Gaming World Forums
General Category => General Talk => Topic started by: reko on March 16, 2008, 10:26:31 pm
-
As some of you noticed, someone attempted to 'hack' GW today.
First of all let me start by saying that overall the attempt was pathetic, and after writing a script to examine exactly what the guy tried to do, it became very apparent that whoever he was, he was a complete novice who just got very lucky. I know that some of you are interested in exactly how this attack was possible and I will reveal that information because it can't and won't happen again.
Let's start with what the problem was. The problem was that this new server's Apache is for whatever reason configured in a way that interpreted files such as "file.php.ext" as a PHP script. It only checked the first extension, and not the last one, like it should, and like it does on my own server and on all the other servers I tried in order to make double sure that it should. That was how he managed to upload a script called "C99 Shell" or what the fuck ever in pubaccess. This script was basically something that a 6 year old child could use to "hack" a website. It was nothing remotely impressive; the only thing that I'm impressed by is that our provider's Apache was configured in this way.
Anyway, the guy didn't really know what he was doing. I especially like how he didn't try to check any passwords from crucial script files but instead edited our forum index with a stupid message, probably thinking I wouldn't have a backup. I also like how he probably tried to check if his IP and actions were logged in a log file, because he checked a log file from the logs directory. The funny thing is that instead of checking today's log, he forgot it's the 16th day, not the 6th. Yes that's right. He checked the wrong fucking log file. Had he even been smart enough to get the date right, I wouldn't have been able to track everything he did to this extent.
Anyway, most of the things he did were harmless. I found the script he used within pretty much 5-10 minutes of being notified that we'd been compromised, but I didn't want to remove the guy's access to it before I had first made sure that he hadn't made any copies of the script in other places on the filesystem. That's why the whole ordeal took longer than expected, although some people on IRC still think we were pretty quick about the whole situation (it could take hours to pinpoint the problem if the hacker knew what he was doing, but this time it took mere minutes).
I did make one mistake though. I postponed disabling his access a bit too long, because I thought this was some harmless guy trying to have a bit of fun with us, since all he was doing was editing our forums index with a stupid message. That was pretty naive of me. Anyway, the instant I saw that he started to delete stuff I disabled his access to the script. I obviously had backups of the files, which is why it didn't take long to recover the forums and the main site (especially since the guy was stupid enough not to get the SQL password even though it was basically handed to him on a golden plate... Not that he would've known what to do with it though). However, I only have a very ancient backup of pubaccess. This isn't really a big loss because the guy didn't get to the point where he would've deleted pubaccess, but he overwrote the index.php with some stupid message. That means that essentially some of the code for the web interface was lost. I still have most of it left, like the actual file processing and uploading and image thumbnail generation and whatever. And none of the users' files were lost either. So basically this means that I'll have to code the web interface for it again, which isn't a huge job. This also presents a good chance to improve it and fix the few bugs it had. If you have any suggestions feel free to post here.
Another thing that got a bit messed up was the wiki. No articles are lost, but some of the (default) source code files were deleted, as was the local settings file. The default source code files are obviously easy to find, but I don't have a backup of the local settings file. While it's very easy to re-configure the wiki, I think this is a good opportunity to update MediaWiki to the latest version and fix the problem with special characters in the URL. So expect that to be done soonish too.
Also, lastly, a word for mods, staffers and premiums. The reason you got your Happy Zoo PMs resent was because I changed the MySQL password as a safety measure. I forgot to change it on Happy Zoo's side, so what happened is that Happy Zoo thought that all the users got removed from the zoo, so it deleted them. After I updated it to the new password, it re-added all the users and re-sent the PMs. Sorry about that!
-
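An added example, not code from the post above and not GW's own pubaccess or forum code, illustrating the three technical points in it: why a file named like `c99.php.txt` ran as PHP under Apache (with `AddHandler application/x-httpd-php .php`, mod_mime treats every dot-separated segment as an extension, so the handler fires on a non-final `.php`; binding the handler with `FilesMatch` on the trailing extension does not), what an upload handler should refuse, and how the access log can be triaged for such requests afterwards. The PHP extension list, the upload allow-list and the log lines are all constructed for the example.

```python
"""Added example (not the forum's or GW's own code) for the incident above:
why a file like c99.php.txt executed as PHP, what an upload handler should
reject, and how the server's access log can be triaged for such requests.
Handler list, extension allow-list and the log lines are all constructed."""
import re
from collections import defaultdict

# --- 1. how mod_mime decides ---------------------------------------------
# With `AddHandler application/x-httpd-php .php`, Apache's mod_mime treats
# every dot-separated segment after the first as an extension, so the PHP
# handler fires on "c99.php.txt" as well as on "index.php".  Binding the
# handler to the final extension only does not:
#     <FilesMatch "\.php$">
#         SetHandler application/x-httpd-php
#     </FilesMatch>
PHP_EXTS = {"php", "php3", "php4", "php5", "phtml"}   # assumed AddHandler list

def addhandler_runs_php(filename: str) -> bool:
    """AddHandler semantics: any extension segment matches."""
    return any(seg.lower() in PHP_EXTS for seg in filename.split(".")[1:])

def filesmatch_runs_php(filename: str) -> bool:
    """FilesMatch semantics: only a trailing .php counts."""
    return re.search(r"\.php$", filename, re.IGNORECASE) is not None

# --- 2. what the upload side should accept -------------------------------
ALLOWED_UPLOAD_EXTS = {"png", "jpg", "jpeg", "gif", "txt", "zip"}   # assumed
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def safe_upload_name(name: str):
    """Return a normalised filename, or None if the upload must be refused.

    Rejects path components, dotfiles (an uploaded .htaccess could re-bind
    handlers where AllowOverride FileInfo is on), anything with more than
    one extension, and any extension outside the allow-list.  c99.php.txt
    is refused by the single-extension rule, not by a deny-list of 'php'.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith("."):
        return None
    parts = base.split(".")
    if len(parts) != 2:
        return None
    stem, ext = parts
    if not STEM_RE.fullmatch(stem) or ext.lower() not in ALLOWED_UPLOAD_EXTS:
        return None
    return f"{stem}.{ext.lower()}"

# --- 3. log triage -------------------------------------------------------
# Common/combined log prefix: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_requests(log_lines):
    """Group by client IP every request whose target would execute as PHP
    only because of the multi-extension behaviour (AddHandler yes,
    FilesMatch no).  Returns {ip: [(timestamp, method, path, status), ...]}."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if addhandler_runs_php(basename) and not filesmatch_runs_php(basename):
            hits[ip].append((ts, method, path, int(status)))
    return dict(hits)

# Constructed sample, not real GW logs.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2008:14:02:11 +0200] "GET /pubaccess/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Mar/2008:14:03:40 +0200] "POST /pubaccess/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Mar/2008:14:03:58 +0200] "GET /pubaccess/files/c99.php.txt?act=ls HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2008:14:10:02 +0200] "GET /pubaccess/files/c99.php.txt HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2008:14:11:37 +0200] "GET /logs/access.log.06 HTTP/1.1" 200 9932 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2008:14:12:00 +0200] "GET /pubaccess/files/holiday.jpg HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, reqs in suspicious_requests(SAMPLE_LOG.splitlines()).items():
        for ts, method, path, status in reqs:
            print(f"{ip} {ts} {method} {path} -> {status}")
```

Run against the sample, the triage reports the two client IPs that fetched `c99.php.txt` and ignores the ordinary `index.php`, `upload.php` and image requests; the same two predicates decide whether a given name would have executed on the misconfigured server versus one using `FilesMatch`. The upload check deliberately allow-lists a single extension rather than deny-listing `php`, since deny-lists miss variants like `.phtml` or `.php5`.
-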
First of all, a big thanks to the man who watches over us while we're asleep. Thanks, rami!
-
Nice work, rami!
Checking the wrong log file is just, wow.
-
I also like how he probably tried to check if his IP and actions were logged in a log file because he checked a log file from the logs directory. The funny thing is that instead of checking today's log, he forgot it's the 16th day, not the 6th.
hahaha
But glad to hear nothing really bad happened. i guess we should AGAIN pool some money for rami's goodjob-icecream...
-
Yah seriously thanks rami, I think we should bake you a cake.
-
Yah seriously thanks rami, I think we should bake you a cake.
Kaworu can you do it
can you take a picture of yourself baking a cake, with a "to rami <3" message or w/e and upload it to this topic
because i think he deserves it
c'mon surely everybody agrees with me on this right??
-
Good thing you didn't really step down...
-
I've been blamed for this attack, but it's not me. I was at a HORROR CONVENTION and when I got back I thought everyone was lying to me. :(
-
Dude I just loved how everybody on there seemed to be signing up with racist names except you (was it really you?) so their members list was like
CHINK nigger psyburn SPIC
-
Yah seriously thanks rami, I think we should bake you a cake.
Make sure it's got plenty of rhubarb...
-
I've been blamed for this attack, but it's not me. I was at a HORROR CONVENTION and when I got back I thought everyone was lying to me. :(
Registered Users: bortlet, Chink, cookie, hackerboy, j00 s4l33, Maulin Yo, Meanz, nigger, psyburn, r 3 d h o t, southpark180, SPIC, THE GREAT VAGEYENA
:hmm:
-
You can do it Kaworu!!!
well ok don't do it if you don't want to but man that would have been excellent... i can see you in an apron...
-
It's a good thing it wasn't so terrible now this event will be forever remembered
-
Oh wow, good job Rami.
-
Dude I just loved how everybody on there seemed to be signing up with racist names except you (was it really you?) so their members list was like
CHINK nigger psyburn SPIC
I wish I was here when this happened.
Someone framed me man. This is like that one time when someone hacked my account and everyone (including Wishmoo) went ape shit on me. I am INCREDIBLY devoted to GW guys. I don't want to go Jason Bourne.
-
Man, the work is never over for you.
Thanks.
-
great job, ramirez
quick question: did we get our old zoo login and passwords or brand new ones (too lazy to check and compare)
-
Registered Users: bortlet, Chink, cookie, hackerboy, j00 s4l33, Maulin Yo, Meanz, nigger, psyburn, r 3 d h o t, southpark180, SPIC, THE GREAT VAGEYENA
:hmm:
[01:29:59] <%Sarevok> [20:28:05] <+Sarah> i like how PSYBURN joined <-- it was me :(
-
So, if he checked the wrong log, you have his IP and know who it is, right?
-
thanks rami.
Did you track this guy and his IP after though?
-
Yes I have the IPs (actually there's 2).
-
Don't mess with the PK project you imbecile.
they'll... player kill you.
-
What a fucking idiot. he failed me now how will i overtake gw.... :hmm:
-
Here I am thinking he may have exploited something in the new blog system... but it was just a mere upload to the pubaccess? How boring.
-
so basically i hope the hacker reads this
YOU ARE FUCKING DUMB
even dumber than me...
-
I think if your life has reached the level where you're hacking internet forums without any expertise or reason you're gonna kill yourself soon because your life is worthless.
-
i dont care much or think the dude is just SOME BIG LOSER since i bet this was like no work at all, it was just kind of funny for a few minutes and then it was fixed.
basically i love you hacker : )
-
Here I am thinking he may have exploited something in the new blog system... but it was just a mere upload to the pubaccess? How boring.
I'm experienced enough not to leave any stupid vulnerabilities in my code, but I gotta admit that I never thought of the extension issue that was used against us today. Even if it's badly configured Apache, which I'm not 100% sure of, it's really my mistake in the end.
Edit. Not trying to say that this guy isn't a fucking moron because he is.
-
so basically i hope the hacker reads this
YOU ARE FUCKING DUMB
even dumber than me...
low blow
-
WELL HACKER YOU FUCKED UP MY WHOLE DAY
i hope you are happy
-
WELL HACKER YOU FUCKED UP MY WHOLE DAY
i hope you are happy
don't be a victim couch....
then the terrorists win.............
-
What was the stupid message?
-
Dumb as he is, he still got further than 99% of the people who have actually threatened to hack GW (red archer, Jin Kiyami, etc)
-
too bad rami... first you're fired for being a pedo now you let gw get hacked
it's time to pass the torch on buddy (to me)
-
By the way, was the criminal registered on GW? With what username?
-
Oh right I wondered what that PM was about.
Good job in fixing it so fast, btw, rami.
-
Wow, I was away today from the forums and I totally missed this, but I'm really happy rami got everything under-control. Kudos to him!
-
whatever rami should be banned because of his kid porn
-
Haha and I was just thinking you guys put something immature as a notifier that you were working on the forums.
-
Maybe the staff will reconsider having you step down for uploading child pron. Take that GW![/joke]
-
Yes I have the IPs (actually there's 2).
Are you going to do anything or hold onto them just in case?
What was the stupid message?
Just some dumb OMGFGHAXXOR_21 writing
-
this was just a PR stunt to get rami back in good favour imo
-
I am pretty sure the IPs were just proxies or whatever, but I'll report them to the respective ISPs anyway.
-
(http://motdidr.com/img/gw hacked opps lol.png)
please turn pubaccess back on so this image doesnt kill my server :(
-
Maulin Yo Waz!?!
Anyway, everything is fixed. Good job and thanks, rami.
-
rami doing it big!
-
we're dealing with a psychopath here
-
RMN did it!
-
Who?
-
Red Master Ninja
-
if only.... you made girlbones lit mod...
-
rockin 'n' rollin in cyberspace
-
RMN did it!
i was saying this on #gamingw when gw got hacked but i don't think anyone believed it :(
-
hahaha oh man, fuck this, I miss all the great GWevents :(
-
wow, nice work rami!
-
i didnt know what was going on, i thought someone was just playing a joke. good job though, thanks a lot man
-
hate to bump this but when is pubaccess coming back?