Old 12-03-2008, 08:34 PM   #81 (permalink)
All Star Reserve
 
Join Date: Feb 2007
Posts: 891
Thanked 7x in 7 posts
The link to the patch is a few posts above yours in one of KQ76's posts. I'd say the cat is out of the bag now....
gollum65 is offline   Reply With Quote
Old 12-03-2008, 08:50 PM   #82 (permalink)
Hall Of Famer
 
Cooleyvol's Avatar
 
Join Date: Dec 2001
Location: Woodland Mills, TN
Posts: 5,796
Thanked 456x in 272 posts
Understood, but are we to just happen across the link?
__________________

Cooleyvol is offline   Reply With Quote
Old 12-03-2008, 08:55 PM   #83 (permalink)
All Star Reserve
 
Join Date: Feb 2007
Posts: 891
Thanked 7x in 7 posts
If you're asking if it's going to be "officially published as a patch file", I can't answer that, and I've mentioned before that I also don't understand why it's not been. Only the OOTP Dev Team can answer that.

And btw, we need a Mac version. I have GMs in my league who are Mac users.
gollum65 is offline   Reply With Quote
Old 12-03-2008, 09:23 PM   #84 (permalink)
Minors (Double A)
 
BoofBonser26's Avatar
 
Join Date: Dec 2007
Location: Chicago
Posts: 158
Has anyone successfully exported a file using the new version? I'm getting errors and can't tell if the problem is me or the patch.
BoofBonser26 is offline   Reply With Quote
Old 12-03-2008, 09:56 PM   #85 (permalink)
All Star Starter
 
Corsairs's Avatar
 
Join Date: Aug 2007
Posts: 1,904
Thanked 381x in 202 posts
Quote:
Originally Posted by BoofBonser26 View Post
Has anyone successfully exported a file using the new version? I'm getting errors and can't tell if the problem is me or the patch.
For the record, Boof's trouble exporting isn't related to the patch. We just changed our FTP password. Didn't want anyone upgrading to be afraid that the new version caused export issues.
__________________
Commissioner of the Planetary Extreme Baseball Alliance (PEBA) and the League of the Rising Sun (LRS)
Premiere OOTP fictional leagues where creativity counts and imagination is your only limitation
Check for openings - contact us today!
Corsairs is offline   Reply With Quote
Old 12-03-2008, 11:18 PM   #86 (permalink)
All Star Starter
 
Corsairs's Avatar
 
Join Date: Aug 2007
Posts: 1,904
Thanked 381x in 202 posts
One thing I'm uncertain of: Are we still concerned about a potential security hole in Getch's online utilities? This news of a security hole in OOTP would seem to vindicate the utilities, but f.montoya indicated to me in an email tonight that there may still be a separate vulnerability there.

Might we get an official word on this from Getch himself? We've removed the utilities from our server until we're sure they're safe, but we're itching to restore them.
Corsairs is offline   Reply With Quote
Old 12-03-2008, 11:29 PM   #87 (permalink)
All Star Reserve
 
Join Date: Feb 2007
Posts: 891
Thanked 7x in 7 posts
As I posted earlier, I cannot say with 100% certainty how the hacker gained access. Sure, it's possible he got in through Getch's utilities. All that could be gleaned from the logs was the files that he altered and when he altered them.

Now, my personal opinion, given the facts that have come to light today, is that Getch's utilities are most likely safe, but that's just my opinion. I've never taken them offline in my league and unless it can be proven that they were a direct portal for an attack, I won't remove them.

All that said, Getch did post that he found a problem and was going to fix it.
gollum65 is offline   Reply With Quote
Old 12-04-2008, 01:20 AM   #88 (permalink)
DWK
All Star Reserve
 
DWK's Avatar
 
Join Date: Mar 2007
Location: Bluffton, South Carolina
Posts: 571
Thanked 12x in 11 posts
Quote:
Originally Posted by Cooleyvol View Post
So, can all commishes get this patch or is there a select few that are worthy of being protected against this?
Yeah, I would like to know this too.
__________________
Hardball Chronicles - Milwaukee Braves
Major League Historical Baseball - Boston Red Sox
Diamond King Baseball - New York Yankees
Sabermetric Baseball - Detroit Tigers

DWK is offline   Reply With Quote
Old 12-04-2008, 01:49 AM   #89 (permalink)
Hall Of Famer
 
molarmite's Avatar
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,745
Blog Entries: 1
Thanked 75x in 48 posts
Markus said if you contact him, he will give it to you. So I assume it's for everyone. It's posted on the previous page if you want a link to it.
__________________
From the wise mind of Davey Eckstein

"Now all you need is a signature. A quote or initial, perhaps."


molarmite is offline   Reply With Quote
Old 12-04-2008, 02:10 AM   #90 (permalink)
Hall Of Famer
 
satchel's Avatar
 
Join Date: Apr 2002
Location: Ft Smith AR
Posts: 2,680
Thanked 48x in 26 posts
My impulse is to start using the v9.2.7 patch, but I fear the effects on compatibility. If it's similar to the v9.2.3 patch, then all should be smooth. Still, I'm reluctant to go ahead before seeing others' results.
satchel is offline   Reply With Quote
Old 12-04-2008, 02:23 AM   #91 (permalink)
Hall Of Famer
 
molarmite's Avatar
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,745
Blog Entries: 1
Thanked 75x in 48 posts
I can tell that I've received exports using 9.2.7 while my owners used 9.2.3. Although Markus still suggests everyone patch up because the hacker can still get the info he needs for people's exports I believe.
molarmite is offline   Reply With Quote
Old 12-04-2008, 02:44 AM   #92 (permalink)
All Star Starter
 
Corsairs's Avatar
 
Join Date: Aug 2007
Posts: 1,904
Thanked 381x in 202 posts
It might be good if Markus popped in here and explained things to us personally. I'd still like to know what to tell my owners who are using Macs. They can't use this patch. Like satchel, I'm worried about compatibility issues during the period where I'm using 9.2.7 and they're stuck using 9.2.3.
Corsairs is offline   Reply With Quote
Old 12-04-2008, 03:08 AM   #93 (permalink)
Minors (Single A)
 
Join Date: Mar 2006
Posts: 95
Thanked 40x in 9 posts
Quote:
Originally Posted by Corsairs View Post
It might be good if Markus popped in here and explained things to us personally. I'd still like to know what to tell my owners who are using Macs. They can't use this patch. Like satchel, I'm worried about compatibility issues during the period where I'm using 9.2.7 and they're stuck using 9.2.3.
Not to mention that a few people in my league who have patched are having issues even getting the game to run. One person had no problems, another patched the .exe and can't even load up OOTP anymore without getting a runtime error, another says the game doesn't load on 9.2.7 but works fine if he uses the 9.2.2 .exe...

This is truly a mess. So if I want to patch my game to protect my site from this hacker, I have to potentially lock out a number of owners from being able to export since they can't get the .exe file to work correctly?

We need some kind of word from up on high. The people in the middle have done an admirable job doing their best to see this gets fixed, but they can only do so much. I'd say that some direct communication is long overdue for the people who have suffered through a lot of trouble dealing with this issue.
Buane is offline   Reply With Quote
Old 12-04-2008, 03:29 AM   #94 (permalink)
Minors (Rookie Ball)
 
Join Date: Sep 2004
Posts: 23
Quote:
Originally Posted by MustangLM View Post
Suicide Squeeze has been hacked several times recently by john mohov. We changed web hosts, but after a few days the hack returned. Our forum runs on SMF 1.17 currently.

Tech support advised me that my global permissions were set to allow files to be written to. They fixed the permissions for me and installed a back up. At the time we were running SMF 1.16 and as soon as the site came back up, I upgraded to SMF 1.17. Two days later we were hacked again. Hopefully that's not the case for you Paul, but don't be surprised if it happens again.

I contacted tech support again and they did some additional digging. They claimed someone had stolen my ftp user name and password and hacked the site. They recommended I do a virus scan on my end, change my password and reinstall SMF. I ran the scan, but it came up empty. I even picked up another virus software package just to be certain the one I was using hadn't missed something. No virus found. I then changed my ftp password and got the site running again yesterday. It's been running for 24 hrs so far with no issues.

I'm not sure how they are getting my password, but one thing I noticed when I first installed OOTP 9 was that when I entered my ftp data for online play, the password was fully visible. At the time I remember thinking that was odd, but thought nothing of it. Maybe it was the same in previous versions, but I seem to remember it always being hidden. I know you need the commissioner password to view those features, but I'm curious if there isn't some security issue with that portion of OOTP. I've never had any issues in past versions of OOTP, just since using this one. Perhaps it's just a coincidence, but I'm curious now.
Our league was hacked as well. All of the index files had ****** codes written into them that fortunately did not direct the users to another site as planned but instead made the site inoperative. I changed the FTP pw and 2 weeks to the day later we were hacked identically again. My provider gave me the ftp logs and it shows that the hacker simply logged in, so somehow he is hacking the pw (perhaps from the league file?). I changed the PW again to a random mix of upper and lower case letters and numbers, and symbols... we will see if he attacks again.
Morgan1963 is offline   Reply With Quote
Old 12-04-2008, 03:31 AM   #95 (permalink)
Hall Of Famer
 
mikev's Avatar
 
Join Date: Dec 2004
Location: Bay Area, CA
Posts: 3,984
Thanked 21x in 16 posts
Quote:
Originally Posted by Corsairs View Post
It might be good if Markus popped in here and explained things to us personally. I'd still like to know what to tell my owners who are using Macs. They can't use this patch. Like satchel, I'm worried about compatibility issues during the period where I'm using 9.2.7 and they're stuck using 9.2.3.
No, it might be good for a public release of the patch to be issued and notification given to the whole community, rather than letting a few people know about it. That's how software patching works normally, ESPECIALLY when it's a security issue.

But, as usual, online leagues get the short end of the stick even when it comes to potentially compromising entire leagues because of a security exploit... Gotta hurry up and add more sounds!
__________________
70% of the earth's surface is covered by water. The other 30% is taken care of by Patrick Willis.


Global Unified Baseball Association - Vice Commish and California Crusaders GM
mikev is offline   Reply With Quote
Old 12-04-2008, 03:35 AM   #96 (permalink)
Hall Of Famer
 
molarmite's Avatar
 
Join Date: Jul 2005
Location: Minnesota
Posts: 4,745
Blog Entries: 1
Thanked 75x in 48 posts
Quote:
Originally Posted by Morgan1963 View Post
Our league was hacked as well. All of the index files had ****** codes written into them that fortunately did not direct the users to another site as planned but instead made the site inoperative. I changed the FTP pw and 2 weeks to the day later we were hacked identically again. My provider gave me the ftp logs and it shows that the hacker simply logged in, so somehow he is hacking the pw (perhaps from the league file?). I changed the PW again to a random mix of upper and lower case letters and numbers, and symbols... we will see if he attacks again.
We found out it is the league file so you need to patch or it will happen again.
molarmite is offline   Reply With Quote
Old 12-04-2008, 04:18 AM   #97 (permalink)
Global Moderator
 
Tony M's Avatar
 
Join Date: Feb 2006
Location: Here
Posts: 6,078
Blog Entries: 3
Thanked 299x in 172 posts
It is fixed in 9.2.7, but if a Mac or Linux user downloads a 9.2.7 league they won't be able to connect because what it believes is the connection settings will not work.

Until a Mac or Linux 9.2.7 patch comes out, I don't believe that they will be able to access 9.2.7 leagues, but we'd need word from up high as to whether this is true.
Tony M is offline   Reply With Quote
Old 12-04-2008, 05:36 AM   #98 (permalink)
Global Moderator
 
Tony M's Avatar
 
Join Date: Feb 2006
Location: Here
Posts: 6,078
Blog Entries: 3
Thanked 299x in 172 posts
Quote:
Originally Posted by f.montoya View Post
Even that doesn't solve this issue. I've seen 2 of my sites with altered (OOTP generated) index.html pages with an ****** inserted. The hole you saw is EXACTLY how the bad guy is getting in. He either plays OOTP or spent enough time around here to get enough info on how to do this.

Even if you use a limited FTP account, the ****** can still get into the OOTP reports. If this happens, you run the risk of allowing a trojan type virus to get into several league members' computers.
Been having a bit more of a think about this, and I think the following is something that should be seriously considered for OOTP10

The Online leagues work on a two-way FTP system and both the commish and the GMs have 'access' to the FTP settings (access defined as the means of getting hold of them)

The only need a GM has for FTP is really to upload their team export. There isn't necessarily a need to have an FTP download - it should be possible to do it via HTTP.

The game should have two FTPs - one for the commish and one for the GMs - and when the commish runs a sim and creates the .tar.gz file for the league it just strips out all the information pertaining to the commish FTP so the only FTP information that gets passed to the GM is the details he needs to export his team.

Then this export FTP can be given access to just one directory and there's nothing in there that can be exploited as it is just basically team_nnn.ootp files.
Tony M is offline   Reply With Quote
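The credential-stripping step proposed in the post above, sketched as an added example (not code from the thread or from OOTP). The settings layout, key names and file names other than the `team_nnn.ootp` pattern are hypothetical, since the thread does not describe the real league file format; the sample credentials are constructed.

```python
import io
import json
import tarfile

# Constructed sample: a hypothetical league settings record holding both
# FTP accounts (the commissioner's full account and the GM export account).
LEAGUE_SETTINGS = {
    "league_name": "Example League",
    "commish_ftp": {"host": "ftp.example.org", "user": "commish",
                    "password": "C0mmish-Secret!", "root": "/"},
    "export_ftp": {"host": "ftp.example.org", "user": "gm_export",
                   "password": "gm-upload-only", "root": "/exports"},
}

SENSITIVE_KEYS = ("commish_ftp",)  # sections that must never reach a GM


def gm_settings(settings):
    """Return a copy with every commissioner-only section removed."""
    return {k: v for k, v in settings.items() if k not in SENSITIVE_KEYS}


def build_gm_archive(settings, league_files):
    """Build the .tar.gz handed to GMs, in memory, from stripped settings."""
    buf = io.BytesIO()
    members = dict(league_files)
    members["settings.json"] = json.dumps(gm_settings(settings)).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def leaked_secrets(archive_bytes, settings):
    """Release gate: list commish credentials found anywhere in the archive."""
    secrets = [str(value).encode()
               for key in SENSITIVE_KEYS
               for field, value in settings[key].items()
               if field in ("user", "password")]
    found = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read()
            found += [(member.name, s.decode()) for s in secrets if s in data]
    return found
```

Running `leaked_secrets` on every archive before upload catches the case where the credential survives somewhere other than the settings record, such as a stray notes or report file.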
Old 12-04-2008, 06:43 AM   #99 (permalink)
Hall Of Famer
 
Bluenoser's Avatar
 
Join Date: Mar 2002
Location: Canada
Posts: 5,263
Thanked 372x in 244 posts
Quote:
Originally Posted by Tony M View Post
Been having a bit more of a think about this, and I think the following is something that should be seriously considered for OOTP10

The Online leagues work on a two-way FTP system and both the commish and the GMs have 'access' to the FTP settings (access defined as the means of getting hold of them)

The only need a GM has for FTP is really to upload their team export. There isn't necessarily a need to have an FTP download - it should be possible to do it via HTTP.

The game should have two FTPs - one for the commish and one for the GMs - and when the commish runs a sim and creates the .tar.gz file for the league it just strips out all the information pertaining to the commish FTP so the only FTP information that gets passed to the GM is the details he needs to export his team.

Then this export FTP can be given access to just one directory and there's nothing in there that can be exploited as it is just basically team_nnn.ootp files.
I would not want to see it go to http, it would greatly slow down owner downloads.

Anyway, the issue has been addressed and fixed - http://www.ootpdevelopments.com/boar...ming-soon.html
__________________
It takes neither courage nor intelligence to cheer for a team only when that team wins. The true test of a fan's mettle is the same as it is for a player: Were you there when you were needed?
Bluenoser is offline   Reply With Quote
Old 12-04-2008, 06:50 AM   #100 (permalink)
Global Moderator
 
Tony M's Avatar
 
Join Date: Feb 2006
Location: Here
Posts: 6,078
Blog Entries: 3
Thanked 299x in 172 posts
Quote:
Originally Posted by BruceM View Post
I would not want to see it go to http, it would greatly slow down owner downloads.

Anyway, the issue has been addressed and fixed - http://www.ootpdevelopments.com/boar...ming-soon.html
OK. Maybe if the league download and the exports were all in the same directory the idea above would still work as that would still be the only directory that a GM would need access to, and the Commish could have access to the other folders for report uploading.
Tony M is offline   Reply With Quote