We've now restarted forum.f-secure.com. Meanwhile we've received some questions from our readers asking for more information about what happened and what we did to fix it so that others won't end up in the same situation.
The forum software we run is based on Snitz Forums 2000. While it has most basic features, the one we use has been extended into a version called Image Forums 2001. It is essentially the basic software plus modifications to support our needs such as user groups and private messages.
To cut a long story short, the group behind Snitz only maintains the basic package. On the 1st of December a security patch was announced and was withdrawn almost immediately to again be announced on the 4th of December.
We immediately implemented the patch. However, what we didn't know at the time was that a discussion was ongoing in the development forum. Not only was an improved fix recommended but there was also discussion that potential extensions to the forum might be vulnerable as well.
Turns out that's exactly what happened to us. While the main forum itself was patched it was the private messaging module that made the defacement possible. (Exploit code for this vulnerability is publically available.) We have now patched that too, and have checked through all other extensions to ensure that they are okay, and as said, the server is up and running again. No information was disclosed, the guy defaced the page and moved on not to be seen again. Typical of a Turkish defacement gang…
If you're running a discussion forum, make sure you're not only patching the main software but also any extensions you might have installed.
