11-16-2008, 09:49 AM | #21
Hall Of Famer
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
First off, I'm placing blame at no one's feet.
TSW has had only one league affected out of our 14 leagues easily linked from any league on our network. That league is an OOTP league that runs Getch's utility. Is it the only OOTP league we have that runs Getch's stuff? No, but it's one of only two. In my experience CMSs are notorious for security holes, so I'd surmise that most of those affected were hit because of the CMS running the sites on Fidel's space, but it seems that there's a window in through Getch's utilities. We don't use a CMS and have vBulletin, so I'm guessing since those windows were closed, the only other vulnerability left for us was Getch's utility. I just re-upped the index page of our affected site and all is well again, but I will check with that other league running Getch to see if they've seen this as well.
11-16-2008, 10:54 AM | #22
All Star Reserve
Join Date: Feb 2007
Posts: 925
Quote:
11-16-2008, 10:56 AM | #23
Hall Of Famer
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
I'd also look to upgrade SMF if it's not up to date as well.
11-16-2008, 10:58 AM | #24
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote:
It might be tough for him to identify how they are being exploited (if they even are) without someone providing the information from their system being hacked. Someone who has been hacked should be able to see the new timestamp of the page that was rewritten. You then should be able to go through your system logs (or have your system administrator do so) to see what was done during that time. It should be pretty clear in the logs what was used to rewrite the page with the exploit ****** within it. If it was Getch's tools, you would then be able to show exactly what was being exploited for him to fix it. Or you can find out if it was something else instead.
11-16-2008, 11:00 AM | #25
All Star Reserve
Join Date: Feb 2007
Posts: 925
Yeah, if it happens again to me, I will be tracking things to see if I can identify how they got in. I didn't have system log access before. The web host is working with me now.
And we were on SMF 1.16 till yesterday morning. Now we're on 1.17.
11-16-2008, 11:19 AM | #26
Global Moderator
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,698
I know someone said they had already contacted Getch about it previously, but I just PM'd him to make sure he knows there's concern and to add what he can. I initially said I'd ask fhomess and Solonor about it, but that was because I thought I heard Getch hadn't been around in a while. I just noticed otherwise.
I'd like to thank everyone who has contributed everything they can to aid in flushing this out. Obviously most of us don't know all that much about this stuff, so whatever we can learn from those of you who do is great. It's awesome to see how fast our community can come together to resolve a common problem.
11-16-2008, 01:15 PM | #27
Minors (Triple A)
Join Date: Jul 2003
Posts: 201
Suicide Squeeze has been hacked several times recently by john mohov. We changed web hosts, but after a few days the hack returned. Our forum runs on SMF 1.17 currently.
Tech support advised me that my global permissions were set to allow files to be written to. They fixed the permissions for me and installed a backup. At the time we were running SMF 1.16 and as soon as the site came back up, I upgraded to SMF 1.17. Two days later we were hacked again. Hopefully that's not the case for you, Paul, but don't be surprised if it happens again. I contacted tech support again and they did some additional digging. They claimed someone had stolen my FTP username and password and hacked the site. They recommended I do a virus scan on my end, change my password and reinstall SMF. I ran the scan, but it came up empty. I even picked up another virus software package just to be certain the one I was using hadn't missed something. No virus found. I then changed my FTP password and got the site running again yesterday. It's been running for 24 hours so far with no issues. I'm not sure how they are getting my password, but one thing I noticed when I first installed OOTP 9 was that when I entered my FTP data for online play, the password was fully visible. At the time I remember thinking that was odd, but thought nothing of it. Maybe it was the same in previous versions, but I seem to remember it always being hidden. I know you need the commissioner password to view those features, but I'm curious if there isn't some security issue with that portion of OOTP. I've never had any issues in past versions of OOTP, just since using this one. Perhaps it's just a coincidence, but I'm curious now.
__________________
Lonnie Moody Suicide Squeeze Commish AIM: SqueezeCommish Suicide Squeeze Baseball League Email: commish@suicide-squeeze.net
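The host's first fix in the post above was resetting file permissions that let anyone write to the site. The following is an added example, not code from the thread or from any of the tools it mentions: a Python audit that walks a web root, lists every world-writable file or directory, and resets them to the usual 755/644. The directory layout, file names and the two bad modes in `demo()` are constructed assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any entry writable by "other" can be rewritten by every account and every
# script on a shared host, which is how a defaced index page gets dropped in.
WORLD_WRITABLE = stat.S_IWOTH


def find_world_writable(root):
    """Walk `root` and return a sorted list of (relative path, octal mode) for
    every file or directory that anyone on the host may write to."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            try:
                mode = entry.lstat().st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue  # a symlink's own permission bits are not enforced
            if mode & WORLD_WRITABLE:
                findings.append((str(entry.relative_to(root)), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def tighten(root, dir_mode=0o755, file_mode=0o644):
    """Reset each world-writable entry to the usual web-root modes and return
    how many entries were changed."""
    changed = 0
    for rel, _ in find_world_writable(root):
        entry = Path(root) / rel
        entry.chmod(dir_mode if entry.is_dir() else file_mode)
        changed += 1
    return changed


def demo():
    """Constructed web root in a temporary directory (assumed layout, not a real
    site): two entries are deliberately left world-writable, the way the host in
    the thread described. Returns (findings before, entries fixed, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        for d in ("forum", "reports"):
            (root / d).mkdir(parents=True)
            (root / d).chmod(0o755)
        root.chmod(0o755)
        files = {
            "index.html": "<html>league home</html>",
            "forum/Settings.php": "<?php // forum settings ?>",
            "reports/standings.html": "<html>standings</html>",
        }
        for rel, body in files.items():
            (root / rel).write_text(body)
            (root / rel).chmod(0o644)
        (root / "forum").chmod(0o777)       # the misconfiguration: 777 on a directory
        (root / "index.html").chmod(0o666)  # and 666 on the page that got replaced
        before = find_world_writable(root)
        fixed = tighten(root)
        after = find_world_writable(root)
        return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    print("world-writable before:", before)
    print("entries fixed:", fixed)
    print("world-writable after:", after)
```

Run `find_world_writable("/path/to/public_html")` on a real site before calling `tighten()`, since a few applications genuinely need a writable cache or attachment directory and those should be narrowed to the web server's own user rather than reset blindly.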
11-16-2008, 01:40 PM | #28
Hall Of Famer
Join Date: Mar 2003
Posts: 9,004
For your FTP site password, I hope that it is something like 30 characters, with a good mix of uppercase, lowercase, special characters, and numbers, with no dictionary words.
It should look like: SADGs}Q|kx-/?z^\hxHs3;FGcIU0b;4qM?)%]
Password security does not need to be perfect; it just needs to be discouraging enough to make the hacker get bored and move on to the next mark.
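The criteria in the post above (30 characters, all four character classes, no dictionary words), as an added example that is not from the thread: a Python generator that draws from the OS CSPRNG and a checker that reports which of those criteria a given password fails. The special-character set and the short word list are constructed stand-ins; a real check would load a proper dictionary file.

```python
import math
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# Constructed special-character set: quotes and backslash left out so the result
# pastes into FTP clients and OOTP's online-play dialog without escaping trouble.
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
CLASSES = {"uppercase": UPPER, "lowercase": LOWER, "digit": DIGITS, "special": SPECIAL}

# Short constructed word list standing in for a real dictionary file.
COMMON_WORDS = ("password", "baseball", "league", "commish", "admin", "letmein")


def policy_violations(pw, min_length=30, words=COMMON_WORDS, min_word_len=4):
    """Check a password against the post's criteria: length, one character from
    each class, and no dictionary word. Returns a list of problems (empty = ok)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for label, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {label} character")
    lowered = pw.lower()
    for w in words:
        if len(w) >= min_word_len and w in lowered:
            problems.append(f"contains dictionary word {w!r}")
    return problems


def generate_password(length=30):
    """Draw uniformly from ALPHABET using the OS CSPRNG and retry until the
    result passes the policy. Rejection sampling keeps the result uniform over
    all passing strings, unlike padding in 'one of each class' afterwards."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(pw, min_length=length):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw)):.0f} bits")
    print(policy_violations("baseball2008!"))
```

A 30-character draw from a 90-symbol alphabet is close to 195 bits, far beyond anything an online FTP brute force can reach; the practical weak point is then the password being stored or displayed in the clear, which is the concern raised later in the thread.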
11-16-2008, 01:46 PM | #29
Hall Of Famer
Join Date: Mar 2003
Posts: 9,004
Dola,
If the username was determined by the hacker, that account should be killed, and never used again for any purpose whatsoever.
11-16-2008, 03:10 PM | #30
All Star Reserve
Join Date: Feb 2007
Posts: 925
My host didn't indicate they thought he had our FTP account info, but did recommend we change our password. And our new password is indeed as cryptic as you stated, so we should be good there. With the forum updated, the passwords changed, the file permissions fixed, et al., I'm hoping this is the end of it for me.
As I told the good guys who take part in my league, if it continues I'm just going to shut the league down. I have better things to do than deal with this crap on a daily basis.
11-16-2008, 05:35 PM | #31
All Star Reserve
Join Date: Jan 2006
Posts: 868
Hey guys,
I've been contacted by a few PMs about this. Unfortunately, I don't know much about hacking, but I'll help out as much as I can. My utilities use Perl, not PHP. Not sure if that changes anything. I'm not sure how they could ever be used to hack a server. There's not a whole lot of open-ended coding in there to deviate from what it is supposed to do. My utils have no access to FTP or login info. The login info that you see in my utils is separate from the server, and only allows access to more OOTPOU screens. Even as an admin, you can't do much. Anyway, it sounds like the person is getting access from the FTP server, which, as I said, my utils have no control over. Just a thought... OOTP stores the FTP server connection info in the league file. Perhaps that has somehow been compromised and that is how this person is hacking the sites? Anyway, I'll help in any way I can. PM is the best way to get a hold of me, since I don't watch the boards a ton.
__________________
Get the OOTP Online Utilities for online leagues! Includes Gamecast, Development, Live Sims, Voting and more. Check here for more details
11-16-2008, 05:56 PM | #32
Minors (Triple A)
Join Date: Jul 2003
Posts: 201
Our new password meets the criteria mentioned by Raidergoo as well. Hopefully that puts a stop to it.
__________________
Lonnie Moody Suicide Squeeze Commish AIM: SqueezeCommish Suicide Squeeze Baseball League Email: commish@suicide-squeeze.net
11-16-2008, 06:45 PM | #33
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
Quote:
That said, I did notice that the password field in the login form allows unusually long passwords. In addition, are there any verifications in the code there that will prevent Perl code or even PHP code from being entered in that field? I haven't tried, but you may want to try injecting a small "write file" piece of code and sticking it in there to see what happens. Just a thought, Getch. You know I'm a big fan of your utilities and I appreciate your input here in this thread.
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner (Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly (free site registration required) Last edited by f.montoya; 11-16-2008 at 06:52 PM.
11-16-2008, 08:14 PM | #34
All Star Reserve
Join Date: Feb 2007
Posts: 925
|
I too appreciate your attention to this Getch. My league uses OOTPU and I wouldn't want to try to run a league without it. I don't believe it's OOTPU. I believe it's the forums. I know we all use different forums, but forums have never been known for their security. And my forum was the first thing that was attacked.....or more specifically an ajax chat room that's embedded in the forum.
11-16-2008, 10:54 PM | #35
Hall Of Famer
Join Date: Nov 2004
Posts: 6,069
Forum addons are especially vulnerable to attacks. Those who make these mods will be the first to admit sometimes that writing secure code is something that doesn't get done until after there's significant negative feedback.
__________________
Fidel Montoya Asahi2 Baseball ex-Commissioner (Historical League Since 2004) www.allsimbaseball.com (OOTP web hosting - Customized sites for online leagues - Sign up, Connect OOTP and Play!) Share Your Mods - Free, unlimited and easy to upload to share your Mods instantly (free site registration required)
11-16-2008, 11:16 PM | #36
Hall Of Famer
Join Date: Dec 2001
Location: Union City, TN
Posts: 6,383
I just thought of this:
The TSW league that was affected doesn't have a forum on its webspace. TSW forums are on the TSW site. That really leaves nothing out of the ordinary on the site besides Getch's utility and OOTP reports.
11-17-2008, 07:18 AM | #37
All Star Reserve
Join Date: Feb 2007
Posts: 925
That certainly crossed my mind, which is why I mentioned it.
11-17-2008, 09:10 AM | #38
All Star Starter
Join Date: Dec 2005
Posts: 1,255
I really don't understand how Getch's utilities could be exploited. I understand the logic of looking for commonalities between the sites that have been hacked but I'd be curious to know how a hacker would exploit it. The only vulnerability I could potentially see is if the person who installed it has the file permissions incorrectly set in which case it's not really a problem with the utility.
11-17-2008, 09:25 AM | #39
All Star Starter
Join Date: Mar 2002
Location: Mass.
Posts: 1,963
Quote:
Anyone who got hacked should be able to look at the timestamp of the page that was rewritten with the hidden ****** within it, and then go to your system/server admin and ask for help in tracking down the logfiles for that time frame (both ftp and http logs). Then it is just a case of looking through the logfiles to see what clearly caused the security hole. Once you get that vital piece of information you can accomplish three very important things: 1) either turn off or remove the security hole on your system; 2) contact the person responsible for the application with the security hole to inform them of the problem and see if there is a fix; 3) warn/inform the community of the problem so others can be aware and take precautions before anything happens to them if they use the same code.
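The procedure described in posts #24 and #39, as an added example that is not from the thread or from any tool it names: a Python script that takes the rewritten page's modification time, pulls every HTTP and FTP log entry from a window around it, and reports which client addresses show up in both logs for that window. The log lines, addresses, account name, and the choice of Apache combined format and xferlog format are constructed assumptions; on a real host you would read the actual log files and get the timestamp from `page_mtime()`.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample logs (RFC 5737 documentation addresses; no real host). Assumed:
# Apache combined format for the web server, xferlog format for the FTP daemon,
# both stamped in the server's local time so naive datetimes compare directly.
ACCESS_LOG = """\
203.0.113.7 - - [15/Nov/2008:02:11:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Nov/2008:03:14:40 -0500] "POST /forum/chat/ajaxchat.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Nov/2008:03:14:41 -0500] "GET /forum/chat/ajaxchat.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2008:08:02:13 -0500] "GET /reports/standings.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
XFERLOG = """\
Sat Nov 15 01:00:05 2008 2 203.0.113.7 9000 /public_html/reports/standings.html b _ i r leagueftp ftp 0 * c
Sat Nov 15 03:14:50 2008 1 198.51.100.9 5120 /public_html/index.php b _ i r leagueftp ftp 0 * c
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
# xferlog: date, transfer-time, host, size, file, type, flag, direction, mode, user, ...
XFER_RE = re.compile(
    r'^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \d+ (\S+) \d+ (\S+) \S \S (\S) \S (\S+)')


def page_mtime(path):
    """Modification time of the rewritten page: the anchor for the search window."""
    return datetime.fromtimestamp(os.stat(path).st_mtime)


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    parts = request.split()
    path = parts[1] if len(parts) > 1 else request
    return {"source": "http", "when": when, "ip": ip, "path": path,
            "detail": f"{status} {request}"}


def parse_xfer(line):
    m = XFER_RE.match(line)
    if not m:
        return None
    ts, ip, path, direction, user = m.groups()
    when = datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y")
    verb = "upload" if direction == "i" else "download"
    return {"source": "ftp", "when": when, "ip": ip, "path": path,
            "detail": f"{verb} by {user}"}


def timeline(center, access_text, xfer_text, minutes=10):
    """Every parsed entry within +/- `minutes` of `center`, in time order, plus the
    set of addresses that appear in both the HTTP and the FTP log in that window."""
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    events = []
    for parser, text in ((parse_access, access_text), (parse_xfer, xfer_text)):
        for line in text.splitlines():
            rec = parser(line)
            if rec and lo <= rec["when"] <= hi:
                events.append(rec)
    events.sort(key=lambda e: e["when"])
    # Addresses seen on both services around the change are the first thing to
    # show the host: they tie the web activity to the file that was rewritten.
    by_source = {}
    for e in events:
        by_source.setdefault(e["source"], set()).add(e["ip"])
    shared = by_source.get("http", set()) & by_source.get("ftp", set())
    return events, shared


def demo():
    """Run the search with a constructed mtime for index.php instead of os.stat()."""
    return timeline(datetime(2008, 11, 15, 3, 14, 50), ACCESS_LOG, XFERLOG)


if __name__ == "__main__":
    events, shared = demo()
    for e in events:
        print(e["when"], e["source"], e["ip"], e["path"], e["detail"])
    print("seen on both http and ftp:", sorted(shared))
```

The window is deliberately wide on both sides because the file's mtime records the last write, and on a shared host the web and FTP daemons may log with slightly different clocks; widen `minutes` if the first pass shows nothing. Whichever log holds the write (an FTP upload of the page, or a web request to a script that can write files) answers the question the posts above are asking: whether the hole was the FTP credentials, the forum, or one of the utilities.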
11-17-2008, 11:00 AM | #40
All Star Reserve
Join Date: Jan 2006
Posts: 868
Quote:
What exactly happened? Did the entire site get hacked, or just the league HTML files? I could see how possibly you could use my utils to modify the league HTML files if someone got access as an admin.
__________________
Get the OOTP Online Utilities for online leagues! Includes Gamecast, Development, Live Sims, Voting and more. Check here for more details |