The website got completely defaced today...

It was already hacked on 21. february. I guess they don't care about security much.

Im actually quite surprised at this. Go4Go was affected the same way which can say this was pretty targeted.

Specially because there is really no motivation whatsoever to "hack" a site like GoSensations, which has absolutely no security value whatsoever.

_________________
Founder of Kaya.gs

That's likely not the issue here.
This are go websites after all, so they are not run by professional web developers and big companies. I wouldn't be surprised if they didn't know how the attackers got those privileges on the first place.

That's why security by obscurity is a failed idea. I hope that is considered for your website.

Security by obscurity is not the issue here (and usually in most web attacks): any web page online can be hacked. My Google account could be compromised, my VPS server could be compromised. And there's no obscurity roaming around: I have a Google account (obviously), and my VPS runs Arch Linux (although I use a high entropy, long passphrase)

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

For those that have said that x is likely not the issue here, what do you suppose the issue was? A hacker practicing, goofing off, or a kid that lost his last game on kgs by a half moku and was pissed at the go world?

Brodie, it was probably someone running an automated server scanner probably tied to an automated hacking tool. If the server is unprotected, bam. No need for it to be a go player, know the site or anything: you just run it against a list of IPs and a bell rings when one server can be hacked.

Security by obscurity is a way to secure a site (or something) just not telling how it was done. For example, if you use a custom built operating system or webserver stack (one you did in your spare time), it is only secure because no-one has cared to look at how to crack it, not because it is top-notch secure.

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

'Cept that his hack included a message that he had also hacked a series of go-related websites.

_________________
Patience, grasshopper.

It was a message in the RSS feeds/subsections. I thought that "hacked" was referring to these parts. Also afaik KGS has never been hacked.

_________________
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Seems to have happened again, but under the Tygem section, and this time with the signature of Anonymous. Unless, of course, this is an April Fool's joke by Go Sensations lampooning their security problems a little while back. I'm not sure, neither of them quite seem to make sense...

It's a legit breach. The intruder claiming to be "anonymous" (what a joke) is actually some noob who is in effect using gosensations to generate money using a bitcoin javascript miner.


edit: effectively > in effect

Noob question: what does this mean? How can those "anonymus we are legion"-posts make money?

They can't make money, it's FUD. This strategy would be less effective than changing the homepage to a Paypal link that says "please send me money, thanks."

So it is not effectively generating any money then?

I am still curious about what the strategy is. How does someone believe he will make money by posting on gosensations, I can't come up with a strategy that would work even in the imagination of the most delusional. I have no idea about any of this. It's as mysterious to me like ko to a 30 kyu.

The strategy is running code on your browser to slowly mine bitcoins, but if you don't already understand the idea of Bitcoin, be prepared to spend some time figuring it out. It's ineffective because the processing power of all the computers visiting the hacked page isn't likely to amount to a penny worth of bitcoins.

I see, thanks for the explanation. This thing got me wondering enough to actually make a post here, even though discussing go was of course my original intention when I first registered.

Just went to go4go, and found a spam post there, but found no way to report it.

_________________
a1h1 [1d]: You just need to curse the gods and defend.
Good Go = Shape.
Associação Portuguesa de Go