Mac OS X Hints site update Site News
On the evening of April 23rd, some nefarious types accessed the admin side of Geeklog, the engine that drives this site (the latest version of Geeklog isn't susceptible to this attack). The attackers then posted a few spammy stories (which I've now deleted), deleted some hints, and (much worse) used a Geeklog function to email all registered users. My apologies for this; we're working on the problem now, and will update this story with additional information as we progress.

Update: The hints and comments from April 22nd have been restored.

Update #2: The hints and comments from April 23rd have now been restored. We may have lost a few comments, but I think I got 99% of them, thanks to the comments RSS feed. Obviously, the time/date stamps are all wrong, as I simply posted them as I recreated them. If you see something noticeably out of place (threading-wise), just let me know and I can move it around.

Update #3: Portions of the user settings system (i.e. passwords, viewing prefs, etc.) will be offline while we update the system during the day today.

Thanks, and again, my apologies...
-rob.

Mac OS X Hints site update
Authored by: j-beda on Apr 23, '09 08:27:09PM

Do we have to worry about all of our super-secret passwords? Will one of these nefarious people start posing as some of us?



Mac OS X Hints site update
Authored by: robg on Apr 23, '09 08:30:04PM

No, because even as an admin, I have no access to user passwords. They're all hashed, and can't be changed without knowing the current password. (The hackers didn't get direct database access, only access to Geeklog's admin pages.)

-rob.



Mac OS X Hints site update
Authored by: gxw on Apr 23, '09 08:36:59PM

Saw the hacked page. Unfortunate as it causes lots of extra work for site admins but I did think the one George Bush picture was funny.
Thanks for the update post - Was wondering what was going on. The hacked stuff disappeared after a page reload.




Mac OS X Hints site update
Authored by: Zaphod42 on Apr 25, '09 02:51:55PM

Anyone got a screen shot of the hacked page? I'd like to see it :)



Mac OS X Hints site update
Authored by: mkjellman on Apr 23, '09 08:38:08PM

I've been reading the site almost daily for years now and I finally registered just to comment on this. I saw a weird post on my topsites and when the page refreshed I saw your note. Seriously, to whomever feels the need to hack this site, go somewhere where you don't have a community of people to really f-ing tick off. Thanks rob for all your hard work.



Mac OS X Hints site update
Authored by: tallackn on Apr 23, '09 08:43:55PM

Rob, always appreciated your hard work, but never bothered to see how you were being rewarded for it.

This kind of article shows how hard you do work for it. I looked about the site, but can't find anything anywhere showing if you are an owned man or are a freeholder.

So, if you are doing this off your own back, where is your PayPal donation link? I'd like to throw some cash your way to show you how much you are appreciated. :)

If you are owned, kudos to you brother! :)



Mac OS X Hints site update
Authored by: robg on Apr 23, '09 08:51:07PM

I did it on my own through mid-2005, then quit my day job and joined Macworld to work on it as my job :).

-rob.



Mac OS X Hints site update
Authored by: MurphyM on Apr 23, '09 09:05:53PM

Rob - Do you see any point in reporting this to law enforcement? I'd be tempted to, but there's so much uninvestigated cyber-crime I'd be hard pressed to justify the time spent reporting it.

Sorry this happened to you, I'm a huge fan of your work.

-Murphy Mac



Mac OS X Hints site update
Authored by: ziggyonice on Apr 23, '09 09:06:06PM

You may be able to pull the missing hints off an RSS feed.

I'm just checking my Safari feed now, and I've got the Google Earth and Finder hint in there, although it is missing the second half of the wording. Perhaps someone has an RSS feed that will download the entire article?



Mac OS X Hints site update
Authored by: flammable on Apr 23, '09 09:08:21PM

Would be awesome if this place offered full feeds.

Just chiming in to say another 'thanks' to Rob - this probably isn't how you planned to spend your evening.



Mac OS X Hints site update
Authored by: robg on Apr 23, '09 09:18:07PM

Yea, I have the partial hints from the feed, but need more info to complete them (at least the Google Earth one; I can re-do the other two).

-rob.



Mac OS X Hints site update
Authored by: brachiator on Apr 23, '09 09:07:16PM

The spam from your hacker was remarkably unoffensive – I haven't been invited to an IRC channel in a looong time. ;-) Thanks for squaring it away so fast.



Mac OS X Hints site update
Authored by: pranaysanghavi on Apr 23, '09 10:36:12PM

....GENTE, OLHA COMO SOU HACKER OWNED BY [b]KELVIN[/b] & #PIMP HACKERS KISSES FOR OBAMA BRAZILIAN HACKERS?? hahah... good bye..

Pulled it up from the feed.. does that mean anything?
Sometimes I wonder what is the sense of that blabber attack? The Nigerian trappers are at least innovative in that they try to rob your money, .. but kisses, ..obama? .. wtf?



Mac OS X Hints site update
Authored by: mike666 on Apr 24, '09 12:42:40AM

Sounds like a semi-clever 13 year old who got tired of hanging out in /b/ on 4chan...



Mac OS X Hints site update
Authored by: cryptlib on Apr 23, '09 09:13:14PM

More than just logged-in users were mailed. I wasn't logged in and I got a mail.

---
% kill -H -1



Mac OS X Hints site update
Authored by: errolbert on Apr 23, '09 09:21:11PM

I haven't logged in in AGES and I got two spam emails from them as well, so I imagine it was more than just the logged-in users.



Mac OS X Hints site update
Authored by: robg on Apr 23, '09 09:27:09PM

Sigh. Apparently all users. My sincerest apologies. Nine-plus years running this site, and it finally happened...

-rob.



Mac OS X Hints site update
Authored by: cryptlib on Apr 23, '09 09:37:19PM

It's OK dude. Have a beer on me.

---
% kill -H -1



Mac OS X Hints site update
Authored by: Anonymous on Apr 30, '09 09:32:22AM

Hey, that's less downtime than the electricity grid. And given it needs electricity to run, that's a pretty big achievement!

Evidently, I've been using an old email address -- when it finally comes back (a week later, still waiting), I'd better visit that prefs page...



Mac OS X Hints site update
Authored by: ppmax on Apr 23, '09 09:36:16PM

I haven't logged in in over 3 months and was spammed as well.

So do they have our email addresses or did they just trigger a send?

Also: Been a registered user since '99; you've done a great job Rob



Mac OS X Hints site update
Authored by: robg on Apr 23, '09 09:43:11PM

They just triggered a send -- Geeklog contains an admin tool to email all users.

-rob.



Mac OS X Hints site update
Authored by: S Barman on Apr 23, '09 10:03:51PM

I had to check my Junk folder to find the spam (I was curious). I guess it just did not bother me!! :-)



Mac OS X Hints site update
Authored by: cycomachead on Apr 23, '09 10:20:33PM
I don't know if this helps you at all, but here is what I have:

10.5: Change folder sort order in the Finder's Kind view
Today, 7:30 AM
In the Finder's list view, if you sort by Kind, folders are lumped together in the middle of the list. If you'd rather see all the folders at the beginning of the list, here's how to change the sort order.

In the Finder, navigate to /System » Library » CoreServices » Finder.app » Contents » Resources » English.lproj (or the folder for your language). In that folder, open the InfoPlist.strings file in a pure text editor.

Inside the file, find this section and entry:
/* General kind strings */
"Folder" = "Folder";
Leave the first line alone, but change the second to read:
"Folder" = " Folder";
Note that I have added only a single space before Folder. Save the file after making the change, and then restart OS X.

To test your change, open a Finder window and view by Kind (either via View » Show View Op...


Read more…
Browse current Terminal directory in a web browser
Today, 7:30 AM
While browsing commandlinefu.com (a very useful site, by the way), I found this gem that uses Python to quickly set up a webserver for the current directory in Terminal.

First launch Terminal and cd to the directory you'd like to access via your web browser. Then just use this command to start a webserver serving just that folder (and folders within it):
python -m SimpleHTTPServer
The webserver runs on port 8000, so to access the pages in your browser, you'd use http://localhost:8000. If you'd rather run the webserver on another port, just include the port number on the python line: python -m SimpleHTTPServer 8080.

Depending on which browser you're using and the files you're browsing, you ma...


Read more…
Permanently remove updater from Google Earth 5
Today, 7:30 AM
There has been a fair amount of controversy around Google forcing users to install a background updater application before they can use Google Earth 5. A point of particular contention is that a user has no immediate control through the application interface to specify if or how often they want the Google updater service to activate.

As one can imagine, this has the potential to cause a world of hurt especially for people on limited internet connections. Personally, I just don't like not having control over what my computer does; I say what software gets installed and when it gets run. Excuse me while I keep myself from getting carried away here and going on a big rant.

Remove Google Earth's ability to install the update service

Locate your copy of Google Earth, Control-click on the application and choose Show Package Contents from the pop-up menu. Now remove the following two files, based on starting at the top of the application bundle:
...

Mac OS X Hints site update
Authored by: hobbster on Apr 23, '09 10:34:50PM

I happened to have both those pages open in tabs when the site got hacked. Unfortunately I refreshed the "folder sort" tab and of course lost the content. Couldn't even find a png of it in Safari's huuuuuge cache folder. But here's the text of the "google updater" hint:

There has been a fair amount of controversy around Google forcing users to install a background updater application before they can use Google Earth 5. A point of particular contention is that a user has no immediate control through the application interface to specify if or how often they want the Google updater service to activate.

As one can imagine, this has the potential to cause a world of hurt especially for people on limited internet connections. Personally, I just don't like not having control over what my computer does; I say what software gets installed and when it gets run. Excuse me while I keep myself from getting carried away here and going on a big rant.

Remove Google Earth's ability to install the update service

Locate your copy of Google Earth, Control-click on the application and choose Show Package Contents from the pop-up menu. Now remove the following two files, based on starting at the top of the application bundle:
Contents/Frameworks/KeystoneRegistration.framework/Resources/install.py
Contents/Frameworks/KeystoneRegistration.framework/Resources/Keystone.tbz
The first file is the python script used to install the updater service, while the second is a tar-bzip'd bundle that contains the updater service. If the source files aren't there, Google Earth will be incapable of installing the updater service, no matter what you tell/told it on first run.

Remove the updater application and files installed by Google Earth

If you've already been running Google Earth 5, you may also wish to do the following after completing the first part of the hint. Remove the following folders/files:
~/Library/Google/GoogleSoftwareUpdate
~/Library/LaunchAgents/com.google.keystone.daemon.plist
~/Library/Caches/com.Google.Keystone.*
~/Library/Logs/GoogleSoftwareUpdateAgent.log
The first being the Google update service, the second the launchd plist that specifies when to run the service, third any items already downloaded by the google update service, and fourth the log file from the update service.

Addendum

If you've followed thus far, you should have successfully removed the Google Update service from your Mac, and prevented Google Earth from being able to re-install the software. Note that other Google software may also use/install the Google Update service. I haven't researched that far, and so this hint applies to those only using Google Earth 5 and no other Google software. If all you wanted to do was remove the update service from Google Earth 5, you can stop reading now. If you're of the curious type, the following may be of interest to you, and is provided for informative purposes only.

Those with the ability to read programming code, particularly Python, may wish to peruse the install script to see exactly what happens when the software is installed. If you do, you may notice that providing the --nuke flag when running the script will remove the software and the launchd plist; this of course doesn't stop Google Earth re-installing it at next launch. It also doesn't remove the log, nor the update cache.

For some reason, the Keystone Registration framework also includes copies of the bundle and install script at the following locations, using the same working directory as part one of the above hint:

Contents/Frameworks/KeystoneRegistration.framework/Versions/A/Resources/
Contents/Frameworks/KeystoneRegistration.framework/Versions/Current/Resources/

Normally, .../KeystoneRegistration.framework/Versions/Current is a symlink to .../KeystoneRegistration.framework/Versions/A, and .../KeystoneRegistration.framework/Resources is a symlink to .../KeystoneRegistration.framework/Versions/A/Resources.

Not sure what's going on here, but it seems a bit redundant to have three copies of the same files. Nonetheless, removing the items in the above hint is sufficient in preventing the installation of the service.

[robg adds: I haven't tested this one.]



Mac OS X Hints site update
Authored by: pranaysanghavi on Apr 23, '09 10:39:05PM

AI GENTEEEEEEE QUE MARAAAAAAAAAAAAAAAAAA KELVIN HACKER ZINHOOOOOOOO BEIJINHOSSSSSSSS

[pulled up from a feed] //
Now what's the point of that? I hope they didn't cause much damage to the site.. being a small time web developer, and a hobbyist for a social website, I am aware what perspires to tackle such idiotic fools.



Mac OS X Hints site update
Authored by: Anonymous on Apr 30, '09 09:36:17AM

"perspires"? A portmanteau of precipitates and transpires? I like it!



Always Update
Authored by: bedouin on Apr 23, '09 11:22:48PM

Where I used to work I had their news page setup running Geeklog. When I left I gave them all the info they needed to keep it sustained and emphasized that they'll need to update it regularly or else it will likely get owned.

Sure enough it got owned.



Mac OS X Hints site update
Authored by: buz on Apr 23, '09 11:26:49PM

Can you share (if known) your server setup or a hint on the method used? Because I run a couple of servers too, I would like to know whether the attacker used a known method or brute-force.

I don't want you to post all the details, it'd be too dangerous, but at least a hint so that those interested may check their setup.

Thanks.

Buz



Mac OS X Hints site update
Authored by: robg on Apr 24, '09 04:05:43AM

It was a known exploit in Geeklog, which has been patched as of the current Geeklog release.

-rob.



Mac OS X Hints site update
Authored by: Lui-g on Apr 24, '09 01:33:43AM

Interesting - I happened to join yesterday, and made a comment on the "Set browser window size and position via URL parameters" hint which has disappeared (missed by the backup I suppose).

I did not get any spam though, so whatever they did, it was before I joined...

GoogleReader picked up the hacker's entries - it's interesting that their last entry compliments the admin, and even explains a little as to what they would have done.

Darn hackers... my comment was quite long...



Mac OS X Hints site update
Authored by: Lui-g on Apr 24, '09 01:34:53AM

[ my comment has disappeared - not the hint. ]



Mac OS X Hints site update
Authored by: robg on Apr 24, '09 04:52:48AM

I have now recreated all the lost comments from the three hints of April 22nd, including yours. I may have mis-threaded some of them (I tried my best to figure out where they belonged), but they're all there.

-rob.



iKarma?
Authored by: mshmgi on Apr 24, '09 05:12:18AM

I guess this is what you get for not hosting this site on Linux instead of a Mac. ;)



Mac OS X Hints site update
Authored by: Lui-g on Apr 24, '09 05:57:02AM

That's great, Rob - well done for keeping on top of things.

Lui-g.



Mac OS X Hints site update
Authored by: satcomer on Apr 24, '09 06:15:32AM

Thanks Rob for keeping us old users updated. I can't relate on the web how much I appreciated you updating us users and I sure hope it doesn't happen in the future again.



Mac OS X Hints site update
Authored by: macnixer on Apr 24, '09 07:41:20AM

It sure is an unfortunate incident. Good to know that you have managed to restore all the data.

Now for a little look at the term "hacker". While many sites define the use of the word in a pejorative way, in reality the word was used and still is to describe a great programmer who knows how to "hack" into code and get things done. These people are not malicious.

On the flip side the people who "hack" into a computer with malicious intent are "crackers" as that is what they did.

I understand that the new world terminology is more towards the negative aspect of the word but in reality I have a lot of respect for the real McCoy.



Mac OS X Hints site update
Authored by: robg on Apr 24, '09 10:06:25AM

I'm aware of the dual nature of the term ... but at the time this was all going down, I will admit to not thinking too much about it. I just wanted to get something online ASAP.

I've now changed the wording to remove any reference to hackers.

-rob.



Mac OS X Hints site update
Authored by: Nem on Apr 24, '09 08:15:24AM

I'm a CLI type person:

killall -9 -u stupid_hackers


Thanks for all the work you do, Rob!

---
Nem W. Schlecht
http://geekmuse.net/



Mac OS X Hints site update
Authored by: leamanc on Apr 24, '09 09:37:14AM

Kudos, Rob! This can happen to the best of us, but at least you caught it in a timely fashion, and the work to re-create the hints and comments shows a real commitment.

I would like to mention that there are ways to back up MySQL (binary logs) that can take you back to any point in time. You would have then been able to put the site back to right before the time the hack occurred.



Mac OS X Hints site update
Authored by: robogobo on Apr 24, '09 09:54:32AM

I didn't get the email. I feel totally left out.



Mac OS X Hints site update
Authored by: Notch Johnson on Apr 24, '09 08:45:13PM

Man, I didn't get it either!



Mac OS X Hints site update
Authored by: JJCortes on Apr 24, '09 02:34:49PM

I hope you will find a way to protect our favorite website from future cyber attacks. I didn't receive any spam from you, so only some addresses have been stolen.



Mac OS X Hints site update
Authored by: flmiller on Apr 25, '09 10:23:18AM

Note: Rob said NO addresses were stolen - spam was simply sent to existing addresses. HTH.


