OOTP Developments Forums > Earlier versions of OOTP: Commissioner's Corner

#41 Alan T (11-17-2008, 12:29 PM)
Quote: Originally Posted by Getch
There's a 20-char limit on the passwords.

What exactly happened? Did the entire site get hacked, or just the league HTML files? I could see how possibly you could use my utils to modify the league HTML files if someone got access as an admin.

Getch, I haven't had a site get attacked but from what people say, it sounds like a standard iframe insertion. What is happening is the league's main page, I assume, is being modified with a small line of HTML code added to insert an iframe pointing at a specific offsite URL. That is all that is being done in this attack.
#42 Getch (11-17-2008, 12:50 PM)
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
__________________
Get the OOTP Online Utilities for online leagues!
Includes Gamecast, Development, Live Sims, Voting and more.
Check here for more details
#43 Alan T (11-17-2008, 01:03 PM)
Quote: Originally Posted by Getch
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
I actually don't use your utilities. I am just trying to help people find out what is causing their problem. I had given the same suggestion that you just did (except I suggested looking through the HTTP and FTP logs on the server; I am unaware of what logging your utility also does).
#44 f.montoya (11-17-2008, 06:17 PM)
Quote: Originally Posted by Getch
Heh, just because you haven't been infected doesn't mean it isn't my utilities. However, if files beyond the league HTML files are infected, that would rule out one idea I had.

If it happens again, I would look at the timestamps of the files in the OOTPOU directory and subdirectories. With the exception of logging in, anything inputted or done within OOTPOU is written to a file, which would have its timestamp updated.
Actually, the activity of the login form is where we need to monitor.
__________________
Fidel Montoya

Asahi2 Baseball ex-Commissioner(Historical League Since 2004)
www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!)
Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly(free site registration required)

#45 satchel (11-17-2008, 11:02 PM)
The JL and the NPBL both use SMF forums software, and we both got spammed over the past week. We both updated to the new version, and haven't seen anything since, but this is either a coincidence, or it's connected somehow to the php hacks on the other leagues' sites.
#46 fhomess (11-17-2008, 11:04 PM)
I don't really know much more about this hacking thing with regards to the OOTPOU than Getch does, but I did think of one thing. A potential problem with the OOTPOU is that the passwords are stored unencrypted, so if your commish is using the same ID/password combo for the utils that he's using for the website, you'd be compromising your security.
__________________
StatsLab- PHP/MySQL based utilities for Online Leagues
Baseball Cards - Full list of known templates and documentation on card development.
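fhomess's point above is that the utilities keep passwords in the clear, which turns one leaked file into a credential for every site where the commish reused that password. The block below is an added example written for this page, not code from the thread or from OOTPOU: it stores a salted PBKDF2 verifier instead of the password, checks a login against it in constant time, converts an existing plaintext store in one pass, and lists accounts still sitting on a shared default. The user names in SAMPLE_USERS, the default "baseball" and the iteration count are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster (assumed value).
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing verifier: algorithm$iterations$salt$hash (base64 parts)."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt: same password, different verifier
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Check a password against a verifier from hash_password(). Never raises;
    a malformed or legacy plaintext record simply fails to verify."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError, AttributeError):
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def audit_default_passwords(plain_store, defaults):
    """Users whose plaintext password is one of the known defaults (run before migrating)."""
    return sorted(user for user, pw in plain_store.items() if pw in defaults)


def migrate_plaintext_store(plain_store):
    """One-off conversion of {user: plaintext} into {user: verifier}."""
    return {user: hash_password(pw) for user, pw in plain_store.items()}


# Constructed sample store (not real league data).
SAMPLE_USERS = {
    "commish": "baseball",
    "owner1": "baseball",
    "owner2": "correct horse battery staple",
}

if __name__ == "__main__":
    print("still on the default:", audit_default_passwords(SAMPLE_USERS, {"baseball"}))
    store = migrate_plaintext_store(SAMPLE_USERS)
    print("commish login ok:", verify_password("baseball", store["commish"]))
```

The verifier string carries its own algorithm and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a second migration.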
#47 Getch (11-18-2008, 03:01 PM)
Quote: Originally Posted by fhomess
I don't really know much more about this hacking thing with regards to the OOTPOU than Getch does, but I did think of one thing. A potential problem with the OOTPOU is that the passwords are stored unencrypted, so if your commish is using the same ID/password combo for the utils that he's using for the website, you'd be compromising your security.
Yep. That plus I am sure many owners (or ex owners) never changed their password, so logging in to a user generally is not hard (I've done it many times on sites that needed help with something. Just try some users until 'baseball' let me in).

I really feel that if my utils had a security breach, it'd be somewhere as a user logged in. However, where is up in the air. Simply getting the server logs, as well as looking at the timestamps of files that changed at the time of the hack, will go a long way to solving this issue, rather than guessing at what it might be.
#48 Getch (11-18-2008, 05:17 PM)
Hey guys,

I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it.

Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
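Getch's post above describes the bug class without the details: a URL the utility accepts can be bent into creating a file on the server, with no login required. The block below is an added illustration of that class and its fix, written for this page and not taken from OOTPOU (the thread does not give its real endpoint or parameter names). `write_report_unsafe` is the vulnerable shape, an unauthenticated handler that builds the path straight from a request parameter; `write_report` is the hardened one, with a session check before any path handling, a filename allow-list, an extension allow-list, real-path confinement to the base directory, and an atomic replace. The `reports/` directory, the `commish` role and the `demo()` driver are assumptions for the example.

```python
import os
import re
import tempfile

# Filenames a GM-facing page may create: a plain name, no separators, no leading dot (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
ALLOWED_EXT = {".html", ".txt", ".csv"}


def write_report_unsafe(base_dir, name, content):
    """The vulnerable shape: no login check, and the path is built straight from
    the request parameter, so name='../index.php' lands outside base_dir."""
    path = os.path.join(base_dir, name)
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)
    return path


def confined_path(base_dir, name):
    """Map a user-supplied name to a file inside base_dir, or raise ValueError."""
    if not SAFE_NAME.match(name):
        raise ValueError("filename not allowed: %r" % name)
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:      # traversal or a symlink escaped the directory
        raise ValueError("path escapes base directory")
    return target


def write_report(base_dir, name, content, session):
    """Hardened: require a logged-in commissioner, confine the path, write atomically."""
    if not session or session.get("role") != "commish":
        raise PermissionError("login as commissioner required")
    path = confined_path(base_dir, name)
    tmp = path + ".part"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(content)
    os.replace(tmp, path)                    # readers never see a half-written file
    return path


def demo():
    """Exercise both versions in a throwaway directory; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "reports")
        os.makedirs(base)
        # 1. the unsafe version happily writes one level up
        write_report_unsafe(base, "../index.php", "<iframe src=\"http://bad.example/\"></iframe>")
        results["unsafe_wrote_outside"] = os.path.exists(os.path.join(tmp, "index.php"))
        # 2. no session -> refused before any path handling
        try:
            write_report(base, "standings.html", "x", session=None)
            results["anon_blocked"] = False
        except PermissionError:
            results["anon_blocked"] = True
        # 3. traversal refused even for a logged-in commissioner
        try:
            write_report(base, "../index.php", "x", session={"role": "commish"})
            results["traversal_blocked"] = False
        except ValueError:
            results["traversal_blocked"] = True
        # 4. executable extension refused
        try:
            write_report(base, "shell.php", "x", session={"role": "commish"})
            results["php_blocked"] = False
        except ValueError:
            results["php_blocked"] = True
        # 5. a legitimate report lands inside base
        p = write_report(base, "standings.html", "ok", session={"role": "commish"})
        results["good_write_inside"] = os.path.dirname(p) == os.path.realpath(base)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-22s %s" % (check, "OK" if ok else "FAIL"))
```

The order of checks matters: authentication is decided before the filename is looked at, so an anonymous request learns nothing about which names or directories exist, and the real-path comparison catches what the regex cannot see, such as a symlink planted inside `reports/`.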
#49 f.montoya (11-18-2008, 06:04 PM)
Quote: Originally Posted by Getch
Hey guys,

I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it.

Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
Nice going Getch!! Usually a hack job like this past week is just someone who doesn't stare at code (even though it's available if he really wanted to find it) but just throws out a bunch of things until something works, or until all attempts fail, and then he moves on. He obviously knows the file hierarchy within forum software and never directly attacks his doorway.

As an update, it turns out that the 5th league that uses OOTPOU, that didn't get hit, was hiding all links to the utility from the public. Login and account verification via Mambo was necessary before the links, including login, were shown. Although the URLs themselves were public, at first glance, the hacker intent on using OOTPOU may have thought it didn't exist and moved on.

Anyway Getch, a quick Google on iframes and other injection methods could give you the same kind of list that the bad guy is using. That may also help.

Thanks again! We certainly appreciate your looking into this.
#50 gollum65 (11-18-2008, 06:37 PM)
I certainly hope it wasn't OOTPOU that was exploited and I've never stated I thought it was. I appreciate Getch being proactive and taking steps to make his utilities more secure.
#51 molarmite (11-18-2008, 07:25 PM)
Ever since Fidel switched forums and we started over with a new database, no more problems, so thanks for that Fidel.
__________________
From the wise mind of Davey Eckstein

"Now all you need is a signature. A quote or initial, perhaps."


#52 yajeflow (11-18-2008, 09:18 PM)
for the record, the rude island baseball congregation loves us some fidel montoya.
#53 f.montoya (11-23-2008, 07:38 AM)
Quote: Originally Posted by yajeflow
for the record, the rude island baseball congregation loves us some fidel montoya.
#54 gollum65 (12-03-2008, 07:58 AM)
Ok guys. My site was attacked twice more since I made my last post in this thread. This morning was the 2nd time, and this time they edited every single index.php file on my website. I lost count after 17. I have time stamps on all these files. I have the site saving logs for each day. The only thing I don't know is how to find out how the files were accessed. If anyone can tell me what log to look in and how to tell what was used to edit the files, please do so. commish(at)ashmaplebaseball.info is my email.
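gollum65 asks above which log shows how the index.php files were edited, and Getch earlier in the thread suggests matching file timestamps against the server logs. The block below is an added example written for this page, not code from the thread or from any of the utilities: it scans a file for an injected `<iframe>`, lists every file under a directory touched after a given moment, and pulls the web-server requests that landed within a few minutes of a file's modification time, flagging the ones that look like the edit itself (non-GET methods, `..` in the path). The log lines, IP addresses, the `/utils/edit.php?f=...` URL and the timestamps are constructed for the illustration and say nothing about OOTPOU's real endpoints; the log format assumed is Apache "combined", the one most shared hosts write. The FTP log deserves the same pass, but its layout varies by server so it is not parsed here.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Matches an <iframe ...> tag and captures its src; injected ones are usually
# 1x1 or hidden and point at an off-site host.
IFRAME_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

# Apache "combined" access log line (assumed log format).
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_injected_iframes(html, trusted_hosts=()):
    """Return src URLs of iframes whose host is not in trusted_hosts."""
    hits = []
    for src in IFRAME_RE.findall(html):
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE).split("/")[0].lower()
        if host not in trusted_hosts:
            hits.append(src)
    return hits


def modified_since(root, since):
    """(path, mtime) for every file under root touched at or after `since` (aware datetime)."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
            if mtime >= since:
                out.append((p, mtime))
    return sorted(out, key=lambda t: t[1])


def parse_apache_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def looks_like_edit(rec):
    """Heuristics for a request that writes: non-GET method, or plain/encoded traversal."""
    p = rec["path"].lower()
    return rec["method"] not in ("GET", "HEAD") or ".." in p or "%2e%2e" in p


def requests_near(log_lines, mtime, window=timedelta(minutes=5)):
    """Requests within +/- window of mtime, closest first, each tagged suspect=True/False."""
    near = []
    for line in log_lines:
        rec = parse_apache_line(line)
        if rec is None:
            continue
        delta = abs(rec["ts"] - mtime)
        if delta <= window:
            rec["suspect"] = looks_like_edit(rec)
            rec["delta_s"] = int(delta.total_seconds())
            near.append(rec)
    return sorted(near, key=lambda r: r["delta_s"])


# --- constructed sample data (not real files or logs) ---
INJECTED_INDEX = (
    '<?php include("config.php"); ?>\n<html><body>League home</body></html>\n'
    '<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>\n'
)
CLEAN_INDEX = '<?php include("config.php"); ?>\n<html><body>League home</body></html>\n'

# mtime of the edited index.php, as os.stat would report it (server clock at UTC-5)
INDEX_MTIME = datetime(2008, 12, 3, 6, 40, 45, tzinfo=timezone(timedelta(hours=-5)))

SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2008:06:38:51 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2008:06:40:02 -0500] "GET /utils/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Dec/2008:06:40:44 -0500] "GET /utils/edit.php?f=../../index.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
198.51.100.23 - - [03/Dec/2008:06:40:45 -0500] "POST /utils/edit.php?f=../../index.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.0.2.50 - - [03/Dec/2008:07:30:10 -0500] "GET /forum/index.php HTTP/1.1" 200 9033 "-" "Mozilla/5.0"
""".splitlines()


def triage(log_lines=SAMPLE_LOG, mtime=INDEX_MTIME):
    """Return (all requests near mtime, the suspect subset)."""
    near = requests_near(log_lines, mtime)
    return near, [r for r in near if r["suspect"]]


if __name__ == "__main__":
    print("injected:", find_injected_iframes(INJECTED_INDEX, trusted_hosts={"www.example-league.test"}))
    near, suspects = triage()
    for r in suspects:
        print(r["ip"], r["ts"].isoformat(), r["method"], r["path"], "+/-%ds" % r["delta_s"])
```

On a real host, run `modified_since(docroot, first_known_good_time)` first, then feed each file's mtime to `requests_near` with the access log for that day; the request that sits within a second of the mtime, from an address that had no normal browsing before it, is the one to read closely. Keep a copy of the log before doing anything else, since log rotation on shared hosting can discard it within days.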
#55 Corsairs (12-03-2008, 10:06 AM)
Quote: Originally Posted by gollum65
Ok guys. My site was attacked twice more since I made my last post in this thread. This morning was the 2nd time, and this time they edited every single index.php file on my website. I lost count after 17. I have time stamps on all these files. I have the site saving logs for each day. The only thing I don't know is how to find out how the files were accessed. If anyone can tell me what log to look in and how to tell what was used to edit the files, please do so. commish(at)ashmaplebaseball.info is my email.
Are you still using Getch's utilities?
__________________
Founder of the Planetary Extreme Baseball Alliance (PEBA)
Premiere OOTP fictional league where creativity counts and imagination is your only limitation
Check for openings - contact us today!
#56 Tony M (12-03-2008, 10:14 AM)
Just been chatting to gollum about this.

I raised an issue with Andreas a couple of days after this thread started about a potential problem and was promised an emergency patch the following day which hasn't materialised.

I don't know if this is how the hacker(s) have been compromising sites, but I was able to find the IP address of gollum's hacker within a couple of minutes of downloading his league and logging in to his ftp site and reading the log files. I could have quite easily at that point done all sorts of things to his site.

Until the emergency patch comes out there's nothing that can be done to prevent this potential way in, unless you are able to set up a separate FTP user that only has access to the OOTP directories and no access to forums, etc.

I'm not going to give the details of how this is done (for the obvious reasons that a searchable and indexed forum would put it into the public domain)

*waits for the proverbial to hit the fan now*

#57 gollum65 (12-03-2008, 10:33 AM)
When Tony says "within a couple of minutes", he's being modest. We had been trading PMs about this, and while he was writing one, he went from "can I look at the logs" to "here's the hacker's information and what files he hacked".

Needless to say I'm STUNNED and very angry that an apparent exploit exists in OOTP9 that was known about by the developers and nothing has been done to correct it yet. This needs to be resolved NOW! Every OOTP Online League site is at risk until it is!

The good news is, this appears to get Getch off the hook, or at least in these cases.
#58 Tony M (12-03-2008, 10:46 AM)
Until this patch comes out there are two things that can be done to remove this potential exploit.

1) Create an FTP user that only can access the exports and reports directory and use that in the Online League options
2) Remove any public link to the league file. If you have a new GM, give them a link in email. If the league can't be downloaded then you can't get the details you need to log in.
#59 Tony M (12-03-2008, 10:47 AM)
Of course, it could be that it is still another way that is being exploited to perform these hacks, but hopefully that's something we can find out soon.
#60 f.montoya (12-03-2008, 11:51 AM)
Guys, this is scary. I have some 50+ online leagues that I host. I didn't even need to know how it was done to figure out how to do it (I got into my own site in 15 minutes).

The bad guy can easily plop in a piece of code and he can pretty much overwrite any index file he knows of (and that's a lot if you are using popular CMSs and community forum software).

PLEASE get this patched Andreas and Markus!!!