What really happened? Host trouble? Hacked? Things got messed up when updating MyBB software? It doesn’t make any sense to suddenly just get rid of the MyBB aided forum. Normally, one would develop this on the side and release it when it’s ready, make the transition from old to new site with little to no down-time. So, what was the culprit?
The transition was planned to be smooth, just like you described; however, we were caught unprepared: all posts and recent backups were deleted by one of the admins, SkullTraill. He claims he had nothing to do with it and that his account was compromised.
I was planning to make a thread about this, but since you did it I'll add what I have to say right here.
I did not hack the site, leak my account info or in any other way try to compromise or sabotage the site. It is up to any of you to believe me or not, and Crow, you, my friend of like 10 years, have made it clear that you do not believe me, which is truly devastating. However, most everyone does believe me, simply because of the amount of work I put into the site; I had nothing to gain by sabotaging my own work, as well as that of a friend whom I had only ever selflessly helped. There is no motive for me; I have not made any demands; I gain nothing.
But of course, you say you have proof that my account details were used to do the deleting (which confuses me, because the index page was also defaced, which cannot be done with a MyBB admin account to my knowledge), so I will accept blame for not securing my account well enough to have prevented it.
Any MyBB page can be modified through the AdminCP templates, and that's exactly how the index page was modified. Your password wasn't changed, and the IP that did the mischief had been logging in to the account, along with your other IPs, a month before the deed. That makes it hard for me to believe you; however, there is still a possibility that someone stole your password, cookie/loginkey, or w/e MyBB uses nowadays, which is why I hold no hard feelings for you.
I understand the justification for suspicion, Crow. I'm just sad that, given our closeness, friendship and my many years of loyal support, when faced with a situation that, as even you state, could clearly be a set-up/framing/heck, even a fucking coincidence, considering how poor the security was on WF2.0 (no SSL, outdated version, no 2-factor authentication, and admittedly my shitty 8-character alphanumeric password), your first instinct was to blame me. When it first happened you were not so considerate, and blamed me blindly.
In any case, we've both learned lessons; I doubt this will happen again. I for one have changed my passwords to extremely secure 20+ digit random ASCII/Unicode on every platform I care about, and enabled 2FA everywhere that has it. I have too many valuable accounts and too many angry script kiddie enemies for alphanumeric passwords these days.
@skltraill @crow forgive me if I'm out of line for chiming in. I'm a security engineer by day, and I may have something of value to add. In many compromises these days, the attackers use malware to gain a foothold on an admin's machine and 'pivot' off of it to gain access. This allows them to use the trusted IP of the administrator's home to fool user behavior analytics. Skull: I have no way to evaluate the claim that you're innocent, so until I know otherwise I'll assume you are; but you may be rolling dirty. I would advise re-imaging all of your machines and reinstalling using known clean images. When restoring your backups, have your system flag and delete any binaries it encounters; maybe generate a sha256 for each of them and run it by VirusTotal.
Next up, get a good offline password manager, and reset all of your passwords to randomly generated unique passwords.
Lastly, when you reinstall your browser (after re-imaging, assuming it's not the default), do not restore the browser plugins or settings. Sometimes they are saved in the cloud, and restoring can restore the malicious settings.
Crow: depending on the size, it's probably possible to save a running copy of your last good backup to Amazon S3 for free. You can set the bucket policy up so that the backup system can write to the bucket but doesn't have rights to modify or delete existing backups. You just set the bucket up to delete files older than X automatically and deny anyone else the right to delete or modify existing ones.
Thank you for keeping the lights on in this place. It's shitty that someone messed things up. Anything I can do to lend a hand, I'm game.
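The "flag the binaries, hash them, check the hashes" step from the post above, as an added example that is not part of the thread and not code from anyone in it. It identifies executables by magic bytes rather than file extension (a dropper in uploads/ will usually be named .png or .jpg), streams a SHA-256 of each one, and moves flagged files into a quarantine directory named by hash instead of deleting them, so the hash list can still be submitted to VirusTotal afterwards. The restore tree it scans is a constructed sample built in a temp directory; the file names and contents are invented for the demonstration and are not real forum data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Magic-number prefixes that identify executables. Matching on content rather than
# extension matters: a dropper dumped into uploads/ will happily be named .png.
BINARY_MAGIC = {
    b"\x7fELF": "ELF",                 # Linux/BSD executables and shared objects
    b"MZ": "PE",                       # Windows .exe/.dll/.sys
    b"\xfe\xed\xfa\xce": "Mach-O",     # macOS, 32-bit big-endian
    b"\xfe\xed\xfa\xcf": "Mach-O",     # macOS, 64-bit big-endian
    b"\xcf\xfa\xed\xfe": "Mach-O",     # macOS, 64-bit little-endian (the usual case)
    b"\xca\xfe\xba\xbe": "Mach-O fat", # universal binary (also the Java class magic)
    b"#!": "script",                   # interpreter scripts are executable too
}

# Constructed sample restore tree (not real forum data): two harmless files, three executables.
SAMPLE_FILES = {
    "uploads/avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "inc/config.php": b"<?php\n$config['database']['database'] = 'forum';\n",
    "uploads/dropper.png": b"MZ\x90\x00" + b"\x00" * 60,   # a PE hiding behind an image name
    "cron/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "cron/run.sh": b"#!/bin/sh\necho hi\n",
}


def classify(path):
    """Return the executable type of the file at path, or None if it is not one."""
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in BINARY_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of(path, chunk_size=1 << 20):
    """Streamed SHA-256 so multi-GB restores do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_restore(root, quarantine=None):
    """Walk root and return [(relative_path, kind, sha256)] for every executable found.

    With quarantine set, flagged files are moved there under their hash instead of
    being deleted outright, so the hashes can still be checked against VirusTotal.
    """
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):          # materialised first, so moving files is safe
        if p.is_symlink() or not p.is_file():  # never follow links out of the restore tree
            continue
        kind = classify(p)
        if kind is None:
            continue
        digest = sha256_of(p)
        findings.append((p.relative_to(root).as_posix(), kind, digest))
        if quarantine is not None:
            dest = Path(quarantine)
            dest.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest / digest))
    return findings


def write_hash_list(findings, out_path):
    """One line per finding; the first column pastes straight into VirusTotal's search box."""
    with open(out_path, "w") as f:
        for rel, kind, digest in findings:
            f.write(f"{digest}  {kind:<10} {rel}\n")


def demo():
    """Build the constructed tree in a temp dir, scan it and quarantine what was flagged."""
    base = Path(tempfile.mkdtemp(prefix="restore-"))
    for rel, data in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    findings = scan_restore(base, quarantine=base.with_name(base.name + "-quarantine"))
    write_hash_list(findings, base / "flagged-hashes.txt")
    return findings


if __name__ == "__main__":
    for rel, kind, digest in demo():
        print(digest, kind, rel)
```

Running it on a real restore: point `scan_restore` at the unpacked backup and pass a quarantine path outside the tree. Note that the PHP file is deliberately not flagged: on a MyBB site the PHP files are the application, so a web shell dropped as .php needs a different check (diff the restored tree against a clean copy of the same MyBB release) rather than a magic-byte scan.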
You're certainly not out of line, and trust me, I have already made those changes. I regularly run malware scans and I don't install suspicious software, so I don't think it is my machine itself that is compromised, which is evidenced by the fact that the attacker wasn't on my local IP. What is more likely is that my password was leaked (in the multitude of database leaks from other sites), because I was using a simple password that I had previously used on other sites. I have obviously reset my passwords on all major sites that I am on now to unique 20-digit randomly generated passwords, so it's unlikely that it will happen again.
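The append-only S3 backup bucket suggested earlier in the thread, written out as an added example; this is not code from anyone in the thread. The bucket name and the two IAM ARNs are hypothetical placeholders. The policy gives the backup writer `s3:PutObject` under `backups/` and nothing else, and explicitly denies everyone but one admin principal the right to delete objects or object versions or to weaken the policy, lifecycle or versioning settings; a lifecycle rule expires old backups so nobody needs delete rights day to day. Two caveats the post does not mention: a plain `PutObject` on an existing key overwrites it unless bucket versioning is enabled, which is why the apply step turns versioning on first and the deny list includes `s3:DeleteObjectVersion`; and an explicit Deny with `Principal: "*"` binds every principal not matched by the condition, so test it on a throwaway bucket with the real admin ARN before trusting it (S3 Object Lock is the stronger option if you want retention the admin cannot shorten either). The small `evaluate` function models only this policy's logic (explicit deny wins, then allow, else implicit deny) so the behaviour can be checked offline; it is not a general IAM simulator.

```python
import fnmatch
import json

# Hypothetical names for the illustration; substitute your own bucket and IAM ARNs.
BUCKET = "wf-forum-backups"
WRITER_ARN = "arn:aws:iam::123456789012:user/mybb-backup-writer"  # cron job that uploads dumps
ADMIN_ARN = "arn:aws:iam::123456789012:user/crow-admin"           # the only principal allowed to delete


def backup_bucket_policy(bucket, writer_arn, admin_arn):
    """Append-only bucket policy: the writer may only create objects under backups/;
    everyone except the admin is denied deleting objects/versions or loosening settings."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/backups/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BackupWriterAppendOnly",
                "Effect": "Allow",
                "Principal": {"AWS": writer_arn},
                "Action": ["s3:PutObject"],
                "Resource": objects_arn,
            },
            {
                "Sid": "OnlyAdminMayDeleteOrWeaken",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:PutBucketPolicy",
                    "s3:DeleteBucketPolicy",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketVersioning",
                ],
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": admin_arn}},
            },
        ],
    }


def backup_lifecycle(days):
    """Expire backups, and overwritten versions of them, after `days` days automatically."""
    return {"Rules": [{
        "ID": f"expire-backups-after-{days}-days",
        "Filter": {"Prefix": "backups/"},
        "Status": "Enabled",
        "Expiration": {"Days": days},
        "NoncurrentVersionExpiration": {"NoncurrentDays": days},
    }]}


def _matches(patterns, value):
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _statement_applies(stmt, principal_arn, action, resource):
    principal = stmt["Principal"]
    if principal != "*" and not _matches(principal.get("AWS", []), principal_arn):
        return False
    if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
        return False
    # Only the single condition key this policy uses is modelled.
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if key == "aws:PrincipalArn" and principal_arn == expected:
            return False
    return True


def evaluate(policy, principal_arn, action, resource):
    """Explicit Deny wins over any Allow; a principal the bucket policy never grants
    gets "implicit_deny" (their own identity policy, not this one, decides for them)."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, principal_arn, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


def apply_to_aws(bucket, policy, lifecycle):
    """Push the configuration with boto3 (needs credentials; not run in the offline demo)."""
    import boto3
    s3 = boto3.client("s3")
    # Versioning first: without it a PutObject on an existing key silently overwrites it.
    s3.put_bucket_versioning(Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    s3.put_bucket_lifecycle_configuration(Bucket=bucket, LifecycleConfiguration=lifecycle)


if __name__ == "__main__":
    policy = backup_bucket_policy(BUCKET, WRITER_ARN, ADMIN_ARN)
    obj = f"arn:aws:s3:::{BUCKET}/backups/mybb-2019-01-01.sql.gz"
    print(json.dumps(policy, indent=2))
    print("writer put:", evaluate(policy, WRITER_ARN, "s3:PutObject", obj))
    print("writer delete:", evaluate(policy, WRITER_ARN, "s3:DeleteObject", obj))
```

The point of the design is that stolen writer credentials (the backup cron job's keys, or an admin's machine that runs it) can only add objects: they cannot delete the last good dump, cannot roll it back to an older version, and cannot edit the policy or lifecycle to make that possible later. Keep the writer's keys off the forum host's admin accounts so that compromising the MyBB AdminCP does not also hand over the bucket.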