On Tue, 18 Apr 2017, Markus Kalb wrote:
> Hi
> I find it a little bit odd that you restored the system without
> disabling all the current passwords in the Mantis system. If the
> attacker might have the user passwords, as you suggested, this would
> result in user-level access for them at the moment, which might make a
> second hack easier.
I'm 99% sure the attack exploited this:
http://www.mantisbt.org/blog/?p=518
to reset the administrator password, then deleted the DCP-o-matic project. I
have reset that password and updated Mantis to a fixed version.
> Might it not be a good idea to reset all the user passwords? This would
> mean that all users would have to insert a new one on first reconnect,
> using their email to verify the user's right to access. (Does Mantis offer
> this?)
There doesn't appear to be an easy way to do this, and I believe it is
unnecessary as I have reset the passwords on the only accounts with admin
privileges. Let me know if you think differently as I am far from a security
expert!
Kind regards,
Carl
> Carl Hetherington via DCPomatic writes:
>> It has transpired that around noon GMT on 16th April the DCP-o-matic project in
>> our bug database was deleted by actors unknown. It appears that they gained
>> administrator rights in our installation of the Mantis bug tracker.
>> If you have a Mantis account and you use the same password on any other sites
>> you are strongly advised to change this password everywhere it is used.
>> At the moment I don't think anything else on dcpomatic.com was compromised.
>> The bug tracker has been restored from a backup and I don't think much has been
>> lost. If you added a bug or comment since 16th April you will need to re-add
>> it.
>> Apologies for any inconvenience.
>> Kind regards,
>> Carl
>> _______________________________________________
>> DCPomatic mailing list
>> DCPomatic(a)carlh.net
>> http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
> --
> Markus Kalb
> Filmkreis an der TU Darmstadt