Wha' happen?
January 26, 2009 10:39 AM   Subscribe

It's no use, they were behind seven proxies.
posted by mullingitover at 10:41 AM on January 26 [4 favorites]

"attacted" is my new favorite word.
posted by kate blank at 10:42 AM on January 26 [8 favorites]

Maybe we should divert our resources to education before waging war.
posted by Brandon Blatcher at 10:46 AM on January 26 [4 favorites]

More questions:
Can they be spotted on GoogleMaps?
posted by Potomac Avenue at 10:47 AM on January 26 [3 favorites]

Seven? No, seriously, somebody got a count?
posted by telstar at 10:47 AM on January 26

There was some play-by-play of the downtime over in this metachat thread, including a bit of detailed poking by TheOnlyCoolTim.

That the attack was so poorly executed (most of the injections yielded broken html rather than malicious links) and apparently took advantage of generic CF security vulnerabilities makes it seems pretty unlikely that it was targeted at Metafilter in any meaningful sense. The site that the attack ultimately tried to lead folks to is a chineses spamhive called 51yes.com with laughable fake whois info.

Googling around at the time of the attack for the target of the javascript injections suggested that we were not the only site hit by this, though whether the others got hit at the same time or whether we were just the victim of the latest salvo I don't really know.

My best (not particularly educated) guess is motiveless, impersonal drive-by from careless quantity-over-quality zombie-farming script kiddies. I don't know that we really have any info on from whom or from where the attack came.
posted by cortex at 10:48 AM on January 26 [6 favorites]

My fellow Mefites,

I post here today humbled by the task before the mods, grateful for the trust we have bestowed them, mindful of the sacrifices borne by our profile pages. I thank mathowie and pb for their service to our community, as well as the generosity and cooperation they have shown throughout this downtime.

That we are in the midst of crisis is now well understood. Our community is at war, against a far-reaching network of SQL injection and malicious code. Databases have been compromised; profiles hacked; shades of violent pink lost. These are the indicators of crisis, subject to data and statistics. Less measurable but no less profound is a sapping of confidence across our site -- a nagging fear that Metafilter's decline is inevitable, and that the next generation of five-dollar newbies must lower its sights.

Today I say to you that the challenges we face are real. They are serious and they are many. They will not be met easily or in a short span of time. But know this, Metafilter: They will be met.

We remain a young community, but in the words of languagehat, the time has come to set aside churlish pules. Our journey has never been one of shortcuts or settling for less. It has not been the path for the fainthearted -- for those who prefer Flash Friday over work, or seek only the pleasures of bunnies and chat. Rather, it has been the risk-takers, the doers, the fuckers of chickens -- some celebrated, but more often men and women obscure in their labor -- who have carried us up the long, rugged path toward recumbent bicycles and favorites.

For us, they packed up their few worldly pancakes and traveled across archives in search of a used car.

For us, they toiled in livejournalism school and doubled the Posts; endured the blue of the Pepsi and plowed the hard chops.

For us, they posted and commented, in places like Cooter and Sameasintown; Givewell and Westphalia. This is the journey we continue today. Our mods are no less vigilant than when this crisis began. Our members are no less inventive, our posts and comments no less needed than they were last week or last month or last year. Our capacity remains undiminished.

But our time of eating pancakes, of overthinking plates of beans and not recognizing mushrooms -- that time has surely passed. Starting today, we must pick ourselves up, dust ourselves off, and begin again the work of redesigning our white background.

For everywhere we look, there is work to be done. The state of the cabal calls for action, bold and swift, and we will act -- not only to create new Jobs, but to lay a new foundation for Projects. We will build the Podcast and Music, the gold stars and literal vikings that feed our RSS readers and bind us together. And we will restore SCIENCE! to its rightful place. All this we can do. And all this we will do.

As for our common defense, we reject as false the choice between jessamyn and cortex. Our administrators, faced with perils we can scarcely imagine, drafted guidelines to assure the rule of flags and the rights of flaming out, a FAQ expanded by the blood of noobs. Those ideals still light the site, and we will not give them up for expedience's sake.

For we know that our patchwork heritage is twenty dollars, the same as in town. We are a community of ponies and furries, hurf durf butter eaters and drama queens -- and clog-wearing sheepfuckers [NOT DUTCH-IST]. We are shaped by every longboat and cabal, drawn from every Christ, what an asshole; and because we have tasted the bitter swill of administrator. please hope me!, and emerged from that dark chapter stronger and more united, we cannot help but believe that this will wendell; that thou shalt always filter.

Our cameras may be new. The instruments with which we flag them may be new. But those values upon which our success depends -- cat declawing and obesity, circumcision and smoking, porn in the woods -- these things are old. These things are true. They have been the quiet force of progress throughout our history. What is demanded then is a return to these truths. What is required of us now is a new era of responsibility -- a recognition, on the part of every Mefite, that we have duties to ourselves, our community and the world; duties that we do not grudgingly accept but rather seize gladly, firm in the knowledge that there is nothing so satisfying to the mods, so defining of our stuffy intellect, than giving our all to a difficult post.

This is the price and the promise of membership.

This is the source of our confidence -- the. This is the meaning of our longboat and our cabal -- why men and women and children of every IP and every user number can join in celebration across this magnificent Matt.

So let us mark this day with remembrance, of who we are and how far we have traveled. In the year of Metafilter's birth, in the coldest of months, a small band of posters huddled by dying firewalls on the shores of an icy river. The cabal was abandoned. The longboats were advancing. The Blue was stained with blood. At a moment when the future of our community was most in doubt, its father ordered these words be read to the people:

"What. The. Fuck. Matt?"

Metafilter. In the face of our common dangers, in this winter of our hardship, let us remember these timeless words. With hope and mushrooms, let us brave once more the plates of beans, and embrace what ponies may come. Let it be said by our children's children that when we were tested, we refused to let this web site end, that we did not click back, nor did we flag; and with eyes fixed on the reload button and the mods' grace upon us, we carried forth that great post of talking cats and delivered it safely to future generations.

Thank you, God bless you, and God bless Metafilter.
posted by goodnewsfortheinsane at 10:48 AM on January 26 [243 favorites]

The British government Metafilter cabal has learned that Saddam Hussein Holden Karnofsky recently sought significant quantities of uranium bandwidth from Africa China.
posted by mr_crash_davis mark II: Jazz Odyssey at 10:54 AM on January 26 [4 favorites]

zombie-farming script kiddies

Hey! I was made by a scientist! A SCIENTIST!
posted by Astro Zombie at 10:56 AM on January 26 [9 favorites]

Potomac Avenue: "More questions: Can they be spotted on GoogleMaps?"

Why is this making a resurgence on the Internets today? We covered it in November.
posted by Plutor at 10:58 AM on January 26

Attacked. I looked at that word before I hit post, said hmmm, and posted it anyway. I blame the terrorists.
posted by longsleeves at 10:59 AM on January 26

I blame Obama's Blackberry.
posted by gman at 11:00 AM on January 26 [1 favorite]

I am deeply grateful for all the hard work you folks put in this weekend to recover from this vandalism. Good job!

I wanted to say that I hope that this page and this page will come back. I know they were only experimental prototypes, later replaced by more "official" pages, but I've always preferred their formatting and have gotten used to them.
posted by Class Goat at 11:00 AM on January 26

FATAL ATTACTION
posted by grobstein at 11:02 AM on January 26 [1 favorite]

Seriously, Matt, pb, cortex, jess: this must have been a crap-ass weekend for all of you. Thanks for taking care of metafilter this way.
posted by boo_radley at 11:11 AM on January 26 [19 favorites]

Thanks mods.
posted by jerseygirl at 11:15 AM on January 26

Good stuff in SQL misery land, guys.

I've been kinda wondering though: why do all the sites have different codebases, given that there's such a huge overlap in functionality between them?
posted by bonaldi at 11:17 AM on January 26

I have hacked
The website
That was on
The internet

And which
You were probably
Saving
For slacking

Forgive me
It was malicious
So fusion
And so cold
posted by cortex at 11:24 AM on January 26 [69 favorites]

I've been kinda wondering though: why do all the sites have different codebases, given that there's such a huge overlap in functionality between them?

A heterogeneous population is less susceptible to complete extinction if the face of a viral threat. This 'attact' suggests, if anything, that we need even MORE variation in the code of the subsites.
posted by Ryvar at 11:24 AM on January 26

in the face of. Damnit. My grammatical ability has been attacted.
posted by Ryvar at 11:25 AM on January 26 [2 favorites]

Plutor: I don't know but I definitely recommend GSV for finding criminals of all kinds.
posted by Potomac Avenue at 11:29 AM on January 26

So, um, did anyone get my email address?
posted by plexi at 11:29 AM on January 26

How is babby attacted?
posted by mkultra at 11:32 AM on January 26 [2 favorites]

How about taking over 51yes.com? Seems if they don't post correct WHOIS information they're vulnerable to losing it.
posted by crapmatic at 11:34 AM on January 26 [1 favorite]

So, um, did anyone get my email address?

To be honest, I can't say I'm 100% someone did not, but it appears that this was a random drive-by script kiddie working for one of the many IE exploit malware groups so I seriously doubt it. We don't see any evidence of someone compiling emails or dumping them to files or transfering the information anywhere.

They just wanted to post their stupid redirect payloads to infect more unpatched IE/Win installs, and it's unfortunate that we were vulnerable to it.
posted by mathowie at 11:48 AM on January 26

I never knew how much I needed you until I almost lost you.

(Thank you.)
posted by iamkimiam at 11:53 AM on January 26

And guess what? We went a whole weekend without a single MetaTalk post!
posted by iamkimiam at 11:54 AM on January 26 [4 favorites]

And guess what? We went a whole weekend without a single MetaTalk post!

I gotta lot of pent-up snarkasm.
posted by gman at 12:00 PM on January 26

Stupid Star Trek joke in


3...2..1...

Metafilter should remodulate it's shield hamonics so an attac like this would have no affect next time...
posted by SheMulp AKA Plus 1 at 12:10 PM on January 26 [4 favorites]

> This 'attact' suggests, if anything, that we need even MORE variation in the code of the subsites.

As a software engineer, I just threw up in my mouth a little.
posted by Brak at 12:23 PM on January 26 [8 favorites]

Is this why we can't have pictures?
posted by slogger at 12:23 PM on January 26

Mefi servers are in the U.S., but the attackers might have been in China -- What's the precedence regarding Internet crimes? Have any made it to some kind of international court?
posted by acro at 12:24 PM on January 26

next time get yet flu shots, ya'wl.
posted by krautland at 12:25 PM on January 26

You should rewrite Meta in .net.
posted by smackfu at 12:29 PM on January 26

Mathowie of our weary years, Jessamyn of our silent jeers, you who have moderated us thus far along the way...

drunk with the wine of the world

YES WE CAN

something about how awesome your kids are

rhyming racial funniness...

OK fuck too painful i give up
posted by allkindsoftime at 12:32 PM on January 26 [1 favorite]

I AM OUTRAGED AT HAXORZ!
posted by JeffK at 12:55 PM on January 26

You should rewrite Meta in .net.

...and I'm a little outraged at that thought. ick.
posted by JeffK at 12:56 PM on January 26 [1 favorite]

Now with MVC!
posted by Artw at 1:01 PM on January 26

I definitely recommend GSV for finding criminals of all kinds.

GSVs are usually too busy with their passengers, and ROUs like me, well, frankly, you shouldn't point us in the direction of people you might not want to explode, melt, or otherwise expire in photogenically messy ways.

This sort of thing is really best left to the GCU's. You could try contacting Grey Area, but it's not very talkative.
posted by ROU_Xenophobe at 1:18 PM on January 26 [5 favorites]

Effectorise the son of a bitch.
posted by Artw at 1:20 PM on January 26 [2 favorites]

I have all these great snarks saved up on pen and paper back at home, can't wait to post them!
posted by inigo2 at 1:22 PM on January 26 [1 favorite]

We tried to do some Extreme Programming to the site but we just ended up back at square one, covered in Mt. Dew and shame.
posted by cortex at 1:24 PM on January 26 [15 favorites]

iamkimiam: And guess what? We went a whole weekend without a single MetaTalk post!

Apparently, there was a MeTa thread about the attack (in which cortex uttered "Great fiddly fuck. Good morning."), but it went down the toilet along with the h4xx0r'd pages. Bits of it still live on in the MeCha thread linked above, though.
posted by daniel_charms at 1:24 PM on January 26 [1 favorite]

If brevity is the soul of wit, what is gnfti?
posted by Cranberry at 1:26 PM on January 26

Astro Zombie - you may have been created by scientists, but you can be grown like any other crop. Zombie farmers just increase the crop yields, once scientists perfect the serum/ virus/ radiation/ voodoo/ whatnot.
posted by filthy light thief at 1:28 PM on January 26

Come on ROU, let's have some Gravitas about this circumstance shall we?
posted by Potomac Avenue at 1:28 PM on January 26 [1 favorite]

I made you a cookie, but I attacted it.

What a strangely productive weekend for me. Thank god that's over with. Fight the good fight from the server closet, mods! Sandwiches all-around!
posted by Devils Rancher at 1:46 PM on January 26

This site would be much more secure if it were written in SNOBOL and compiled with SPITBOL. Then you'd have yourself a real flying car.
posted by SteveInMaine at 1:48 PM on January 26

This 'attact' suggests, if anything, that we need even MORE variation in the code of the subsites.

As a software engineer, I just threw up in my mouth a little.

As a guy who frequently pretends to be a virologist in order to pick up chicks (don't ask), all I can say is: tough shit, soldier! When I get back here I want to see this site coded eighty-seven ways from Sunday! Literally!

And then I want a load-balancer-analogue that randomly selects an implementation for each and every session! That's right, you bastards: reverse engineer THIS!
posted by Ryvar at 1:53 PM on January 26 [2 favorites]

They hate our awesomeness.
posted by piratebowling at 2:02 PM on January 26 [1 favorite]

At least Matt didn't decide to close up shop and auction off the domain.
posted by cjorgensen at 2:19 PM on January 26

<insert clever meme, modified to fit the situation>
posted by not_on_display at 2:30 PM on January 26

As I saw the site down at 2pm, I thought "Whoops"

At 6pm I said "Woah"

At 8pm I was all like "Whaa?"

By 11pm I was thinking "fuggit, buncha wozzers!" (booze addled, naturally.)

At 1am I decided that I was the right hand of god, the angel of Omega, and it was my sacred duty to bring those responsible to justice.

Sunday morning I realized that one should never drink, eat acrylic paint chips, and huff Jello powder when feeling vindictive. It leaves you with grape flavored nightmares.

Thanks to everyone who lost sleep fixing this.
posted by quin at 2:31 PM on January 26

Is this something I would need to spend my weekends sitting in front of the computer, having done precisely that same thing for the previous five working days, to understand?
posted by turgid dahlia at 2:34 PM on January 26 [1 favorite]

You seem awfully well informed about what you would need to have done to understand this.
posted by grobstein at 2:41 PM on January 26 [2 favorites]

> When I get back here I want to see this site coded eighty-seven ways from Sunday! Literally!

Hmmm...

Random r = new Random();
for (int i = 0; i < 87; i++)
{
    int newRandomValue = r.Next();
    GenerateDeltaFromSunday(newRandomValue);
}

There, I did the hard part. The rest is left as an exercise to...anyone. I'm going back to work.
posted by Brak at 2:45 PM on January 26

You seem awfully well informed about what you would need to have done to understand this.

Yeah, well...you stink! That's right! Of poo! Take that!
posted by turgid dahlia at 3:03 PM on January 26

shades of violent pink lost

Looks like the restore from backup brought it back.
posted by ROU_Xenophobe at 3:11 PM on January 26

My favorite part was the rollback where we got to do the most depressing day of the year all over again and couldn't whine about it on the forever lost 'This is the most depressing day of the year' FPP.
posted by xorry at 4:07 PM on January 26

My best (not particularly educated) guess is motiveless, impersonal drive-by from careless quantity-over-quality zombie-farming script kiddies. I don't know that we really have any info on from whom or from where the attack came.

So, we just got egged? I hate getting egged. It's so pointless and so bloody hard to clean up.
posted by Elmore at 4:12 PM on January 26

Oh, also, meant to say, I'm very attacted to all of you.
posted by Elmore at 4:15 PM on January 26

we just ended up back at square one, covered in Mt. Dew and shame.

That's square one for you? Yikes!
posted by aubilenon at 4:29 PM on January 26

I wonder how much GDP would increase if MetaFilter went down during the workweek.

It might save the economy.
posted by desjardins at 4:37 PM on January 26

*hugs MetaFilter*

Oh, how I missed you.

Now I have a reason to unleash my horde of zombie kittens upon the world: to find those responsible for this. Never again...
posted by rand at 5:47 PM on January 26

I have to say though, twittering along our rituals was ridiculously amusing.
posted by Phire at 5:50 PM on January 26

I demand an extra day of MeFi and three extra days of MeTa at the end of the week, by god!
posted by Navelgazer at 6:37 PM on January 26

Same here! Also, I had heaps of rare items that I've now lost since you restored from backup!
posted by turgid dahlia at 7:23 PM on January 26

Look, I don't want to go into too many details, but I'm pretty sure I've located the perpetrators of the attack on your internet chat board.

My associates and I can make sure that the threat is permanently neutralized with a minimum of collateral damage, but we'll require 50,000 favorites up front, and 50,000 favorites when the job is complete.

If you need to contact us, please place a personal ad in the LA Times saying "Hot co-ed looking for anonymous sex" and include your home phone number.
posted by popechunk at 7:34 PM on January 26 [2 favorites]

On the upside, we lost what was turning into a really ugly I/P thread forever.
posted by rodgerd at 7:40 PM on January 26

You only realize what you've got when it disappears. Thanks mods, and goodnewsfortheinsane, that was simply brilliant. Brilliant.
posted by fourcheesemac at 9:05 PM on January 26

Thanks, sincerely, for the hard work.
posted by From Bklyn at 12:47 AM on January 27

Metafilter's status blog sets an example for "keeping members in the loop."
posted by terranova at 1:25 AM on January 27

iamkimiam: And guess what? We went a whole weekend without a single MetaTalk post!

Apparently, there was a MeTa thread about the attack

I was on Saturday morning, posting in all my innocence. La La La La. Spent several minutes posting a recipe in the pie thread, then clicked over to MetaTalk and BOOM! Reading the thread was like watching a horror movie: The call is coming from inside the house! Get out of the house! I wrote some comment, hit "post." ....and just like that MetaFilter was gone, baby, gone.
posted by Secret Life of Gravy at 8:06 AM on January 27

Even if it took a few days of MeFi downtime for goodnewsfortheinsane's comment to be dreamed up, it was so worth it.
posted by LanTao at 1:56 PM on January 27

Huh, LanTao, when I click on that link from Recent Activity, it links here:

http://www.metafilter.com/contribute/activity/#609973

Is that a post-crisis bug?
posted by goodnewsfortheinsane at 2:43 PM on January 27

No, that's a LanTao-used-a-relative-link bug, which has been around for a long time. Which means either that LanTao hand-crafted a link to only the anchor tag, or LanTao is using an oooold version of one of the quoting scripts that buggily created relative rather than absolute links, if I remember right.

I just kind of like saying "LanTao", too.
posted by cortex at 2:56 PM on January 27

In any event, I fixed the link.
posted by cortex at 2:57 PM on January 27

That's an impressive mental back catalogue of faulty software you got there, buddy.
posted by goodnewsfortheinsane at 3:23 PM on January 27

Heh, I can't favourite gnfti's comment. It keeps taking me back to the top of the page. And I can't post without previewing - but is that intentional?
posted by goo at 3:29 PM on January 27

Goo, are you using any kind of script-disabling stuff (NoScript or whatall)? The faving relies on javascript, as does Live Preview, and the latter being on is what toggles off forced preview on comments, so if you're blocking the mefi scripts (I think they're hosted by google at this point) that might be the problem.
posted by cortex at 3:33 PM on January 27

Oh of course - I turned it off on Saturday. Cheers, cortex.
posted by goo at 3:39 PM on January 27

Thanks cortex. It was a manual optimisation I did without considering the Recent Activity page.
posted by LanTao at 7:29 PM on February 1