by The Whelk 25 January | 01:42
It's alive.

Um... Not for me.

I just got this error, and can't get to the page to notify the mods:

The request has exceeded the allowable time limit Tag: CFQUERY
The error occurred on line 207.

* Current Page: http://www.metafilter.com/
* Referring Page:
* Date and Time: Sun Jan 25 00:18:53 PST 2009
* Your Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

posted by marsha56 25 January | 03:39
I'm not having a problem accessing the main site, or ask - but I'm not surprised that there are hiccups.

Funny, though... I thought it would be swamped with comments once it came back up, and it's pretty quiet. I guess because it's sleepy time in the U.S.
posted by taz 25 January | 04:49
It's back. Oh God, my eyes.
posted by essexjan 25 January | 05:51
The pink page is back too. It hurts my eyes, but its reappearance is strangely reassuring.
posted by caddis 25 January | 08:49
It seems that the glare from that page temporarily blinded me to essexjan's comment.
posted by caddis 25 January | 08:52
I guess we know who Matt likes best :D
posted by ThePinkSuperhero 25 January | 08:54
Yeah, site will continue to be bumpy; the security fixes unfortunately make queries more resource-hungry, and it seems like that may be leading to unresponsiveness still. Probably be a few days before we're back to 100%, but at least the blue and the green should be up from now on.
posted by cortex 25 January | 11:01
*kisses pb and cortex*
posted by Melismata 25 January | 17:14
I. Need. My. MeTa.


argh.
posted by Cunning Linguist 25 January | 19:33