We got hacked :-/

Official support for: u-he.com
RELATED
PRODUCTS

Post

Some of u-he's sites were hacked by some clever idiot with what appears to be an exploit for an old PhpBB tonight.

I got most of it back up and running, but Uhniverse, Vst Source Code Archive, Caugui and Scripting will be gone forever. No problem with Uhniverse, because the new website will be up in a week or so. The other stuff was rarely frequented, so not too much a big deal. (They even defaced a testing site for the new stuff, but didn't find the actual construction area)

It would be great if someone could check if the downloads and all are working and virus- free. Logfiles indicate no serious harm, but better be cautious.

I'm just too knackered after sorting things... need sleep.

Thanks,

Urs
Last edited by Urs on Mon Jun 13, 2011 1:00 pm, edited 1 time in total.

Post

@Brian - ftp accounts will be back next week.

@Betateam - will send email when we're back up!
Last edited by Urs on Sun Jun 05, 2011 8:04 am, edited 1 time in total.

Post

This machine is fairly well armored. I'll give it a shot [edit: Windows versions; I can't virus-scan Mac stuff, only have a very old Mac] and let you know what happens. Very sorry to hear this.
Last edited by Meffy on Sat Jun 04, 2011 10:54 pm, edited 1 time in total.

Post

Damn, really sorry to hear that. May the culprits' nuts fall off, their crops go stale and their tongues cleave to the roof of their mouth.

Post

ariston wrote:Damn, really sorry to hear that. May the culprits' nuts fall off, their crops go stale and their tongues cleave to the roof of their mouth.
What they didn't know is that we have friends who speak their language. We actually have friends who live in their country :hihi:

Post

I downloaded these files:
Zebra25Winstaller.zip
ACE_1_0_Win.zip
Uhbik11Win.zip
MFM201Win.zip
FilterscapeVSTWin1.1.zip
FilterscapeManual.zip
FSVA_eco_vst.zip

Microsoft Security Essentials scan with the latest malware definitions finds nothing suspicious. Same with Spybot Search and Destroy, also with the latest definitions and whatnot.

Oops, I missed that the image for Triple Cheese was a link (the name isn't). Downloaded and tested, also no thread found in either scanner.

Post

Urs, I suggest MD5 checksumming all your binaries against copies on your PC, would probably be the easiest way to determine with certainty that nothing has been tampered with.

Something like this will work on the server:

Code: Select all

find . -name "*.zip" | xargs md5sum
Good luck mate :)
Last edited by fgimian on Sun Jun 05, 2011 12:30 am, edited 1 time in total.

Post

Good thought, that. Fortunately I haven't deleted the downloads yet. Here are their MD5 checksums:

Code: Select all

16f4ffba9e8fba5fffd2dba3872ebbb6 *Zebra25Winstaller.zip
83cc0a6b24786de83a4ca16b77dfcf83 *ACE_1_0_Win.zip
e34ba037292ee07b9d151e4c30b71653 *Uhbik11Win.zip
a94b9aa33b12cb291678359b4dfbb2be *MFM201Win.zip
f8896f73cc522d8e09bb4385bcdd29e9 *FilterscapeVSTWin1.1.zip
6e338e78fdca991a18e687ea2bda6733 *FilterscapeManual.zip
cca5c775c56d54b975038f2bda5b1228 *FSVA_eco_vst.zip
706880d2ac71d0506454f25f496bcf92 *TripleCheeseWin.zip

Post

I'm pretty sure we're fine. They guy just collects defaced websites as trophys. He wouldn't dare anything more serious because his address is easily traced. You'd wonder why he even bothers to launch his attacks from different ip addresses when you can simply google his website and get a proper Whois. Call it FAIL I guess.

Goes to show though. Forgot to update one phpBB to 3.0.8 (or so) and *plop* there they go. The future website will have only 1 phpBB, and it'll be up to date at any time.

I'll try to check the checksums anyway. Tomorrow.

Thanks,

Urs

Post

Thanks Meffy :)

I can at least confirm the 2 products I own which I downloaded a long time ago:

Code: Select all

e34ba037292ee07b9d151e4c30b71653 *u-he Uhbik 1.1/Uhbik11Win.zip
16f4ffba9e8fba5fffd2dba3872ebbb6 *u-he Zebra 2.5/Zebra25Winstaller.zip
Unfortunately I never downloaded all the other binaries in the past :(

Another idea is to check if any file has recently been modified on your server (especially PHP scripts .etc)

Code: Select all

find . -type f -mtime -5
This will show you all files that have been modified in the last five days.

Post

Sorry to hear about the hacking thing.
Makes me wanna learn how to protect against such things from happening.
I'm in the process of building a website now, and I'm contemplating getting the extra security features, which add a lot to the cost...unfortunately.

Post

Urs wrote:@Brian - ftp accounts will be back next week.
Yep, verified I can't login to the PatchLib. Let me know when it's back up. Feel free to send me a new password and I'll use that too.

Post

So after checking it out a bit further it seems they installed a little script that would let them replace index.html files with their "modified" version. It doesn't seem like they had any other intentions. Just collecting defacement trophys :roll:

Post

Urs wrote:I'm pretty sure we're fine. They guy just collects defaced websites as trophys. He wouldn't dare anything more serious because his address is easily traced. You'd wonder why he even bothers to launch his attacks from different ip addresses when you can simply google his website and get a proper Whois. Call it FAIL I guess.
Go on WHOIS it then? Might as well out the twat - he doesn't deserve protection

Post

aMUSEd wrote:Go on WHOIS it then? Might as well out the twat - he doesn't deserve protection
The guys have a radical and obviously antisemitic background. Just outing them might not be the right answer. I need to sleep over this, and I first need to sit down with a person who speaks their language and see what they are about.

Post Reply

Return to “u-he”