
View Full Version : Inappropriate Spam Private Messages


Brandon Martus
18-07-2008, 02:28
On behalf of chiefdelphi.com, I want to apologize for the vulgar private messages that were sent out to many of you Thursday evening. The forums were attacked, and some accounts were taken advantage of, and used to send out the inappropriate spam. I was unable to get to a computer, and the moderators wouldn't have been able to handle the massive attack that was going on. (2-3 requests per second, on multiple accounts, creating literally thousands of private messages)

The attack all came from one IP address, so I have banned that IP from the whole site. This should slow things down for now. Once I get back from IRI I will go through and fix an issue that may have prevented this.

How can you prevent this from happening? Don't have your username and password set to the same value. Go change your password now. Go change it regularly. Make it secure (letters, numbers, symbols, lowercase, uppercase, etc.).

I have gone through and removed the few thousand private messages (just the text) from the system. You may still see them listed in your inbox -- the body of the message will no longer show. Unfortunately, during this process some newer (thursday evening) private messages that weren't part of this attack may have been lost. If you sent a message Thursday night via PM, you may want to re-send it, just to be sure.

Again, sorry for the inappropriate content. There are measures in place to prevent this type of thing, but some always will slip through. Unfortunately this happened at a time when it couldn't be dealt with fast enough.

Let me know if you still have any issues with private messages, and I will try to fix them asap.

Steve W
18-07-2008, 06:21
Thanks Brandon for fixing as quickly as you did. Unfortunately there are as many people trying to tear things down as make them better. We will always have attacks here but your great diligence has made CD the best website on the web. Thanks again for all you do.

Tom Line
18-07-2008, 07:51
Yep, thanks!

On another note, I now have 1 unread mail in my box from 1969 (no, that's not a typo) which I can't read or get rid of. That permanent "1 unread mail" is going to drive me batty. :D

Daniel_LaFleur
18-07-2008, 07:56
Yep, thanks!

On another note, I now have 1 unread mail in my box from 1969 (no, that's not a typo) which I can't read or get rid of. That permanent "1 unread mail" is going to drive me batty. :D

Click the checkbox next to the message.

Then at the bottom of the page next to 'selected message' use the dropdown box to select 'delete' and press OK.

:)

Robyn Needel
18-07-2008, 08:48
Thanks Brandon for addressing this so quickly, especially when you had so many other things going on. It is a testament to your computer prowess that the website is as secure as it is. It's just too bad that the occasional hacker makes their way in to such a great website and tries to ruin such a good thing.


Enjoy IRI!

Robyn

Lawry Goldstein
18-07-2008, 09:12
Impressive speed for the size of the attack. At least it is all done with now.

ahecht
18-07-2008, 10:07
Brandon, do you have any way to reset the passwords of users that are using their username as their password? Most of the users involved had 0 or 1 posts and aren't likely to log in any time soon to see this message.

artdutra04
18-07-2008, 10:10
Thanks Brandon for clearing that up quickly.

Also, always choose very secure passwords. It would be even better to use different passwords for every service you use (computer, email, IM, Facebook, etc), so that if one account is compromised they cannot use the same password to get into every account you have.

Yep, thanks!

On another note, I now have 1 unread mail in my box from 1969 (no, that's not a typo) which I can't read or get rid of. That permanent "1 unread mail" is going to drive me batty. :D

On a related note, is there any way to reset the unread messages function back to zero if the message was deleted? Mine still shows an unread message...

vivek16
18-07-2008, 10:15
Thanks Brandon for clearing that up quickly.

Also, always choose very secure passwords. It would be even better to use different passwords for every service you use (computer, email, IM, Facebook, etc), so that if one account is compromised they cannot use the same password to get into every account you have.

On a related note, is there any way to reset the unread messages function back to zero if the message was deleted? Mine still shows an unread message...

May I recommend an alphanumeric randomizer program? There are plenty for free online. It might seem like a bit much to remember for all the accounts but you get used to it.

Yes, that 1 unread message is going to drive me mad.

-Vivek

MrForbes
18-07-2008, 10:45
A password isn't any use if other people can figure it out easily, but it also isn't any use if you can't remember it.

Blue_Mist
18-07-2008, 10:47
Mine are completely gone as of Friday morning. Thank you very much for getting rid of the spam so quickly! Just another happy CDer knowing that Chief Delphi is the best site out there...:)

Brandon Martus
18-07-2008, 11:11
When I get back from IRI, I will be notifying those users with the same username/password that their password will be reset for them. I will also be upgrading the forums to the latest version, in the off chance that this was a vulnerability being exploited in our version of the software.

I have 2 unread PMs that I can't see in my inbox somewhere .. so I will go through and repair the PM listings when I get back home from IRI. Doing the quick fix that I did last night wasn't a complete fix .. just enough to get the inappropriate material out of peoples inboxes.

basicxman
18-07-2008, 11:45
all part of web development and administration, always protecting your site against SQL injection, XSS attacks, etc....

Daniel_LaFleur
18-07-2008, 13:07
On a related note, is there any way to reset the unread messages function back to zero if the message was deleted? Mine still shows an unread message...

I thought I had the same until I looked on the last page of my inbox. It was there, without a title, with a date sent sometime in 1969 :p

I suggest people look there to see if you can delete it.

Jay H 237
18-07-2008, 19:31
I'm so glad I just saw this thread, I was about to contact Brandon and ask why it says in BOLD that I have 1 unread private message that once I click to access the PMs there's nothing there, not even just a heading or even a hint of a PM, just the last PM I got 2 weeks ago (that I already read and responded to).

I thought I broke something! :p

Cynette
18-07-2008, 20:14
I thought I had the same until I looked on the last page of my inbox. It was there, without a title, with a date sent sometime in 1969 :p

I suggest people look there to see if you can delete it.

This worked for me too! Go to the very end of your inbox and see if there is a message there. No subject and was dated 12/31/1969. I deleted it and the 1 unread message disappeared!

whytheheckme
18-07-2008, 20:21
This worked for me too! Go to the very end of your inbox and see if there is a message there. No subject and was dated 12/31/1969. I deleted it and the 1 unread message disappeared!

I, on the other hand, marked them as read, just for the nostalgic feel of having PMs from 1969. I bet that very few people will ever have this :p


Jacob

Dan Zollman
18-07-2008, 22:14
Thanks!

DonRotolo
18-07-2008, 22:20
D'oh, I already did post in another thread about that 1 unread message - I'll be deleting that momentarily.

Anyway, regarding passwords and security, I posted a whitepaper (http://www.chiefdelphi.com/media/papers/2009) on the topic which I think is worth reading.

Don

Brandon Martus
21-07-2008, 10:21
An update: after some research, this was not a vBulletin exploit. No data was compromised, or hacked. There are multiple other forums experiencing the same PM spam, all reporting that the accounts being compromised had username==password.

I will be resetting passwords on anybody who has username==password, to prevent this from happening in the future. vBulletin will most likely prevent people from setting username==password in future versions, it looks like, as well.

I still have to clean up inboxes -- mine has 2 unread, missing PMs.

EDIT: 117 passwords reset .. and it will perform this reset automatically, every night without notice to prevent future attacks.

EDIT: The private messages should be cleaned up now. Let me know if you still have weird things happening in your PM inbox.
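The nightly username==password reset Brandon mentions has to work against stored hashes, not plaintext, so the check is "does this user's own name verify against their hash?". The following is an added example for this page, not ChiefDelphi's or vBulletin's script. It assumes passwords are stored in the vBulletin 3 form md5(md5(password) + salt) with the per-user salt beside the hash, and runs over constructed user rows.

```python
"""Find accounts whose password is their own username and reset them.

Added example for this page, not ChiefDelphi's or vBulletin's script. It
assumes the vBulletin 3 storage scheme md5(md5(password) + salt) with the
per-user salt stored next to the hash; the user rows below are constructed.
"""
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits


def vb3_hash(password, salt):
    """vBulletin 3 style: md5 of the plaintext, then md5 of that hex digest plus salt."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def make_user(username, password, salt=None):
    """Build a user row the way registration would store it (random salt unless given)."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(3))
    return {"username": username, "salt": salt, "password": vb3_hash(password, salt)}


# Constructed sample rows. Salts are fixed so the results are reproducible.
SAMPLE_USERS = [
    make_user("brandon", "correct horse battery staple", "a1b"),
    make_user("newbie1", "newbie1", "x9z"),          # exact username==password
    make_user("NewBie2", "newbie2", "q2w"),          # username, lower-cased
    make_user("steve", "not-my-username", "k3j"),
]


def weak_candidates(username):
    """Plaintexts to try against a user's own hash. Extend this set (e.g. with
    username + '1') for a broader audit; the thread only concerns username==password."""
    return {username, username.lower()}


def find_username_as_password(users):
    """Return the usernames whose stored hash verifies against their own name."""
    hits = []
    for user in users:
        for candidate in weak_candidates(user["username"]):
            if hmac.compare_digest(vb3_hash(candidate, user["salt"]), user["password"]):
                hits.append(user["username"])
                break
    return hits


def reset_weak_passwords(users):
    """Give every flagged account a fresh random password and salt (in place).

    Returns [(username, new_password)] so the owners can be told out of band;
    the nightly job in the thread does the reset without notice.
    """
    weak = set(find_username_as_password(users))
    resets = []
    for user in users:
        if user["username"] in weak:
            new_password = secrets.token_urlsafe(12)
            user["salt"] = "".join(secrets.choice(SALT_ALPHABET) for _ in range(3))
            user["password"] = vb3_hash(new_password, user["salt"])
            resets.append((user["username"], new_password))
    return resets


if __name__ == "__main__":
    print("weak:", find_username_as_password(SAMPLE_USERS))
    for name, _ in reset_weak_passwords(SAMPLE_USERS):
        print("reset", name)
    print("weak after reset:", find_username_as_password(SAMPLE_USERS))
```

The audit never needs the plaintext of anyone's real password: it only hashes each user's own name with that user's salt and compares. The same loop is the place to add other guessable values (the site name, "password") if the forum wants a wider sweep, and hmac.compare_digest keeps the comparison constant-time even though this runs offline.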

Elgin Clock
25-07-2008, 10:18
Anyone still have a bold number X of unread private messages but none in their inbox like I still do?

Brandon Martus
25-07-2008, 10:30
Anyone still have a bold number X of unread private messages but none in their inbox like I still do?
A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

Richard Wallace
25-07-2008, 10:57
A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read....

That method worked for me.

Elgin Clock
25-07-2008, 11:42
A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

That method worked for me.

Indeed it worked for me as well. Thanks!

EmptyNerd
25-07-2008, 12:10
Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

kramarczyk
25-07-2008, 13:00
Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

A few have reported it .. one person got rid of the bold # by selecting all messages, marking as read. I'll look into it a little this weekend, if I can find some time.

That method worked for me.

Indeed it worked for me as well. Thanks!

Yup, me too.

Starke
25-07-2008, 22:53
Brandon - My box is showing 1 stored message, but it doesn't show up anywhere to delete. Clicking the "empty box" command doesn't get rid of it.

Same for me!

Nibbles
27-07-2008, 11:57
I figured it out, check the checkbox in the header of the table, then in the bottom select "Mark as read". This will force the "unread messages" number in the database to refresh.

Either a SQL DELETE was used to get rid of the messages, or there is a bug in vBulletin which doesn't issue an update after a mass delete (I don't think vBulletin has such a control panel that can delete PMs, last I checked a few years ago).

Anyways, this solution worked for me. That bold "1 Unread message" was driving me crazy too.

Brandon Martus
27-07-2008, 13:17
Either a SQL DELETE was used to get rid of the messages, or there is a bug in vBulletin which doesn't issue an update after a mass delete (I don't think vBulletin has such a control panel that can delete PMs, last I checked a few years ago).

Anyways, this solution worked for me. That bold "1 Unread message" was driving me crazy too.
I deleted the spam PMs manually via sql, but forgot about the cached count that is tied to your user record. I just updated everybody's counts, so the #s should match the messages in your inboxes now.
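What Nibbles guessed and Brandon confirmed (rows deleted with a raw SQL DELETE, per-user cached counts left alone) is easy to reproduce and fix in a few lines. The following is an added example for this page, not vBulletin's code; the two-table layout is a simplified assumption modelled on vBulletin 3 (one pm row per recipient with a messageread flag, and a user row carrying cached pmtotal/pmunread), and the rows are constructed.

```python
"""Why a raw SQL DELETE of spam PMs left a phantom "1 unread message", and how
to recompute the cached count.

Added example for this page, not vBulletin's code. The two tables are a
simplified assumption modelled on vBulletin 3 (pm rows per recipient with a
messageread flag; user rows carrying cached pmtotal/pmunread), and the rows
are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE user (
    userid   INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    pmtotal  INTEGER NOT NULL DEFAULT 0,   -- cached: number of PMs in inbox
    pmunread INTEGER NOT NULL DEFAULT 0    -- cached: number of unread PMs
);
CREATE TABLE pm (
    pmid        INTEGER PRIMARY KEY,
    userid      INTEGER NOT NULL,          -- recipient
    fromuserid  INTEGER NOT NULL,
    title       TEXT,
    message     TEXT,
    messageread INTEGER NOT NULL DEFAULT 0
);
"""


def refresh_pm_counts(conn):
    """Recompute both cached columns from the pm table (the fix from the thread)."""
    conn.execute("""
        UPDATE user SET
            pmtotal  = (SELECT COUNT(*) FROM pm WHERE pm.userid = user.userid),
            pmunread = (SELECT COUNT(*) FROM pm
                        WHERE pm.userid = user.userid AND pm.messageread = 0)
    """)
    conn.commit()


def build_db():
    """In-memory forum with two members, one spam account and a few messages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user (userid, username) VALUES (?, ?)",
                     [(1, "tom"), (2, "cynette"), (3, "spambot")])
    conn.executemany(
        "INSERT INTO pm (pmid, userid, fromuserid, title, message, messageread) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [
            (10, 1, 2, "Re: regional", "see you there", 1),
            (11, 1, 3, "!!!", "constructed spam body", 0),
            (12, 1, 3, "!!!", "constructed spam body", 0),
            (13, 2, 3, "!!!", "constructed spam body", 0),
            (14, 2, 1, "Question", "ping", 0),
        ])
    # The application updates the cache on every send/read, so start consistent.
    refresh_pm_counts(conn)
    return conn


def cached_counts(conn):
    """What the forum header shows: the per-user cached columns."""
    rows = conn.execute("SELECT username, pmtotal, pmunread FROM user ORDER BY userid")
    return {name: (total, unread) for name, total, unread in rows}


def actual_counts(conn):
    """What is really in the pm table for each user."""
    rows = conn.execute("""
        SELECT u.username,
               (SELECT COUNT(*) FROM pm WHERE pm.userid = u.userid),
               (SELECT COUNT(*) FROM pm WHERE pm.userid = u.userid AND pm.messageread = 0)
        FROM user u ORDER BY u.userid
    """)
    return {name: (total, unread) for name, total, unread in rows}


def purge_spam(conn, spammer_ids):
    """The quick clean-up done by hand in SQL: delete the rows and nothing else.
    Going around the application means the cached counts on user are not touched."""
    marks = ",".join("?" for _ in spammer_ids)
    conn.execute(f"DELETE FROM pm WHERE fromuserid IN ({marks})", list(spammer_ids))
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    purge_spam(db, [3])
    print("cached:", cached_counts(db))   # still counts the deleted spam
    print("actual:", actual_counts(db))
    refresh_pm_counts(db)
    print("after refresh:", cached_counts(db))
```

The "mark all as read" workaround people found in this thread works because marking a message read goes through the application, which rewrites the cached column; the UPDATE in refresh_pm_counts does the same thing for every user at once, which is the step to run right after any hand-written DELETE.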

whytheheckme
27-07-2008, 13:21
:(

I liked having messages from 1969 in my PM box! Then I could say to my kids, "Hey kids, when I was your age, CD got attacked, and I have these messages from 1969 to show when Brandon fixed the problem remotely from IRI using nothing but his cell phone, a wad of gum and a paperclip!"


:P On a serious note, awesome job Brandon fixing everything promptly!

Jacob