So uh this happened....

[GigaLem]

One time the forums was being redirected to some sort of blog today
Some of the other members on IRC noticed this as well
its fixed now, do any of you know what or who caused this?
and do weed need to stay alert for when it happens again?

[namida]

If this happens again, please give me the exact link of where it redirects to. If it still has the "lemmingsforums.net" link, try to get the name or something of the site. Without this, I can't really look too much into it unless I catch it when it happens.

First - was it the NearlyFreeSpeech.net blog? If so, that'd indicate a problem on the host's side, and the site being redirected to the blog to explain it; this would be very unusual but probably also indicate nothing to worry about.

Beyond that, I can't do anything without knowing more detail. If you (or anyone else) can shed any more light on this, please do and I'll look into it. (In future if this happens again - please also check if www.neolemmix.com is affected). And it goes without saying, no matter what the redirected site appears to be, do not trust it or any downloads / etc on it; unless you are 100% sure you know what you're doing.

[Crane]

I've had quite a few moments where the site has suddenly stopped responding (usually just timing out), and I simply have to wait a while for it to come online again.

[namida]

Okay, so; as I briefly discussed on #lix earlier (but didn't post here); the site in question was identified thanks to Ramon and NaOH. The site in question appears to be a fairly innocent blog that's hosted on NearlyFreeSpeech.net (the same host Lemmings Forums (and the NeoLemmix website, for that matter) is on). As such, most likely what's happened is a random and rare glitch in the host's routing; I have reported the matter to them, as although in the case of a site like ours being redirected to a presumably innocuous blog it's pretty harmless, it could have major security implications if it were to occur with, say, a commerce-related site.


In terms of security risks, in a worst case scenario (ie: if it was an intentional hack and not a random glitch, and the blog redirected to was actually trying to gather cookies / form data / etc submitted; this is extremely unlikely and there is probably nothing to worry about; I am simply providing this information partially for full disclosure purposes and partly in case anyone is the super-paranoid type who likes to be aware of these things):

- If the redirect started happening to you at the exact time you tried to log in (ie: not one or two pages after; but the very first page to load after you entered your username / password and clicked "log in"), it is possible that the other site may now have your password. In this case, you should change it here and anywhere else you use it - once again, I stress, not only is this very unlikely to actually be the case (it's a worst-case scenario), but it is only even a possibility if the redirect started happening to you at the exact same time you tried to log in.

- Otherwise, at most they may have your login authorization cookie from this site, if you use the "remain logged in option" (but were already logged in before the redirect happened). This does not give them your password, as the cookie does not save your password itself, it simply remembers that you successfully logged in. At most, they could possibly be able to use it to access this site logged into your account; at worst, they could see the visible information in your profile settings (the only thing I can think of that might be visible here, but not visible publicly, is your email address). At any rate, the authorization stored in the cookie can be invalidated by simply logging out from any PC (or other device, eg. smartphone) that you're logged in on; including one that you logged in on later than when this happened.

- If you didn't try to access the site during the time this was happening, then there is zero risk whatsoever to you.


Yet again, I will stress that the above possibilities are based on an absolute worst-case scenario, and it is more likely that nothing has happened at all.


I have also made an up-to-date backup of the site about 20 minutes ago (at the time of writing this post). This is partly due to this incident, in case anything more serious happens around the same time (although I'd say by this point, we're probably safe), but also partly because we're fairly due for another one anyway - the previous backup was about two weeks ago, and although in practice I don't keep to this target very well, I ideally want to do backups at least 3 times per two months anyway.

[namida]

I have received this response from NFS:

On Thu, 13 Aug 2015, 06:05:49 UTC, Namida Verasche wrote:
> Although I did not see it myself, several users reported that for a
> short period of time, attempts to visit the site instead caused them
> to see quezi.com (which according to Whois records, is also hosted
> with NFS.net).

Hmm, we tested this at some length but were unfortunately unable to reproduce it
or identify how it could have happened.

If it does happen again, definitely let us know as soon as possible. Thanks for
the report; that's definitely not something that's acceptable to us.

Thanks,
Jeff

--
<email address redacted>
NearlyFreeSpeech.NET Member Support
http://www.NearlyFreeSpeech.NET/
"Not Free. Close Enough."

This does indeed make it sound like a one-off glitch. Should this happen again (whether or not it's the same site), please let me know ASAP by #lix if I'm online there, otherwise via email (hayanninja at yandex dot com) or Facebook (https://www.facebook.com/profile.php?id=100009499383966); be sure to let me know what site it's redirecting to (if you don't have a URL, then at least a name; or a description of the site and a few phrases of text copied&pasted from it).

[mobius]

thanks for keeping us informed