Hacked while restoring Backup of Discourse


#1

Request: This is from an anonymous profile for privacy reasons.

What we did

  • Installed Discourse
  • Bypassed bootstrap mode in order to set up a custom maintenance page
  • Uploaded the backup file; the restoration had almost begun.

At this point, when I checked the forum homepage, I was shocked to see an unrecognized topic.

  • Someone posted a topic on my behalf with a trolling comment
  • My forum title, description, admin profile username, email, everything was changed to make fun of me.

The best part: once the backup restoration finished and the site went live, everything was normal.

But it is a worrying point that during the approx. 10 minutes of blank installation, something was posted which I completely don’t recognize. And I had a strong password for the admin username.

I am just shocked. The NGINX log details show the topic URL with some IP, but that is not sufficient. I would like to know the following series of details:

  • From which IP the topic was posted and the profile username was changed before the site restoration, and more details to find out the possible root cause.

Thanks a lot.


#4

Hi,

Can I receive one response from anyone who knows Discourse very well? I need technical assistance to debug the whole issue. Please like this response if you are interested; I will contact you via private message.

Thanks


(Jeff Atwood) #5

Well, after install the only valid account is the admin who controls the email who completed the original installation. Did you add any other admin or staff accounts after the install?


#6

No, I didn’t add any other admin or staff account. I couldn’t believe how so many things happened so quickly while I was busy restoring the backup.

Thanks


(Michael Friedrich) #7

Since you are using the custom maintenance page, I would believe you have an Nginx instance in front of the container. If you are worried about unsolicited access next time, only allow your IP address to access the whole site, either via an Nginx rule, a firewall or a SOCKS proxy. I tend to do that with sites where I know they’re already public and might motivate funny people.


#8

The firewall is already set up.


(Michael Friedrich) #9

In that case it allows every IP address; my advice was just for the next time you’re performing such a restore.

Since you’ve asked via PM which details to put in here: I would go for analysing the Nginx logs and tracking the POST HTTP requests which led to the posted topic. This can easily be grep’ed in the logs and should unveil at least the client’s IP address. I doubt it will help though, unless the funny person did not care much about exposing him/herself.
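The log triage described above, written out as an added example that is not from this thread: parse Nginx's default combined-format access log, keep only state-changing requests (POST/PUT/PATCH/DELETE) that fall inside the window when the blank install was exposed, drop the administrator's own address, and group what is left by client IP. The log lines, IP addresses, time window and request paths are constructed for illustration; check them against what your own log shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Default Nginx "combined" log format (assumed; adjust if your log_format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # requests that change site state

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def suspicious_writes(lines, start, end, own_ips=()):
    """Group state-changing requests inside [start, end] by client IP,
    dropping traffic that came from the administrator's own addresses."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if rec["ip"] in own_ips or not (start <= rec["time"] <= end):
            continue
        hits[rec["ip"]].append((rec["time"], rec["method"], rec["path"], rec["status"]))
    return dict(hits)

# Constructed sample log spanning a ~20 minute restore; IPs and paths are illustrative only.
SAMPLE_LOG = [
    '198.51.100.10 - - [12/Mar/2020:10:00:02 +0000] "POST /admin/backups/upload HTTP/1.1" 200 21 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Mar/2020:10:03:15 +0000] "GET /latest HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:04:40 +0000] "POST /posts HTTP/1.1" 200 512 "https://forum.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:06:02 +0000] "PUT /admin/site_settings/title HTTP/1.1" 200 2 "https://forum.example/admin" "Mozilla/5.0"',
    '198.51.100.10 - - [12/Mar/2020:10:20:00 +0000] "POST /admin/backups/restore HTTP/1.1" 200 2 "-" "curl/7.68.0"',
]

def triage_sample():
    """Run the triage over the constructed log for the blank-install window 10:00-10:15 UTC."""
    start = datetime(2020, 3, 12, 10, 0, tzinfo=timezone.utc)
    end = datetime(2020, 3, 12, 10, 15, tzinfo=timezone.utc)
    return suspicious_writes(SAMPLE_LOG, start, end, own_ips={"198.51.100.10"})
```

On a real host, replace SAMPLE_LOG with the lines of the access log and set the window to the time between the install going live and the restore completing; the referer and user-agent fields are kept in the parsed record because they often separate a browser session from scripted traffic.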


#10

Is it a good idea to re-install Discourse?


(Jay Pfaffman) #11

Are you certain that your email has not been compromised? That would be my concern.


(Bhanu Sharma) #12

Either email account or details of the email service?
Looks like a case of someone hijacking the activation link?


#13

I was using Zoho Mail (linked to Gmail), which is secured by TFA (Google Auth).

The same goes for Gmail; it is also secured by TFA.


(Michael - DiscourseHosting.com) #14

What do you have configured in developer_emails?