Sift Was Hacked
Apologies for the downtime. We were hacked this weekend and wanted to make sure we got all of the malicious code out. I will be posting some updates as I learn more about the exploit, and will hopefully get you guys some information about how to patch your machines.


For those who are curious, the exploit in question was MPack.


It's also worth noting that this exploit only targeted users with unpatched machines, so as always it is prudent to keep your machine up to date.


Update: After some reviews of our logs and data, we tracked the incident to approximately 6:30 pm EST Monday night. We took the site offline around 10 am EST, so the exploit was live for around 16 hours. We've contacted the abuse email for the IP in question, but chances are that it was just a compromised PC. I'd like to personally apologize for this lapse in security, and let you guys know that we are taking measures to reduce our liability in the future.


Submitted by James Roe
Comments (showing 10 of 47)
Here's some info from Panda about the exploit:

http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx

And Symantec's writeup:

http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

0  
written by Zifnab

Shit happens, James. The key is to minimize the impact and the loss of data, which you appear to have done. It's difficult to keep a machine up to date against exploits that haven't even been patched yet. Thanks for the update and good job.
0  
written by grspec

creepy, I'm gonna have to go virus sweep my computer when I get home now... damn you haX0rs! Damn you!

But hang in there James, like grspec said, shit happens.
0  
written by raven

i am super mega interested to know how they hacked...
did they get in to the server thru the back door or did they go thru the website and exploit some ajax or php type thing?

sorry if i just said something completely nonsensical. i am dangerously semitechnical.

I mean... was it the videosift app that let them in, or something else on the server?

btw... macs rule.
0  
written by MINK

It was something on the server. We're talking to our tech support people about it. The asshats apparently knew that our server type was vulnerable and neglected to contact us.
0  
written by James Roe

Must have been running Asshat Linux lololol haha i crack myself up.

hello? is that New Server Company Inc? Yes I would like to place an order.
0  
written by MINK

Is there a way for us 'clients' to see if we were infected? The links provided are very interesting from a dev point of view, but don't really help ascertain if we got hit.
0  
written by Engels

Try this website for a free scan to find out if you have been infected:

http://www.infectedornot.com/usa/

The Nanoscan was recommended by Panda Software.
0  
written by silvercord

hunt them down!
0  
written by looris

Are we sure the site is clean? I checked the log for eTrust Pest Patrol, it quarantined Emusaffil A at 1:12 pm, about the time I first checked in here today. I'm checking some other things and ways now to make sure that's it, caught it before it could install so I'm ok there.

The eTrust page shows that as a high risk one, if many others have it we might want to front page a scan and fix for that and whatever else turns up.
0  
written by drattus

