
Just what happened today?


  • Please log in to reply
56 replies to this topic

#1 reko

reko

    Advanced Member

  • Administrators
  • 13043 posts
  • LocationFinland

Posted 16 March 2008 - 10:26 PM

As some of you noticed, someone attempted to 'hack' GW today.

First of all, let me start by saying that overall the attempt was pathetic, and after writing a script to examine exactly what the guy tried to do, it became very apparent that whoever he was, he was a complete novice who just got very lucky. I know that some of you are interested in exactly how this attack was possible, and I will reveal that information because it can't and won't happen again.

Let's start with what the problem was. The problem was that this new server's Apache is, for whatever reason, configured in a way that interpreted files such as "file.php.ext" as a PHP script. It only checked the first extension, and not the last one, like it should and like it does on my own server and all the other servers I tried in order to make double sure that it should. That was how he managed to upload a script called "C99 Shell" or what the fuck ever into pubaccess. This script was basically something that a 6-year-old child could use to "hack" a website. It was not impressive in any way; the only thing I'm impressed by is that our provider's Apache was configured in this way.

Anyway, the guy didn't really know what he was doing. I especially like how he didn't try to check any passwords from crucial script files but instead edited our forum index with a stupid message, probably thinking I wouldn't have a backup. I also like how he probably tried to check whether his IP and actions were logged in a log file, because he checked a log file from the logs directory. The funny thing is that instead of checking today's log, he forgot it's the 16th day, not the 6th. Yes, that's right. He checked the wrong fucking log file. Had he even been smart enough to get the date right, I wouldn't have been able to track everything he did to this extent.

Anyway, most of the things he did were harmless. I found the script he used within pretty much 5-10 minutes of being notified that we'd been compromised, but I didn't want to remove the guy's access to it before I had first made sure that he hadn't made any copies of the script in other places on the filesystem. That's why the whole ordeal took longer than expected, although some people on IRC still think we were pretty quick about the whole situation (it could take hours to pinpoint the problem if the hacker knew what he was doing, but this time it took mere minutes).

I did make one mistake though. I postponed disabling his access for a bit too long, because I thought this was some harmless guy trying to have a bit of fun with us, since all he was doing was editing our forum index with a stupid message. That was pretty naive of me. Anyway, the instant I saw that he had started to delete stuff I disabled his access to the script. I obviously had backups of the files, which is why it didn't take long to recover the forums and the main site (especially since the guy was stupid enough not to get the SQL password even though it was basically handed to him on a golden plate.. Not that he would've known what to do with it, though). However, I only have a very ancient backup of pubaccess. This isn't really a big loss, because the guy didn't get to the part where he would've deleted pubaccess, but he overwrote index.php with some stupid message. That means that essentially some of the code for the web interface was lost. I still have most of it left, like the actual file processing and uploading and image thumbnail generation and whatever. And none of the users' files were lost either. So basically this means that I'll have to code the web interface for it again, which isn't a huge job. This also presents a good chance to improve it and fix the few bugs it had. If you have any suggestions, feel free to post here.

Another thing that got a bit messed up was the wiki. No articles were lost, but some of the (default) source code files were deleted, as well as the local settings. The default source code files are obviously easy to find, but I don't have a backup of the local settings file. While it's very easy to re-configure the wiki, I think this is a good opportunity to update MediaWiki to the latest version and fix the problem with special characters in the URL. So expect that to be done soonish too.

Also, lastly, a word for mods, staffers and premiums. The reason you got your Happy Zoo PMs resent is that I changed MySQL's password as a safety measure. I forgot to change it on Happy Zoo's side, so what happened is that Happy Zoo thought that all the users had been removed from the zoo, so it deleted them. After I fixed the pass to the new one, it re-added all the users and re-sent the PMs. Sorry about that!
big thanx to dragonslayer for sig!
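The double-extension behaviour rami describes in post #1 is Apache's mod_mime looking at every dot-separated suffix of a filename, not just the last one: a handler attached to ".php" by an AddHandler/AddType line stays attached to "shell.php.ext" unless a later extension overrides it. The script below is an added example written for this page; it is not code from the forum, from GW's servers, or from the C99 shell. It emulates that resolution rule, shows the upload-name check that defeats it, and runs a small triage pass over constructed access-log lines of the kind one would grep for in the logs directory. The handler map, the script-extension list, the "/pubaccess/" prefix and the log lines are all constructed assumptions.

```python
"""Emulation of Apache mod_mime multi-extension handler resolution, a matching
upload-name filter, and a log triage helper.  Added illustration for this
thread; not the site's own code.  HANDLER_MAP, SCRIPT_EXTS, the upload prefix
and SAMPLE_LOG are constructed assumptions."""
import re

# Assumed server config: the classic `AddHandler application/x-httpd-php .php`
# plus a cgi-script handler, i.e. the weak setup the post complains about.
HANDLER_MAP = {
    "php": "application/x-httpd-php",
    "cgi": "cgi-script",
}

# Extensions an uploader should refuse anywhere in the name, not just at the end.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "py"}

# Apache combined-log prefix: ip ident user [ts] "method path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Mar/2008:14:02:11 +0200] "GET /pubaccess/shell.php.ext?act=ls HTTP/1.1" 200 5321',
    '192.0.2.10 - - [16/Mar/2008:14:02:30 +0200] "GET /pubaccess/photo.jpg HTTP/1.1" 200 8120',
    '198.51.100.7 - - [16/Mar/2008:14:03:01 +0200] "GET /forums/index.php HTTP/1.1" 200 19044',
]


def resolve_handler(filename, handler_map=HANDLER_MAP):
    """Emulate mod_mime: every suffix after the first dot is examined left to
    right, and a handler set by an earlier extension survives unless a later
    one maps to a different handler.  'shell.php.ext' keeps the PHP handler."""
    handler = None
    for ext in filename.split(".")[1:]:
        mapped = handler_map.get(ext.lower())
        if mapped is not None:
            handler = mapped
    return handler


def filesmatch_last_only(filename):
    """Model of the hardened config, <FilesMatch "\\.php$"> with SetHandler:
    PHP only fires when .php is the final extension."""
    return re.search(r"\.php$", filename, re.IGNORECASE) is not None


def is_safe_upload_name(filename):
    """Server-side upload filter: no path separators, no dotfiles such as
    .htaccess, at least one extension, and no script extension at any position,
    because the server may honour any of them."""
    if not filename or "/" in filename or "\\" in filename or filename.startswith("."):
        return False
    parts = filename.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    return not any(p.lower() in SCRIPT_EXTS for p in parts[1:])


def find_executed_uploads(log_lines, upload_prefix="/pubaccess/"):
    """Triage helper: return (ip, filename, method, status) for requests under
    the upload directory whose filename the weak config would hand to a
    script handler.  Query strings are stripped before the name is examined."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, path, status = m.groups()
        path = path.split("?", 1)[0]
        if not path.startswith(upload_prefix):
            continue
        name = path.rsplit("/", 1)[-1]
        if resolve_handler(name) is not None:
            hits.append((ip, name, method, status))
    return hits


if __name__ == "__main__":
    for name in ("shell.php.ext", "photo.jpg", "Shell.PHP.jpg", ".htaccess"):
        print(f"{name:15} handler={resolve_handler(name)!s:24} "
              f"last-only={filesmatch_last_only(name)} safe={is_safe_upload_name(name)}")
    for hit in find_executed_uploads(SAMPLE_LOG):
        print("suspect upload executed:", hit)
```

The practical takeaway is that the upload filter has to reject script extensions anywhere in the name (and dotfiles), and the vhost should bind the PHP handler with a regex that anchors on the final extension rather than with a bare AddHandler on ".php"; the two checks above model exactly those two fixes.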

#2 dada

dada

    VILLAIN

  • Administrators
  • 17476 posts
  • Locationsuperhell

Posted 16 March 2008 - 10:30 PM

First of all, a big thanks to the man who watches over us while we're asleep. Thanks, rami!


#3 bonermobile

bonermobile

    Advanced Member

  • Salty Members
  • 7431 posts

Posted 16 March 2008 - 10:35 PM

Nice work, rami!

Checking the wrong log file is just, wow.

#4 bonzi_buddy

bonzi_buddy

    Kaiser

  • Salty Members
  • 2975 posts
  • Locationswimming, with my obv. blue towel on my neck

Posted 16 March 2008 - 10:35 PM

I also like how he probably tried to check if his IP and actions were logged in a log file because he checked a log file from the logs directory. The funny thing is that instead of checking today's log, he forgot it's the 16th day, not the 6th.

hahaha
But glad to hear nothing really bad happened. i guess we should AGAIN pool some money for rami's goodjob-icecream...

#5 Kaworu

Kaworu

    Advanced Member

  • Salty Members
  • 17123 posts

Posted 16 March 2008 - 10:35 PM

Yah seriously thanks rami, I think we should bake you a cake.

#6 bonzi_buddy

bonzi_buddy

    Kaiser

  • Salty Members
  • 2975 posts
  • Locationswimming, with my obv. blue towel on my neck

Posted 16 March 2008 - 10:36 PM

Yah seriously thanks rami, I think we should bake you a cake.

Kaworu can you do it
can you take a picture of yourself baking a cake, with a "to rami <3" message or w/e and upload it to this topic
because i think he deserves it

c'mon surely everybody agrees with me on this right??

#7 Sarah

Sarah

    Advanced Member

  • Members
  • 6391 posts

Posted 16 March 2008 - 10:38 PM

Good thing you didn't really step down...

#8 pburn

pburn

    Advanced Member

  • Salty Members
  • 4936 posts
  • LocationNJ

Posted 16 March 2008 - 10:39 PM

I've been blamed for this attack, but it's not me. I was at a HORROR CONVENTION and when I got back I thought everyone was lying to me. :(

#9 Kaworu

Kaworu

    Advanced Member

  • Salty Members
  • 17123 posts

Posted 16 March 2008 - 10:41 PM

Dude, I just loved how everybody on there seemed to be signing up with racist names except you (was it really you?), so their members list was like
CHINK nigger psyburn SPIC

#10 Lord Kamina

Lord Kamina

    Advanced Member

  • Members
  • 4901 posts

Posted 16 March 2008 - 10:41 PM

Yah seriously thanks rami, I think we should bake you a cake.


Make sure it's got plenty of rhubarb...


if you're a vegan you support baby killers


#11 Liman

Liman

    Advanced Member

  • Members
  • 2204 posts
  • LocationSweden

Posted 16 March 2008 - 10:42 PM

I've been blamed for this attack, but it's not me. I was at a HORROR CONVENTION and when I got back I thought everyone was lying to me. :(


Registered Users: bortlet, Chink, cookie, hackerboy, j00 s4l33, Maulin Yo, Meanz, nigger, psyburn, r 3 d h o t, southpark180, SPIC, THE GREAT VAGEYENA

:hmm:
Ock ock, Ack ack!
Beware of the cursed monkey spit!

#12 bonzi_buddy

bonzi_buddy

    Kaiser

  • Salty Members
  • 2975 posts
  • Locationswimming, with my obv. blue towel on my neck

Posted 16 March 2008 - 10:44 PM

You can do it Kaworu!!!

well ok, don't do it if you don't want to, but man that would have been excellent... i can see you in an apron...

#13 Mince Wobley

Mince Wobley

    Advanced Member

  • Members
  • 4828 posts
  • LocationI'll never eat an airplane

Posted 16 March 2008 - 10:45 PM

It's a good thing it wasn't so terrible now this event will be forever remembered
Play Raimond Ex (if you haven't already)


I'll not TAKE ANYTHING you write like this seriously because it looks dumb

#14 Xeno|Soft

Xeno|Soft

    Advanced Member

  • Members
  • 6166 posts

Posted 16 March 2008 - 10:46 PM

Oh wow, good job Rami.

#15 pburn

pburn

    Advanced Member

  • Salty Members
  • 4936 posts
  • LocationNJ

Posted 16 March 2008 - 10:47 PM

Dude, I just loved how everybody on there seemed to be signing up with racist names except you (was it really you?), so their members list was like
CHINK nigger psyburn SPIC

I wish I was here when this happened.

Someone framed me, man. This is like that one time when someone hacked my account and everyone (including Wishmoo) went ape shit on me. I am INCREDIBLY devoted to GW, guys. I don't want to go Jason Bourne.

#16 local_dunce

local_dunce

    Advanced Member

  • Salty Members
  • 344 posts

Posted 16 March 2008 - 10:48 PM

Man, the work is never over for you.

Thanks.

now is the winter of our discontent


#17 ase

ase

    Advanced Member

  • Members
  • 7691 posts

Posted 16 March 2008 - 10:58 PM

great job, ramirez

quick question: did we get our old zoo logins and passwords or brand new ones (too lazy to check and compare)

#18 bonermobile

bonermobile

    Advanced Member

  • Salty Members
  • 7431 posts

Posted 16 March 2008 - 10:58 PM

Registered Users: bortlet, Chink, cookie, hackerboy, j00 s4l33, Maulin Yo, Meanz, nigger, psyburn, r 3 d h o t, southpark180, SPIC, THE GREAT VAGEYENA

:hmm:

[01:29:59 PM] <%Sarevok> [20:28:05] <+Sarah> i like how PSYBURN joined <--it was me :(

#19 Finality

Finality

    Advanced Member

  • Members
  • 2631 posts
  • LocationNew Jersey, USA

Posted 16 March 2008 - 11:02 PM

So, if he checked the wrong log, you have his IP and know who it is, right?

#20 Madolah

Madolah

    ;Wyrm

  • Salty Members
  • 2042 posts
  • LocationSt.John's , Newfoundland, Canada

Posted 16 March 2008 - 11:14 PM

thanks rami.

Did you track this guy and his IP after though?

Wyrm  | Madolah | ær 




