In the interest of full disclosure : failed social engineering attempt and 0day vulnerability in Betadesk
A few days ago :
Does policircuit.us belong to you?
No, never heard of it.
The owner of that domain is going around masquerading as Mircea Popescu trying to obtain logins for your account. I was contacted by 2 other service providers who sent me that information
This was on the 4th. Sorta lulzy in a let's reminisce "O hai. I was just doing a penetration test of your site." way. Kids these days, right ?
Today I discover in my inbox a link to a support ticket I never created. In the Betadesk interface there were actually two tickets, with
Server Name: I do not know my server name
Domain Name: polimedia.us
and an empty string for the "Added by:" value.
At this point, not knowing exactly the extent of the attack, I duly informed the support that the respective tickets were not created by me. Less than five minutes later the IP I had published that from was being DDoSed, and the attacker now had the ability to fill the "Added by:" string with my name.
Contrary to what the attacker might have imagined, I am actually immune to DDoS, and upon realising this the entire older thread quoted above was deleted, as well as selected replies of mine from the two threads requesting login details. Eventually both were deleted and replaced with a single
Someone has been trying to reset my passwords, can you please run a backup script of mine so I can be on the safe side,
The script in question was indicated as
Please run the following script:
By now however the support was well alerted to the problems, some modifications to the way logging in to Betadesk works were dropped in (for instance the attacker had no idea that cookies had been expired and the password for my account reset, happily continuing to post as "me" while that me had never actually logged in), and that's the end of the story as far as I know.
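The tell in the paragraph above is worth making concrete: once sessions are expired and the password reset, any post still appearing under the account's name cannot have come through a login, so it must have come through some other path. As an added example (not Betadesk's code, nor anything the author published), here is a minimal helpdesk model that derives "Added by" only from a live session, invalidates every session on password reset, and flags posts that claim an author without a valid session behind them. All names (`Account`, `Helpdesk`, `suspicious_posts`, the generation-counter scheme) are illustrative assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional

# Illustrative model only; not Betadesk's actual data model.


@dataclass
class Account:
    name: str
    # Bumped on every password reset; sessions carrying an older value are dead.
    session_generation: int = 0


@dataclass
class Session:
    token: str
    account: Account
    generation: int  # account.session_generation at login time


@dataclass
class Post:
    ticket_id: int
    body: str
    claimed_by: Optional[str]   # whatever the poster typed into "Added by:"
    added_by: Optional[str]     # derived from the session only; None if no valid session
    session_valid: bool


class Helpdesk:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.posts: list[Post] = []

    def login(self, account: Account) -> str:
        """Issue a session token bound to the account's current generation."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, account, account.session_generation)
        return token

    def reset_password(self, account: Account) -> None:
        """Invalidate every existing session for the account in one step."""
        account.session_generation += 1

    def valid_session(self, token: Optional[str]) -> Optional[Session]:
        s = self.sessions.get(token) if token else None
        if s is None or s.generation != s.account.session_generation:
            return None
        return s

    def post_reply(self, ticket_id: int, body: str,
                   token: Optional[str] = None,
                   claimed_by: Optional[str] = None) -> Post:
        """Record a reply; the displayed author comes from the session, never from input."""
        s = self.valid_session(token)
        post = Post(
            ticket_id=ticket_id,
            body=body,
            claimed_by=claimed_by,
            added_by=s.account.name if s else None,
            session_valid=s is not None,
        )
        self.posts.append(post)
        return post


def suspicious_posts(desk: Helpdesk, name: str) -> list[Post]:
    """Posts that claim to be from `name` but had no valid session behind them."""
    return [p for p in desk.posts if p.claimed_by == name and not p.session_valid]


if __name__ == "__main__":
    # Constructed scenario mirroring the post: a real login, a password reset,
    # then a "reply" that still claims the account holder's name.
    acct = Account("mircea")
    desk = Helpdesk()
    tok = desk.login(acct)
    desk.post_reply(1, "Those tickets are not mine.", token=tok)
    desk.reset_password(acct)
    desk.post_reply(1, "Please run the following script:", token=tok, claimed_by="mircea")
    for p in suspicious_posts(desk, "mircea"):
        print(f"ticket {p.ticket_id}: unauthenticated post claiming {p.claimed_by!r}")
```

The useful property is that a password reset kills every outstanding session at once, so the moment the owner reports trouble, any further "replies" under that name are provably not the owner's, and the audit query surfaces them instead of leaving staff to guess between two people both calling themselves the customer.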
It's unclear to me why exactly someone would be going to all this trouble to hack into Trilema, except for the case he'd happen to be one of the countless scammers / fraudsters / spammers ousted in public here. Seems a little doubtful but you never know. It's unclear to me whether the plan was to get the logins, and upon failure it was moved to getting the backup bundle (and what exactly would that do, give someone access to read all the articles without paying ?! or maybe he imagines Trilema runs a bitcoind with BTC in it ?), or rather the plan was to get the back-up all along and the entire logins song and dance was just a decoy for that (an attempt to give the request for the back-up more weight by creating, in the mind of whatever support personnel on duty, the impression that he has to pick between imaginarily dichotomous attacker A and attacker B).
What is certainly clear to me is that Betadesk has a hole, allowing an attacker to somehow escalate to admin privileges. I don't at this time know more details than that. So, just in case you're running it : beware.