Untitled

a guest
Jun 14th, 2016
  1. Dear XXX,
  2.  
  3. We regret to inform you that yesterday evening around 4pm PDT Swizards.net was the target of a malicious attack. In this event, the attacker used an SQL injection technique to exploit a vulnerability in the code of WHMCS. As a result, the individual was able to gain access to our private database and began harassing individual users in IRC by showing them their personal information contained within our database. Last night I applied outstanding security patches to our installation, and this morning the hacker went public with a post to Reddit.
  4.  
  5. In short, the attacker is demanding that we pay him 1BTC or he will leak the contents of this database on Monday June 20th, 2016.
  6.  
  7. I am currently unsure of how the ownership will proceed in regard to this threat at this time -- this email is only to get facts into the open.
  8.  
  9. How safe am I? What about my personal info?
  10.  
  11. We are currently operating under the assumption that the attacker has a full dump of our database. This data includes:
  12. Name
  13. Address
  14. Telephone #
  15. Client ID
  16. Email
  17. Hashed password for your account at Swizards.net
  18. Limited info about your credit card if Stripe is your payment method (Last 4 digits and expiry)
  19. The contents of all tickets
  20. In addition to this, we also store your seedbox information if you have an active account with us. This information contains:
  21. Hostname
  22. Username
  23. Password
  24. Root password
  25. Because of this, we urge you to immediately change your user password (or better yet, set up a private/public key pair and disable password authentication entirely) and your web password, and to disable root login to your server via SSH.
  26.  
  27. The following commands can be used to help. If you need help, come look for support in IRC and we will be glad to assist you in this matter. DO NOT OPEN A TICKET REQUESTING THAT WE CHANGE YOUR PASSWORD TO SUCHANDSUCH. ANY "PRIVATE" INFORMATION YOU CHOOSE TO SEND US IN PLAIN TEXT VIA TICKETS MAY STILL BE IN DANGER OF BEING DUMPED AND LEAKED. We do not know the extent to which our database has been compromised and until we can migrate to a secure server, zero secure information should be passed through our database. We will provide future updates when such a transition takes place. If you require help in completing these commands, please seek us out in IRC and a staff member will be happy to assist you.
  28.  
  29.  
  30. To change your account passwords:
  31. Log in to your slot via SSH and use the following commands:
  32. sudo bash
  33. passwd (this will allow you to change your root password)
  34. passwd <username> (this will change the password for the supplied username)
  35.  
  36. To change your web (rutorrent) password:
  37. htdigest /etc/htpasswd gods <username>
  38.  
  39. To change your Deluge auth password:
  40. Edit the file /home/username/.config/deluge/auth -- example:
  41. nano /home/liara/.config/deluge/auth
  42.  
  43. change the line
  44. liara:<insecurepassword>:10
  45.  
  46. to
  47. liara:<newpassword>:10
  48.  
  49. To secure your SSH accounts:
  50. edit the file "/etc/ssh/sshd_config"
  51.  
  52. Find the line
  53. PermitRootLogin yes
  54.  
  55. and change it to
  56. PermitRootLogin without-password
  57. OR
  58. PermitRootLogin no
  59.  
  60. To force public key authentication for ALL users, find the following lines and ensure they are set as follows:
  61. ChallengeResponseAuthentication no
  62. PasswordAuthentication no
  63. UsePAM no
  64.  
  65. Close the file and then restart your SSH server:
  66.  
  67. service sshd restart
  68.  
  69. For information on how to set up private and public keys, please see the following: How do I setup SSH public key authentication?
  70.  
  71. IF YOU HAVE A SHARED SLOT WITH SWIZARDS OR DO NOT KNOW HOW TO USE THE PREVIOUS COMMANDS ON YOUR DEDICATED SERVER SEEK OUT STAFF IN IRC AND PRIVATELY REQUEST A PASSWORD CHANGE. DO NOT SEND US A TICKET REQUESTING THAT WE CHANGE YOUR PASSWORD TO SUCHANDSUCH, THESE REQUESTS WILL BE IGNORED.
  72.  
  73. I realize this is a wall of text and this may seem a daunting task. However, please do not delay following through with this task. We remain available for support in IRC and via ticket; however, as mentioned several times already, do not divulge personal info in any tickets.
  74.  
  75. Hopefully we will have more updates soon.
  76.  
  77. Swizards
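
A read-only check for the sshd_config settings listed in the email above, as an added example that is not part of the original email or Swizards' own tooling. The function names and the sample file are constructed here, and `prohibit-password` is accepted as well because newer OpenSSH releases use that spelling for `without-password`.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings in the email.
# sshd keeps the first value it reads for a keyword, so only the first
# uncommented occurrence before any "Match" block counts here.

# Print the first global value of keyword $2 in file $1, lowercased.
first_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Check one keyword; $3 is a space-separated list of acceptable values.
check() {
    val=$(first_value "$1" "$2")
    for ok in $3; do
        [ "$val" = "$ok" ] && { echo "OK    $2 $val"; return 0; }
    done
    echo "FAIL  $2 ${val:-<not set>} (want: $3)"
    return 1
}

# Audit file $1; the return status is the number of failing keywords.
audit_sshd_config() {
    fails=0
    # prohibit-password is the newer OpenSSH spelling of without-password
    check "$1" PermitRootLogin "no without-password prohibit-password" || fails=$((fails + 1))
    check "$1" ChallengeResponseAuthentication "no" || fails=$((fails + 1))
    check "$1" PasswordAuthentication "no" || fails=$((fails + 1))
    check "$1" UsePAM "no" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample file (not taken from any real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin Yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) still need changing"
rm -f "$sample"
```

Point `audit_sshd_config` at `/etc/ssh/sshd_config` on your own server after editing; `sshd -t` checks the file for syntax errors before the restart.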