
Patrick.net hacked!


2017 Sep 22, 7:15pm   14,867 views  60 comments

by Patrick

Someone badly fucked with the site. Sorry for the delay in getting it back.

Comments 32 - 60 of 60

32   Patrick   2017 Sep 23, 7:22pm  

curious2 says

is there any information on what the hacker(s) did besides briefly knocking the site offline?

I think they just found some data that was indigestible to my site by trying lots of things.

There was a flurry of hits from lots of different places, and some attempts to inject SQL right before it went down. I can see that much from the nginx logs.

Unfortunately, the way I brought the site back was to restore the database from the previous night. I should have kept a copy of the bad data for analysis, but did not.
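
An added example, not part of Patrick's post or the site's code: one way to pull the two signals he describes (SQL-injection-looking requests, and many distinct sources in a short span) out of an nginx access log in the default "combined" format. The log lines, IP addresses, paths, the 5-minute window and the 3-source threshold are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Sep/2017:17:58:01 -0700] "GET /post/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Sep/2017:17:58:40 -0700] "GET /post?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/7.55"
192.0.2.44 - - [22/Sep/2017:17:59:02 -0700] "GET /user?name=x%27%20UNION%20SELECT%20null-- HTTP/1.1" 500 0 "-" "-"
203.0.113.9 - - [22/Sep/2017:17:59:30 -0700] "GET /search?q=union+station+hotels HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Sep/2017:17:59:55 -0700] "GET /post?id=2%27%20or%20%27a%27%3D%27a HTTP/1.1" 500 0 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristics only: they run on the URL-decoded request target.
SQLI_RE = re.compile(r"""
    ['"]\s*(?:or|and)\s+['"\d]        # quote closing a string, then a boolean test
  | \bunion\s+(?:all\s+)?select\b     # UNION [ALL] SELECT
""", re.I | re.X)

def parse(line):
    """Return (ip, timestamp, decoded_uri, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, unquote_plus(m["uri"]), int(m["status"])

def sqli_burst(log_text, window=timedelta(minutes=5), min_sources=3):
    """Return (suspicious records, True if min_sources distinct IPs hit within window)."""
    hits = [r for r in map(parse, log_text.splitlines())
            if r and SQLI_RE.search(r[2])]
    hits.sort(key=lambda r: r[1])
    for i, first in enumerate(hits):
        sources = {ip for ip, ts, _, _ in hits[i:] if ts - first[1] <= window}
        if len(sources) >= min_sources:
            return hits, True
    return hits, False

if __name__ == "__main__":
    records, burst = sqli_burst(SAMPLE_LOG)
    for ip, ts, uri, status in records:
        print(ts.isoformat(), ip, status, uri)
    print("multi-source burst:", burst)
```

Running this over the real log before restoring from backup, and saving the matching lines alongside a dump of the damaged database, keeps the evidence that was lost here.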

33   Ceffer   2017 Sep 23, 7:23pm  

Can't upload images any more from my end.

34   Dan8267   2017 Sep 23, 10:05pm  

Strategist says
And there are people like Jazz and Dan, who keep putting me on ignore, because they hate facts.


Facts?
www.youtube.com/embed/G2y8Sx4B2Sk
35   Dan8267   2017 Sep 23, 10:06pm  

Patrick says
Patrick.net hacked!


Was that why it was down yesterday?
36   Patrick   2017 Sep 23, 10:07pm  

Yes, I don't know exactly how they did it, but fixed a few possible holes and have better monitoring in place now.
37   WatermelonUniversity   2017 Sep 24, 6:27pm  

patnet needs a security consultant. and i mean a REAL one, not curious2.
38   NuttBoxer   2017 Sep 27, 11:18am  

They were after the porn!!
39   justme   2017 Sep 27, 11:38am  

@Patrick, how old are your backups? How much is lost? New or old stuff?
40   anonymous   2017 Sep 27, 12:11pm  

It was the Russians, we were getting close to the truth so they attacked with lucifer 6.66
41   Patrick   2017 Sep 27, 9:38pm  

justme says
Patrick, how old are your backups? How much is lost? New or old stuff?


There's a backup of the database every night at 3am. So posts and comments from 3am to 6pm on Sept 22nd were lost.

I should really have some more granular system for backing up. Maybe MySQL replication.
42   just_passing_through   2017 Oct 5, 8:31pm  

So today I decided to google my email address. Until recently all one would find are some posts in a frog forum.

Well today shows my email address linked up with my pat net profile on some site that seems to mirror patnet:

https://whatdidyoubid.com/
I wonder if this is somehow related to the recent hack event?
43   just_passing_through   2017 Oct 5, 8:34pm  



This is a screen shot from Google - I've erased my email address.
44   Patrick   2017 Oct 5, 8:34pm  

Woah, send me a screenshot: p@patrick.net

whatdidyoubid.com was a previous site of mine, run from the same server.
45   just_passing_through   2017 Oct 5, 8:37pm  

Interesting. Somehow Google crawled it and picked off my email addy?
46   WookieMan   2017 Oct 5, 8:38pm  

Saw just_passing_through's post. My email account is a burner and nothing linked to it. Did a search and here's a screenshot of the search result.
47   just_passing_through   2017 Oct 5, 8:46pm  

WookieMan says
My email account is a burner


I should have done the same. However, if Pat is able to take it down I suspect it'll eventually become un-indexed or something. Whatever happens in the long run with stale links.

Assuming Pat can take it down. O_o
48   just_passing_through   2017 Oct 5, 8:55pm  

Just did some googling around and I found other ways people's email addresses are exposed. Notice the URLs are different:

49   just_passing_through   2017 Oct 5, 9:13pm  

Wow, if I search my email address on duckduckgo.com it takes me directly to my patnet profile:

/user/just_passing_through
Not sure why. My email address isn't in the page or page source. Perhaps in some metadata?
50   WookieMan   2017 Oct 5, 9:17pm  

I didn't get the same result with duckduckgo.com that you did. Google linked me back with my email to whatdidyoubid.com site.
51   WookieMan   2017 Oct 5, 9:18pm  

I'm also no longer getting any hits on my email with Google either.
52   NoYes   2017 Oct 5, 9:20pm  

Must be left wing globalist damocrats evils at work
53   just_passing_through   2017 Oct 5, 9:21pm  

Status is still the same on my end. I'll just sit tight for now.
54   WookieMan   2017 Oct 5, 9:33pm  

just_passing_through says
Status is still the same on my end. I'll just sit tight for now.

WTF. My screen shot was legit. I've now searched that email in two different browsers, logged into different email clients and that search result is gone that I posted with the screen shot. Even searched the exact address in the screenshot and all the info is gone on my end.
55   Patrick   2017 Oct 5, 10:37pm  

Ugh, this is terrible.
56   RC2006   2017 Oct 5, 11:01pm  

Just shot you an email Patrick.
57   curious2   2017 Oct 6, 1:13am  

just_passing_through says
if I search my email address on duckduckgo.com it takes me directly to my patnet profile:


@Patrick, I get the same result searching my e-mail address via Google. DuckDuckGo returns a bunch of pages that don't have my e-mail address.
58   curious2   2017 Dec 19, 1:07pm  

@Patrick, when using Chrome to view PatNet in recent days, Malwarebytes blocked attempts to load several adware/malware sites. I have added them to my hosts file, with zeroes:

0.0.0.0 lenz.mx.com
0.0.0.0 popcash.net
0.0.0.0 oclaserver.com
0.0.0.0 tradexchange.com
0.0.0.0 venturead.com

The behavior seems specific to PatNet, and seems blocked by blocking scripts on the site and zeroing the domains in the hosts file. Repeated ADWCleaner and Malwarebytes scans of my system have found nothing on my machine.

In addition, the e-mail disclosure issue persists:

curious2 says
just_passing_through says
if I search my email address on duckduckgo.com it takes me directly to my patnet profile:


@Patrick, I get the same result searching my e-mail address via Google. DuckDuckGo returns a bunch of pages that don't have my e-mail address.
59   Patrick   2017 Dec 21, 8:59pm  

@curious2 I don't see any of those domains in any post or comment, so not sure why Malwarebytes would connect them to this site. Do you know which pages triggered the blocks? The only external scripts come from Youtube or Vimeo.
60   curious2   2017 Dec 22, 1:03am  

Patrick says
Do you know which pages triggered the blocks?


It happened when loading the home page in Firefox just a minute ago. Malwarebytes doesn't expressly connect the malware domains to this site, but when I load PatNet, Malwarebytes pops up repeatedly saying it blocked one site after another. It doesn't seem to happen elsewhere, at least not nearly so often.

I've been zeroing each in my hosts file, though one (barisderin.com) was already there:


I keep scanning my machine with ADWcleaner and Malwarebytes but they find nothing.
