Post by joopiter on Oct 10, 2020 22:15:00 GMT -8
Forum URL: war-robots-forum.freeforums.net/

I just logged into our forum as a moderator to check on things and the entire forum has been emptied. The membership is still there but 5-6 years' worth of threads are gone without a trace. What's the best action to take next? Is there a server back-up to ProBoards forums?
Post by joopiter on Oct 10, 2020 22:41:12 GMT -8
Update: So in checking our security log, there was a user with admin/moderator privileges that deleted all threads and then deleted their account. I don't think this was an inside job as we have a pretty tight knit group of moderators on this forum. So my questions still stand from above... what can we do? Is there a back-up?
Post by Willow on Oct 10, 2020 22:54:23 GMT -8
This is a situation that a PB employee will have to handle. Sadly, there is probably no way to restore your forum due to official PB policy normally. That being said, please check back when a Red can reply.
So sorry to hear about this. That's horrible. *hugs* If it helps.
Post by Retread on Oct 11, 2020 7:15:04 GMT -8
> Update: So in checking our security log, there was a user with admin/moderator privileges that deleted all threads and then deleted their account. I don't think this was an inside job as we have a pretty tight knit group of moderators on this forum. So my questions still stand from above... what can we do? Is there a back-up?

Hi joopiter

Willow is correct. ProBoards policy precludes the restoration of user-deleted content. That includes content deleted by Staff of the forum. I would suggest banning the IP associated with the deletion of ALL threads. And more importantly, the owner of the forum should read this Help Guide article: Preventing Forum Content Deletion

It would be prudent to take steps to limit the damage that can be caused by a disgruntled staff member in the future and to reduce the likelihood of accidental deletions.

ProBoards Admins* are online Monday through Friday from 9am-5pm PST/PDT (with the exception of some US holidays). When online, one of the Reds may have additional recommendations.
Post by joopiter on Oct 11, 2020 8:21:22 GMT -8
> > Update: So in checking our security log, there was a user with admin/moderator privileges that deleted all threads and then deleted their account. I don't think this was an inside job as we have a pretty tight knit group of moderators on this forum. So my questions still stand from above... what can we do? Is there a back-up?
>
> Hi joopiter
>
> Willow is correct. ProBoards policy precludes the restoration of user-deleted content. That includes content deleted by Staff of the forum. I would suggest banning the IP associated with the deletion of ALL threads. And more importantly, the owner of the forum should read this Help Guide article: Preventing Forum Content Deletion
>
> It would be prudent to take steps to limit the damage that can be caused by a disgruntled staff member in the future and to reduce the likelihood of accidental deletions.
>
> ProBoards Admins* are online Monday through Friday from 9am-5pm PST/PDT (with the exception of some US holidays). When online, one of the Reds may have additional recommendations.

Thank you for the reply Retread! In the past, have you seen a normal privileges member of a forum somehow "hack" or "break into" the admin section to do damage or unwanted changes? The reason I say this is that this member (see attached) that deleted all threads and then deleted themself was not a moderator nor an admin of any kind. We only have a handful of moderators and none of us know him.
Support Staff
Post by Scott on Oct 11, 2020 8:48:30 GMT -8
joopiter, according to the security log, that member was added to the member group VSTF. That group does have the power Forum Cleanup, which allows the member to delete all threads and posts.
Post by Retread on Oct 11, 2020 9:08:46 GMT -8
> Thank you for the reply Retread! In the past, have you seen a normal privileges member of a forum somehow "hack" or "break into" the admin section to do damage or unwanted changes? The reason I say this is that this member (see attached) that deleted all threads and then deleted themself was not a moderator nor an admin of any kind. We only have a handful of moderators and none of us know him.

Hi joopiter

You might be able to determine who added that member to the VSTF group. I think you can filter your Security Logs by Group Logs > Member Changes. If the Staff member whose account was used to add the rogue to VSTF doesn't remember taking that action, it's possible the rogue guessed the staff member's password and logged into that staff member's account. Also, the IP address associated with that action should appear in the right-most column.

You may be able to do some detective work via your Security Log. Your forum might still be at risk if there is a staff account where the password is known by someone other than the account holder.
Post by Kami on Oct 11, 2020 11:13:03 GMT -8
No; I have been here for 15 years now and every time this happens it has been a result of some setting misconfiguration — a staff group is set to "open" and allows anyone to join, or powers were given to a group without thought, or someone had a weak and easily guessed password.
In theory it's not impossible, but practically speaking it would be strange to target a single forum when the effort to "hack" could be used to target the service as a whole; 15 years without a breach is also a really good track record.
It seems you have been given insight as to how this person was able to do this but I wanted to give some background context as well.
Support Staff
Post by Scott on Oct 11, 2020 14:38:19 GMT -8
joopiter, you can always search through the Security Log as Retread suggested. However it does show that the member was added to that particular member group back in 2017. Also there is nothing that stands out as being unusual.

Now regarding:

Kami is correct when she said 'no' - and in that any perceived "hack" has been due to either a trusted member gone rogue, a guessed login, or sharing login credentials. Another possibility is if a public computer is used (coffee shop, school, work, etc) and the member did not log out and their session was still active when another used the computer. Though to stumble across an open login, figure out how to make the deletes and then delete just that particular member account with no other forum "damage" seems a bit of a stretch. IMHO. Usually it's a shared login or rogue member.
Post by joopiter on Oct 11, 2020 16:54:08 GMT -8
Thanks for all the great feedback.
I'm off to put my detective cap on and see what I can dig up.
Post by joopiter on Oct 11, 2020 18:55:59 GMT -8
> joopiter, according to the security log, that member was added to the member group VSTF. That group does have the power Forum Cleanup, which allows the member to delete all threads and posts.

Thank you Scott for finding this. Sorry to nitpick this issue, but how did you find this member (pillowofdoom) so quickly in the security log? And where they were added with those privileges. I tried doing an IP, name, filtered searches and for the life of me couldn't locate it.
Post by Retread on Oct 11, 2020 19:57:30 GMT -8
> Thank you Scott for finding this. Sorry to nitpick this issue, but how did you find this member (pillowofdoom) so quickly in the security log? And where they were added with those privileges. I tried doing an IP, name, filtered searches and for the life of me couldn't locate it.

Hi joopiter

I'm sure Scott won't consider that nitpicking. Helping you understand how to use your security log will give you valuable experience that can improve your ability to manage the forum.

From the screenshot you attached in this post: support.proboards.com/post/7253992/thread, it was apparent the member who deleted all posts, then deleted their account had the username pillowofdoom.

I can only guess how Scott found the event where pillowofdoom was added to the VSTF group. It may have gone something like this (and you can try this yourself):

When viewing the Security Log, you'll see a field that reads All Logs. Click on that and a dropdown will appear. Hover over Group Logs and a second dropdown will appear to the right of the first. Slide your cursor to the second dropdown and click on Member Changes. The new list will show only events where a member was added to or deleted from a group.

Scroll through the list and you should be able to find the entry where pillowofdoom was added to the VSTF group. As Scott mentioned, that occurred in 2017 so you might need to look through several pages to find it.

Please let me know if you are successful with this.
Post by khooster on Oct 12, 2020 6:06:38 GMT -8
> joopiter, you can always search through the Security Log as Retread suggested. However it does show that the member was added to that particular member group back in 2017. Also there is nothing that stands out as being unusual. Now regarding: Kami is correct when she said 'no' - and in that any perceived "hack" has been due to either a trusted member gone rogue, a guessed login, or sharing login credentials. Another possibility is if a public computer is used (coffee shop, school, work, etc) and the member did not log out and their session was still active when another used the computer. Though to stumble across an open login, figure out how to make the deletes and then delete just that particular member account with no other forum "damage" seems a bit of a stretch. IMHO. Usually it's a shared login or rogue member.

Hi Scott,
I'm the current owner of the forum being mentioned. Is there any way to find out who gave the guilty party said powers and when?
Because it's not a name I'm familiar with.
Post by Retread on Oct 12, 2020 6:42:25 GMT -8
> Hi Scott,
> I'm the current owner of the forum being mentioned. Is there any way to find out who gave the guilty party said powers and when? Because it's not a name I'm familiar with.

Hi khooster

Scott might provide a better technique than I described when he's online later today. But you should be able to get the information you need by the process I described in this post: support.proboards.com/post/7254055/thread

According to Scott that action was taken in 2017 so you might need to paginate back a few pages. When you find the entry in the Security Log, the name of the staff member who assigned pillowofdoom to the group will be in the left-most column.
Post by khooster on Oct 12, 2020 6:49:15 GMT -8
> > Hi Scott,
> > I'm the current owner of the forum being mentioned. Is there any way to find out who gave the guilty party said powers and when? Because it's not a name I'm familiar with.
>
> Hi khooster
>
> Scott might provide a better technique than I described when he's online later today. But you should be able to get the information you need by the process I described in this post: support.proboards.com/post/7254055/thread
>
> According to Scott that action was taken in 2017 so you might need to paginate back a few pages. When you find the entry in the Security Log, the name of the staff member who assigned pillowofdoom to the group will be in the left-most column.

Thanks!
Another question for Scott is whether there is a way to perhaps PAY for the ability to restore what was lost. Some places have a rollback feature and I was wondering if there was an option where we could pay to have it restored?