As some of you noticed, someone attempted to 'hack' GW today.
First of all let me start by saying that overall the attempt was pathetic, and after writing a script to examine exactly what all the guy tried to do, it became very apparent that whoever he was, he was a complete novice who just got very lucky. I know that some of you are interested in exactly how this attack was possible and I will reveal that information because it can't and won't happen again.
Let's start with what the problem was. The problem was that this new server's Apache is for whatever reason configured in a way that interpreted files such as "file.php.ext" as a PHP script. It only checked the first extension, and not the last one, like it should and does on my own server and all other servers I tried to make double sure that it should. That was how he managed to upload a script called "C99 Shell" or what the fuck ever in pubaccess. This script was basically something that a 6-year-old child could use to "hack" a website. It was nothing sort of impressive, the only thing that I'm impressed by is that our provider's Apache was configured in this way.
Anyway, the guy didn't really know what he was doing. I especially like how he didn't try to check any passwords from crucial script files but instead edited our forum index with a stupid message, probably thinking I wouldn't have a backup. I also like how he probably tried to check if his IP and actions were logged in a log file, because he checked a log file from the logs directory. The funny thing is that instead of checking today's log, he forgot it's the 16th day, not the 6th. Yes, that's right. He checked the wrong fucking log file. Had he even been smart enough to get the date right, I wouldn't have been able to track everything he did to this extent.
Anyway, most of the things he did were harmless. I found the script he used within pretty much 5-10 minutes of getting notified that we'd been compromised, but I didn't want to remove the guy's access to it before I had first made sure that he didn't make any copies of the script in other places on the filesystem. That's why the whole ordeal took longer than expected, although some people on IRC still think we were pretty quick about the whole situation (it could take hours to pinpoint the problem if the hacker knew what he was doing, but this time it took mere minutes).
I did make one mistake though. I postponed disabling his access a bit too long, because I thought this was some harmless guy trying to have a bit of fun with us, since all he was doing was editing our forums index with a stupid message. That was pretty naive of me. Anyway, the instant I saw that he started to delete stuff I disabled his access to the script. I obviously had backups of the files, which is why it didn't take long to recover the forums and the main site (especially since the guy was stupid enough not to get the SQL password even though it was basically given to him on a golden plate... Not that he would've known what to do with it though). However, I only have a very ancient version of the pubaccess backup. This isn't really a big loss because the guy didn't get to the part where he would've deleted pubaccess, but he wrote the index.php over with some stupid message. That means that essentially some of the code for the web interface was lost. I still have most of it left, like the actual file processing and uploading and image thumbnail generation and whatever. And none of the users' files were lost either. So basically this means that I'll have to code the web interface for it again, which isn't a huge job. This also presents a good chance to improve it and fix the few bugs it had. If you have any suggestions feel free to post here.
Another thing that got a bit messed up was the wiki. No articles are lost, but some of the (default) source code files were deleted as well as the local settings. The default source code files are obviously easy to find, but I don't have a backup of the local settings file. While it's very easy to re-configure the wiki, I think this is a good opportunity to update the MediaWiki to the latest version and fix the problem with special characters in the URL. So expect that to be done soonish too.
Also, lastly, a word for mods, staffers and premiums. The reason you got your Happy Zoo PMs resent was because I changed the MySQL password as a safety measure. I forgot to change it on Happy Zoo's side, so what happened is that Happy Zoo thought that all the users got removed from the zoo, so it deleted them. After I fixed the pass to the new one, it re-added all the users and re-sent PMs. Sorry about that!

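An added example, not part of the original post and not the site's own code: a Python check for upload names that carry a script extension in any position, which is the "file.php.ext" case described above, plus a storage-name routine that never keeps the uploader's extensions. The extension sets, function names and sample filenames are assumptions constructed for illustration.

```python
import secrets
from pathlib import PurePosixPath

# Assumption: extensions the server hands to an interpreter; match this to the real config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "pht", "phar"}
# Assumption: the only file types the upload feature is meant to accept.
ALLOWED_FINAL_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "zip"}


def script_extensions(filename):
    """Return script extensions found in ANY position of the name, not just the last.

    A server that maps extensions position-independently runs 'file.php.ext'
    as PHP, so checking only the final extension misses it.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    parts = [p.strip() for p in name.split(".")[1:]]
    return [p for p in parts if p in SCRIPT_EXTS]


def audit(filenames):
    """List (name, offending extensions) for every name that could execute."""
    return [(f, script_extensions(f)) for f in filenames if script_extensions(f)]


def stored_name(filename):
    """Pick a server-side name for an upload, or None to reject it.

    The stored name is random with exactly one allow-listed extension, so no
    uploader-chosen extension ever reaches the filesystem.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    final = name.rsplit(".", 1)[-1] if "." in name else ""
    if script_extensions(filename) or final not in ALLOWED_FINAL_EXTS:
        return None
    return f"{secrets.token_hex(16)}.{final}"


# Constructed sample of names in an upload directory (not from the incident).
SAMPLE = ["holiday.jpg", "file.php.ext", "notes.tar.gz", "Avatar.PHTML.png", "php.txt", "x.php."]

if __name__ == "__main__":
    for name, exts in audit(SAMPLE):
        print(f"FLAG {name}: {exts}")
```

Running `audit` over an existing upload directory listing shows which stored files would execute under such a configuration; `stored_name` belongs in the upload handler itself.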